[UNIX, Linux, Windows]

Changing and revoking access to an IBM MQ object on UNIX, Linux, and Windows

To change the level of access that a user or group has to an object, use the setmqaut control command, the DELETE AUTHREC MQSC command, or the MQCMD_DELETE_AUTH_REC PCF command. Note that on IBM® MQ Appliance you can use only the DELETE AUTHREC command.

The user ID that creates an IBM MQ object is granted full control authorities to that object. If you remove this user ID from the local mqm group (or the Administrators group on Windows systems), these authorities are not revoked. To revoke access to an object for the user ID that created it, use the setmqaut control command or the MQCMD_DELETE_AUTH_REC PCF command after removing the user ID from the mqm or Administrators group.
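
The revocation step described above, as an added example that is not part of IBM's documentation: a POSIX shell dry run that refuses to proceed while the creating user is still in mqm, then prints one setmqaut -remove call per object and a dmpmqaut call to confirm that no record is left. The queue manager QM1, the user appuser1, the group names and the object list are constructed sample values.

```shell
#!/bin/sh
# Added example (not IBM's code). QM1, appuser1 and the object list are
# constructed; the setmqaut/dmpmqaut commands are printed, not executed.

# in_group "<space-separated groups>" <group> -> 0 if <group> is in the list
in_group() {
    for g in $1; do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# plan_revocation <qmgr> <user> "<user's current groups>"
# Reads "profile objtype" lines on stdin and prints, per object, the setmqaut
# call that deletes the creator's authority record and a dmpmqaut call to
# confirm no record is left. Returns 2 while the user is still in mqm,
# because the order is: leave the group first, then revoke.
plan_revocation() {
    qmgr=$1; user=$2; memberships=$3
    if in_group "$memberships" mqm; then
        echo "refusing: $user is still a member of mqm" >&2
        return 2
    fi
    while read -r profile objtype; do
        case $profile in ''|'#'*) continue ;; esac
        # Profiles are single-quoted so generic ones (with *) are not globbed.
        printf "setmqaut -m %s -n '%s' -t %s -p %s -remove\n" \
            "$qmgr" "$profile" "$objtype" "$user"
        printf "dmpmqaut -m %s -n '%s' -t %s -p %s\n" \
            "$qmgr" "$profile" "$objtype" "$user"
    done
}

# Dry run over a constructed inventory of objects that appuser1 created.
# On a real host, pass "$(id -Gn appuser1)" as the third argument and run
# the reviewed output as an IBM MQ administrator.
plan_revocation QM1 appuser1 "staff appdev" <<'EOF'
# profile        objtype
ORDERS.IN        queue
ORDERS.REPLY     queue
ORDERS.EVENTS    topic
EOF
```

On UNIX and Linux queue managers that use the default group-based OAM policy, a record set with -p is held against the user's primary group, so check that group's other members before removing it.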

For a full definition of the setmqaut control command and its syntax, see setmqaut.

For a full definition of the DELETE AUTHREC MQSC command and its syntax, see DELETE AUTHREC.

For a full definition of the MQCMD_DELETE_AUTH_REC PCF command and its syntax, see Delete Authority Record.

On Windows, from IBM MQ 8.0, you can delete the OAM entries corresponding to a particular Windows user account at any time using the -u SID parameter of setmqaut.

Prior to IBM MQ 8.0, you had to delete the OAM entries corresponding to a particular Windows user account before deleting the user profile. It was impossible to remove the OAM entries after removing the user account.