Principals and groups
Principals can belong to groups. You can grant access to a particular resource to groups rather than to individuals, to reduce the amount of administration required. On UNIX and Linux® systems all Access Control Lists (ACLs) are based on groups, but on Windows systems, ACLs are based on user IDs and groups.
- UNIX and Linux systems
- All ACLs are based on groups. When a user is granted access to a particular resource, the primary group of the user ID is included in the ACL. The individual user ID is not included and authority is granted to all members of that group. Because of this, be aware that you can inadvertently change the authority of a principal by changing the authority of another principal in the same group. All users are nominally assigned to the default user group nobody and by default, no authorizations are given to this group. You can change the authorization in the nobody group to grant access to WebSphere® MQ resources to users without specific authorizations.
Do not define a user ID with the value UNKNOWN. The value UNKNOWN is used when a user ID is too long, so arbitrary user IDs would use the access authorities of UNKNOWN. User IDs can contain up to 12 characters and group names up to 12 characters.
- Windows systems
- ACLs are based on both user IDs and groups. Checks are the same as for UNIX systems except that individual user IDs can be displayed in the ACL as well. You can have different users on different domains with the same user ID. WebSphere MQ permits user IDs to be qualified by a domain name so that these users can be given different levels of access. The group name can optionally include a domain name, specified in the following formats:
GroupName@domain
domain\GroupName
Global groups are checked by the OAM in two cases only:
User IDs can contain up to 20 characters, domain names up to 15 characters, and group names up to 64 characters.
The OAM first checks the local security database, then the database of the primary domain, and finally the database of any trusted domains. The first user ID encountered is used by the OAM for checking. Each of these user IDs might have different group memberships on a particular computer.
Some control commands (for example, crtmqm) change authorities on WebSphere MQ objects using the object authority manager (OAM). The OAM searches the security databases in the order given in the preceding paragraph to determine the authority rights for a particular user ID. As a result, the authority determined by the OAM might override the fact that a user ID is a member of the local mqm group. For example, if you issue the crtmqm command from a user ID authenticated by a domain controller that has membership of the local mqm group through a global group, the command fails if the system has a local user of the same name who is not in the local mqm group.
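The following is an added example, not WebSphere MQ code: a small Python model of the UNIX and Linux rules above (the ACL records the principal's primary group, not the user ID; the default group nobody holds nothing; user IDs longer than 12 characters are treated as UNKNOWN). The user database, group names and queue name are constructed, and the real OAM is not invoked.

```python
# Model of the OAM's group-based authorization on UNIX/Linux as described on
# this page. Constructed data only; no system or queue-manager lookups happen.
from dataclasses import dataclass, field

MAX_USER_ID_LEN = 12      # user IDs can contain up to 12 characters
UNKNOWN = "UNKNOWN"       # substituted by the OAM when a user ID is too long
DEFAULT_GROUP = "nobody"  # default group; no authorizations by default

# Constructed user database: user ID -> primary group.
PRIMARY_GROUP = {"alice": "mqapps", "bob": "mqapps", UNKNOWN: DEFAULT_GROUP}


@dataclass
class UnixOam:
    # ACL: (object type, object name) -> group -> set of authorities
    acl: dict = field(default_factory=dict)

    @staticmethod
    def effective_user(user_id: str) -> str:
        # An over-long user ID collapses to UNKNOWN, so every such caller
        # shares whatever authorities UNKNOWN's group has been given.
        return user_id if len(user_id) <= MAX_USER_ID_LEN else UNKNOWN

    def primary_group(self, user_id: str) -> str:
        return PRIMARY_GROUP.get(self.effective_user(user_id), DEFAULT_GROUP)

    def grant(self, obj, principal, auths):
        # The ACL entry records the principal's primary group, never the ID.
        group = self.primary_group(principal)
        self.acl.setdefault(obj, {}).setdefault(group, set()).update(auths)

    def revoke(self, obj, principal, auths):
        group = self.primary_group(principal)
        self.acl.get(obj, {}).get(group, set()).difference_update(auths)

    def check(self, obj, user_id, auth) -> bool:
        return auth in self.acl.get(obj, {}).get(self.primary_group(user_id), set())


def demo():
    oam = UnixOam()
    q = ("queue", "APP.REQUEST")  # constructed queue name
    oam.grant(q, "alice", {"put", "get"})
    bob_before = oam.check(q, "bob", "put")  # bob shares alice's group: True
    oam.revoke(q, "alice", {"put"})          # revoking alice also revokes bob
    bob_after = oam.check(q, "bob", "put")   # False
    long_id = oam.check(q, "averylongname", "get")  # 13 chars -> UNKNOWN -> nobody: False
    oam.grant(q, UNKNOWN, {"get"})           # the mistake the page warns against
    long_id_after = oam.check(q, "averylongname", "get")  # now True for any long ID
    return bob_before, bob_after, long_id, long_id_after
```

Running `demo()` returns `(True, False, False, True)`: the second value shows the inadvertent change to another principal, and the last shows why UNKNOWN must never be granted authority.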