IBM MQ checks that any user attempting to access a queue manager, or queue manager resources such as queues, has permission to do so. This check is performed under the authority of the user that is configured to run the MQ Windows service, so that user must itself have the authority to perform the check. By default MQ is configured to run under the built-in user ‘MUSR_MQADMIN’, which belongs to the group ‘mqm’. The group ‘mqm’ is created during MQ installation, and all permissions required to administer MQ are assigned to this group. Hence, any user that is a member of this group has all the administrative permissions required by MQ.
If MQ needs to be administered and accessed by domain user accounts, then it needs to be configured to run under a domain account which has permission to query the group membership information of the other domain accounts. Follow the steps documented in the below IBM MQ Knowledge Center page to create the domain group and the domain accounts for use with IBM MQ.
In the example that I am illustrating here, I have created a domain group with the name ‘Domain mqm’ and a domain user called ‘mqsvcadmin’.
This image shows the ‘Domain mqm’ group on my domain controller.
MQ recognizes the special name ‘Domain mqm’. If this group is created before MQ is installed on a member server, MQ automatically adds it as a member of the local ‘mqm’ group. If the name of the domain group is anything other than ‘Domain mqm’, or if the group is created after installing MQ, then you must manually add the domain group as a member of the local ‘mqm’ group. Use the Prepare MQ Wizard (i.e. run the amqmjpse program from the MQ Bin64 folder) to configure the MQ service.
On the domain member server where MQ is installed the ‘Domain mqm’ group is added as a member of the local mqm group.
Run Prepare MQ Wizard to configure MQ.
All domain users that are members of the Domain mqm group will have administrative permission on IBM MQ. Use the setmqaut command to assign specific permissions to a domain user or group that needs to access MQ.
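The sketch below is an added example, not part of the original post: it uses setmqaut to give a separate domain group only the authorities an application needs, instead of making those accounts members of ‘Domain mqm’, and reads the result back with dspmqaut. The queue manager `QM1`, the queue `APP.REQUEST` and the group `mqapps@EXAMPLE` are constructed names, and the script assumes the MQ bin folder is on the PATH and that the queue manager's security stanza already allows domain groups.

```powershell
# Constructed names (assumptions, not from the original post).
$QMgr  = 'QM1'
$Group = 'mqapps@EXAMPLE'   # domain group for application accounts, not in 'Domain mqm'

# Least-privilege grants: connect to the queue manager and use a single queue.
$Grants = @(
    @{ Type = 'qmgr';  Name = $null;         Auth = 'connect', 'inq' }
    @{ Type = 'queue'; Name = 'APP.REQUEST'; Auth = 'put', 'get', 'browse', 'inq' }
)

foreach ($g in $Grants) {
    # Build the object selector; a qmgr object takes no -n argument.
    $target = @('-m', $QMgr, '-t', $g.Type)
    if ($g.Name) { $target += @('-n', $g.Name) }
    $target += @('-g', $Group)

    # Grant each authority using setmqaut's +<authority> form.
    $plus = $g.Auth | ForEach-Object { "+$_" }
    & setmqaut @target @plus
    if ($LASTEXITCODE -ne 0) { throw "setmqaut failed for $($g.Type) $($g.Name)" }

    # Read the effective authorities back. Assumption: dspmqaut prints one
    # indented authority name per line after its header line.
    $actual = & dspmqaut @target |
        Where-Object { $_ -match '^\s+\w+$' } |
        ForEach-Object { $_.Trim() }

    # Flag drift in either direction: authorities beyond the intended set
    # (for example left over from an earlier grant) or ones that did not apply.
    $extra   = $actual | Where-Object { $_ -notin $g.Auth }
    $missing = $g.Auth | Where-Object { $_ -notin $actual }
    if ($extra)   { Write-Warning "$($g.Type) $($g.Name): unexpected authorities: $($extra -join ', ')" }
    if ($missing) { Write-Warning "$($g.Type) $($g.Name): not granted: $($missing -join ', ')" }
}
```

Run it as a user that is a member of the local ‘mqm’ group, since only MQ administrators can change authorities.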
To use the setmqaut command to assign permissions to domain groups, the security stanza for the queue manager needs to be set as below.