Access authorities for IBM MQ objects on IBM i
Access authorities required for running IBM® MQ CL commands.
- Group 1
- Users must be in the QMQMADM user group, or have *ALLOBJ authority, to process these commands.
Users having either of these authorities can process all commands in all categories without
requiring any extra authority. Note: These authorities override any OAM authority.These commands can be grouped as follows:
- Command Server Commands
- ENDMQMCSVR, End IBM MQ Command Server
- STRMQMCSVR, Start IBM MQ Command Server
- Dead-Letter Queue Handler Command
- STRMQMDLQ, Start IBM MQ Dead-Letter Queue Handler
- Listener Command
- ENDMQMLSR, End IBM MQ listener
- STRMQMLSR, Start non-object listener
- Media Recovery Commands
- RCDMQMIMG, Record IBM MQ Object Image
- RCRMQMOBJ, Re-create IBM MQ Object
- WRKMQMTRN, Work with IBM MQ Q Transactions
- Queue Manager Commands
- CRTMQM, Create Message Queue Manager
- DLTMQM, Delete Message Queue Manager
- ENDMQM, End Message Queue Manager
- STRMQM, Start Message Queue Manager
- Security Commands
- GRTMQMAUT, Grant IBM MQ Object Authority
- RVKMQMAUT, Revoke IBM MQ Object Authority
- Trace Command
- TRCMQM, Trace IBM MQ Job
- Transaction Commands
- RSVMQMTRN, Resolve IBM MQ Transaction
- Trigger Monitor Commands
- STRMQMTRM, Start Trigger Monitor
- IBM MQSC Commands
- RUNMQSC, Run IBM MQSC Commands
- STRMQMMQSC, Start IBM MQSC Commands
- Command Server Commands
- Group 2
- The rest of the commands, for which two levels of authority are required:
- IBM i authority to run the command. An IBM MQ administrator sets this using the GRTOBJAUT command
to override the *PUBLIC(*EXCLUDE) restriction for a user or group of users. For example:
GRTOBJAUT OBJ(QMQM/DSPMQMQ) OBJTYPE(*CMD) USER(MQUSER) AUT(*USE)
- IBM MQ authority to manipulate the IBM MQ objects associated with the command, or commands, given
the correct IBM i authority in Step 1.
This authority is controlled by the user having the appropriate OAM authority for the required action, set by an IBM MQ administrator using the GRTMQMAUT command
For example:GRTMQMAUT *connect authority to the queue manager + *admchg authority to the queue
The commands can be grouped as follows:- Channel Commands
- CHGMQMCHL, Change IBM MQ Channel
This requires *connect authority to the queue manager and *admchg authority to the channel.
- CPYMQMCHL, Copy IBM MQ Channel
This requires *connect and *admcrt authority to the queue manager, *admdsp authority to the default channel type to be copied, and *admcrt authority to the channel object class.
For example, copying a Sender channel, needs *admdsp authority to SYSTEM.DEF.SENDER channel
- CRTMQMCHL, Create IBM MQ Channel
This requires *connect and *admcrt authority to the queue manager, *admdsp authority to the default channel type to be created and *admcrt authority to the channel object class.
For example, creating a Sender channel, needs *admdsp authority to SYSTEM.DEF.SENDER channel
- DLTMQMCHL, Delete IBM MQ Channel
This requires *connect authority to the queue manager and *admdlt authority to the channel.
- RSVMQMCHL, Resolve IBM MQ Channel
This requires *connect authority to the queue manager and *ctrlx authority to the channel.
- CHGMQMCHL, Change IBM MQ Channel
- Display commands
To process the DSP commands you must grant the user
*connect
and*admdsp
authority to the queue manager, together with any specific option listed:- DSPMQM, Display Message Queue Manager
- DSPMQMAUT, Display IBM MQ Object Authority
- DSPMQMAUTI, Display IBM MQ Authentication
Information -
*admdsp
to the authentication information object - DSPMQMCHL, Display IBM MQ Channel -
*admdsp
to the channel - DSPMQMCSVR, Display IBM MQ Command Server
- DSPMQMNL, Display IBM MQ Namelist -
*admdsp
to the namelist - DSPMQMOBJN, Display IBM MQ Object Names
- DSPMQMPRC, Display IBM MQ Process -
*admdsp
to the process - DSPMQMQ, Display IBM MQ Queue -
*admdsp
to the queue - DSPMQMTOP, Display IBM MQ Topic -
*admdsp
to the topic
- Work with commands
To process the WRK commands and display the options panel you must grant the user
*connect
and*admdsp
authority to the queue manager, together with any specific option listed:- WRKMQM, Work with Message Queue Managers
- WRKMQMAUT, Work with IBM MQ Object Authority
- WRKMQMAUTD, Work with IBM MQ Object Authority Data
- WRKMQMAUTI, Work with IBM MQ Authentication Information
*admchg
for the Change IBM MQ Authentication Information Object command.*admcrt
for the Create and Copy IBM MQ Authentication Information Object command.*admdlt
for the Delete IBM MQ Authentication Information Object command.*admdsp
for the Display IBM MQ Authentication Information Object command.
- WRKMQMCHL, Work with IBM MQ Channel This requires the following authorities:
*admchg
for the Change IBM MQ Channel command.*admclr
for the Clear IBM MQ Channel command.*admcrt
for the Create and Copy IBM MQ Channel command.*admdlt
for the Delete IBM MQ Channel command.*admdsp
for the Display IBM MQ Channel command.*ctrl
for the Start IBM MQ Channel command.*ctrl
for the End IBM MQ Channel command.*ctrl
for the Ping IBM MQ Channel command.*ctrlx
for the Reset IBM MQ Channel command.*ctrlx
for the Resolve IBM MQ Channel command.
- WRKMQMCHST, Work with IBM MQ Channel Status
This requires
*admdsp
authority to the channel. - WRKMQMCL, Work with IBM MQ Clusters
- WRKMQMCLQ, Work with IBM MQ Cluster Queues
- WRKMQMCLQM, Work with IBM MQ Cluster Queue Manager
- WRKMQMLSR, Work with IBM MQ Listener
- WRKMQMMSG, Work with IBM MQ Messages
This requires
*browse
authority to the queue - WRKMQMNL, Work with IBM MQ Namelists This requires the following authorities:
*admchg
for the Change IBM MQ Namelist command.*admcrt
for the Create and Copy IBM MQ Namelist command.*admdlt
for the Delete IBM MQ Namelist command.*admdsp
for the Display IBM MQ Namelist command.
- WRKMQMPRC, Work with IBM MQ Processes This requires the following authorities:
*admchg
for the Change IBM MQ Process command.*admcrt
for the Create and Copy IBM MQ Process command.*admdlt
for the Delete IBM MQ Process command.*admdsp
for the Display IBM MQ Process command.
- WRKMQMQ, Work with IBM MQ queues This requires the following authorities:
*admchg
for the Change IBM MQ Queue command.*admclr
for the Clear IBM MQ Queue command.*admcrt
for the Create and Copy IBM MQ Queue command.*admdlt
for the Delete IBM MQ Queue command.*admdsp
for the Display IBM MQ Queue command.
- WRKMQMQSTS, Work with IBM MQ Queue Status
- WRKMQMTOP, Work with IBM MQ Topics This requires the following authorities
*admchg
for the Change IBM MQ Topic command.*admcrt
for the Create and Copy IBM MQ Topic command.*admdlt
for the Delete IBM MQ Topic command.*admdsp
for the Display IBM MQ Topic command.
- WRKMQMSUB, Work with IBM MQ Subscriptions
- Other Channel commands
To process the channel commands you must grant the user the specific authorities listed:
- ENDMQMCHL, End IBM MQ Channel
This requires
*connect
authority to the queue manager and*allmqi
authority to the transmission queue associated with the channel. - ENDMQMLSR, End IBM MQ Listener
This requires
*connect
authority to the queue manager and*ctrl
authority to the named listener object. - PNGMQMCHL, Ping IBM MQ Channel
This requires
*connect
and*inq
authority to the queue manager and*ctrl
authority to the channel object. - RSTMQMCHL, Reset IBM MQ Channel
This requires
*connect
authority to the queue manager. - STRMQMCHL, Start IBM MQ Channel
This requires
*connect
authority to the queue manager and*ctrl
authority to the channel object. - STRMQMCHLI, Start IBM MQ Channel Initiator
This requires
*connect
and*inq
authority to the queue manager, and*allmqi
authority to the initiation queue associated with the transmission queue of the channel. - STRMQMLSR, Start IBM MQ Listener
This requires *connect authority to the queue manager and *ctrl authority to the named listener object.
- ENDMQMCHL, End IBM MQ Channel
- Other commands:
To process the following commands you must grant the user the specific authorities listed:
- CCTMQM, Connect to Message Queue Manager
This requires no IBM MQ object authority.
- CHGMQM, Change Message Queue Manager
This requires
*connect
and*admchg
authority to the queue manager. - CHGMQMAUTI, Change IBM MQ Authentication Information
This requires
*connect
authority to the queue manager and*admchg
and*admdsp
authority to the authentication information object. - CHGMQMNL, Change IBM MQ Namelist
This requires
*connect
authority to the queue manager and*admchg
authority to the namelist. - CHGMQMPRC, Change IBM MQ Process
This requires
*connect
authority to the queue manager and*admchg
authority to the process. - CHGMQMQ, Change IBM MQ Queue
This requires
*connect
authority to the queue manager and*admchg
authority to the queue. - CLRMQMQ, Clear IBM MQ Queue
This requires
*connect
authority to the queue manager and*admclr
authority to the queue. - CPYMQMAUTI, Copy IBM MQ Authentication Information
This requires
*connect
authority to the queue manager and*admdsp
authority to the authentication information object and*admcrt
authority to the authentication information object class. - CPYMQMNL, Copy IBM MQ Namelist
This requires
*connect
and*admcrt
authority to the queue manager. - CPYMQMPRC, Copy IBM MQ Process
This requires
*connect
and*admcrt
authority to the queue manager. - CPYMQMQ, Copy IBM MQ Queue
This requires
*connect
and*admcrt
authority to the queue manager. - CRTMQMAUTI, Create IBM MQ Authentication Information
This requires
*connect
authority to the queue manager and*admdsp
authority to the authentication information object and*admcrt
authority to the authentication information object class. - CRTMQMNL, Create IBM MQ Namelist
This requires
*connect
and*admcrt
authority to the queue manager and*admdsp
authority to the default namelist. - CRTMQMPRC, Create IBM MQ Process
This requires
*connect
and*admcrt
authority to the queue manager and*admdsp
authority to the default process. - CRTMQMQ, Create IBM MQ Queue
This requires
*connect
and*admcrt
authority to the queue manager and*admdsp
authority to the default queue. - CVTMQMDTA, Convert IBM MQ Data Type Command
This requires no IBM MQ object authority.
- DLTMQMAUTI, Delete IBM MQ Authentication Information
This requires
*connect
authority to the queue manager and*ctrlx
authority to the authentication information object. - DLTMQMNL, Delete IBM MQ Namelist
This requires
*connect
authority to the queue manager and*admdlt
authority to the namelist. - DLTMQMPRC, Delete IBM MQ Process
This requires
*connect
authority to the queue manager and*admdlt
authority to the process. - DLTMQMQ, Delete IBM MQ Queue
This requires
*connect
authority to the queue manager and*admdlt
authority to the queue. - DSCMQM, Disconnect from Message Queue Manager
This requires no IBM MQ object authority.
- RFRMQMAUT, Refresh Security
This requires
*connect
authority to the queue manager. - RFRMQMCL, Refresh Cluster
This requires
*connect
authority to the queue manager. - RSMMQMCLQM, Resume Cluster Queue Manager
This requires
*connect
authority to the queue manager. - RSTMQMCL, Reset Cluster
This requires
*connect
authority to the queue manager. - SPDMQMCLQM, Suspend Cluster Queue Manager
This requires
*connect
authority to the queue manager.
- CCTMQM, Connect to Message Queue Manager
- IBM i authority to run the command. An IBM MQ administrator sets this using the GRTOBJAUT command
to override the *PUBLIC(*EXCLUDE) restriction for a user or group of users.