Identifying the user ID on UNIX, Linux, and Windows
The object authority manager identifies the principal that is requesting access to a resource. The user ID used as the principal varies according to context.
The object authority manager (OAM) must be able to identify who is requesting access to a particular resource. IBM MQ uses the term principal to refer to this identifier. The principal is established when the application first connects to the queue manager; it is determined by the queue manager from the user ID associated with the connecting application. (If the application issues XA calls without connecting to the queue manager, then the user ID associated with the application that issues the xa_open call is used for authority checks by the queue manager.)
On UNIX and Linux systems, the authorization routines check either the real (logged-in) user ID or the effective user ID associated with the application. Which user ID is checked can depend on the bind type; for details, see Installable services.
IBM MQ propagates the user ID received from the system in the message header (MQMD structure) of each message as identification of the user. This identifier is part of the message context information and is described in Context authority on UNIX, Linux, and Windows. Applications cannot alter this information unless they have been authorized to change context information.
- Principals and groups on UNIX, Linux, and Windows
Principals can belong to groups. By granting resource access to groups rather than to individuals, we can reduce the amount of administration required. Access Control Lists (ACLs) are based on both groups and user IDs.
- Windows security identifiers (SIDs)
IBM MQ on Windows uses the SID where it is available. If a Windows SID is not supplied with an authorization request, IBM MQ identifies the user based on the user name alone, but this might result in the wrong authority being granted.
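The following is an added illustration, not IBM MQ code: a small Python model of the two points above, namely that an ACL grants authority by user ID and by group (so an account's effective authority is the union of what its SID and each of its groups are granted), and that resolving a principal by user name alone can pick the wrong account when two accounts share a name. The directory, the SIDs, the group names and the ACL entries are all constructed for the example; the authority names (put, get, dsp, setall) follow IBM MQ's vocabulary, but the evaluation logic here is a simplified model and not the OAM's implementation.

```python
"""Toy model of principal/group ACL evaluation and SID-vs-name resolution.

Illustrative only: this is not IBM MQ's object authority manager.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    sid: str              # unique security identifier (constructed value)
    name: str             # user name; NOT guaranteed unique across domains
    domain: str
    groups: frozenset     # group names the account belongs to


# Constructed directory. Two accounts deliberately share the name "mqapp";
# the DEV account is listed first so a name-only lookup finds it first.
DIRECTORY = [
    Account("S-1-5-21-2222-1002", "mqapp", "DEV", frozenset({"mqm"})),
    Account("S-1-5-21-1111-1001", "mqapp", "CORP", frozenset({"mqusers"})),
]

# Constructed ACL. Keys are ("user", sid) or ("group", group_name);
# values are the authorities granted to that principal or group.
SAMPLE_ACL = {
    ("group", "mqusers"): {"put", "get"},
    ("group", "mqm"): {"put", "get", "dsp", "setall"},
    ("user", "S-1-5-21-1111-1001"): {"dsp"},
}


def resolve(sid=None, name=None):
    """Resolve an account.

    When a SID is supplied it is matched exactly. Without a SID the lookup
    falls back to the user name alone and returns the first match, which
    is exactly the ambiguity that can grant the wrong authority.
    """
    if sid is not None:
        matches = [a for a in DIRECTORY if a.sid == sid]
    elif name is not None:
        matches = [a for a in DIRECTORY if a.name == name]
    else:
        raise ValueError("either sid or name is required")
    if not matches:
        raise LookupError("no such account")
    return matches[0]


def authorities_for(acl, account):
    """Union of authorities granted to the account's SID and to each of its groups."""
    granted = set(acl.get(("user", account.sid), ()))
    for group in account.groups:
        granted |= set(acl.get(("group", group), ()))
    return granted


def is_authorized(acl, account, operation):
    """True if the ACL grants the operation to the account directly or via a group."""
    return operation in authorities_for(acl, account)


if __name__ == "__main__":
    corp = resolve(sid="S-1-5-21-1111-1001")
    print("by SID :", corp.domain, sorted(authorities_for(SAMPLE_ACL, corp)))
    by_name = resolve(name="mqapp")
    print("by name:", by_name.domain, sorted(authorities_for(SAMPLE_ACL, by_name)))
```

Run as a script, the SID lookup yields the CORP account with put, get and dsp (dsp directly, put and get through mqusers), while the name-only lookup for the same user name lands on the DEV account and reports setall as well; that difference is why supplying the SID with an authorization request matters.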
Parent topic: Authority to work with IBM MQ objects on UNIX, Linux, and Windows