OAM user-based permissions on UNIX and Linux

From IBM® MQ 8.0, on UNIX and Linux® systems, the object authority manager (OAM) can use user-based authorization as well as group-based authorization.

Before IBM MQ 8.0, access control lists (ACLs) on UNIX and Linux are based on groups only. From IBM MQ 8.0, ACLs are based on both user IDs and groups and you can use either the user-based model or the group-based model for authorization by setting the SecurityPolicy attribute to the appropriate value as described in Configuring installable services and Configuring authorization service stanzas on UNIX and Linux.

Changes in behavior for IBM MQ 8.0 and later

From IBM MQ 8.0, when running with the user-based policy, some commands return different information from earlier versions of the product:
  • The dmpmqaut and dmpmqcfg commands show user-based records, as do the PCF equivalent operations.
  • The OAM plug-in for IBM MQ Explorer shows user-based records and allows user-based modifications.
  • The OAM Inquire function returns results that show that it is user-capable.

Using the -p attribute on the setmqaut command does not grant access to all users in the same primary group, when user-based authorizations are enabled in the qm.ini file as described in Service stanza format.

If you start to employ user-based authorization and have many users, there will probably be more records that are stored on the AUTH queue than with the group-based model, and the authorization process might take a little longer than previously as there are more records to verify. This increase is not expected to be significant. If required, you can use a mixture of user and group permissions.

Migration considerations

If you change the model from group to user for an existing queue manager, there is no immediate effect. The authorizations that have already been made continue to apply. Any user that connects to the queue manager receives the same privileges as before: the combination of all the groups to which their ID belongs. When new setmqaut commands are issued for user IDs, they take immediate effect.

If you create a new queue manager with the user policy, this queue manager has permissions only for the user who creates it (which is normally, but not necessarily, the mqm user ID). There are also permissions that are automatically granted to the mqm group. However, if you do not have mqm as the primary group, then the mqm group is not included in the initial set of authorizations.

If you move from a user to group policy, the user-based authorizations are not automatically deleted. However, they are no longer used during the permissions check. Before reverting the policy, save the current configuration, change the policy, restart the queue manager, and then replay the script. Because it is now a group-based queue manager, the effect is that user ID rules are stored based on the primary group.