Authority checking for PCF commands in IBM MQ
When a PCF command is processed, the UserIdentifier from the message descriptor (MQMD) of the command message is used for the required IBM® MQ object authority checks. Authority checking is implemented differently on each platform, as described in this topic.
The checks are performed on the system on which the command is processed; therefore the user ID must exist on the target system and hold the authorities the command requires there. If the command message comes from a remote system, one way to satisfy this is to define a matching user ID on both the local and the remote system. Because the check uses the UserIdentifier carried in the message, not the identity of whoever put the message, controlling who can put messages to the command server's input queue (SYSTEM.ADMIN.COMMAND.QUEUE) and who may set identity context on those messages is part of securing PCF.
IBM MQ for IBM i
In order to process any PCF command, the user ID must have dsp authority for the IBM MQ object on the target system.
In most cases these are the same checks that the equivalent IBM MQ CL commands perform when issued on a local system. See Setting up security on IBM i for the mapping from IBM MQ authorities to IBM i system authorities and for the authority requirements of the IBM MQ CL commands. Details of security concerning exits are given in Link level security using a security exit.
To process any of the following commands the user ID must be a member of the group profile QMQMADM:
- Ping Channel
- Change Channel
- Copy Channel
- Create Channel
- Delete Channel
- Reset Channel
- Resolve Channel
- Start Channel
- Stop Channel
- Start Channel Initiator
- Start Channel Listener
IBM MQ for UNIX, Linux®, and Windows
To process any of the following commands the user ID must belong to group mqm.
- Change Channel
- Copy Channel
- Create Channel
- Delete Channel
- Ping Channel
- Reset Channel
- Start Channel
- Stop Channel
- Start Channel Initiator
- Start Channel Listener
- Resolve Channel
- Reset Cluster
- Refresh Cluster
- Suspend Queue Manager
- Resume Queue Manager
IBM MQ Object authorities for Multiplatforms
Command | IBM MQ object authority | Class authority (for object type) |
---|---|---|
Change Authentication Information | dsp and chg | n/a |
Change Channel | dsp and chg | n/a |
Change Channel Listener | dsp and chg | n/a |
Change Client Connection Channel | dsp and chg | n/a |
Change Namelist | dsp and chg | n/a |
Change Process | dsp and chg | n/a |
Change Queue | dsp and chg | n/a |
Change Queue Manager | chg see Note 3 and Note 5 | n/a |
Change Service | dsp and chg | n/a |
Clear Queue | clr | n/a |
Copy Authentication Information | dsp | crt |
Copy Authentication Information (Replace) see Note 1 | from: dsp to: chg | crt |
Copy Channel | dsp | crt |
Copy Channel (Replace) see Note 1 | from: dsp to: chg | crt |
Copy Channel Listener | dsp | crt |
Copy Channel Listener (Replace) see Note 1 | from: dsp to: chg | crt |
Copy Client Connection Channel | dsp | crt |
Copy Client Connection Channel (Replace) see Note 1 | from: dsp to: chg | crt |
Copy Namelist | dsp | crt |
Copy Namelist (Replace) see Note 1 | from: dsp to: dsp and chg | crt |
Copy Process | dsp | crt |
Copy Process (Replace) see Note 1 | from: dsp to: chg | crt |
Copy Queue | dsp | crt |
Copy Queue (Replace) see Note 1 | from: dsp to: dsp and chg | crt |
Create Authentication Information | (system default authentication information) dsp | crt |
Create Authentication Information (Replace) see Note 1 | (system default authentication information) dsp to: chg | crt |
Create Channel | (system default channel) dsp | crt |
Create Channel (Replace) see Note 1 | (system default channel) dsp to: chg | crt |
Create Channel Listener | (system default listener) dsp | crt |
Create Channel Listener (Replace) see Note 1 | (system default listener) dsp to: chg | crt |
Create Client Connection Channel | (system default channel) dsp | crt |
Create Client Connection Channel (Replace) see Note 1 | (system default channel) dsp to: chg | crt |
Create Namelist | (system default namelist) dsp | crt |
Create Namelist (Replace) see Note 1 | (system default namelist) dsp to: dsp and chg | crt |
Create Process | (system default process) dsp | crt |
Create Process (Replace) see Note 1 | (system default process) dsp to: chg | crt |
Create Queue | (system default queue) dsp | crt |
Create Queue (Replace) see Note 1 | (system default queue) dsp to: dsp and chg | crt |
Create Service | (system default service) dsp | crt |
Create Service (Replace) see Note 1 | (system default service) dsp to: chg | crt |
Delete Authentication Information | dsp and dlt | n/a |
Delete Authority Record | (queue manager object) chg see Note 4 | see Note 4 |
Delete Channel | dsp and dlt | n/a |
Delete Channel Listener | dsp and dlt | n/a |
Delete Client Connection Channel | dsp and dlt | n/a |
Delete Namelist | dsp and dlt | n/a |
Delete Process | dsp and dlt | n/a |
Delete Queue | dsp and dlt | n/a |
Delete Service | dsp and dlt | n/a |
Inquire Authentication Information | dsp | n/a |
Inquire Authority Records | see Note 4 | see Note 4 |
Inquire Channel | dsp | n/a |
Inquire Channel Listener | dsp | n/a |
Inquire Channel Status (for ChannelType MQCHT_CLSSDR) | inq | n/a |
Inquire Client Connection Channel | dsp | n/a |
Inquire Namelist | dsp | n/a |
Inquire Process | dsp | n/a |
Inquire Queue | dsp | n/a |
Inquire Queue Manager | see Note 3 | n/a |
Inquire Queue Status | dsp | n/a |
Inquire Service | dsp | n/a |
Ping Channel | ctrl | n/a |
Ping Queue Manager | see Note 3 | n/a |
Refresh Queue Manager | (queue manager object) chg | n/a |
Refresh Security (for SecurityType MQSECTYPE_SSL) | (queue manager object) chg | n/a |
Reset Channel | ctrlx | n/a |
Reset Queue Manager | (queue manager object) chg | n/a |
Reset Queue Statistics | dsp and chg | n/a |
Resolve Channel | ctrlx | n/a |
Set Authority Record | (queue manager object) chg see Note 4 | see Note 4 |
Start Channel | ctrl | n/a |
Stop Channel | ctrl | n/a |
Stop Connection | (queue manager object) chg | n/a |
Start Listener | ctrl | n/a |
Stop Listener | ctrl | n/a |
Start Service | ctrl | n/a |
Stop Service | ctrl | n/a |
Escape | see Note 2 | see Note 2 |
Notes:
1. This row applies only if the object to be replaced already exists; otherwise the authority check is the same as for Create, or for Copy without Replace.
2. The required authority is determined by the MQSC command given in the escape text, and is equivalent to that of one of the preceding commands.
3. To process any PCF command, the user ID must have dsp authority for the queue manager object on the target system.
4. This PCF command is processed unless the command server was started with the -a parameter (strmqcsv -a), which blocks the commands that inquire, set or delete authority records. By default the command server starts with the queue manager and without -a. For more information, see Programmable command formats reference.
5. Granting a user ID chg authority for the queue manager object lets that user set authority records for every group and user, which amounts to full administrative control. Do not grant this authority to ordinary users or applications.
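The rules above combine in a way that is easy to get wrong when granting a non-administrator a narrow PCF role: Note 3 applies to every command, the channel commands carry a group gate on top of the object authority, Copy needs a class authority as well, and Replace pulls in the target object. The following is an added example, not IBM code, that encodes a subset of the table and evaluates a command against a user's granted authorities, then emits the setmqaut commands that would close any gap. The dump text is constructed sample data laid out like dmpmqaut output, and the use of the profile name '@class' for class authorities is an assumption about that layout.

```python
"""Added example, not IBM code: decide whether a user's granted authorities satisfy the
rules on this page for a PCF command (Note 3, the QMQMADM/mqm group gates, the per-object
table, class crt, and the Note 1 Replace rule) and emit setmqaut commands for any gap.
Assumptions: constructed dmpmqaut-style dump text; class authorities appear under '@class'."""
from typing import Dict, List, Optional, Set, Tuple

# Subset of the table above: command -> (object type, authorities needed on that object).
OBJECT_AUTH: Dict[str, Tuple[str, Set[str]]] = {
    "Inquire Channel": ("channel", {"dsp"}),
    "Start Channel":   ("channel", {"ctrl"}),
    "Reset Channel":   ("channel", {"ctrlx"}),
    "Inquire Queue":   ("queue", {"dsp"}),
    "Change Queue":    ("queue", {"dsp", "chg"}),
    "Delete Queue":    ("queue", {"dsp", "dlt"}),
    "Copy Queue":      ("queue", {"dsp"}),   # dsp on the source; class crt is checked separately
}
# Group gates from the platform sections above: QMQMADM on IBM i, mqm elsewhere.
QMQMADM_CMDS = {"Ping Channel", "Change Channel", "Copy Channel", "Create Channel",
                "Delete Channel", "Reset Channel", "Resolve Channel", "Start Channel",
                "Stop Channel", "Start Channel Initiator", "Start Channel Listener"}
MQM_CMDS = QMQMADM_CMDS | {"Reset Cluster", "Refresh Cluster",
                           "Suspend Queue Manager", "Resume Queue Manager"}

Grants = Dict[Tuple[str, str, str], Set[str]]   # (object type, profile, entity) -> authorities
Missing = List[Tuple[str, ...]]   # ("auth", a, type, name) | ("group", g) | ("class", "crt", type)

def parse_dmpmqaut(text: str) -> Grants:
    """Parse blank-line separated 'key: value' records into a grants map."""
    grants: Grants = {}
    for block in text.strip().split("\n\n"):
        rec = {k.strip(): v.strip() for k, v in
               (line.split(":", 1) for line in block.splitlines() if ":" in line)}
        key = (rec["object type"], rec["profile"], rec["entity"])
        grants.setdefault(key, set()).update(rec["authority"].split())
    return grants

def held(grants: Grants, otype: str, name: str, user: str, groups: Set[str]) -> Set[str]:
    """Authorities the user holds on one object, directly or through any of its groups."""
    out: Set[str] = set()
    for entity in {user, *groups}:
        out |= grants.get((otype, name, entity), set())
    return out

def check(command: str, obj: str, user: str, groups: Set[str], grants: Grants, qmgr: str,
          *, target: Optional[str] = None, target_exists: bool = False,
          platform: str = "unix") -> Missing:
    """Return the unmet requirements; an empty list means the command is authorized."""
    missing: Missing = []
    if "dsp" not in held(grants, "qmgr", qmgr, user, groups):       # Note 3
        missing.append(("auth", "dsp", "qmgr", qmgr))
    group, gated = ("QMQMADM", QMQMADM_CMDS) if platform == "ibmi" else ("mqm", MQM_CMDS)
    if command in gated and group not in groups:
        missing.append(("group", group))
    otype, needed = OBJECT_AUTH[command]
    for auth in sorted(needed - held(grants, otype, obj, user, groups)):
        missing.append(("auth", auth, otype, obj))
    if command.startswith("Copy"):
        if "crt" not in held(grants, otype, "@class", user, groups):
            missing.append(("class", "crt", otype))
        if target and target_exists:   # Note 1: replacing an existing queue needs dsp and chg on it
            for auth in sorted({"dsp", "chg"} - held(grants, otype, target, user, groups)):
                missing.append(("auth", auth, otype, target))
    return missing

def setmqaut_for(missing: Missing, qmgr: str, principal: str) -> List[str]:
    """setmqaut commands that would grant the unmet object and class authorities."""
    cmds: List[str] = []
    for item in missing:
        if item[0] == "auth":
            _, auth, otype, name = item
            where = "-t qmgr" if otype == "qmgr" else f"-t {otype} -n {name}"
            cmds.append(f"setmqaut -m {qmgr} {where} -p {principal} +{auth}")
        elif item[0] == "class":      # class authority: object type, no -n
            cmds.append(f"setmqaut -m {qmgr} -t {item[2]} -p {principal} +{item[1]}")
        # ("group", ...) is OS group membership, which setmqaut does not grant
    return cmds

# Constructed sample in the dmpmqaut layout: alice may inspect the queue manager and one
# queue; group mqops may display channel TO.QM2 and holds class crt for queues.
SAMPLE_DUMP = """
profile:     QM1
object type: qmgr
entity:      alice
authority:   connect inq dsp

profile:     APP.REQUEST
object type: queue
entity:      alice
authority:   get browse put inq dsp

profile:     TO.QM2
object type: channel
entity:      mqops
authority:   dsp

profile:     @class
object type: queue
entity:      mqops
authority:   crt
"""

if __name__ == "__main__":
    m = check("Start Channel", "TO.QM2", "alice", {"mqops"}, parse_dmpmqaut(SAMPLE_DUMP), "QM1")
    print(m or "authorized", setmqaut_for(m, "QM1", "alice"))
```

Run stand-alone, the script reports that alice cannot Start Channel TO.QM2 for two independent reasons: she is not in group mqm, and she lacks ctrl on the channel; only the second is something setmqaut can fix. The separation matters when reviewing a role: a user who has been granted every authority in the table for the channel commands still cannot run them on UNIX, Linux or Windows without the group membership, and a user in mqm still fails Note 3 if dsp on the queue manager object was never granted.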
IBM MQ also supplies some channel security exit points so that you can supply your own user exit programs for security checking. For more information, see Displaying a channel.