Granting OAM permissions in AMS

File permissions allow all users to execute the setmqspl and dspmqspl commands. However, Advanced Message Security relies on the Object Authority Manager (OAM): any attempt to run these commands by a user who does not belong to the mqm group (the IBM® MQ administration group), or who has not been granted the authorities needed to read the security policy settings, results in an error.

Procedure

To grant necessary permissions to a user, run:

setmqaut -m SOME.QUEUE.MANAGER -t qmgr -p SOME.USER +connect +inq
setmqaut -m SOME.QUEUE.MANAGER -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p SOME.USER +browse +put
setmqaut -m SOME.QUEUE.MANAGER -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p SOME.USER +put
Note: You only need to set these OAM authorities if you intend to connect clients to the queue manager using Advanced Message Security 7.0.1.
Attention: Browse authority on the SYSTEM.PROTECTION.POLICY.QUEUE is not mandatory in all situations. IBM MQ optimizes performance by caching policies, so the records on the SYSTEM.PROTECTION.POLICY.QUEUE do not have to be browsed for policy details in every case.

IBM MQ does not cache all the policies available. If there is a high number of policies, IBM MQ caches only a limited number of them. So, if the queue manager has a low number of policies defined, there is no need to grant browse authority on the SYSTEM.PROTECTION.POLICY.QUEUE.

However, you should grant browse authority on this queue if a high number of policies is defined, or if you are using old clients. The SYSTEM.PROTECTION.ERROR.QUEUE is used to hold error messages generated by the AMS code. Put authority on this queue is checked only when an error message is put to the queue; it is not checked when you put or get messages on an AMS-protected queue.
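The following shell script is an added example, not IBM's own code: it wraps the three setmqaut grants from the procedure above in one function, and adds a check that parses dspmqaut output to report which of the required authorities a user is still missing, treating browse on the policy queue as optional unless strict mode is requested. The queue manager name QM1, the user name alice, and the dspmqaut listings in the SAMPLE_* variables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM MQ product code). QM1, alice and the SAMPLE_* listings
# below are constructed; setmqaut/dspmqaut must be on PATH for a real run.

# run CMD ARGS... -> executes the command, or only prints it when DRY_RUN is set
run() {
  if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# ams_grant QMGR USER -> grants the minimal AMS client authorities from the page
ams_grant() {
  qm=$1; user=$2
  run setmqaut -m "$qm" -t qmgr -p "$user" +connect +inq
  run setmqaut -m "$qm" -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p "$user" +browse +put
  run setmqaut -m "$qm" -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p "$user" +put
}

# ams_missing LISTING AUTH... -> prints each required authority that is absent
# from a dspmqaut listing (first line is the "Entity ... has the following
# authorizations" header, one authority per line after it); returns 1 if any
# are missing, 0 otherwise.
ams_missing() {
  out=$1; shift
  granted=$(printf '%s\n' "$out" | awk 'NR > 1 { print $1 }')
  rc=0
  for want in "$@"; do
    if ! printf '%s\n' "$granted" | grep -qx "$want"; then
      echo "$want"
      rc=1
    fi
  done
  return $rc
}

# ams_check QMGR USER [strict] -> queries dspmqaut for the three objects and
# reports anything missing. Browse on SYSTEM.PROTECTION.POLICY.QUEUE is only
# demanded in strict mode (many policies or old clients, per the note above).
ams_check() {
  qm=$1; user=$2; policy_auths="put"
  [ "$3" = "strict" ] && policy_auths="browse put"
  rc=0
  ams_missing "$(dspmqaut -m "$qm" -t qmgr -p "$user")" connect inq || rc=1
  ams_missing "$(dspmqaut -m "$qm" -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p "$user")" \
    $policy_auths || rc=1
  ams_missing "$(dspmqaut -m "$qm" -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p "$user")" \
    put || rc=1
  return $rc
}

# Constructed dspmqaut listings, in the shape the command prints.
SAMPLE_QMGR_AUTHS='Entity alice has the following authorizations for object QM1:
        connect
        inq'
SAMPLE_POLICY_AUTHS='Entity alice has the following authorizations for object SYSTEM.PROTECTION.POLICY.QUEUE:
        put'

# Usage on a real host:
#   ams_grant QM1 alice            # apply the grants
#   ams_check QM1 alice strict     # verify, requiring browse on the policy queue
#   DRY_RUN=1 ams_grant QM1 alice  # just print the setmqaut commands
```

The grants are deliberately limited to what the page lists (connect and inq on the queue manager, browse and put on the policy queue, put on the error queue), so the script does not widen the user's access. One caveat when reading the results back: on UNIX and Linux a queue manager grants -p authorities to the user's primary group by default rather than to the individual user, so dspmqaut -p will reflect whatever that group has been given, including authorities granted for other users in the same group.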