Comments (5)

1 PPotkay commented Permalink

If doing the above for a Unix Queue Manager, please use a group name instead of the individual user name. Refer to section 4.1.11 of the IBM MQ Security Redbook for details on why you might want to avoid granting access to individual User IDs on Unix systems.
http://www.redbooks.ibm.com/redpieces/abstracts/sg248069.html

2 Morag Hughson commented Permalink

Thanks Peter - you're absolutely right! And that link to the Redbook is an excellent one.

Cheers
Morag

3 Simon Davitt commented Permalink

Just a clarification to the above notes. When running the MQ Explorer on Unix or against a Unix queue manager, it (the Explorer) only gives an option for adding a group. The option for adding a user is suppressed.

As I understand it, this is because of a restriction when working with the OAM.
http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/index.jsp?topic=%2Fcom.ibm.mq.dev.doc%2Fq027720_.htm
States:
On Unix and Linux
- Authorizations can be granted or revoked at the group level only. A request to grant or revoke a user's authority updates the primary group for that user.

4 Morag Hughson commented Permalink

Many thanks Simon. Yes indeed so, we advise the use of groups on Unix.

5 Morag Hughson commented Permalink

Now in IBM MQ V8, the Unix OAM can be run in two possible modes: Group mode, where the comments above from Simon apply, and User mode, where you can now work with permissions assigned to Users even on Unix.