Object authority manager (OAM)

The authorization service component supplied with the WebSphere® MQ products is called the Object Authority Manager (OAM).

By default, the OAM is active and works with the control commands dspmqaut (display authority),dmpmqaut (dump authority), and setmqaut (set or reset authority).

The syntax of these commands and how to use them are described in The control commands.

The OAM works with the entity of a principal or group.
  • On UNIX and Linux® systems:
    • the principal is a user ID, or an ID associated with an application program running on behalf of a user.
    • the group is a UNIX or Linux system-defined collection of principals.
    • Authorizations can be granted or revoked at the group level only. A request to grant or revoke a user's authority updates the primary group for that user.
  • On Windows systems:
    • the principal is a Windows user ID, or an ID associated with an application program running on behalf of a user.
    • the group is a Windows group.
    • Authorizations can be granted or revoked at the principal or group level.
When an MQI request is made or a command is issued, the OAM checks the authorization of the entity associated with the operation to see whether it can:
  • Perform the requested operation.
  • Access the specified queue manager resources.

The authorization service enables you to augment or replace the authority checking provided for queue managers by writing your own authorization service component.