Setting queue-based permissions on Linux, UNIX, and Windows systems
Use queue-based administration security to grant users permissions to complete specific tasks against an integration node running on Linux®, UNIX, or Windows.
Before you begin
Use the mqsichangeauthmode command to activate administration security and to specify the queue-based mode of administration security for the integration node.
About this task
For security reasons, it is important that permissions are set correctly. You can use WebSphere® MQ commands to set up and manage your required security levels. Use the setmqaut command to set the required permissions, and the dspmqaut command to check which permissions have been set.
Action | Integration node permission | Queue | WebSphere MQ permission (set on setmqaut command) |
---|---|---|---|
View | read | SYSTEM.BROKER.AUTH | +INQ |
Create | write | SYSTEM.BROKER.AUTH | +PUT |
Delete | write | SYSTEM.BROKER.AUTH | +PUT |
Modify | write | SYSTEM.BROKER.AUTH | +PUT |
Start | execute | SYSTEM.BROKER.AUTH | +SET |
Stop | execute | SYSTEM.BROKER.AUTH | +SET |
Action | Integration node permission | Queue | WebSphere MQ permission (set on setmqaut command) |
---|---|---|---|
View | read | SYSTEM.BROKER.AUTH.EG | +INQ |
Create | write | SYSTEM.BROKER.AUTH.EG | +PUT |
Delete | write | SYSTEM.BROKER.AUTH.EG | +PUT |
Modify | write | SYSTEM.BROKER.AUTH.EG | +PUT |
Start | execute | SYSTEM.BROKER.AUTH.EG | +SET |
Stop | execute | SYSTEM.BROKER.AUTH.EG | +SET |
Action | Integration node permission | Queue | WebSphere MQ permission (set on setmqaut command) |
---|---|---|---|
View | read | SYSTEM.BROKER.DC.AUTH | +INQ |
Replay | execute | SYSTEM.BROKER.DC.AUTH | +SET |
The setmqaut command grants and revokes permissions cumulatively. To avoid retaining unwanted permissions that have been set previously, set them explicitly on each setmqaut command by specifying -all to remove all existing permissions, followed by the permissions that you want to set.
The following command grants execute permission and retains any permissions that were already set:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 +set
The following command grants execute permission and does not retain any existing permissions:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set
You can also set multiple permissions at the same time. For example, the following command removes any existing permissions and then grants execute and write permissions:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set +put
Use the dspmqaut command after each setmqaut command, to check that the permissions have been set correctly.
For further information about the commands shown in the following examples, and for details of the parameters, see the WebSphere MQ Version 7.5 product documentation online.
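The dspmqaut check described above can be scripted for Linux and UNIX shells. The following is an added example, not part of the IBM documentation: it compares dspmqaut output with the integration node permissions you intended and reports authorizations that were retained from earlier cumulative grants. The function names, the constructed sample output, and the assumed dspmqaut layout (an "Entity ..." header followed by one authorization per line) are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code). Assumes dspmqaut prints an "Entity ..." header
# line followed by one authorization name per line, as in the sample below.

# Map integration node permissions to the MQ authorizations in the tables above.
expected_mq_auths() {
    auths=""
    for perm in "$@"; do
        case "$perm" in
            read)    auths="$auths inq" ;;
            write)   auths="$auths put" ;;
            execute) auths="$auths set" ;;
            *) echo "unknown permission: $perm" >&2; return 2 ;;
        esac
    done
    printf '%s\n' $auths | sort -u
}

# Reduce dspmqaut output (stdin) to a sorted list of authorization names.
reported_mq_auths() {
    sed -e '/^Entity /d' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u
}

in_list() {  # in_list ITEM LIST...
    item=$1; shift
    for x in "$@"; do [ "$x" = "$item" ] && return 0; done
    return 1
}

# check_auth PERMISSION... < dspmqaut output
# Returns 0 only when the reported authorizations exactly match the intended ones.
check_auth() {
    want=$(expected_mq_auths "$@") || return 2
    have=$(reported_mq_auths)
    status=0
    for a in $want; do in_list "$a" $have || { echo "MISSING $a"; status=1; }; done
    for a in $have; do in_list "$a" $want || { echo "UNEXPECTED $a"; status=1; }; done
    return $status
}

# Constructed sample: group1 should hold execute only, but an earlier +put
# grant was retained because -all was not specified.
SAMPLE_LEFTOVER='Entity group1 has the following authorizations for object SYSTEM.BROKER.AUTH:
        put
        set'

# Real use: dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 | check_auth execute
printf '%s\n' "$SAMPLE_LEFTOVER" | check_auth execute || echo "group1: permissions differ from intent"
```

An UNEXPECTED line means the group holds more than you intended; reissue setmqaut with -all followed by the intended permissions and run the check again.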
Examples
All the examples shown here are for an integration node that is associated with the queue manager test.
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -all +set +put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2
Revoke execute permission from the user IDs that are defined in the group group2:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2
setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all +put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3
Using OAM generic profiles on UNIX systems and Windows topic.
setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all -put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3
default for group group4:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4 -all +inq
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4
default for group group5:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5 -set -put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5
dmpmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**"