dspmqaut (display object authorization)
dspmqaut displays the authorizations of a specific IBM® MQ object.
Purpose
Use the dspmqaut command to display the current authorizations to a specified object.
If a user ID is a member of more than one group, this command displays the combined authorizations of all the groups.
Only one group or principal can be specified.
For more information about authorization service components, see Installable services, Service components, and Authorization service interface.
Syntax
Required parameters
- -n Profile
- The name of the profile for which to display authorizations. The authorizations apply to all
IBM MQ objects with names that match the profile name
specified.
This parameter is required, unless you are displaying the authorizations of a queue manager. In this case you must not include it and instead specify the queue manager name using the -m parameter.
- -t ObjectType
- The type of object on which to make the inquiry. Possible values are:
Table 1. The object type on which to make the inquiry. Object Type Description authinfo An authentication information object, for use with TLS channel security channel or chl A channel clntconn or clcn A client connection channel listener or lstr A Listener namelist or nl A namelist process or prcs A process queue or q A queue or queues matching the object name parameter qmgr A queue manager rqmname or rqmn A remote queue manager name service or srvc A service topic or top A topic
Optional parameters
- -m QMgrName
- The name of the queue manager on which to make the inquiry. This parameter is optional if you are displaying the authorizations of your default queue manager.
- -g GroupName
- The name of the user group on which to make the inquiry. You can specify only one name, which must be the name of an existing user group.
For IBM MQ for Windows only, the group name can optionally include a domain name, specified in the following formats:
GroupName@domain domain\GroupName
- -p PrincipalName
- The name of a user for whom to display authorizations to the specified object. For IBM MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format:
For more information about including domain names on the name of a principal, see Principals and groups.userid@domain
- -s ServiceComponent
- If installable authorization services are supported, specifies the name of the authorization service to which the authorizations apply. This parameter is optional; if you omit it, the authorization inquiry is made to the first installable component for the service.
Returned parameters
Returns an authorization list, which can contain none, one, or more authorization values. Each authorization value returned means that any user ID in the specified group or principal has the authority to perform the operation defined by that value.
Table 2 shows the authorities that can be given to the different object types.
Authority | Queue | Process | Queue manager | Remote queue manager name | Namelist | Topic | Auth info | Clntconn | Channel | Listener | Service |
---|---|---|---|---|---|---|---|---|---|---|---|
all | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
alladm | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
allmqi | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | No |
none | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
altusr | No | No | Yes | No | No | No | No | No | No | No | No |
browse | Yes | No | No | No | No | No | No | No | No | No | No |
chg | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
clr | Yes | No | No | No | No | Yes | No | No | No | No | No |
connect | No | No | Yes | No | No | No | No | No | No | No | No |
crt | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
ctrl | No | No | No | No | No | Yes | No | No | Yes | Yes | Yes |
ctrlx | No | No | No | No | No | No | No | No | Yes | No | No |
dlt | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
dsp | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
get | Yes | No | No | No | No | No | No | No | No | No | No |
pub | No | No | No | No | No | Yes | No | No | No | No | No |
put | Yes | No | No | Yes | No | Yes | No | No | No | No | No |
inq | Yes | Yes | Yes | No | Yes | No | Yes | No | No | No | No |
passall | Yes | No | No | No | No | Yes | No | No | No | No | No |
passid | Yes | No | No | No | No | Yes | No | No | No | No | No |
resume | No | No | No | No | No | Yes | No | No | No | No | No |
set | Yes | Yes | Yes | No | No | No | No | No | No | No | No |
setall | Yes | No | Yes | No | No | Yes | No | No | No | No | No |
setid | Yes | No | Yes | No | No | Yes | No | No | No | No | No |
sub | No | No | No | No | No | Yes | No | No | No | No | No |
system | No | No | Yes | No | No | No | No | No | No | No | No |
The following list defines the authorizations associated with each value:
Value | Description |
---|---|
all | Use all operations relevant to the object. all authority is equivalent to the union of the authorities alladm , allmqi , and system appropriate to the object type. |
alladm | Perform all administration operations relevant to the object |
allmqi | Use all MQI calls relevant to the object |
altusr | Specify an alternative user ID on an MQI call |
browse | Retrieve a message from a queue by issuing an MQGET call with the BROWSE option |
chg | Change the attributes of the specified object, using the appropriate command set |
clr | Clear a queue (PCF command Clear queue only) or a topic |
ctrl | Start, and stop the specified channel, listener, or service, and ping the specified channel. |
ctrlx | Reset or resolve the specified channel |
connect | Connect the application to the specified queue manager by issuing an MQCONN call |
crt | Create objects of the specified type using the appropriate command set |
dlt | Delete the specified object using the appropriate command set |
dsp | Display the attributes of the specified object using the appropriate command set |
get | Retrieve a message from a queue by issuing an MQGET call |
inq | Make an inquiry on a specific queue by issuing an MQINQ call |
passall | Pass all context |
passid | Pass the identity context |
pub | Publish a message on a topic using the MQPUT call. |
put | Put a message on a specific queue by issuing an MQPUT call |
resume | Resume a subscription using the MQSUB call. |
set | Set attributes on a queue from the MQI by issuing an MQSET call |
setall | Set all context |
setid | Set the identity context |
sub | Create, alter, or resume a subscription to a topic using the MQSUB call. |
system | Use queue manager for internal system operations |
- Control commands
- MQSC commands
- PCF commands
Return codes
Return code | Description |
---|---|
0 | Successful operation |
26 | Queue manager running as a standby instance. |
36 | Invalid arguments supplied |
40 | Queue manager not available |
49 | Queue manager stopping |
58 | Inconsistent use of installations detected |
69 | Storage not available |
71 | Unexpected error |
72 | Queue manager name error |
133 | Unknown object name |
145 | Unexpected object name |
146 | Object name missing |
147 | Object type missing |
148 | Invalid object type |
149 | Entity name missing |
Examples
- The following example shows a command to display the authorizations on queue manager
saturn.queue.manager
associated with user groupstaff
:dspmqaut -m saturn.queue.manager -t qmgr -g staff
The results from this command are:Entity staff has the following authorizations for object: get browse put inq set connect altusr passid passall setid
- The following example displays the authorities user1 has for queue a.b.c:
dspmqaut -m qmgr1 -n a.b.c -t q -p user1
The results from this command are:Entity user1 has the following authorizations for object: get put