IBM Tivoli Composite Application Manager for Applications, Version 7.2.1.1

Setting the message access authorization level

For security reasons, you can use the MSGACCESS parameter of the WebSphere® MQ Monitoring agent to control the level of user access to WebSphere MQ messages.

Before you begin

If you are unfamiliar with how to change monitoring options for an agent instance, review the steps in Changing monitoring options. If you are unfamiliar with the monitoring options used, review the descriptions of the options in Monitoring options.

About this task

WebSphere MQ Monitoring agent can be configured to set the message access authorization level for one of the following accounts:
  • The Tivoli® Enterprise Portal user ID as the account (default setting).
  • The account of the WebSphere MQ Monitoring agent.
  • The predefined account.

Do the following steps to set the message access authorization level:

Procedure

  1. Open the monitoring file of the agent instance that you want to configure.
  2. Modify the MSGACCESS parameter in the SET MANAGER statement for a queue manager as needed, to specify the message manipulation authorization level. If it is not specified, the setting from the applicable SET GROUP statement is used.
    • If you specify the MSGACCESS parameter as NONE, DESC, RETRY, DATA, or DELETE, the SET QACCESS statement is ignored, and the message manipulation account is the same as the Tivoli Enterprise Portal user ID.
    • If you specify the value USEQACCESS on the MSGACCESS parameter, the message manipulation account is defined on the SET QACCESS statement. If you do not specify a SET QACCESS statement, or if no SET QACCESS statement covers the specified Tivoli Enterprise Portal user ID for the specified queue name, that user ID has the default message manipulation right of NONE; it cannot perform any message manipulation on the specified queue.
    1. Use the SET QACCESS statement to define multiple rules so that different Tivoli Enterprise Portal user IDs can have different message manipulation authorization levels. In this case, the message manipulation account can be specified. Table 1 shows the outcomes when a Tivoli Enterprise Portal user attempts to manipulate a message on a specified queue name. (These outcomes assume that the specified queue name passes the NAME parameter value check that is defined in SET QACCESS statement).
      Table 1. Message manipulation on a specified queue name

      MSGACCOUNT value   Tivoli Enterprise Portal user ID matches MSGAUTHUSERS?   Rule result   Message manipulation account
      UIUSER             YES                                                      SUCCESS       Tivoli Enterprise Portal user ID
      UIUSER             NO                                                       FAIL          N/A
      MQAGENT            YES                                                      SUCCESS       monitoring agent account
      MQAGENT            NO                                                       FAIL          N/A
      USER=user-id       YES                                                      SUCCESS       user-id
      USER=user-id       NO                                                       FAIL          N/A
      If the rule result in the above table is FAIL, the given SET QACCESS settings are ignored for the current request, and other SET QACCESS settings are checked. If none apply (all result in FAIL), the resultant access is NONE.
    2. Optional: Use multiple SET QACCESS statements to impose the strictest rules on a particular Tivoli Enterprise Portal user for a particular queue. If you issue multiple SET QACCESS commands that specify different manipulation access settings, and more than one of the access settings applies to a given Tivoli Enterprise Portal user, WebSphere MQ Monitoring agent assigns the lowest manipulation access to that user. The order of manipulation access settings from lowest to highest is: NONE, DESC, RETRY, DATA, DELETE.
  3. Save your settings.

Example

If you set the monitoring options as follows, the user SYSADMIN potentially has the manipulation access of DESC:

SET GROUP NAME(GROUP1) DEFAULT(YES) COMMAND(YES) MSGACCESS(DATA)
SET MANAGER NAME(QM1) MSGACCESS(USEQACCESS)
SET QACCESS NAME(DEMO*) MSGAUTHUSERS(*) MSGACCOUNT(MQAGENT) MSGACCESS(DELETE)
    MGRNAME(QM1)
SET QACCESS NAME(D*) MSGAUTHUSERS(SYS*) MSGACCOUNT(USER=DEMOUSER) MSGACCESS(DESC)
    MGRNAME(QM1)

Assume that the Tivoli Enterprise Portal user SYSADMIN wants to manipulate messages on the DEMO.QUEUE1 queue. The first manipulation access that applies to this user is DELETE, with the agent account (MQAGENT) as the message manipulation account. However, the manipulation access of DESC also applies to this user, with DEMOUSER as the message manipulation account. WebSphere MQ Monitoring agent assigns the message manipulation access of DESC to this user, because that is the lowest manipulation access that applies. If this Tivoli Enterprise Portal user attempts to delete a message, the following message is displayed: (KMQW008E) Not allowed By MSGACCESS, and the WebSphere MQ Monitoring agent prevents the user from deleting the message. See Customizing monitoring options for a more detailed description.
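The rule evaluation described in the procedure and walked through in this example, as an added illustration that is not product code and not part of this page: a small Python script that parses the SET statements above and works out which access level and manipulation account a portal user ends up with. It assumes that * in NAME and MSGAUTHUSERS matches any run of characters (as in the page's DEMO* and SYS*), that a SET QACCESS statement without MGRNAME applies to every queue manager, and that a missing MSGACCESS on a SET QACCESS statement means NONE.

```python
import fnmatch
import re

# Manipulation access levels ordered from lowest to highest, as the page states.
LEVELS = ["NONE", "DESC", "RETRY", "DATA", "DELETE"]

# Constructed sample: the monitoring options from the page's example.
OPTIONS = """
SET GROUP NAME(GROUP1) DEFAULT(YES) COMMAND(YES) MSGACCESS(DATA)
SET MANAGER NAME(QM1) MSGACCESS(USEQACCESS)
SET QACCESS NAME(DEMO*) MSGAUTHUSERS(*) MSGACCOUNT(MQAGENT) MSGACCESS(DELETE)
    MGRNAME(QM1)
SET QACCESS NAME(D*) MSGAUTHUSERS(SYS*) MSGACCOUNT(USER=DEMOUSER) MSGACCESS(DESC)
    MGRNAME(QM1)
"""


def parse_statements(text):
    """Turn 'SET <TYPE> KEY(value) ...' lines into (type, {key: value}) tuples.
    Indented continuation lines are joined to the statement before them."""
    joined = re.sub(r"\n[ \t]+", " ", text.strip())
    stmts = []
    for line in joined.splitlines():
        if line.startswith("SET "):
            params = dict(re.findall(r"(\w+)\(([^)]*)\)", line))
            stmts.append((line.split()[1], params))
    return stmts


def effective_access(stmts, mgr, queue, user):
    """Return (access level, manipulation account) for a portal user on a queue.
    SET MANAGER MSGACCESS wins, falling back to SET GROUP; USEQACCESS defers to the
    SET QACCESS rules, and when several rules apply the lowest level wins."""
    group = next((p for k, p in stmts if k == "GROUP"), {})
    manager = next((p for k, p in stmts if k == "MANAGER" and p.get("NAME") == mgr), {})
    level = manager.get("MSGACCESS", group.get("MSGACCESS", "NONE"))
    if level != "USEQACCESS":
        return level, user  # SET QACCESS ignored; account is the portal user ID
    matches = []
    for kind, p in stmts:
        if kind != "QACCESS" or p.get("MGRNAME", mgr) != mgr:
            continue
        if not fnmatch.fnmatchcase(queue, p.get("NAME", "*")):
            continue  # queue name fails the NAME check: rule not considered
        if not fnmatch.fnmatchcase(user, p.get("MSGAUTHUSERS", "")):
            continue  # rule result FAIL: rule ignored, next SET QACCESS checked
        acct = p.get("MSGACCOUNT", "UIUSER")  # assumption: UIUSER is the default
        account = user if acct == "UIUSER" else acct.split("=", 1)[-1]
        matches.append((LEVELS.index(p.get("MSGACCESS", "NONE")), account))
    if not matches:
        return "NONE", None  # no rule covers this user on this queue
    lowest = min(matches)
    return LEVELS[lowest[0]], lowest[1]
```

For the page's example, effective_access(parse_statements(OPTIONS), "QM1", "DEMO.QUEUE1", "SYSADMIN") returns ("DESC", "DEMOUSER"), matching the outcome the text describes.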
