Users and groups (entities) in the authorization service

In the authorization service, authorities are granted to users (also known as principals when the user name is fully qualified with the domain name) or groups of users for accessing IBM® MQ objects. Users and groups are collectively known as entities in the authorization service. You grant a set of authorities to an entity by creating an authority record.

On Windows, you can create authority records on objects for individual users and for groups of users. On UNIX, Linux®, and IBM i, you can create authority records only for groups of users; if you grant authorities to an individual user, the authorization service creates or updates the authority record for the user's primary group so that the same authorities are granted to all the users in the primary group.
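Before granting an authority to an individual user on UNIX or Linux, it helps to list every account the resulting group record will cover. The following script is an added example, not part of the IBM documentation; the account data is constructed, and counting supplementary members of the primary group (here carol) is an assumption about how the group record is applied.

```shell
#!/bin/sh
# Constructed sample data in /etc/passwd and /etc/group format (not a real host).
SAMPLE_PASSWD='alice:x:1001:2000:Alice:/home/alice:/bin/sh
bob:x:1002:2000:Bob:/home/bob:/bin/sh
carol:x:1003:2001:Carol:/home/carol:/bin/sh
mqm:x:990:990:MQ admin:/var/mqm:/bin/sh'
SAMPLE_GROUP='mqm:x:990:
traders:x:2000:carol
audit:x:2001:'

# user_gid USER: print USER's primary GID (passwd field 4); fail if unknown.
user_gid() {
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$gid"
}

# primary_group USER: print the name of the group whose authority record
# is created or updated when an authority is granted to USER.
primary_group() {
    gid=$(user_gid "$1") || return 1
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# affected_users USER: print, sorted on one line, every account in USER's
# primary group: accounts with the same primary GID plus the supplementary
# members listed in the group entry (assumed to be covered as well).
affected_users() {
    gid=$(user_gid "$1") || return 1
    {
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v g="$gid" '$4 == g { print $1 }'
        printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" \
            '$3 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

user=${1:-alice}
echo "Grant to '$user' lands on group '$(primary_group "$user")'; covers: $(affected_users "$user")"
```

On a real host, replace the two sample variables with the output of `getent passwd` and `getent group`.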

The following figure shows the authority record for the mqm group on a queue called Q_STOCKS_5. Q_STOCKS_5 is a queue on a Windows queue manager, so it is possible to view authority records that have been created for individual users. If the queue were hosted on a UNIX, Linux, or IBM i queue manager, there would be no Users tab available in the dialog.

A screen capture of the Manage Authority Records dialog

The users and groups that are displayed in MQ Explorer are defined in the operating system that hosts the queue manager and objects. You cannot, therefore, create or delete entities from within MQ Explorer itself. If you make a change to an entity while MQ Explorer is running, you must refresh the authorization service to pick up the changes; for more information, see Refreshing authorization service information.

Entities can be granted authorities explicitly and also by inheritance. For more information about how entities can inherit authorities, see Accumulated authorities.

On Windows, delete the authority records corresponding to a particular Windows user account before deleting that user account. It is impossible to remove the authority records after removing the Windows user account.