Windows security identifiers (SIDs)
IBM MQ on Windows uses the SID where it is available. If a Windows SID is not supplied with an authorization request, IBM MQ identifies the user based on the user name alone, but this might result in the wrong authority being granted.
On Windows systems, the security identifier (SID) is used to supplement the user ID. The SID contains information that identifies the full user account details on the Windows security account manager (SAM) database where the user is defined. When a message is created on IBM MQ for Windows, IBM MQ stores the SID in the message descriptor. When IBM MQ on Windows performs authorization checks, it uses the SID to query the full information from the SAM database. (The SAM database in which the user is defined must be accessible for this query to succeed.)
By default, if a Windows SID is not supplied with an authorization request, IBM MQ identifies the user based on the user name alone. It does this by searching the security databases in the following order:- The local security database
- The security database of the primary domain
- The security database of trusted domains
To specify that all authorization requests must include an SID, use regedit. Set the SecurityPolicy to NTSIDsRequired.