Types of user and how they are authenticated

There are two types of user on the IBM® MQ Appliance: appliance users and messaging users. Appliance users are users that can administer the appliance and IBM MQ resources. Messaging users are users that can perform operations on messaging resources.

Appliance users

Authentication of appliance users, and their authorization to access appliance resources, is controlled by role-based management (RBM). RBM defines how users are authenticated and authorized. You can specify the following authentication methods:
  • Users can be authenticated by an LDAP server.
  • User details can be specified in an XML file.
  • You can specify local users on the appliance itself.
You can specify the following authorization methods:
  • Access policies can be defined in an XML file.
  • Access policies can be defined in local user groups.
You can map user groups looked up in an LDAP directory onto groups defined in an XML file or defined locally.

Where you have locally defined users, RBM can specify password policies and account policies for them. These policies define the rules governing passwords (such as minimum length, character types, and expiration periods) and the rules governing when accounts are locked out after failed login attempts.

Messaging users

Messaging users can connect to queue managers remotely to send and receive messages. They can be authorized to remotely manage some aspects of queue managers by using client connections such as the IBM MQ Explorer. Messaging users are created by using user administration commands.

Messaging users can be stored in the internal user store, or in an external LDAP repository. (The internal user store is separate from the store used for appliance users.) The scalability of the internal store is limited, so in situations where many messaging users exist, an external LDAP repository provides better performance.

See Administering messaging users for guidance on working with messaging users and messaging user groups.

See Overview of LDAP authorization in the IBM MQ documentation for guidance on using an external LDAP repository.