Authority to administer IBM MQ on UNIX, Linux, and Windows
IBM MQ administrators can use all IBM MQ commands and grant authorities for other users. When administrators issue commands to remote queue managers, they must have the required authority on the remote queue manager. Further considerations apply to Windows systems.
IBM MQ administrators have authority to use all IBM MQ commands (including the commands to grant IBM MQ authorities for other users).
To be an IBM MQ administrator, you must be a member of a special group that is called the mqm group.
Alternatively, on Windows only, local accounts can administer IBM MQ if they are members of the Administrators group on Windows systems.
Attention: You can add your Azure AD user to the mqm group by using an administrator command. For example, use the command net localgroup mqm AzureAD\<your userID> /add. Then run IBM MQ administration commands or use IBM MQ Explorer.
The mqm group is created automatically when IBM MQ is installed. You can add further users to the group to allow them to perform administration. All members of this group have access to all resources. This access can be revoked only by removing a user from the mqm group and issuing the REFRESH SECURITY command.
Administrators can use control commands to administer IBM MQ. One of these control commands is setmqaut, which is used to grant authorities to other users to enable them to access or control IBM MQ resources. The PCF commands for managing authority records are available to non-administrators who are granted dsp and chg authorities on the queue manager. For more information about managing authorities by using PCF commands, see Programmable Command Formats.
Administrators must have the required authorities for the MQSC commands to be processed by the remote queue manager. The IBM MQ Explorer issues PCF commands to perform administration tasks. Administrators require no additional authorities to use the IBM MQ Explorer to administer a queue manager on the local system. When the IBM MQ Explorer is used to administer a queue manager on another system, administrators must have the required authorities for the PCF commands to be processed by the remote queue manager.
Attention: From IBM MQ Version 8.0, you do not have to be an administrator to use the control command runmqsc, which issues IBM MQ Script (MQSC) commands. When runmqsc is used in indirect mode to send MQSC commands to a remote queue manager, each MQSC command is encapsulated within an Escape PCF command.
For more information about authority checks when PCF and MQSC commands are processed, see the following topics:
- For PCF commands that operate on queue managers, queues, processes, namelists, and authentication information objects, see Authority to work with IBM MQ objects. Refer to this section for the equivalent MQSC commands encapsulated within Escape PCF commands.
- For PCF commands that operate on channels, channel initiators, listeners, and clusters, see Channel security.
- For PCF commands that operate on authority records, see Authority checking for PCF commands.
- For MQSC commands that are processed by the command server on IBM MQ for z/OS, see Command security and command resource security on z/OS.
Additionally, on Windows systems, the SYSTEM account has full access to IBM MQ resources.
On UNIX and Linux platforms, a special user ID of mqm is also created, for use by the product only. It must never be available to non-privileged users. All IBM MQ objects are owned by user ID mqm.
On Windows systems, members of the Administrators group can also administer any queue manager, as can the SYSTEM account. You can also create a domain mqm group on the domain controller that contains all privileged user IDs active within the domain, and add it to the local mqm group. Some commands, for example crtmqm, manipulate authorities on IBM MQ objects and so need authority to work with these objects (as described in the following sections). Members of the mqm group have authority to work with all objects, but there might be circumstances on Windows systems when authority is denied if you have a local user and a domain-authenticated user with the same name. This is described in Principals and groups on UNIX, Linux, and Windows.
Windows versions with a User Account Control (UAC) feature restrict the actions users can perform on certain operating system facilities, even if they are members of the Administrators group. If your user ID is in the Administrators group but not the mqm group, you must use an elevated command prompt to issue IBM MQ admin commands such as crtmqm; otherwise the error AMQ7077: You are not authorized to perform the requested operation is generated. To open an elevated command prompt, right-click the start menu item, or icon, for the command prompt, and select Run as administrator.
You do not need to be a member of the mqm group to take the following actions:
- Issue commands from an application program that issues PCF commands, or MQSC commands within an Escape PCF command, unless the commands manipulate channel initiators. (These commands are described in Protecting channel initiator definitions.)
- Issue MQI calls from an application program (unless you want to use the fast path bindings on the MQCONNX call).
- Use the crtmqcvx command to create a fragment of code that performs data conversion on data type structures.
- Use the dspmq command to display queue managers.
- Use the dspmqtrc command to display IBM MQ formatted trace output.
A 12 character limitation applies to both group and user IDs.
UNIX and Linux platforms generally restrict the length of a user ID to 12 characters. AIX Version 5.3 has raised this limit, but IBM MQ continues to observe a 12 character restriction on all UNIX and Linux platforms. If you use a user ID longer than 12 characters, IBM MQ replaces it with the value UNKNOWN. Do not define a user ID with a value of UNKNOWN.
- Manage the mqm group on UNIX, Linux, and Windows
Users in the mqm group are granted full administrative privileges over IBM MQ. For this reason, you should not enrol applications and ordinary users in the mqm group. The mqm group should contain the accounts of the IBM MQ administrators only.
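As an added example, not part of the IBM MQ documentation: a POSIX shell audit of the mqm group that reports members who are not on an approved-administrator list (the rule above) and members whose user ID exceeds the 12-character limit that IBM MQ observes (such IDs are treated as UNKNOWN). The group line and the approved list are constructed sample data; on a real system the line would come from getent group mqm.

```shell
#!/bin/sh
# Added example (not IBM's code): audit the mqm group on UNIX/Linux.
# Constructed /etc/group-style line so the script runs offline.
SAMPLE_GROUP_LINE='mqm:x:1001:mqm,alice,app_service_account1,bob'
# Constructed approved-administrator list (assumption: kept by the MQ team).
APPROVED_ADMINS='mqm alice bob'

# mqm_members LINE -> prints the member field of a group(5) line, one per line.
mqm_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n'
}

# in_list NAME LIST -> returns 0 if NAME is one of the space-separated LIST words.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# audit_mqm GROUP_LINE APPROVED -> prints one finding per line:
#   NOT_APPROVED <user>  member that is not an approved IBM MQ administrator
#   TOO_LONG <user>      ID longer than 12 characters; IBM MQ would see UNKNOWN
# Returns 1 if any finding was produced, 0 if the group is clean.
audit_mqm() {
    rc=0
    for u in $(mqm_members "$1"); do
        [ -z "$u" ] && continue
        if ! in_list "$u" "$2"; then
            echo "NOT_APPROVED $u"; rc=1
        fi
        if [ "${#u}" -gt 12 ]; then
            echo "TOO_LONG $u"; rc=1
        fi
    done
    return $rc
}

audit_mqm "$SAMPLE_GROUP_LINE" "$APPROVED_ADMINS" \
    || echo "review: mqm group contains unexpected or unusable members"
```

Replace the constructed line with the output of getent group mqm and the approved list with your own record of IBM MQ administrators to run this against a real host.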