Giving access to an IBM MQ object on UNIX, Linux, and Windows systems
Use the setmqaut control command, the SET AUTHREC MQSC command, or the MQCMD_SET_AUTH_REC PCF command to give users, and groups of users, access to IBM® MQ objects. Note that on the IBM MQ Appliance you can use only the SET AUTHREC command.
For a full definition of the setmqaut control command and its syntax, see setmqaut.
For a full definition of the SET AUTHREC MQSC command and its syntax, see SET AUTHREC.
For a full definition of the MQCMD_SET_AUTH_REC PCF command and its syntax, see Set Authority Record.
The queue manager must be running to use this command. When you have changed access for a principal, the changes are reflected immediately by the OAM.
To give access to an object, specify the following:
- The name of the queue manager that owns the objects you are working with; if you do not specify the name of a queue manager, the default queue manager is assumed.
- The name and type of the object (to identify the object uniquely). You specify the name as a profile; this is either the explicit name of the object, or a generic name, including wildcard characters. For a detailed description of generic profiles, and the use of wildcard characters within them, see Using OAM generic profiles on UNIX, Linux, and Windows systems.
- One or more principals and group names to which the authority applies.
  If a user ID contains spaces, enclose it in quotation marks when you use this command. On Windows systems, you can qualify a user ID with a domain name. If the actual user ID contains an at sign (@) symbol, replace it with @@ to show that it is part of the user ID, not the delimiter between the user ID and the domain name.
- A list of authorizations. Each item in the list specifies a type of access that is to be granted to that object (or revoked from it). Each authorization in the list is specified as a keyword, prefixed with a plus sign (+) or a minus sign (-). Use a plus sign to add the specified authorization, and a minus sign to remove the authorization. There must be no spaces between the + or - sign and the keyword.
You can specify any number of authorizations in a single command. For example, the list of authorizations to permit a user or group to put messages on a queue and to browse them, but to revoke access to get messages is:
+browse -get +put
Examples of using the setmqaut command
The following examples show how to use the setmqaut command to grant and revoke permission to use an object:
setmqaut -m saturn.queue.manager -t queue -n RED.LOCAL.QUEUE -g groupa +browse -get +put
In this example:
- saturn.queue.manager is the queue manager name
- queue is the object type
- RED.LOCAL.QUEUE is the object name
- groupa is the identifier of the group with authorizations that are to change
- +browse -get +put is the authorization list for the specified queue
- +browse adds authorization to browse messages on the queue (to issue MQGET with the browse option)
- -get removes authorization to get (MQGET) messages from the queue
- +put adds authorization to put (MQPUT) messages on the queue
setmqaut -m saturn.queue.manager -t queue -n MyQueue -p fvuser -g groupa -g groupb -put
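The rules above for principals (quote IDs that contain spaces, write @ as @@ inside a user ID) and for authorization lists (+ or - joined directly to the keyword) can be checked before a command reaches the queue manager. The following shell functions are an added example, not IBM code: they only build and print a setmqaut command line, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. Builds a setmqaut command line for review
# and prints it; nothing here runs setmqaut. Function names are hypothetical.

# mq_principal USER [DOMAIN]
# Doubles each @ in the user ID so it is not read as the user/domain
# delimiter, appends @DOMAIN when given, quotes the result if it has a space.
mq_principal() {
  p=$(printf '%s' "$1" | sed 's/@/@@/g')
  if [ -n "${2:-}" ]; then p="$p@$2"; fi
  case $p in
    *' '*) printf '"%s"' "$p" ;;
    *)     printf '%s' "$p" ;;
  esac
}

# mq_check_auths AUTH...
# Each item must be a keyword prefixed by + or -, with nothing in between.
mq_check_auths() {
  if [ "$#" -eq 0 ]; then
    echo "no authorizations given" >&2
    return 1
  fi
  for a in "$@"; do
    case $a in
      '' | [+-] | [!+-]* | [+-]*[!A-Za-z]*)
        echo "bad authorization '$a': write +keyword or -keyword" >&2
        return 1 ;;
    esac
  done
}

# mq_setmqaut_cmd QMGR OBJTYPE PROFILE -g|-p NAME AUTH...
# Prints the command, or returns 1 without printing if the input is malformed.
mq_setmqaut_cmd() {
  if [ "$#" -lt 6 ]; then echo "too few arguments" >&2; return 1; fi
  qm=$1 otype=$2 profile=$3 flag=$4 who=$5
  shift 5
  case $flag in
    -g | -p) ;;
    *) echo "expected -g or -p, got '$flag'" >&2; return 1 ;;
  esac
  mq_check_auths "$@" || return 1
  printf 'setmqaut -m %s -t %s -n %s %s %s %s\n' \
    "$qm" "$otype" "$profile" "$flag" "$who" "$*"
}

# Constructed sample: the group grant from the page's first example.
mq_setmqaut_cmd saturn.queue.manager queue RED.LOCAL.QUEUE -g groupa +browse -get +put
```

Pass the output of mq_principal as the NAME argument when the principal is a user ID that may contain spaces or an @ sign.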
Using the setmqaut command with a different authorization service
If you are using your own authorization service instead of the OAM, you can specify the name of this service on the setmqaut command to direct the command to this service. You must specify this parameter if you have multiple installable components running at the same time; if you do not, the update is made to the first installable component for the authorization service. By default, this is the supplied OAM.
Usage notes for SET AUTHREC
The list of authorizations to add and the list of authorizations to remove must not overlap. For example, you cannot add display authority and remove display authority with the same command. This rule applies even if the authorities are expressed using different options. For example, the following command fails because DSP authority overlaps with ALLADM authority:
SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALLADM)
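The exception to this overlapping behavior is the ALL authority. The following command first adds ALL authorities and then removes the SETID authority:
SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(ALL) AUTHRMV(SETID)
The following command first removes ALL authorities and then adds the DSP authority:
SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALL)
Regardless of the order in which they are provided on the command, the ALL authorities are processed first.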