OAM user-based permissions on UNIX and Linux
From Version 8.0, on UNIX and Linux systems, the object authority manager (OAM) can use user-based authorization as well as group-based authorization.
Before Version 8.0, access control lists (ACLs) on UNIX and Linux are based on groups only. From Version 8.0, ACLs are based on both user IDs and groups and we can use either the user-based model or the group-based model for authorization by setting the SecurityPolicy attribute to the appropriate value as described in Configure installable services and Configure authorization service stanzas on UNIX and Linux.
Changes in behavior for Version 8.0 and later
From Version 8.0, when running with the user-based policy, some commands return different information from earlier versions of the product:
- The dmpmqaut and dmpmqcfg commands show user-based records, as do the PCF equivalent operations.
- The OAM plug-in for IBM MQ Explorer shows user-based records and allows user-based modifications.
- The OAM Inquire function returns results that show that it is user-capable.
Using the -p attribute on the setmqaut command does not grant access to all users in the same primary group when user-based authorizations are enabled in the qm.ini file, as described in Service stanza format.
If you start to employ user-based authorization and have many users, there will probably be more records that are stored on the AUTH queue than with the group-based model, and the authorization process might take a little longer than previously as there are more records to verify. This increase is not expected to be significant. If required, we can use a mixture of user and group permissions.
Migration considerations
If we change the model from group to user for an existing queue manager, there is no immediate effect. The authorizations that have already been made continue to apply. Any user that connects to the queue manager receives the same privileges as before: the combination of all the groups to which their ID belongs. When new setmqaut commands are issued for user IDs, they take immediate effect.
If you create a new queue manager with the user policy, this queue manager has permissions only for the user who creates it (which is normally, but not necessarily, the mqm user ID). There are also permissions that are automatically granted to the mqm group. However, if we do not have mqm as the primary group, then the mqm group is not included in the initial set of authorizations.
If you move from a user to group policy, the user-based authorizations are not automatically deleted. However, they are no longer used during the permissions check. Before reverting the policy, save the current configuration, change the policy, restart the queue manager, and then replay the script. Because it is now a group-based queue manager, the effect is that user ID rules are stored based on the primary group.
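The following script is an added illustration of the two statements above and of the earlier point about the -p attribute; it is not IBM's code and it is not how the OAM is implemented. It is a simplified model that reads setmqaut lines in the format that dmpmqaut -o 1setmqaut produces, keeps a constructed table of group membership (primary group first), and computes the union of authorities a user holds on an object under the user-based policy and under the group-based policy. Under the group-based policy a -p record is treated as if it were stored against the principal's primary group, which is why replaying a saved script on a group-based queue manager can widen who a -p rule reaches. The queue manager name, queue names, user IDs and groups are all made up; generic profiles, +all/+alladm expansion and entity types other than queue and qmgr are not modelled.

```python
import shlex

# Constructed sample in the format that `dmpmqaut -m QM1 -o 1setmqaut` produces;
# the queue names, groups and user IDs are made up for this example.
SAMPLE_DUMP = """\
setmqaut -m QM1 -t qmgr -g mqm +connect +inq
setmqaut -m QM1 -n APP.IN -t queue -g appgrp +put +get
setmqaut -m QM1 -n APP.IN -t queue -p alice +browse
setmqaut -m QM1 -n APP.OUT -t queue -p bob +put
"""

# Constructed group membership; the first entry is the user's primary group.
USER_GROUPS = {
    "alice": ["appgrp", "staff"],
    "bob": ["staff"],
    "carol": ["staff"],
}


def parse_dump(text):
    """Turn 1setmqaut lines into (obj_type, obj_name, kind, entity, auths) tuples.

    kind is 'user' for -p records and 'group' for -g records; auths keeps the
    +/- prefix so that later records can revoke what earlier ones granted.
    Only the options that appear in a 1setmqaut dump (-m -n -t -p -g) are handled.
    """
    records = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "setmqaut":
            continue
        obj_type, obj_name, kind, entity, auths = None, "", None, None, []
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok in ("-m", "-t", "-n", "-p", "-g"):
                value = tokens[i + 1]
                if tok == "-t":
                    obj_type = value
                elif tok == "-n":
                    obj_name = value
                elif tok == "-p":
                    kind, entity = "user", value
                elif tok == "-g":
                    kind, entity = "group", value
                i += 2
                continue
            if tok[0] in "+-":
                auths.append(tok)  # +put grants, -put revokes
            i += 1
        records.append((obj_type, obj_name, kind, entity, auths))
    return records


def record_applies(kind, entity, user, policy):
    """Does a record for `entity` contribute to `user` under the given policy?"""
    groups = USER_GROUPS.get(user, [])
    if kind == "group":
        return entity in groups            # -g records behave the same under both policies
    if policy == "user":
        return entity == user              # -p names exactly one user ID
    # Group policy (simplified model): a -p record is stored against the principal's
    # primary group, so it reaches every member of that group, not only the named user.
    entity_groups = USER_GROUPS.get(entity, [])
    return bool(entity_groups) and entity_groups[0] in groups


def effective_authorities(records, user, policy, obj_type, obj_name=""):
    """Union of authorities from every applicable record, applied in dump order."""
    granted = set()
    for rtype, rname, kind, entity, auths in records:
        if rtype != obj_type or rname != obj_name:
            continue
        if not record_applies(kind, entity, user, policy):
            continue
        for auth in auths:
            if auth.startswith("+"):
                granted.add(auth[1:])
            else:
                granted.discard(auth[1:])
    return granted


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for user in ("alice", "bob", "carol"):
        for policy in ("user", "group"):
            auths = sorted(effective_authorities(recs, user, policy, "queue", "APP.OUT"))
            print(f"{user:6} {policy:5} APP.OUT: {auths}")
```

Running it shows the difference the policy makes for the APP.OUT record that names only bob: under the user-based policy carol holds nothing on that queue, while under the group-based policy the same record reaches carol because she shares bob's primary group.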