Access control


The access control list for a queue uses the following permissions:

[PDMQ]E

The application or user is allowed to enqueue, or put, messages on the queue

[PDMQ]D

The application or user is allowed to dequeue, or get, messages from the queue

[PDMQ]R

The application or user is allowed to connect to the queue manager via client channel connection

When an application attempts to open a queue, Access Manager for Business Integration inspects the access control list for the queue to check whether the user ID associated with the application has the required permissions for the operations requested. If the user ID does not have the required permissions, the MQOPEN call fails.

Access Manager for Business Integration performs these authority checks even if the quality of protection for the queue is specified as none. You can therefore specify a quality of protection of none for a queue if the only security service you require is access control.

When an application attempts to get a message from a queue, Access Manager for Business Integration checks that the sender of the message had permission to put the message on the queue. This check is relevant for a message that has arrived from a remote queue manager and was actually put on the queue by an MCA. If the sender does not have the required permission, the MQGET call fails and the message is not delivered to the application. The message is put on the Access Manager for Business Integration error queue, or on the local dead letter queue if an error queue has not been created. This authority check is performed only if the quality of protection for the queue is specified as integrity or privacy.

When a queue manager receives a client channel connection request, the Access Manager for Business Integration security exit checks whether the initiator has permission to connect to the queue manager. The client identity is then extracted from the client certificate by WMQ SSL. If the check is successful, the client channel connection is established and the client identity is saved for use during authorization of other requests. If the check fails, the client channel connection is dropped.
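The following is an added model of the authorization rules described above; it is not code from Access Manager for Business Integration or from WebSphere MQ, whose real MQOPEN and MQGET are MQI calls. The queue names, user IDs and messages are constructed for the example. It mirrors three rules from this topic: the E, D and R permissions are checked on open and on client connect regardless of the queue's quality of protection; the sender of a message that arrived through an MCA is re-checked against the E permission at MQGET time only when the quality of protection is integrity or privacy; and a message failing that check is diverted to the error queue, or to the dead letter queue when no error queue exists.

```python
from dataclasses import dataclass, field
from enum import Enum


class QoP(Enum):
    """Quality of protection values named in the topic."""
    NONE = "none"
    INTEGRITY = "integrity"
    PRIVACY = "privacy"


# Permission codes from the queue access control list ([PDMQ]E, [PDMQ]D, [PDMQ]R)
ENQUEUE = "E"          # put messages on the queue
DEQUEUE = "D"          # get messages from the queue
REMOTE_CONNECT = "R"   # connect to the queue manager over a client channel


@dataclass
class Message:
    sender: str   # user ID that put the message (carried with the protected message)
    body: str


@dataclass
class Queue:
    name: str
    qop: QoP
    acl: dict                               # user ID -> set of permission codes
    messages: list = field(default_factory=list)


def open_queue(queue, user, operations):
    """MQOPEN check: every requested operation needs its ACL permission.
    Performed for every quality of protection, including none."""
    granted = queue.acl.get(user, set())
    return set(operations) <= granted


def mqput(queue, user, body):
    """Local put: fails at MQOPEN when the user lacks E."""
    if not open_queue(queue, user, {ENQUEUE}):
        return False
    queue.messages.append(Message(sender=user, body=body))
    return True


def deliver_from_remote(queue, sender, body):
    """Models an MCA putting a message that arrived from a remote queue manager.
    The MCA itself is not subject to the local MQOPEN check, so the sender's
    authority can only be verified when the message is retrieved."""
    queue.messages.append(Message(sender=sender, body=body))


def mqget(queue, user, error_queue=None, dead_letter_queue=None):
    """MQGET check: the receiver needs D. With integrity or privacy QoP the
    sender is re-checked for E; an unauthorized sender's message is diverted
    to the error queue, or to the dead letter queue if no error queue exists."""
    if not open_queue(queue, user, {DEQUEUE}):
        return ("MQOPEN_FAILED", None)
    if not queue.messages:
        return ("NO_MSG", None)
    msg = queue.messages.pop(0)
    sender_check_applies = queue.qop in (QoP.INTEGRITY, QoP.PRIVACY)
    if sender_check_applies and not open_queue(queue, msg.sender, {ENQUEUE}):
        target = error_queue if error_queue is not None else dead_letter_queue
        target.messages.append(msg)
        return ("MQGET_FAILED_SENDER_UNAUTHORIZED", None)
    return ("OK", msg)


def client_connect(queue, client_identity):
    """Security exit check on a client channel connection request: needs R.
    In the product the identity comes from the client certificate via WMQ SSL;
    here it is passed in directly (assumption of the model)."""
    return open_queue(queue, client_identity, {REMOTE_CONNECT})


if __name__ == "__main__":
    # Constructed scenario: alice may put, bob may get, QoP privacy.
    app_q = Queue("APP.IN", QoP.PRIVACY, {"alice": {ENQUEUE}, "bob": {DEQUEUE}})
    err_q = Queue("AMBI.ERROR", QoP.NONE, {})
    dlq = Queue("SYSTEM.DEAD.LETTER.QUEUE", QoP.NONE, {})
    print(mqput(app_q, "alice", "order-1"), mqget(app_q, "bob", err_q, dlq))
    deliver_from_remote(app_q, "mallory", "spoofed")   # mallory has no E
    print(mqget(app_q, "bob", err_q, dlq), [m.sender for m in err_q.messages])
```

The last two lines of the demo show the point of the integrity/privacy check: the message arriving through the MCA is never delivered to bob and lands on the error queue, whereas the same queue with QoP none would hand it over because only the receiver's D permission is examined.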

