User IDs

When you create user IDs for client applications, the user IDs must not be longer than the maximum permitted length. You must not use the reserved user IDs UNKNOWN and NOBODY. If the server that the client connects to is an IBM® MQ for Windows server, you must escape the at sign (@). The permitted length of user IDs depends on the platform that is used for the server:

  • On z/OS® and UNIX and Linux®, the maximum length of a user ID is 12 characters.
  • On IBM i, the maximum length of a user ID is 10 characters.
  • On Windows, if both the IBM MQ MQI client and the IBM MQ server are on Windows, and the server has access to the domain on which the client user ID is defined, the maximum length of a user ID is 20 characters. However, if the IBM MQ server is not a Windows server, the user ID is truncated to 12 characters.
  • If you use the MQCSP structure to pass credentials, the maximum length of a user ID is 1024 characters. The MQCSP structure user ID cannot be used to circumvent the maximum user ID length used by IBM MQ for authorization. For more information about the MQCSP structure, see Identifying and authenticating users using the MQCSP structure.

On UNIX and Linux systems, the default is that user IDs are used for authentication and groups are used for authorization. However, you can configure these systems to authorize against user IDs. For more information, see OAM user-based permissions on UNIX and Linux. Windows systems can use user IDs for both authentication and authorization, and groups for authorization.

If you create service accounts without paying attention to groups, and authorize all the user IDs differently, every user can access the information of every other user.

Restricted user IDs

The user ID UNKNOWN and the group NOBODY have special meanings to IBM MQ. Creating a user ID in the operating system called UNKNOWN or a group called NOBODY could have unintended results.

User IDs when connecting to an IBM MQ for Windows server

An IBM MQ for Windows server does not support the connection of a Windows client if the client is running under a user ID that contains the @ character, for example, abc@d. The return code to the MQCONN call at the client is MQRC_NOT_AUTHORIZED.

However, you can specify the user ID using two @ characters, for example, abc@@d. Using the id@domain format is the preferred practice, to ensure that the user ID is resolved in the correct domain consistently; thus abc@@d@domain.
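
The rules on this page (length limits, reserved names, the @ escape) written as a pre-provisioning check, together with a collision test for Windows client user IDs that a non-Windows server truncates to 12 characters. This is an added example, not IBM code; the platform labels, function names and finding texts are its own, and its assumptions are marked in the comments.

```python
from collections import defaultdict

RESERVED = {"UNKNOWN", "NOBODY"}
SERVER_LIMIT = {"zos": 12, "unix": 12, "linux": 12, "ibmi": 10}
MQCSP_LIMIT = 1024


def auth_limit(server, client):
    """Length limit the page gives for this client/server platform pair."""
    if server == "windows":
        # 20 needs both ends on Windows and a server that can see the client's
        # domain (assumed here). The page gives no figure for other clients of
        # a Windows server, so 12 is this example's conservative assumption.
        return 20 if client == "windows" else 12
    return SERVER_LIMIT[server]


def check_user_id(user_id, server, client, via_mqcsp=False):
    """Return a list of findings; an empty list means no rule was broken."""
    findings = []
    # Case-insensitive matching is a cautious assumption, not a page statement.
    if user_id.upper() in RESERVED:
        findings.append("reserved name")
    limit = auth_limit(server, client)
    if len(user_id) > limit:
        findings.append(f"longer than {limit} characters for {server} server")
    if via_mqcsp and len(user_id) > MQCSP_LIMIT:
        findings.append(f"longer than MQCSP limit of {MQCSP_LIMIT}")
    if server == client == "windows" and "@" in user_id:
        findings.append("contains @, specify as " + user_id.replace("@", "@@"))
    return findings


def windows_form(user_id, domain):
    """Double each @ in the ID and append the domain, as in abc@@d@domain."""
    return user_id.replace("@", "@@") + "@" + domain


def truncation_collisions(user_ids, limit=12):
    """Map each truncated ID to the distinct full IDs that collapse onto it."""
    seen = defaultdict(set)
    for uid in user_ids:
        seen[uid[:limit]].add(uid)
    return {short: sorted(ids) for short, ids in seen.items() if len(ids) > 1}
```

IDs that truncation_collisions groups together reach a non-Windows server as the same 12-character user ID, so rename them before granting authorities.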