Dear MQ community users,
I would appreciate it if you could advise on the correct domain group name format in order to grant the proper access to MQ objects.
I have a Windows DEV MQ Server v9.1.5 (host name: V000080117) joined to domain NBGIT. I need to grant numerous developers who belong to AD domain groups (such as NBGIT\Domain Users, NBGIT\Domain Computers), but not to the mqm group (since they should not have MQ Admin rights), specific MQ authorities.
Using IBM MQ Explorer, I am able to grant access to individual domain user IDs (principals) on that MQ Server's objects (Queue Manager, Queues, Channels), for instance exxxxx@NBGIT or fullname@NBGIT, BUT I am not able to add a domain group to the object access list.
For example, I am able to add the mqm group in the (QM) access list -> mqm@V000080117 and Users@BUILTIN, where "Users" is a local group on that Windows 2019 Server including NBGIT\Domain Users & NBGIT\Domain Computers. But when trying to add Domain Users@NBGIT in the (QM) access list, I am receiving the error msg:
AMQ4808: Unknown Group 'Domain Users@NBGIT'.
But the domain group name is valid since it exists in Active Directory.
In the MQ server error log, the following appears:
AMQ8075W: Authorization failed because the SID for entity 'domain_users@nbgit' cannot be obtained.
I have read that the correct Group name format is the following:
GroupName@domain domain_name\group_name
So, I am very skeptical about what might be wrong.
I have also read in the IBM MQ 9.2 Knowledge Center that
"For IBM MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed)."
Do you think that spaces in Domain Group names might be the root cause?
Any advice will be much appreciated.
Cheers, Nick.
------------------------------
NICK DAKORONIAS
------------------------------