How access control is implemented by IBM MQ on UNIX, Linux, and Windows
IBM MQ uses the security services provided by the underlying operating system, using the object authority manager. IBM MQ supplies commands to create and maintain access control lists.
An access control interface called the Authorization Service Interface is part of IBM MQ. IBM MQ supplies an implementation of an access control manager (conforming to the Authorization Service Interface) known as the object authority manager (OAM). This is automatically installed and enabled for each queue manager you create, unless you specify otherwise (as described in Preventing security access checks on UNIX, Linux, and Windows systems). The OAM can be replaced by any user or vendor written component that conforms to the Authorization Service Interface.
The OAM exploits the security features of the underlying operating system, using operating system user and group IDs. Users can access IBM MQ objects only if they have the correct authority. Controlling access to objects by using the OAM on UNIX, Linux, and Windows describes how to grant and revoke this authority.
The OAM maintains an access control list (ACL) for each resource that it controls. Authorization data is stored on a local queue called SYSTEM.AUTH.DATA.QUEUE. Access to this queue is restricted to users in the mqm group, and additionally on Windows, to users in the Administrators group and users logged in with the SYSTEM ID. This access cannot be changed by users. Because the authorization data itself lives on this queue, membership of these groups amounts to full administrative control over the queue manager's access control, so treat it as a privileged role.
For the commands that create and maintain these access control lists, see Controlling access to objects by using the OAM on UNIX, Linux, and Windows.
IBM MQ passes the OAM a request containing a principal, a resource name, and an access type. The OAM grants or rejects access based on the ACL that it maintains. IBM MQ follows the decision of the OAM; if the OAM cannot make a decision, IBM MQ does not allow access, so the check fails closed.
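The following is an added example, not IBM code and not the real OAM: a small in-memory model of the decision flow described above, written to show how a request (principal, resource, access type) is resolved against group-based ACL entries, how effective authority is the union over all of a principal's groups, and how unknown principals, unknown resources and malformed requests are denied rather than guessed. It assumes (as on UNIX and Linux with the default OAM policy) that entries are held by group, that members of the mqm group hold all authority, and it replaces SYSTEM.AUTH.DATA.QUEUE and the operating system's group lookup with dictionaries of constructed sample data. The authority keywords are the ones setmqaut accepts, but only a subset per object type is modelled.

```python
"""Toy model of the OAM decision flow (added example, not IBM MQ code).

Assumptions, labelled here and in the lead-in:
- authorizations are stored per group (default OAM policy on UNIX/Linux);
- members of the admin group ("mqm") hold every authority;
- the OS group database and SYSTEM.AUTH.DATA.QUEUE are replaced by dicts
  holding constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Subset of the authority keywords setmqaut accepts, per object type.
VALID: Dict[str, Set[str]] = {
    "queue": {"browse", "get", "put", "inq", "set", "dsp", "chg", "clr", "dlt"},
    "qmgr": {"connect", "inq", "set", "dsp", "chg", "dlt", "altusr"},
}

Resource = Tuple[str, str]  # (object type, object name); the qmgr uses ("qmgr", "")


@dataclass
class ToyOam:
    # Stand-in for the OS group database: principal -> groups (constructed).
    os_groups: Dict[str, Set[str]]
    # Stand-in for SYSTEM.AUTH.DATA.QUEUE: resource -> group -> authorities.
    acl: Dict[Resource, Dict[str, Set[str]]] = field(default_factory=dict)
    admin_group: str = "mqm"  # assumption: members hold all authority

    def setmqaut(self, obj_type: str, name: str, group: str, *changes: str) -> None:
        """Apply '+auth' / '-auth' changes, in the spirit of
        `setmqaut -m QM -t <type> -n <name> -g <group> +get -put`."""
        if obj_type not in VALID:
            raise ValueError(f"unknown object type {obj_type!r}")
        entry = self.acl.setdefault((obj_type, name), {}).setdefault(group, set())
        for change in changes:
            if len(change) < 2 or change[0] not in "+-" or change[1:] not in VALID[obj_type]:
                raise ValueError(f"bad authority specification {change!r}")
            op, auth = change[0], change[1:]
            (entry.add if op == "+" else entry.discard)(auth)

    def dspmqaut(self, principal: str, obj_type: str, name: str) -> Set[str]:
        """Effective authority of a principal on a resource: the union over
        every group the principal belongs to (like `dspmqaut -p`)."""
        groups = self.os_groups.get(principal, set())
        if self.admin_group in groups:
            return set(VALID.get(obj_type, set()))
        entry = self.acl.get((obj_type, name), {})
        effective: Set[str] = set()
        for g in groups:
            effective |= entry.get(g, set())
        return effective

    def check(self, principal: str, obj_type: str, name: str, access: str) -> bool:
        """The question MQ puts to the OAM: may `principal` perform `access`
        on the resource? Anything the OAM cannot resolve is a denial."""
        if principal not in self.os_groups:
            return False  # principal unknown to the OS: cannot decide, deny
        if obj_type not in VALID or access not in VALID[obj_type]:
            return False  # malformed request: deny rather than guess
        return access in self.dspmqaut(principal, obj_type, name)


def demo() -> Dict[str, bool]:
    """Constructed scenario: an application group, a wider staff group,
    one MQ administrator, and one principal the OS has never heard of."""
    oam = ToyOam(os_groups={
        "alice": {"appgrp", "staff"},
        "bob": {"staff"},
        "mqadmin": {"mqm"},
    })
    oam.setmqaut("qmgr", "", "appgrp", "+connect", "+inq")
    oam.setmqaut("queue", "APP.REQUEST", "appgrp", "+put", "+get", "+browse")
    oam.setmqaut("queue", "APP.REQUEST", "appgrp", "-browse")  # revoke again
    oam.setmqaut("queue", "APP.REQUEST", "staff", "+inq")
    return {
        "alice connect": oam.check("alice", "qmgr", "", "connect"),
        "alice put": oam.check("alice", "queue", "APP.REQUEST", "put"),
        "alice browse (revoked)": oam.check("alice", "queue", "APP.REQUEST", "browse"),
        "alice inq (via staff)": oam.check("alice", "queue", "APP.REQUEST", "inq"),
        "bob put (staff only)": oam.check("bob", "queue", "APP.REQUEST", "put"),
        "bob inq": oam.check("bob", "queue", "APP.REQUEST", "inq"),
        "alice get on unknown queue": oam.check("alice", "queue", "OTHER.Q", "get"),
        "unknown principal": oam.check("mallory", "queue", "APP.REQUEST", "get"),
        "mqm member set": oam.check("mqadmin", "queue", "APP.REQUEST", "set"),
        "bad access type": oam.check("alice", "queue", "APP.REQUEST", "connect"),
    }


if __name__ == "__main__":
    for question, allowed in demo().items():
        print(f"{question:32s} -> {'allow' if allowed else 'deny'}")
```

Two points the model makes concrete: effective authority is additive across groups, so auditing a single group's entry with dspmqaut for that group understates what a user can do, and every unresolvable case (unknown principal, no ACL entry for the resource, an access type that does not apply to the object type) lands on the deny branch, which is the fail-closed behaviour the page describes. The real OAM additionally handles generic profiles, user-level authorization policies and the Windows Administrators and SYSTEM identities, none of which this toy models.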