Authority to work with IBM MQ objects on UNIX, Linux, and Windows
All objects are protected by IBM MQ, and principals must be given appropriate authority to access them. Different principals need different access rights to different objects.
Queue managers, queues, process definitions, namelists, channels, client connection channels, listeners, services, and authentication information objects are all accessed from applications that use MQI calls or PCF commands. These resources are all protected by IBM MQ, and applications need to be given permission to access them. The entity making the request might be a user, an application program that issues an MQI call, or an administration program that issues a PCF command. The identifier of the requester is referred to as the principal.
Different groups of principals can be granted different types of access authority to the same object. For example, for a specific queue, one group might be allowed to perform both put and get operations; another group might be allowed only to browse the queue (MQGET with the browse option). Similarly, some groups might have put and get authority to a queue, but not be allowed to alter attributes of the queue or delete it.
Some operations are particularly sensitive and should be limited to privileged users. For example:
- Accessing some special queues, such as transmission queues or the command queue SYSTEM.ADMIN.COMMAND.QUEUE
- Running programs that use full MQI context options
- Creating and deleting application queues
Full access permission to an object is automatically given to the user ID that created the object and to all members of the mqm group (and to the members of the local Administrators group on Windows systems).
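The group-based split described above, expressed with the setmqaut and dspmqaut commands that IBM MQ supplies for maintaining the object authority manager's access control lists. This is an added example, not part of the IBM MQ documentation: the queue manager QM1, the queue APP.Q1, and the operating-system groups appgrp (put and get) and auditgrp (browse only) are made-up names, and the MQ_CMD variable is the example's own dry-run switch (set it to echo to print the commands instead of running them). Neither group is given chg or dlt, so neither can alter or delete the queue; members of mqm (or Administrators on Windows) are unaffected because they hold full access regardless of these entries.

```shell
#!/bin/sh
# Added example: grant least-privilege access to one queue for two groups.
# Assumed (made-up) names: QM1, APP.Q1, appgrp, auditgrp.
# MQ_CMD is this example's dry-run hook: MQ_CMD=echo prints the commands.

grant_queue_access() {
    qmgr="$1"; queue="$2"; workers="$3"; auditors="$4"
    run="${MQ_CMD:-}"

    # Every principal must be able to connect to the queue manager before it
    # can open any object on it; +inq lets applications inquire attributes.
    $run setmqaut -m "$qmgr" -t qmgr -g "$workers"  +connect +inq
    $run setmqaut -m "$qmgr" -t qmgr -g "$auditors" +connect +inq

    # Workers: put and get (and inquire). No +chg, +dlt or +set, so the
    # queue's attributes cannot be altered and the queue cannot be deleted.
    $run setmqaut -m "$qmgr" -t queue -n "$queue" -g "$workers" +put +get +inq

    # Auditors: browse only (MQGET with a browse option); no destructive get,
    # no put.
    $run setmqaut -m "$qmgr" -t queue -n "$queue" -g "$auditors" +browse +inq
}

# Display what a group currently holds on the queue, to confirm the split.
show_queue_access() {
    qmgr="$1"; queue="$2"; group="$3"
    ${MQ_CMD:-} dspmqaut -m "$qmgr" -t queue -n "$queue" -g "$group"
}

# Usage (dry run):
#   MQ_CMD=echo; grant_queue_access QM1 APP.Q1 appgrp auditgrp
#   MQ_CMD=echo; show_queue_access QM1 APP.Q1 auditgrp
```

Run dspmqaut for each group after the grants to verify that appgrp shows put and get but not browse, and that auditgrp shows browse but not get; the authority recorded for a principal is what the OAM will check at MQOPEN and MQGET time.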
- When security checks are made on UNIX, Linux, and Windows
  Security checks are typically made on connecting to a queue manager, opening or closing objects, and putting or getting messages.
- How access control is implemented by IBM MQ on UNIX, Linux, and Windows
  IBM MQ uses the security services provided by the underlying operating system, using the object authority manager. IBM MQ supplies commands to create and maintain access control lists.
- Identifying the user ID on UNIX, Linux, and Windows
  The object authority manager identifies the principal that is requesting access to a resource. The user ID used as the principal varies according to context.
- Alternate-user authority on UNIX, Linux, and Windows
  You can specify that a user ID can use the authority of another user when accessing an IBM MQ object. This is called alternate-user authority, and you can use it on any IBM MQ object.
- Context authority on UNIX, Linux, and Windows
  Context is information that applies to a particular message and is contained in the message descriptor, MQMD, which is part of the message. Applications can specify the context data when either an MQOPEN or MQPUT call is made.

Parent topic: Authorizing access to objects