Information for domain administrators

Use this topic to understand how IBM® MQ services check the authorization of user accounts attempting to access IBM MQ.

The user account must either have an individual IBM MQ authorization set or belong to a local group that has been authorized. A domain account can also be authorized through membership of a domain group included under an authorized local group through a single level of nesting.

The account under which the IBM MQ services are run must have the ability to query group memberships of domain accounts and have the authority to administer IBM MQ. Without the ability to query group memberships the access checks made by the services fail.

On most Windows domains, with domain controllers running Windows Active Directory, local accounts do not have the required authorization and a special domain user account with the required permissions must be used. The IBM MQ installer must be given the userid and password details so that they can be used to configure the IBM MQ service after the product is installed.

Typically, this special account has the IBM MQ administrator rights through membership of the domain group DOMAIN\Domain mqm. The domain group is automatically nested by the installation program under the local mqm group of the system on which IBM MQ is being installed.

See Creating and setting up domain accounts for IBM MQ for instructions on creating a suitable domain account.

Note: If an installer configures IBM MQ without a special account, many or all parts of IBM MQ do not work, depending upon the particular user accounts involved, as follows:
  • An installer currently logged on with a domain user account is not able to complete the Default Configuration, and the Postcard application does not work.
  • IBM MQ connections to queue managers running under domain accounts on other systems might fail.
  • Typical errors include AMQ8066: Local mqm group not found and AMQ8079: Access was denied when attempting to retrieve group membership information for user 'abc@xyz'.
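The following PowerShell function is an added illustration, not part of the IBM MQ product or this topic; it applies the authorization rules described above to a given account so an administrator can check a configuration before the service reports AMQ8066 or AMQ8079. It assumes it is run on the IBM MQ host under an account that can read domain group membership, Windows PowerShell 5.1 or later for `Get-LocalGroup`/`Get-LocalGroupMember`, and the RSAT ActiveDirectory module for `Get-ADGroupMember`; the function name, the `$Account` value and `DOMAIN\jsmith` are placeholders.

```powershell
# Added example (not IBM MQ product code). Reports whether an account is
# authorized for IBM MQ under the rules on this page:
#   1. the account is itself a member of the local 'mqm' group, or
#   2. the account is a member of a domain group (for example DOMAIN\Domain mqm)
#      that is nested directly under local 'mqm' (a single level of nesting).
# Assumes Windows PowerShell 5.1+ (Get-LocalGroup, Get-LocalGroupMember) and the
# RSAT ActiveDirectory module (Get-ADGroupMember). Names below are placeholders.

function Test-MqmAuthorization {
    param(
        [Parameter(Mandatory)] [string] $Account,   # e.g. 'DOMAIN\jsmith'
        [string] $LocalGroup = 'mqm'
    )

    # A missing local mqm group is the condition behind AMQ8066.
    try {
        $null = Get-LocalGroup -Name $LocalGroup -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Account = $Account; Authorized = $false
            Reason = "Local group '$LocalGroup' not found (compare AMQ8066)" }
    }

    $members = Get-LocalGroupMember -Group $LocalGroup

    # Rule 1: direct membership (a local or domain account listed under mqm).
    if ($members | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -ieq $Account }) {
        return [pscustomobject]@{ Account = $Account; Authorized = $true
            Reason = "Direct member of local '$LocalGroup'" }
    }

    # Rule 2: one level of nesting through a domain group under local mqm.
    # Get-ADGroupMember does not recurse by default, which matches the
    # single-level rule stated in the topic.
    $sam = ($Account -split '\\')[-1]
    $domainGroups = $members | Where-Object {
        $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory'
    }
    foreach ($g in $domainGroups) {
        $groupName = ($g.Name -split '\\')[-1]
        try {
            # This lookup is the group-membership query the IBM MQ service
            # account must be permitted to make; failure here mirrors AMQ8079.
            $domainMembers = Get-ADGroupMember -Identity $groupName -ErrorAction Stop
        } catch {
            return [pscustomobject]@{ Account = $Account; Authorized = $false
                Reason = "Cannot read membership of '$($g.Name)': $($_.Exception.Message) (compare AMQ8079)" }
        }
        if ($domainMembers | Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ieq $sam }) {
            return [pscustomobject]@{ Account = $Account; Authorized = $true
                Reason = "Member of domain group '$($g.Name)', nested under local '$LocalGroup'" }
        }
    }

    [pscustomobject]@{ Account = $Account; Authorized = $false
        Reason = "Not a member of '$LocalGroup' directly or through a nested domain group" }
}

# Usage with a placeholder account:
# Test-MqmAuthorization -Account 'DOMAIN\jsmith' | Format-List
```

Running the function as the account the IBM MQ services use is the most informative check: a result whose reason cites AMQ8079 shows that the service account itself lacks the permission to query domain group membership, which is exactly the condition that makes the services' access checks fail.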