Giving access to an IBM MQ object on UNIX, Linux, and Windows systems

Use the setmqaut control command, the SET AUTHREC MQSC command, or the MQCMD_SET_AUTH_REC PCF command to give users, and groups of users, access to IBM® MQ objects. Note that on IBM MQ Appliance you can use only the SET AUTHREC command.

For a full definition of the setmqaut control command and its syntax, see setmqaut.

For a full definition of the SET AUTHREC MQSC command and its syntax, see SET AUTHREC.

For a full definition of the MQCMD_SET_AUTH_REC PCF command and its syntax, see Set Authority Record.

The queue manager must be running to use these commands. When you have changed access for a principal, the changes are reflected immediately by the OAM.

To give users access to an object, you need to specify:
  • The name of the queue manager that owns the objects you are working with; if you do not specify the name of a queue manager, the default queue manager is assumed.
  • The name and type of the object (to identify the object uniquely). You specify the name as a profile; this is either the explicit name of the object, or a generic name, including wildcard characters. For a detailed description of generic profiles, and the use of wildcard characters within them, see Using OAM generic profiles on UNIX, Linux, and Windows systems.
  • One or more principals and group names to which the authority applies.

    If a user ID contains spaces, enclose it in quotation marks when you use this command. On Windows systems, you can qualify a user ID with a domain name. If the actual user ID contains an at sign (@) symbol, replace it with @@ to show that it is part of the user ID, not the delimiter between the user ID and the domain name.

  • A list of authorizations. Each item in the list specifies a type of access that is to be granted to that object (or revoked from it). Each authorization in the list is specified as a keyword, prefixed with a plus sign (+) or a minus sign (-). Use a plus sign to add the specified authorization, and a minus sign to remove the authorization. There must be no spaces between the + or - sign and the keyword.
    You can specify any number of authorizations in a single command. For example, the list of authorizations to permit a user or group to put messages on a queue and to browse them, but to revoke access to get messages is:
    
    +browse -get +put
    
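The authorization-list and principal syntax described in the items above can be modelled in a few lines. The following Python is an added example, not IBM's code and not part of setmqaut itself: it parses a list such as `+browse -get +put` (rejecting an item with a space between the sign and the keyword), applies it to a profile's current authorities, and splits a Windows-style principal in which `@@` stands for a literal `@`. The keyword set `QUEUE_AUTHS` is an assumption about the queue authorizations setmqaut accepts for `-t queue`; the `fvuser@@corp.example@CORP` value is a constructed sample.

```python
import re
from typing import Optional, Set, Tuple

# Assumed set of queue authorizations accepted by setmqaut for -t queue;
# adjust for other object types.
QUEUE_AUTHS = {
    "browse", "get", "put", "inq", "set",      # MQI authorities
    "chg", "clr", "dlt", "dsp",                # administration authorities
    "passall", "passid", "setall", "setid",    # context authorities
}

# Exactly one sign immediately followed by a keyword: "+ browse" is malformed.
AUTH_ITEM = re.compile(r"^([+-])([a-z]+)$")

# A single "@" separates the user ID from a Windows domain; "@@" is a literal "@".
DOMAIN_SEP = re.compile(r"(?<!@)@(?!@)")


def parse_auth_list(text: str) -> Tuple[Set[str], Set[str]]:
    """Split an authorization list such as '+browse -get +put' into
    (authorities to add, authorities to remove)."""
    adds: Set[str] = set()
    removes: Set[str] = set()
    for item in text.split():
        match = AUTH_ITEM.match(item)
        if not match:
            raise ValueError(f"malformed authorization item: {item!r}")
        sign, keyword = match.groups()
        if keyword not in QUEUE_AUTHS:
            raise ValueError(f"unknown queue authorization: {keyword!r}")
        (adds if sign == "+" else removes).add(keyword)
    if adds & removes:
        # Design choice for this model: an authority that is both added and
        # removed in one list is ambiguous, so refuse it rather than guess.
        raise ValueError(f"authorization both added and removed: {sorted(adds & removes)}")
    return adds, removes


def apply_auth_list(current: Set[str], text: str) -> Set[str]:
    """Return the authority set that results from applying the list to the
    profile's current authorities (adds applied, then removes)."""
    adds, removes = parse_auth_list(text)
    return (set(current) | adds) - removes


def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Split 'user@@example.com@CORP' into ('user@example.com', 'CORP').
    A principal with no unescaped '@' has no domain part."""
    parts = DOMAIN_SEP.split(principal)
    if len(parts) > 2:
        raise ValueError(f"more than one domain delimiter in {principal!r}")
    user = parts[0].replace("@@", "@")
    domain = parts[1] if len(parts) == 2 else None
    return user, domain


if __name__ == "__main__":
    # Constructed sample: the page's example list applied to a profile that
    # currently holds get and inq.
    print(apply_auth_list({"get", "inq"}, "+browse -get +put"))
    print(split_principal("fvuser@@corp.example@CORP"))
```

Running the block prints the resulting authority set `{'browse', 'inq', 'put'}` and the pair `('fvuser@corp.example', 'CORP')`; a list such as `+ browse` raises `ValueError`, which is the check a wrapper script should make before it shells out to setmqaut.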

Examples of using the setmqaut command

The following examples show how to use the setmqaut command to grant and revoke permission to use an object:
setmqaut -m saturn.queue.manager -t queue -n RED.LOCAL.QUEUE
         -g groupa +browse -get +put
In this example:
  • saturn.queue.manager is the queue manager name
  • queue is the object type
  • RED.LOCAL.QUEUE is the object name
  • groupa is the identifier of the group with authorizations that are to change
  • +browse -get +put is the authorization list for the specified queue
    • +browse adds authorization to browse messages on the queue (to issue MQGET with the browse option)
    • -get removes authorization to get (MQGET) messages from the queue
    • +put adds authorization to put (MQPUT) messages on the queue
The following command revokes put authority on the queue MyQueue from principal fvuser and from groups groupa and groupb. On UNIX and Linux® systems, this command also revokes put authority for all principals in the same primary group as fvuser.

setmqaut -m saturn.queue.manager -t queue -n MyQueue -p fvuser
         -g groupa -g groupb -put

Using the setmqaut command with a different authorization service

If you are using your own authorization service instead of the OAM, you can specify the name of this service on the setmqaut command to direct the command to this service. You must specify this parameter if you have multiple installable components running at the same time; if you do not, the update is made to the first installable component for the authorization service. By default, this is the supplied OAM.

Usage notes for SET AUTHREC

The list of authorizations to add and the list of authorizations to remove must not overlap. For example, you cannot add display authority and remove display authority with the same command. This rule applies even if the authorities are expressed using different options. For example, the following command fails because DSP authority overlaps with ALLADM authority:

SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALLADM)
The exception to this overlap behavior is with the ALL authority. The following command first adds ALL authorities then removes the SETID authority:

SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(ALL) AUTHRMV(SETID)
The following command first removes ALL authorities then adds the DSP authority:

SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALL)

Regardless of the order in which the authorities are specified on the command, the ALL authority is processed first.
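The overlap rule and the ALL exception above can be checked before a command is issued. The following Python is an added example, not IBM's code and not the behaviour of the queue manager itself: it extracts the AUTHADD and AUTHRMV lists from a SET AUTHREC command, expands group names, rejects any overlap, and applies ALL first regardless of where it appears. The expansions in `GROUPS` are my assumption of the ALLMQI, ALLADM and context authorities for OBJTYPE(QUEUE); verify them against the SET AUTHREC reference for your release.

```python
import re
from typing import Dict, Iterable, List, Set

# Assumed group expansions for OBJTYPE(QUEUE). ALL is taken to cover the MQI,
# administration and context authorities; confirm against your release.
ALLMQI = {"BROWSE", "GET", "INQ", "PUT", "SET"}
ALLADM = {"CHG", "CLR", "DLT", "DSP"}
CONTEXT = {"PASSALL", "PASSID", "SETALL", "SETID"}
GROUPS: Dict[str, Set[str]] = {
    "ALLMQI": ALLMQI,
    "ALLADM": ALLADM,
    "ALL": ALLMQI | ALLADM | CONTEXT,
}

# KEYWORD(value,value,...) pairs as they appear on an MQSC command line.
KEYWORD = re.compile(r"([A-Z0-9]+)\(([^)]*)\)", re.IGNORECASE)


def expand(names: Iterable[str]) -> Set[str]:
    """Expand group names (ALLMQI, ALLADM) into individual authorities."""
    result: Set[str] = set()
    for name in names:
        name = name.strip().upper()
        if name:
            result |= GROUPS.get(name, {name})
    return result


def parse_set_authrec(command: str) -> Dict[str, List[str]]:
    """Return the KEYWORD(...) parameters of a SET AUTHREC command as lists."""
    if not command.strip().upper().startswith("SET AUTHREC"):
        raise ValueError("not a SET AUTHREC command")
    params: Dict[str, List[str]] = {}
    for keyword, values in KEYWORD.findall(command):
        params[keyword.upper()] = [v.strip() for v in values.split(",") if v.strip()]
    return params


def apply_set_authrec(current: Set[str], command: str) -> Set[str]:
    """Apply AUTHADD/AUTHRMV to a profile's current authorities, enforcing the
    documented rules: the two lists must not overlap once group names are
    expanded, except that ALL is allowed and is processed first."""
    params = parse_set_authrec(command)
    add = [a.upper() for a in params.get("AUTHADD", [])]
    rmv = [r.upper() for r in params.get("AUTHRMV", [])]

    add_all, rmv_all = "ALL" in add, "ALL" in rmv
    if add_all and rmv_all:
        raise ValueError("ALL appears in both AUTHADD and AUTHRMV")
    add_rest = expand(a for a in add if a != "ALL")
    rmv_rest = expand(r for r in rmv if r != "ALL")
    overlap = add_rest & rmv_rest
    if overlap:
        raise ValueError(f"AUTHADD and AUTHRMV overlap on {sorted(overlap)}")

    result = set(current)
    # ALL first, regardless of its position on the command.
    if add_all:
        result |= GROUPS["ALL"]
    if rmv_all:
        result -= GROUPS["ALL"]
    result |= add_rest
    result -= rmv_rest
    return result


if __name__ == "__main__":
    # The page's three commands, run against a constructed starting record.
    base = "SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) "
    print(sorted(apply_set_authrec(set(), base + "AUTHADD(ALL) AUTHRMV(SETID)")))
    print(sorted(apply_set_authrec({"GET", "PUT"}, base + "AUTHADD(DSP) AUTHRMV(ALL)")))
    try:
        apply_set_authrec(set(), base + "AUTHADD(DSP) AUTHRMV(ALLADM)")
    except ValueError as err:
        print("rejected:", err)
```

The DSP/ALLADM command is rejected because DSP is inside the expanded ALLADM set, while the two ALL commands pass because ALL is exempt from the overlap check and is applied before the remaining authorities.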