IBM Support

Difference between wildcards for single * and double ** in MQ setmqaut

Question & Answer


Question

What is the difference between the wildcard * (one asterisk) and wildcard ** (two asterisks) when specifying profile names for queues in MQ setmqaut?

Answer

The best way to answer this question is with a specific scenario: a set of queues whose names follow a pattern, with periods separating the string tokens.

ContextLevel1
ContextLevel1.ContextLevel2
ContextLevel1.ContextLevel2.ContextLevel3
ContextLevel1.ContextLevel2.ContextLevel3.ContextLevel4


The single asterisk pattern in the wildcard, such as "ContextLevel1.*", will address ONLY the IMMEDIATE SINGLE context. For this example, that is:

ContextLevel1.ContextLevel2

In contrast, the double asterisk pattern in the wildcard, "ContextLevel1.**", will address ALL the context levels. For this example, that is:

ContextLevel1
ContextLevel1.ContextLevel2
ContextLevel1.ContextLevel2.ContextLevel3
ContextLevel1.ContextLevel2.ContextLevel3.ContextLevel4


Now let's proceed with actual examples to distinguish the behavior between * and ** wildcards:

Let's assume that the following local queues have been created. Notice that each string between period(s) is considered to be "1 context level"

123 => 1 context level
123.456 => 2 context levels 

ABC => 1 context level
ABC.DEF => 2 context levels 
ABC.DEF.GHI => 3 context levels
ABC.DEF.GHI.JKL => 4 context levels
ABC.DEF.GHI.JKL.MNO => 5 context levels


The user for this scenario is a non-MQ administrator, which means that we have to explicitly execute the setmqaut command to provide the necessary authorities.
The following 4 authorities are needed for this user to use the MQ Explorer:
  setmqaut -m MYQMGR -t qmgr -p myuser +connect +inq +dsp
  setmqaut -m MYQMGR -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p myuser +inq +browse +get +dsp
  setmqaut -m MYQMGR -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p myuser +inq +put +dsp
  setmqaut -m MYQMGR -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p myuser +inq +browse +get +dsp +put

In addition, it is necessary to specify the following to provide "display" only authority for the SYSTEM queues. Notice that this command already uses a wildcard with 2 asterisks; the explanation comes later. Suffice it to say that without this authority, the user will not be able to see the queues displayed in MQ Explorer.
 setmqaut -m MYQMGR -t q -n SYSTEM.** -p myuser +dsp

Let's begin with the scenario.

1) Baseline:
At this point, the user does not have additional authorities for the new local queues.
When using MQ Explorer to see the queues, the user sees ONLY the queues that begin with SYSTEM.
Let's click on the icon that hides these SYSTEM queues, in order to concentrate on the non-system queues. This icon is called "Show/Hide System Objects" and it is the 5th icon from the right at the upper right corner. This icon is a toggle.
After clicking on this icon, the SYSTEM queues are now hidden.

Result:
There are NO queues displayed in MQ Explorer.

2) As an MQ administrator give access to specific queues without the use of wildcards, giving the +dsp flag, which means "authority to display the name of the queues".

 setmqaut -m MYQMGR -t q -n 123     -p myuser +dsp
 setmqaut -m MYQMGR -t q -n 123.456 -p myuser +dsp


In MQ Explorer, click on the Refresh icon, which is the 3rd icon from the right (upper right corner).

Result:
The MQ Explorer only shows these 2 queues.
123
123.456

3) The MQ administrator gives access using a wildcard of a SINGLE asterisk.
Notice that when using wildcards on UNIX, it is necessary to enclose the profile name in double quotes:

Windows:  setmqaut -m MYQMGR -t q -n ABC*   -p myuser +dsp
Unix:     setmqaut -m MYQMGR -t q -n "ABC*" -p myuser +dsp


Result:
The MQ Explorer only shows these 3 queues:
123
123.456
ABC

Hum! This is not what is typically expected when using an asterisk!
The expectation would be that ALL the queues that begin with ABC would be shown.

3.a) If instead of "ABC*" we used a period before the asterisk ("ABC.*"), then the result would include "ABC.DEF" but not "ABC".
Unix: setmqaut -m MYQMGR -t q -n "ABC.*" -p myuser +dsp

Result:
The MQ Explorer only shows these 3 queues:
123
123.456
ABC.DEF

Hum! This is not what is typically expected when using an asterisk!
The expectation would be that ALL the queues that begin with ABC would be shown, including "ABC" itself!

4) If all the context levels are desired, then it is necessary to use the wildcard of 2 asterisks!
The MQ administrator gives access using a wildcard that has TWO asterisks.
Notice that when using wildcards on UNIX, it is necessary to enclose the profile name in double quotes:

Windows:  setmqaut -m MYQMGR -t q -n ABC.**   -p myuser +dsp
Unix:     setmqaut -m MYQMGR -t q -n "ABC.**" -p myuser +dsp


Result:
The MQ Explorer now shows all the local queues:
123
123.456
ABC
ABC.DEF
ABC.DEF.GHI
ABC.DEF.GHI.JKL
ABC.DEF.GHI.JKL.MNO

+ Reference:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q013500_.html
IBM MQ 9.2 / IBM MQ / Securing / Authorizing access to objects / 
Controlling access to objects by using the OAM on AIX, Linux, and Windows / 
Using OAM generic profiles on AIX, Linux, and Windows

+ begin excerpt

Using wildcard characters in OAM profiles

What makes a profile generic is the use of special characters (wildcard characters) in the profile name. For example, the question mark (?) wildcard character matches any single character in a name. So, if you specify ABC.?EF, the authorization you give to that profile applies to any objects with the names ABC.DEF, ABC.CEF, ABC.BEF, and so on.

The wildcard characters available are:

1) Use the question mark (?) instead of any single character. For example, AB.?D applies to the objects AB.CD, AB.ED, and AB.FD.

2) Use a single asterisk (*) as:
- A qualifier in a profile name to match any ONE (1) qualifier in an object name. A qualifier is the part of an object name delimited by a period. For example, in ABC.DEF.GHI, the qualifiers are ABC, DEF, and GHI. 
For example, ABC.*.JKL applies to the objects ABC.DEF.JKL, and ABC.GHI.JKL. 
(Note that it does not apply to ABC.JKL, nor ABC.DEF.JKL.MNO ; * used in this context always indicates one qualifier.)
For more qualifiers see the next item.
- A character within a qualifier in a profile name to match zero or more characters within the qualifier in an object name. 
For example, ABC.DE*.JKL applies to the objects ABC.DE.JKL, ABC.DEF.JKL, and ABC.DEGH.JKL.
3) Use the double asterisk (**) once in a profile name as:
- The entire profile name to match all object names. For example if you use -t prcs to identify processes, then use ** as the profile name, you change the authorizations for all processes.
- As either the beginning, middle, or ending qualifier in a profile name to match zero or more qualifiers in an object name. For example, **.ABC identifies all objects with the final qualifier ABC.

Note: When using wildcard characters on UNIX and Linux systems, you must enclose the profile name in single quotation marks.

+ end excerpt
 
++ Additional information
The double asterisk ** can only be used as a complete qualifier:
  **.DEF
  ABC.**
  A*.**
But not as:
  A**
... otherwise you will get:
AMQ7226E: The profile name is invalid.
Examples: 1 and 3 are valid, but 2 is not correct.
mqm@riggioni1.fyre.ibm.com: /home/mqm
(1) setmqaut -m QMGR1 -n "Q*" -t q -g mquser +passall +passid +setall +setid +browse +get +inq +put +set
The setmqaut command completed successfully.
(2) setmqaut -m QMGR1 -n "Q**" -t q -g mquser +passall +passid +setall +setid +browse +get +inq +put +set
AMQ7226E: The profile name is invalid.
(3) setmqaut -m QMGR1 -n "Q*.**" -t q -g mquser +passall +passid +setall +setid +browse +get +inq +put +set
The setmqaut command completed successfully.
Notes:
Attempt id 1 should cover cases like:
  Q1
  QUEPASA
but not
  Q.R.S
Attempt id 3 should cover cases like:
  Q.R.S.T
  Q1.R.S
  QUEPASA.R
+++ end +++
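
The matching rules in the excerpt and the "Q**" restriction above can be checked before granting authority with a small matcher. This is an added example, not IBM code and not how the OAM itself is implemented: the function names are hypothetical, the queue list is the one constructed for this page's scenario, and treating ? and * as never matching a period is an assumption.

```python
import re

# Constructed sample: the local queues used in this page's scenario.
QUEUES = ["123", "123.456", "ABC", "ABC.DEF", "ABC.DEF.GHI",
          "ABC.DEF.GHI.JKL", "ABC.DEF.GHI.JKL.MNO"]

def split_profile(profile):
    """Split a profile into qualifiers, rejecting names such as "Q**"."""
    quals = profile.split(".")
    if any("**" in q and q != "**" for q in quals):
        raise ValueError("** must be a complete qualifier: " + profile)
    if quals.count("**") > 1:
        raise ValueError("** may be used only once: " + profile)
    return quals

def qualifier_matches(pattern, qualifier):
    """Match one qualifier: ? is one character, * is zero or more characters."""
    # Assumption: neither ? nor * ever matches the period between qualifiers.
    regex = "".join("[^.]" if c == "?" else "[^.]*" if c == "*" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, qualifier) is not None

def profile_matches(profile, name):
    """Return True if the generic profile covers the object name."""
    quals, parts = split_profile(profile), name.split(".")
    if "**" in quals:
        i = quals.index("**")
        head, tail = quals[:i], quals[i + 1:]
        if len(parts) < len(head) + len(tail):
            return False          # ** absorbs zero or more qualifiers, never fewer
        pairs = list(zip(head, parts)) + list(zip(tail, parts[len(parts) - len(tail):]))
    else:
        if len(parts) != len(quals):
            return False          # without **, qualifier counts must be equal
        pairs = list(zip(quals, parts))
    return all(qualifier_matches(q, p) for q, p in pairs)

def covered(profile, names=QUEUES):
    """List the object names a profile would apply to."""
    return [n for n in names if profile_matches(profile, n)]

if __name__ == "__main__":
    for profile in ("ABC*", "ABC.*", "ABC.**"):
        print(f"{profile:8} -> {covered(profile)}")
```

Running covered() against the real queue list before issuing setmqaut shows whether a generic profile grants more (or less) than intended.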


Document Information

Modified date:
22 September 2023

UID

ibm16435255