Setting queue-based permissions on Linux, UNIX, and Windows systems

Use queue-based administration security to grant users permissions to complete specific tasks against an integration node running on Linux®, UNIX, or Windows.

Before you begin

Use the mqsichangeauthmode command to activate administration security and to specify the queue-based mode of administration security for the integration node.

About this task

For security reasons, it is important that permissions are set correctly. You can use WebSphere® MQ commands to set up and manage your required security levels. Use the setmqaut command to set the required permissions, and the dspmqaut command to check which permissions have been set.

The following permissions are required for users to act on the integration node and its resources:
Table 1. Permissions required for acting on an integration node

| Action | Integration node permission | Queue | WebSphere MQ permission (set on setmqaut command) |
|--------|-----------------------------|-------|----------------------------------------------------|
| View   | read    | SYSTEM.BROKER.AUTH | +INQ |
| Create | write   | SYSTEM.BROKER.AUTH | +PUT |
| Delete | write   | SYSTEM.BROKER.AUTH | +PUT |
| Modify | write   | SYSTEM.BROKER.AUTH | +PUT |
| Start  | execute | SYSTEM.BROKER.AUTH | +SET |
| Stop   | execute | SYSTEM.BROKER.AUTH | +SET |

Table 2. Permissions required for acting on an integration server

| Action | Integration node permission | Queue | WebSphere MQ permission (set on setmqaut command) |
|--------|-----------------------------|-------|----------------------------------------------------|
| View   | read    | SYSTEM.BROKER.AUTH.EG | +INQ |
| Create | write   | SYSTEM.BROKER.AUTH.EG | +PUT |
| Delete | write   | SYSTEM.BROKER.AUTH.EG | +PUT |
| Modify | write   | SYSTEM.BROKER.AUTH.EG | +PUT |
| Start  | execute | SYSTEM.BROKER.AUTH.EG | +SET |
| Stop   | execute | SYSTEM.BROKER.AUTH.EG | +SET |

Table 3. Permissions required for acting on a data capture object

| Action | Integration node permission | Queue | WebSphere MQ permission (set on setmqaut command) |
|--------|-----------------------------|-------|----------------------------------------------------|
| View   | read    | SYSTEM.BROKER.DC.AUTH | +INQ |
| Replay | execute | SYSTEM.BROKER.DC.AUTH | +SET |

The setmqaut command grants and revokes permissions cumulatively. To avoid retaining unwanted permissions that have been set previously, set them explicitly on each setmqaut command by specifying -all to remove all existing permissions, followed by the permissions that you want to set.

The following command grants execute permission and retains any permissions that were already set:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 +set

The following command grants execute permission and does not retain any existing permissions:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set

You can also set multiple permissions at the same time. For example, the following command removes any existing permissions and then grants execute and write permissions:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set +put

Use the dspmqaut command after each setmqaut command, to check that the permissions have been set correctly.
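
The check described above can be scripted. The following is an added example, not IBM code: it compares a dspmqaut listing with the permissions you intended to grant and reports anything left over from earlier cumulative grants. The function names mq_auths and check_auths are hypothetical, the two sample listings are constructed, and the script assumes that dspmqaut prints one authorization per indented line below a header line.

```shell
#!/bin/sh
# Added example (not IBM code): verify a dspmqaut listing against the intended grants.

# Map integration node permissions to WebSphere MQ authorizations (Tables 1-3).
mq_auths() {
    out=""
    for p in "$@"; do
        case "$p" in
            read)    out="$out inq" ;;
            write)   out="$out put" ;;
            execute) out="$out set" ;;
            *) echo "unknown permission: $p" >&2; return 1 ;;
        esac
    done
    echo "${out# }"
}

# check_auths "EXPECTED": read dspmqaut output on stdin and compare it with the
# space-separated EXPECTED list. Prints each difference; returns 1 on any mismatch.
# Assumption: authorizations appear one per indented line below a header line.
check_auths() {
    want=" $1 "
    actual=" $(sed -n 's/^[[:space:]]\{1,\}\([a-z]\{1,\}\)[[:space:]]*$/\1/p' | tr '\n' ' ')"
    rc=0
    for a in $actual; do
        case "$want" in *" $a "*) ;; *) echo "unexpected: $a"; rc=1 ;; esac
    done
    for w in $want; do
        case "$actual" in *" $w "*) ;; *) echo "missing: $w"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: group1 already held put, then "+set" was run without "-all".
SAMPLE_CUMULATIVE='Entity group1 has the following authorizations for object SYSTEM.BROKER.AUTH:
        put
        set'
# Constructed sample: the same grant issued as "-all +set".
SAMPLE_CLEAN='Entity group1 has the following authorizations for object SYSTEM.BROKER.AUTH:
        set'

printf '%s\n' "$SAMPLE_CUMULATIVE" | check_auths "$(mq_auths execute)" || echo "=> leftover grants"
printf '%s\n' "$SAMPLE_CLEAN" | check_auths "$(mq_auths execute)" && echo "=> matches intent"
# Live use: dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 | check_auths "$(mq_auths execute)"
```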

For further information about the commands shown in the following examples, and for details of the parameters, see the WebSphere MQ Version 7.5 product documentation online.

Examples

All the examples shown here are for an integration node that is associated with the queue manager test.

Grant only execute permission on the integration node to the user IDs that are defined in the group group1:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1

Grant only execute and write permission on the integration node to the user IDs that are defined in the group group2:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -all +set +put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2

Revoke execute permission from the user IDs that are defined in the group group2:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2

Using a generic WebSphere MQ profile on a UNIX system, grant only write permission for all integration servers to the user IDs that are defined in the group group3:

setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all +put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3

Note: Enclose generic profile names in quotes on UNIX and Linux systems. For more information, see the WebSphere MQ Version 7.5 product documentation online and search for the topic "Using OAM generic profiles on UNIX systems and Windows".

Using a generic WebSphere MQ profile on a UNIX system, revoke write permission for all integration servers from the user IDs that are defined in the group group3:

setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all -put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3

Grant only read permission for a specific integration server called default to the group group4:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4 -all +inq
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4

Revoke execute and write permission for a specific integration server called default from the group group5:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5 -set -put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5

Using a generic WebSphere MQ profile on a non-UNIX system, dump all WebSphere MQ permissions for all integration servers:

dmpmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.**