Determining which user is used for authorization
Authorities to access resources are granted to groups that the user is a member of or, in certain modes, directly to the user associated with the connection. During the connection process, and in particular for remote (client) connections, this identity could be changed by the queue manager's configuration. This page lists the different features of IBM® MQ and their configuration options that could impact a connecting application's identity and the order of precedence in which these features take effect.
Features that can modify which user is adopted
- Application asserted user: When a remote connection is started by IBM MQ, the operating system user that the process is running as is sent to the receiving queue manager. This user is sent to ensure that, if no further configuration exists that modifies the user, there is still a user that can be used for authorization checking.
- Channel MCAUSER setting: Applications connecting through network bindings do so by using an IBM MQ channel definition. Channel definitions support the MCAUSER attribute, which can be used to specify a different user to be used for authorization instead of the user asserted by the connecting application.
- Connection authentication ADOPTCTX: Applications can specify a user and password to be sent to a queue manager for authentication purposes. These credentials are authenticated using the configuration that is specified for the Connection Authentication feature. The ADOPTCTX option for Connection Authentication controls whether a user should be used for authorization after it has been successfully validated. If set to YES, the user that is supplied for authentication is adopted for authorization checks.
- Channel authentication record MCAUSER: During connection processing the queue manager attempts to find a channel authentication record that matches the connection. If a channel authentication record is matched, and its USERSRC attribute value is set to MAP, then IBM MQ changes the user used for authorization to the value of the record's MCAUSER attribute.
- Security exits: Security exits are custom functions that can be written and called during IBM MQ security processing. When the function is called it is supplied with a copy of the MQCD structure, which includes several fields relating to the connection's user that will be used for authorization checks. Security exits can modify these fields to change the user that will be authorized.
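The following MQSC script is an added example, not part of the original page, showing how each of the first four features above is configured on a single server-connection channel. The queue manager name, channel name APP.SVRCONN, AUTHINFO name APP.IDPW, address range and user names are assumptions chosen for illustration; the exit library name in the last comment is a placeholder.

```mqsc
* Connection authentication: validate the supplied user and password against the
* operating system, and adopt the validated user for authorization (ADOPTCTX).
DEFINE AUTHINFO(APP.IDPW) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(APP.IDPW)
REFRESH SECURITY TYPE(CONNAUTH)

* Channel definition: the MCAUSER attribute replaces the application-asserted
* user for every connection on this channel. A low-privilege user here means
* an asserted identity alone never gains access.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('nobody') REPLACE

* Channel authentication record: connections from the assumed address range are
* mapped to a specific user. With USERSRC(MAP) this overrides both the channel
* MCAUSER and the user adopted by connection authentication.
SET CHLAUTH(APP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('192.0.2.*') USERSRC(MAP) MCAUSER('appuser') ACTION(REPLACE)

* Security exit (highest precedence): configured on the channel with SCYEXIT;
* the exit itself is native code and is not shown here.
* ALTER CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) SCYEXIT('<exit-library>(<entry-point>)')
```

Run the script with runmqsc against the queue manager. Because every layer in the script sets a user, a connection from the mapped address range ends up authorized as appuser regardless of the identity it asserted or the password it presented, which is the precedence the next section describes.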
Order of precedence
The following table shows the order of precedence for each security feature described in Features that can modify which user is adopted when IBM MQ is selecting a user to authorize. The order is from lowest to highest, that is, a security feature setting a user at the first row is overridden by any of the other rows.
| Order | Feature |
|---|---|
| 1 (lowest) | Application asserted ID |
| 2 | Channel definition MCAUSER attribute |
| 3 | Connection authentication with ADOPTCTX(YES) |
| 4 | Channel authentication records with USERSRC(MAP) |
| 5 (highest) | Security exit |
Implications of early adopt
Connection authentication and channel authentication records provide a configuration option that controls when connection authentication user adoption is performed. This setting is referred to as early adopt. If early adopt is enabled, connection authentication identity adoption happens before channel authentication records are processed (meaning the channel authentication records override any CONNAUTH adoption).
If early adopt is disabled, the order is reversed: channel authentication records are processed before CONNAUTH adoption, so connection authentication adoption has a higher effective priority than channel authentication records.
The default setting for early adopt is enabled.
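To confirm which user a queue manager actually adopted, rather than reasoning it out from the table, the following MQSC commands are an added example (not from the original page) that display the effective identity. The channel name APP.SVRCONN, the address 192.0.2.10 and the client user alice are assumptions. The early adopt setting itself is not an MQSC attribute; it is configured in the queue manager's qm.ini Channels stanza as ChlauthEarlyAdopt, an attribute the original page does not name.

```mqsc
* Effective user for each running instance of the channel. MCAUSER in channel
* status reflects the user after channel MCAUSER, CONNAUTH adoption and CHLAUTH
* mapping have all been applied, so it is the value authorization checks use.
DISPLAY CHSTATUS(APP.SVRCONN) CONNAME MCAUSER STATUS

* Dry run of CHLAUTH matching for a hypothetical connection: shows which record
* would match an inbound connection from this address asserting this user, and
* the user it would map to, without any client connecting.
DISPLAY CHLAUTH(APP.SVRCONN) MATCH(RUNCHECK) ADDRESS('192.0.2.10') CLNTUSER('alice')

* User recorded on every connection handle, alongside the channel and address
* it arrived on; useful when correlating authorization failures in the error logs.
DISPLAY CONN(*) TYPE(CONN) CHANNEL CONNAME USERID
```

With early adopt enabled (the default), a connection that passes CONNAUTH and also matches a USERSRC(MAP) record shows the CHLAUTH MCAUSER in channel status; with early adopt disabled the same connection shows the CONNAUTH-validated user, because adoption then runs after the records. Comparing the RUNCHECK result with the live channel status is a quick way to detect that difference on a given queue manager.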