Authorizing users to configure IBM MQ on Windows and Linux (x86 and x86-64 platforms)

IBM MQ uses the normal user and group authorizations to protect IBM MQ applications and IBM MQ administration.



Configure IBM MQ


About this task

The IBM MQ installation automatically creates the local group mqm. Only users that belong to the mqm group can perform tasks such as creating, deleting, and altering queue managers, setting authorizations on queue manager objects, and running listeners. For more information regarding the commands that are used to perform these tasks, see Administration using the control commands.

On Windows, user names that are members of the Windows Administrators group also have the authority to perform these tasks. Users that are members of the Windows Administrators group are also authorized to alter the local Windows operating system settings. For IBM MQ on Windows, user names can contain a maximum of 20 characters; for IBM MQ on other platforms, user names can contain a maximum of only 12 characters.

To give a user authority to administer queue managers:


Procedure

  1. Log in to the operating system with a user name that has Administrator authority on Windows, or root authority on Linux.
  2. Add the user's user name to the mqm group.


Results

On Windows, the security token that IBM MQ Explorer queries for authority when it starts contains the user name and authority information, and is cached by Windows. If changes are made to a user name authorization, that user must log off and on again for the changes to take effect when IBM MQ Explorer is restarted.


Performing IBM MQ operations


About this task

To perform operations such as connecting to a queue manager, opening a queue, or creating a queue, the user must have the correct IBM MQ privileges. Only users who belong to the mqm group or who have been granted +chg permission on the queue manager can perform tasks such as creating, deleting, and altering queue managers. A user that has the correct privileges can run applications but cannot, for example, create or delete queue managers unless they are also a member of the mqm group.

You can set up user name authorizations with various levels of capability for the IBM MQ applications you create and implement on your own network. For example, a user name might have the authority to connect to a queue manager and to put and get messages on a queue, but not the authority to alter the attributes of that queue. Use the setmqaut command to do this. For more information, see setmqaut. You can also make the user names that use the application members of a global group for the network, and then, on each computer where the application must run, make the global group a member of the mqm group.

Changes made to IBM MQ authorizations by the setmqaut command take immediate effect. However, changes made to user name authorization do not take effect until the relevant queue manager is stopped and restarted.
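
The scoped authorization described above (connect, put and get, but no authority to alter attributes), as an added example that is not part of the original IBM documentation. The queue manager QM1, the queues APP.REQUEST and APP.REPLY, the group payapp and the helper function mq_app_grants are constructed for illustration.

```shell
#!/bin/sh
# Added example. QM1, APP.REQUEST, APP.REPLY and the group "payapp" are
# constructed names; substitute your own.

# Print the setmqaut commands that let GROUP connect to QMGR and put/get
# messages on each QUEUE, while withholding +chg (alter attributes).
mq_app_grants() {
    if [ "$#" -lt 3 ]; then
        echo "usage: mq_app_grants QMGR GROUP QUEUE..." >&2
        return 2
    fi
    qmgr=$1
    group=$2
    shift 2
    # mqm members are already full administrators, so scoped grants to
    # that group would be meaningless.
    if [ "$group" = "mqm" ]; then
        echo "refusing: mqm is the administrative group" >&2
        return 1
    fi
    # Assumption: a Linux-style group name (letters, digits, . _ -).
    case $group in
        ''|*[!A-Za-z0-9._-]*) echo "bad group name: $group" >&2; return 1 ;;
    esac
    # Allow only the MQ object-name character set, so every generated
    # line is safe to review and run.
    for name in "$qmgr" "$@"; do
        case $name in
            ''|*[!A-Za-z0-9._/%]*) echo "bad MQ name: $name" >&2; return 1 ;;
        esac
    done
    echo "setmqaut -m $qmgr -t qmgr -g $group +connect -chg"
    for q in "$@"; do
        echo "setmqaut -m $qmgr -n $q -t queue -g $group +put +get -chg"
    done
}

# Dry run: prints the plan only. Review it, then run the lines as a
# member of mqm.
mq_app_grants QM1 payapp APP.REQUEST APP.REPLY
```

After applying the grants, `dspmqaut -m QM1 -n APP.REQUEST -t queue -g payapp` displays the resulting authorizations for the group.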


Starting Windows service for an IBM MQ installation


About this task

The service starts at Windows startup time, before any user is logged on. The service is used to start any queue managers configured with the automatic startup option. In order to ensure that queue manager processes run with correct authority, the service must be configured with an appropriate user name. For more information on configuring the IBM MQ service, see Change the password of the IBM MQ Windows service user account.