Commands and authorizations for administration security
If you have enabled administration security, users require specific permissions to be able to run the administration commands.
The following tables show the list of commands, and the permissions that you must set up
before users can run them.

| Command | MQ queue-based security: IBM MQ Queue (note 6) | MQ queue-based security: MQ permission (set on setmqaut command) | File-based security: Object flag (set on mqsichangefileauth command) (note 6) | File-based security: File permission (set on mqsichangefileauth command or in a .yaml configuration file) |
|---|---|---|---|---|
| mqsichangeresourcestats | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | SYSTEM.BROKER.AUTH.EG (note 1) | +SET | -e integration_server (note 1) | execute+ |
| mqsicreateexecutiongroup | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| mqsideleteexecutiongroup | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| mqsideploy | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| mqsilist | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | SYSTEM.BROKER.AUTH.** (note 2) | +INQ | -e integration_server (note 2) | read+ |
| mqsipushapis | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | SYSTEM.BROKER.AUTH.EG | +INQ | -e integration_server | read+ |
| mqsireloadsecurity | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | SYSTEM.BROKER.AUTH.** (note 3) | +PUT | -e integration_server (note 3) | write+ |
| mqsireportresourcestats | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | SYSTEM.BROKER.AUTH.EG (note 4) | +INQ | -e integration_server (note 4) | read+ |
| mqsistartmsgflow (note 5) | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | SYSTEM.BROKER.AUTH.EG | +SET | -e integration_server | execute+ |
| mqsistopmsgflow (note 5) | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | SYSTEM.BROKER.AUTH.EG | +SET | -e integration_server | execute+ |
| mqsiwebuseradmin | SYSTEM.BROKER.AUTH | +PUT | | write+ |

| Command | LDAP permission (set in a .yaml configuration file) |
|---|---|
| mqsichangeresourcestats | execute+ |
| mqsicreateexecutiongroup | read+,write+ |
| mqsideleteexecutiongroup | read+,write+ |
| mqsideploy | write+ |
| mqsilist | read+ |
| mqsipushapis | read+ |
| mqsireportresourcestats | read+ |
| mqsistartmsgflow | execute+ |
| mqsistopmsgflow | execute+ |
| mqsiwebuseradmin | write+ |

Notes:
1. If you are changing resource statistics collection for all integration servers on the integration node, you must have execute permission for all integration servers.
2. You must have read permission for every integration node and every integration server for which you are requesting information. If you request details about a resource for which you do not have the required permissions, message BIP1185S is returned to identify each resource with inappropriate permissions. The command completes the request and returns results for all the resources for which permissions are correct.
3. If you are using MQ queue-based security and SYSTEM.BROKER.AUTH.** is specified, the user ID running the command must have permissions for all integration servers. You can set up this level of authority by either creating a generic profile for all integration servers, or a specific profile for every integration server.
4. If you are reporting resource statistics collection for all integration servers on the integration node, you must have read permission for all integration servers.
5. If you are using MQ queue-based security and the queue name SYSTEM.BROKER.AUTH.EG is specified, the EG refers to the name of your integration server.
6. Where no object flag is specified, the permissions are set at the level of the integration node.
Only the commands that are listed in these tables are subject to administration security.
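
An added example (not IBM's code): a small shell helper that turns the MQ queue-based columns of the first table into a least-privilege `setmqaut` plan for one group, granting only the union of authorities per queue that the chosen commands need. The function names, the queue manager `IBNODE_QM`, the group `deployers` and the server `server1` are constructed; rows listed as `SYSTEM.BROKER.AUTH.**` are granted on the generic profile, which is one of the two options the notes give.

```shell
#!/bin/sh
# Added example: least-privilege setmqaut plan for MQ queue-based security.
# Function names, queue manager, group and server names are constructed.

# needs CMD SERVER: print the "queue authority" pairs the table lists for CMD.
needs() (
  base=SYSTEM.BROKER.AUTH
  eg="$base.$2"      # SYSTEM.BROKER.AUTH.EG, EG = integration server name
  all="$base.**"     # generic profile covering every integration server
  case "$1" in
    mqsichangeresourcestats|mqsistartmsgflow|mqsistopmsgflow)
      printf '%s\n' "$base +inq" "$eg +set" ;;
    mqsicreateexecutiongroup|mqsideleteexecutiongroup)
      printf '%s\n' "$base +inq" "$base +put" ;;
    mqsideploy)
      printf '%s\n' "$base +inq" "$eg +put" ;;
    mqsipushapis|mqsireportresourcestats)
      printf '%s\n' "$base +inq" "$eg +inq" ;;
    mqsilist)
      printf '%s\n' "$base +inq" "$all +inq" ;;
    mqsireloadsecurity)
      printf '%s\n' "$base +inq" "$all +put" ;;
    mqsiwebuseradmin)
      printf '%s\n' "$base +put" ;;
    *)
      echo "$1: not in the administration security tables" >&2
      exit 1 ;;
  esac
)

# setmqaut_plan QMGR GROUP SERVER CMD...: print one setmqaut line per queue,
# granting only the union of authorities that the listed commands need.
setmqaut_plan() (
  qmgr=$1 group=$2 server=$3
  shift 3
  pairs=$(for cmd in "$@"; do needs "$cmd" "$server" || exit 1; done) || exit 1
  printf '%s\n' "$pairs" | LC_ALL=C sort -u |
    awk -v m="$qmgr" -v g="$group" '
      NF == 2 { auth[$1] = auth[$1] " " $2 }
      END { for (q in auth) printf "setmqaut -m %s -n \047%s\047 -t queue -g %s%s\n", m, q, g, auth[q] }
    ' | LC_ALL=C sort
)

# Constructed invocation: a group that only deploys to and lists server1.
setmqaut_plan IBNODE_QM deployers server1 mqsideploy mqsilist
```

The plan is printed rather than executed, so it can be reviewed against the table before it is run on the queue manager host.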
Note: The permissions that are listed in these tables are in addition to the permission required to
run the command on specific platforms. Refer to the following topics for information about
platform-specific permissions: