Object authority manager (OAM)

The authorization service component supplied with the IBM MQ products is called the Object Authority Manager (OAM).

By default, the OAM is active and works with the control commands dspmqaut (display authority), dmpmqaut (dump authority), and setmqaut (set or reset authority).

The syntax of these commands and how to use them are described in the IBM MQ control commands reference.

The OAM works with entities, each of which is either a principal or a group:

  • On UNIX and Linux systems, a principal is a user ID, or an ID associated with an application program running on behalf of a user; a group is a system-defined collection of principals.
  • On Windows systems, a principal is a Windows user ID, or an ID associated with an application program running on behalf of a user; a group is a Windows group.

Authorizations can be granted or revoked at the principal or group level.

When an MQI request is made or a command is issued, the OAM checks whether the entity associated with the operation has authorization to perform the requested operation and to access the specified queue manager resources.
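
One way to review the authority records that the OAM checks against is to parse a dmpmqaut dump and flag the entries that need a closer look. This is an added example, not code from IBM; the stanza layout, the sample records and the review policy (prefer group-level grants, flag administrative authorities) are assumptions of the example.

```python
import re

# Constructed sample in the stanza layout assumed for dmpmqaut's default
# output; the queue, user and group names are invented for this example.
SAMPLE = """\
profile:     APP.REQUEST
object type: queue
entity:      appgrp
type:        group
authority:   put inq
- - - - - - - -
profile:     APP.**
object type: queue
entity:      alice
type:        principal
authority:   get, browse, put, chg, dlt
"""

# Review policy for this example only: authorities beyond plain messaging.
ADMIN_AUTHS = {"all", "alladm", "chg", "clr", "crt", "dlt", "ctrl", "ctrlx",
               "setall", "setid", "altusr"}
FIELD = re.compile(r"^[ \t]*(profile|object type|entity|type|authority):(.*)$", re.M)

def parse_records(text):
    """Split dmpmqaut-style output into one dict per authority record."""
    records, cur = [], {}
    for m in FIELD.finditer(text):
        key, val = m.group(1), m.group(2).strip()
        if key == "profile" and cur:  # a new stanza starts at each profile line
            records.append(cur)
            cur = {}
        cur[key] = set(re.split(r"[,\s]+", val)) - {""} if key == "authority" else val
    if cur:
        records.append(cur)
    return records

def findings(records):
    """Return (entity, profile, reason) tuples that deserve a manual review."""
    out = []
    for r in records:
        admin = sorted(r.get("authority", set()) & ADMIN_AUTHS)
        if admin:
            out.append((r["entity"], r["profile"], "admin authority: " + " ".join(admin)))
        if r.get("type") == "principal":
            out.append((r["entity"], r["profile"], "granted to a principal, not a group"))
    return out

if __name__ == "__main__":
    print(*findings(parse_records(SAMPLE)), sep="\n")
```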

The authorization service enables you to augment or replace the authority checking provided for queue managers by writing your own authorization service component.