setmqaut (grant or revoke authority)
Change the authorizations to a profile, object, or class of objects. Authorizations can be granted to, or revoked from, any number of principals or groups.
For more information about authorization service components, see Configuring installable services, Service components, and Authorization service interface.
For more information about how authorizations work, see How authorizations work.
From IBM® MQ 8.0, on UNIX and Linux® systems, the object authority manager (OAM) can use
user-based authorization as well as group-based authorization. For more information about user-based
authorizations, see OAM user-based
permissions on AIX® and Linux systems.
![[AIX]](ngaix.gif)
![[Linux]](nglinux.gif)
setmqaut -p username ...
, the primary group of the specified user
is the one that is associated with the authorization being updated.Syntax
Description
- Queue manager name
- Principals and user groups
- Object type
- Profile name
- Service component
- Authorizations for issuing MQI calls
- Authorizations for MQI context
- Authorizations for issuing commands for administration tasks
- Generic authorizations
Each authorization to be changed is specified in an authorization list as part of the command.
Each item in the list is a string prefixed by a plus sign (+) or a minus sign (-). For example, if
you include +put
in the authorization list, you grant authority to issue MQPUT
calls against a queue. Alternatively, if you include -put
in the authorization
list, you revoke the authority to issue MQPUT calls.
On Windows systems, the SecurityPolicy attribute applies only if the service specified is the default authorization service, that is, the OAM. The SecurityPolicy attribute allows you to specify the security policy for each queue manager.
On UNIX and Linux systems, for IBM MQ 8.0 and later, the value of the SecurityPolicy attribute specifies whether the queue manager uses user-based or group-based authorization. If you do not include this attribute, the default, which uses group-based authorization, is used.
For more information about the effect of the user and group settings of the SecurityPolicy attribute, see OAM user-based permissions on UNIX and Linux systems.
You can specify any number of principals, user groups, and authorizations in a single setmqaut command, but you must specify at least one principal or user group.
If a principal is a member of more than one user group, the principal effectively has the combined authorities of all those user groups.
On Windows systems, the principal
also has all the authorities that are granted to it explicitly using the setmqaut
command.
![[AIX]](ngaix.gif)
![[Linux]](nglinux.gif)
- If you use the setmqaut command to grant an authority to a principal, the authority is granted to the primary user group of the principal. This means that the authority is effectively granted to all members of that user group.
- If you use the setmqaut command to revoke an authority from a principal, the authority is revoked from the primary user group of the principal. This means that the authority is effectively revoked from all members of that user group.
To alter authorizations for a cluster sender channel that has been automatically generated by a repository, see Channel definition commands.
Required parameters
- -t ObjectType
- The type of object for which to change authorizations.
Possible values are as follows:
Table 1. ObjectType values. Value Description authinfo An authentication information object channel or chl A channel clntconn or clcn A client connection channel comminfo A communication information object listener or lstr A listener namelist or nl A namelist process or prcs A process queue or q A queue qmgr A queue manager rqmname or rqmn A remote queue manager name service or srvc A service topic or top A topic - -n Profile
- The name of the profile for which to change authorizations. The authorizations apply to all
IBM MQ objects with names that match the profile name
specified. The profile name can be generic, using wildcard characters to specify a range of names as
explained in Using OAM generic
profiles on AIX, Linux, and Windows systems.
This parameter is required, unless you are changing the authorizations of a queue manager, in which case you must not include it. To change the authorizations of a queue manager use the queue manager name, for example
where QMGR is the name of the queue manager and user1 is the principal for which you are adding or removing permissions.setmqaut -m QMGR -t qmgr -p user1 +connect
Each class of object has authority records for each group or principal. These records have the profile name@CLASS
and track thecrt
(create) authority common to all objects of that class. If thecrt
authority for any object of that class is changed then this record is updated. For example:
This shows that members of the groupprofile: @class object type: queue entity: test entity type: principal authority: crt
test
havecrt
authority to the classqueue
.Attention: You cannot delete the@CLASS
entries (the system is working as designed)
Optional parameters
- -m QMgrName
- The name of the queue manager of the object for which to change authorizations. The name can contain up to 48 characters.
This parameter is optional if you are changing the authorizations of your default queue manager.
- -p PrincipalName
- The name of the principal for which to change authorizations.
For IBM MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format:
userid@domain
For more information about including domain names on the name of a principal, see Principals and groups on UNIX, Linux and Windows.
You must have at least one principal or group.
- -g GroupName
- The name of the user group for which to change authorizations. You can specify more than one
group name, but each name must be prefixed by the -g flag.
For IBM MQ for Windows only, the group name can optionally include a domain name, specified in the following formats:
GroupName@domain domain\GroupName
The IBM MQ Object Authority Manager validates the users and groups at the domain level, only if you set the GroupModel attribute to GlobalGroups in the Securing stanza of the queue manager.
- -u SID
- The SID for which authorities are to be removed. You can specify more than one SID, but each name must be prefixed by the -u flag.
This option must be used with either +remove or -remove.
This parameter is only valid on IBM MQ for Windows.
- -s ServiceComponent
- The name of the authorization service to which the authorizations apply (if your system supports installable authorization services). This parameter is optional; if you omit it, the authorization update is made to the first installable component for the service.
- +remove or -remove
- Remove all the authorities from IBM MQ objects that match the specified profile.
- Authorizations
- The authorizations to be granted or revoked. Each item in the list is prefixed by a plus sign
(+) or a minus sign (-). The plus sign indicates that authority is to be granted. The minus sign
indicates that authority is to be revoked.
For example, to grant authority to issue MQPUT calls, specify +put in the list. To revoke the authority to issue MQPUT calls, specify -put.
Table 2 shows the authorities that can be given to the different object types.Table 2. Specifying authorities for different object types Authority Queue Process Queue manager Remote queue manager name Namelist Topic Auth info Clntconn Channel Listener Service Comminfo all
1Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes alladm
2Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes allmqi
3Yes Yes Yes Yes Yes Yes Yes No No No No No none
Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes altusr
No No Yes No No No No No No No No No browse
Yes No No No No No No No No No No No chg
Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes clr
Yes No No No No Yes No No No No No No connect
No No Yes No No No No No No No No No crt
Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes ctrl
4No No Yes No No Yes No No Yes Yes Yes No ctrlx
No No No No No No No No Yes No No No dlt
Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes dsp
Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes get
Yes No No No No No No No No No No No pub
No No No No No Yes No No No No No No put
Yes No No Yes No No No No No No No No inq
Yes Yes Yes No Yes No Yes No No No No No passall
Yes No No No No No No No No No No No passid
Yes No No No No No No No No No No No resume
No No No No No Yes No No No No No No set
Yes Yes Yes No No No No No No No No No setall
5Yes No Yes No No No No No No No No No setid
5Yes No Yes No No Yes No No No No No No sub
No No No No No Yes No No No No No No system
No No Yes No No No No No No No No No Notes:- The authority
all
is equivalent to the union of the authoritiesalladm
,allmqi
, andsystem
appropriate to the object type. - The authority
alladm
is equivalent to the union of the individual authoritieschg
,clr
,dlt
,dsp
,ctrl
, andctrlx
appropriate to the object type.crt
authority is not included in the subsetalladm
. - The authority
allmqi
is equivalent to the union of the individual authoritiesaltusr
,browse
,connect
,get
,inq
,pub
,put
,resume
,set
, andsub
appropriate to the object type. - The authority
ctrl
on the qmgr object is included when the you specifyalladm
on the setmqaut command. - To use
setid
orsetall
authority, authorizations must be granted on both the appropriate queue object and also on the queue manager object.setid
andsetall
are included inallmqi
.
- The authority
Description of specific authorities
You should not grant a user an authority (for example, set
authority on a queue
manager, or system
authority) that allows the user to access IBM MQ privileged options, unless the required authority is
specifically documented, and required to run any IBM MQ
command, or IBM MQ API call.
For example, a user requires system authority to run the setmqaut command.
- chg
-
A user needs
chg
authority to make any authorization changes on the queue manager. The authorization changes include:- Changing the authorizations to a profile, object, or class of objects
- Creating and modifying channel authentication records, and so on
A user also needs
chg
authority to change or set the attributes of an IBM MQ object, using PCF or MQSC commands. - ctrl
-
Within CHLAUTH rules it is possible to insist that users connecting are not privileged.
For the channel to check whether a user is privileged, the real user id running the channel process must have
+ctrl
authority on the qmgr object.For example, when the SVRCONN channel is running as a thread in an amqrmppa process and the real uid for this process is a userid named
mqadmin
(the userid that started the queue manager), thenmqadmin
must have+ctrl
authority on the qmgr object. - crt
-
If you grant an entity
+crt
authority to the queue manager, then that entity also gains+crt
authority for each object class.However, when you remove
+crt
authority against the queue manager object that only removes the authority on the queue manager object class;crt
authority for other objects classes are not removed.Note that
crt
authority on the queue manager object has no functional use, and is available for backwards-compatibility purposes only. - dlt
-
Note that the
dlt
authority against the queue manager object has no functional use, and is available for backwards-compatibility purposes only. - set
-
A user needs
set
authority against the queue to change or set the attributes of a queue using the MQSET API call.set
authority on the queue manager is not required for any administrative purpose, or for any application connecting to the queue manager.However, a user needs
set
authority against the queue manager to set privileged connection options.Note that
set
authority on the process object has no functional use, and is available for backwards-compatibility purposes only.Important: Privileged connection options are internal to the queue manager and are not available in IBM MQ API calls used by IBM MQ applications. - system
-
The setmqaut command makes a privileged IBM MQ connection to the queue manager.
Any user who runs IBM MQ commands that makes a privileged IBM MQ connection needs
system
authority on the queue manager.
Return codes
Return code | Explanation |
---|---|
0 | Successful operation |
26 | Queue manager running as a standby instance. |
36 | Invalid arguments supplied |
40 | Queue manager not available |
49 | Queue manager stopping |
58 | Inconsistent use of installations detected |
69 | Storage not available |
71 | Unexpected error |
72 | Queue manager name error |
133 | Unknown object name |
145 | Unexpected object name |
146 | Object name missing |
147 | Object type missing |
148 | Invalid object type |
149 | Entity name missing |
150 | Authorization specification missing |
151 | Invalid authorization specification |
Examples
- This example shows a command that specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager.
The authorizations are given to a user group called tango, and the associated authorization list specifies that the user group can:setmqaut -m saturn.queue.manager -n orange.queue -t queue -g tango +inq +alladm
- Issue MQINQ calls
- Perform all administration operations on that object
- In this example, the authorization list specifies that a user group called foxy:
- Cannot issue any MQI calls to the specified queue
- Can perform all administration operations on the specified queue
setmqaut -m saturn.queue.manager -n orange.queue -t queue -g foxy -allmqi +alladm
- This example gives user1 full access to all queues with names beginning a.b. on queue manager qmgr1. The profile applies to any object with a name that matches the profile.
setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all
- This example deletes the specified profile.
setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove
- This example creates a profile with no authority.
setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none