Manage object authorities with an authorization service
The authorization service is an installable service that lets you view and manage the access authorities of groups and users on IBM MQ objects. You can manage these authorities using IBM MQ Explorer.
About this task
The authorization service component supplied with IBM MQ is the Object Authority Manager (OAM), but you can also use IBM MQ Explorer to manage authorities through another installable authorization service if you prefer.
The authorization service maintains an access control list (ACL) for each IBM MQ object to which it controls access. An ACL contains a list of all the group IDs that can perform operations on the object; on Windows, the ACL can contain user IDs as well as group IDs. In the authorization service, you can grant and revoke authorities for users to access queue managers and objects.
For more information about managing object authorities with the OAM, see Object authority manager (OAM) and Securing.
For more information about granting authorities on queue managers and objects, see the following topics:
- Granting the Create authority
- Granting authorities on a queue manager
- Granting authorities on a specific object
- Granting authorities on multiple objects
- Granting the Create authority
To create a new object on a queue manager, the user who performs the operation must have authority to create that type of object on the queue manager.
- Granting role-based authorities on a queue manager
A user must have the correct authorities to perform operations on objects. You can assign these authorities individually, but if a user needs either read-only access or full administrative access to all the objects hosted by a queue manager, you can grant this in a single action.
- Granting authorities on a queue manager
To perform an operation on a queue manager, the user must have authority to perform that particular operation on the queue manager.
- Granting authorities on a specific object
A user must have the correct authorities to perform operations on objects; for example, to browse the messages on a queue.
- Granting authorities on multiple objects
You can grant the same set of authorities on multiple objects on a queue manager by using generic profiles.
- Granting the authority to connect to a queue manager
Before a user can access a queue manager's objects, the user must connect to the queue manager. The user must, therefore, have authority to connect to that queue manager.
- Comparing the authorities of two entities
In the authorization service, you can compare the authorities that have been granted to two groups of users.
- Comparing the accumulated authorities of two entities
You can compare the accumulated authorities on an object of two users, two groups, or a user with a group.
- Finding the authorities of a user or group on an object
You can search the authorization service for authority records or accumulated authorities that have been granted to groups or users (entities) on a queue manager's objects. If the group or user does not have an authority record on the specified objects, no results are displayed.
- Finding the accumulated authorities of an entity on an object
You can find and view the accumulated authorities of an entity. The accumulated effect of the authorities of an entity on an object determines whether the entity can perform operations on the object.
- Determining why an entity has certain authorities
An entity's authorities can accumulate from several sources, so it is useful to be able to find out which authority records contributed to an entity's accumulated authorities.
- Accumulated authorities
Accumulated authorities are the total authorities that a user or group has to perform an operation on an object.
- Authority records
An authority record is the set of authorities that have been granted to a particular user or group of users (entities) on a named object.
- Users and groups (entities) in the authorization service
In the authorization service, authorities are granted to users (also known as principals when the user name is fully qualified with the domain name) or to groups of users for accessing IBM MQ objects. Users and groups are collectively known as entities in the authorization service. You grant a set of authorities to an entity by creating an authority record.
- Generic and specific profiles
When you manage authorities for a folder of objects (for example, the Queues folder) using the Manage Authority Records dialog, you grant authorities against profiles instead of on specific objects.
- Authorization service control commands
IBM MQ Explorer performs the same functions as the IBM MQ control commands setmqaut, dspmqaut, and dmpmqaut.
- Authorities you can set on IBM MQ objects
You can set authorities for users and groups accessing different IBM MQ objects.
- Wildcards used in generic profiles
You can use some wildcard characters in generic profiles.
- Exporting authorities to a file
You can export object authorities to a text file from IBM MQ Explorer.
Parent topic: Manage security and authorities
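The following added example (not IBM MQ code and not part of the original page) models the authority records, generic-profile wildcard matching and accumulated authorities described in the topics above, reports which records contributed each authority (the "why" behind an entity's accumulated view), and renders each record as the equivalent setmqaut control command. The queue manager QM1, the profiles, entities and group memberships are constructed for the example. The wildcard rules implemented ('*' inside a qualifier matches zero or more characters, '?' exactly one, a qualifier of just '*' exactly one qualifier, '**' zero or more whole qualifiers) and the rule that accumulation is the union of every matching record for the user and its groups are the author's reading of the OAM generic-profile conventions, stated as assumptions; check them against the Generic and specific profiles topic before relying on them.

```python
"""Model of OAM authority records, generic-profile matching and accumulation.

Added example, not IBM MQ code. Wildcard rules implemented (assumption, the
author's reading of the OAM generic-profile conventions): inside a qualifier
'*' matches zero or more characters and '?' exactly one; a qualifier that is
just '*' matches exactly one qualifier; '**' matches zero or more whole
qualifiers. Accumulation is modelled as the union of every matching record
for the user and the groups it belongs to (assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Contribution = Tuple[str, str]  # (profile, entity) that supplied an authority


@dataclass(frozen=True)
class AuthRecord:
    profile: str              # specific object name or generic profile
    obj_type: str             # queue, qmgr, topic, channel, ...
    entity: str               # user or group name
    entity_type: str          # "principal" or "group"
    authorities: FrozenSet[str]


def _qualifier_re(qualifier: str) -> str:
    """Translate one profile qualifier into a regex; wildcards never cross a dot."""
    parts = []
    for ch in qualifier:
        if ch == "*":
            parts.append("[^.]*")
        elif ch == "?":
            parts.append("[^.]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def _match_parts(pq: List[str], oq: List[str]) -> bool:
    if not pq:
        return not oq
    if pq[0] == "**":  # zero or more whole qualifiers
        return any(_match_parts(pq[1:], oq[i:]) for i in range(len(oq) + 1))
    if not oq or not re.fullmatch(_qualifier_re(pq[0]), oq[0]):
        return False
    return _match_parts(pq[1:], oq[1:])


def profile_matches(profile: str, object_name: str) -> bool:
    """True if the specific or generic profile covers object_name."""
    return _match_parts(profile.split("."), object_name.split("."))


def accumulate(records: List[AuthRecord], user: str, groups: Set[str],
               obj_type: str, object_name: str) -> Dict[str, List[Contribution]]:
    """Accumulated authorities of `user` on one object, with the records that
    contributed each one (the 'why' behind the accumulated view)."""
    entities = {(user, "principal")} | {(g, "group") for g in groups}
    out: Dict[str, List[Contribution]] = {}
    for rec in records:
        if rec.obj_type != obj_type or (rec.entity, rec.entity_type) not in entities:
            continue
        if not profile_matches(rec.profile, object_name):
            continue
        for auth in sorted(rec.authorities):
            out.setdefault(auth, []).append((rec.profile, rec.entity))
    return out


def is_authorized(records, user, groups, obj_type, object_name, authority) -> bool:
    return authority in accumulate(records, user, groups, obj_type, object_name)


def setmqaut_command(qmgr: str, rec: AuthRecord) -> str:
    """Render a record as the equivalent setmqaut command (qmgr records take no -n)."""
    flag = "-p" if rec.entity_type == "principal" else "-g"
    name = "" if rec.obj_type == "qmgr" else f" -n '{rec.profile}'"
    auths = " ".join("+" + a for a in sorted(rec.authorities))
    return f"setmqaut -m {qmgr} -t {rec.obj_type}{name} {flag} {rec.entity} {auths}"


# Constructed sample records and group memberships; not taken from a real queue manager.
RECORDS = [
    AuthRecord("QM1", "qmgr", "appgroup", "group", frozenset({"connect", "inq"})),
    AuthRecord("APP.**", "queue", "appgroup", "group",
               frozenset({"browse", "get", "inq", "put"})),
    AuthRecord("APP.PAYMENTS.*", "queue", "payments", "group", frozenset({"set"})),
    AuthRecord("APP.PAYMENTS.IN", "queue", "alice", "principal", frozenset({"dsp"})),
]
GROUPS = {"alice": {"appgroup", "payments"}, "bob": {"appgroup"}, "eve": set()}


def explain(user: str, obj_type: str, object_name: str) -> Dict[str, List[Contribution]]:
    """Accumulated authorities of a sample user, with the contributing records."""
    return accumulate(RECORDS, user, GROUPS.get(user, set()), obj_type, object_name)


if __name__ == "__main__":
    for rec in RECORDS:
        print(setmqaut_command("QM1", rec))
    for auth, sources in sorted(explain("alice", "queue", "APP.PAYMENTS.IN").items()):
        print(f"alice {auth:<6} <- {sources}")
    print("eve can connect to QM1:",
          is_authorized(RECORDS, "eve", set(), "qmgr", "QM1", "connect"))
```

On a queue manager where the same records have been set, `dspmqaut -m QM1 -t queue -n APP.PAYMENTS.IN -p alice` shows the accumulated result that `explain` computes here, and the (profile, entity) pairs it reports are the records the Explorer "Determining why an entity has certain authorities" view traces back to. Note that `eve`, who belongs to no group and has no principal record, gets no connect authority at all, which is the check the "Granting the authority to connect to a queue manager" topic describes.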
Related concepts
- Authorities you can set on IBM MQ objects
- Authority records
- Accumulated authorities
- Users and groups (entities) in the authorization service
Related tasks