Authorization for applications to use IBM MQ
When applications access objects, the user IDs associated with the applications need appropriate authority.
Applications can access the following IBM MQ objects by issuing MQI calls:
- Queue managers
- Queues
- Processes
- Namelists
- Topics
Applications can also use PCF commands to administer IBM MQ objects. When the PCF command is processed, it uses the authority context of the user ID that put the PCF message. Applications, in this context, include those written by users and vendors, and those supplied with IBM MQ for z/OS. The applications supplied with IBM MQ for z/OS include:
- The operations and control panels
- The IBM MQ utility program, CSQUTIL
- The dead letter queue handler utility, CSQUDLQH
Applications that use IBM MQ classes for Java, IBM MQ classes for JMS, IBM MQ classes for .NET, or the Message Service Clients for C/C++ and .NET use the MQI indirectly.
MCAs also issue MQI calls and the user IDs associated with the MCAs need authority to access these IBM MQ objects. For more information about these user IDs and the authorities they require, see Channel authorization.
On z/OS, applications can also use MQSC commands to access these IBM MQ objects, but in these circumstances the authority checks are provided by command security and command resource security. For more information, see Command security and command resource security on z/OS and MQSC commands and the system command input queue on z/OS.
On IBM i, a user that issues a CL command in Group 2 might require authority to access an IBM MQ object associated with the command. For more information, see When authority checks are performed.
- When authority checks are performed
  Authority checks are performed when an application attempts to access a queue manager, queue, process, or namelist.
- Alternate user authority
  When an application opens an object or subscribes to a topic, the application can supply a user ID on the MQOPEN, MQPUT1, or MQSUB call. It can ask the queue manager to use this user ID for authority checks instead of the one associated with the application.
- Message context
  Message context information allows the application that retrieves a message to find out about the originator of the message. The information is held in fields in the message descriptor and the fields are divided into three logical parts.
- Authority to work with IBM MQ objects on IBM i, UNIX, Linux, and Windows systems
  The authorization service component provided with IBM MQ is called the object authority manager (OAM). It provides access control via authentication and authorization checks.
- Authority to work with IBM MQ objects on z/OS
  On z/OS, there are seven categories of authority check associated with calls to the MQI. We must define certain RACF profiles and give appropriate access to these profiles. Use the RESLEVEL profile to control how many user IDs are checked.