Home
Authority to work with WebSphere MQ objects
Queue managers, queues, process definitions, namelists, channels, client connection channels, listeners, services and authentication information objects are all accessed from applications that use MQI calls or PCF commands. These resources are all protected by WebSphere MQ, and applications need to be given permission to access them. The entity making the request might be a user, an application program that issues an MQI call, or an administration program that issues a PCF command. The identifier of the requester is referred to as the principal.
Different groups of principals can be granted different types of access authority to the same object. For example, for a specific queue, one group might be allowed to perform both put and get operations; another group might be allowed only to browse the queue (MQGET with browse option). Similarly, some groups might have put and get authority to a queue, but not be allowed to alter attributes of the queue or delete it.
Some operations are particularly sensitive and should be limited to privileged users. For example:
- Accessing some special queues, such as transmission queues or the command queue SYSTEM.ADMIN.COMMAND.QUEUE
- Running programs that use full MQI context options
- Creating and deleting application queues
Full access permission to an object is automatically given to the user ID that created the object and to all members of the mqm group (and to the members of the local Administrators group on Windows systems).
- When security checks are made
- How access control is implemented by WebSphere MQ
- Identifying the user ID
- Alternate-user authority
- Context authority
Parent topic:
WebSphere MQ security
fa12760_
Home