SAFMQ User Security Contexts
SAFMQ uses the "User" paradigm to describe client access authentication and authorization. When a client connects to SAFMQ, it presents its user name (sometimes called a user ID, login ID, or account), along with a password. The user name is well known in the SAFMQ system, whereas the password is meant to be confidential between the SAFMQ server and the client. Thus the password ensures the identity of the client presenting the user name as identification.
Alternatively, a user name can be mapped to an X509 Digital Certificate's identity (See: Passwordless Login). Using X509 Identities to identify a client eliminates the need to send a password from the client to the server. Additionally, the user name is not required; the X509 Digital Certificate can be used to fully identify a user account.
Each user account (identified by a user name) is granted or denied three permissions. These permissions are Modify Queues, Modify Users, and Modify Groups. The Modify Queues permission allows that account to create Queues in the SAFMQ server. The Modify Users permission allows the account to create and destroy other accounts as well as grant permissions to those accounts. The Modify Groups permission allows the account to create and destroy Security Groups. These permissions are set via the SAFMQ API (and SAFMQ Manager) function MQConnection::UserSetPermissions().
Users may be placed in a Security Group (sometimes simply referred to as "Groups"). Since Groups may be granted the same permissions as users, this allows multiple accounts to be granted similar permissions.
On a Queue by Queue basis, User Accounts and Groups (referred to collectively as Actors) are granted permissions to Queues (See Queue Access Control). This enables individual Users (Accounts) or Groups to be granted access to a Queue.