dspmqaut (display object authorization)

dspmqaut displays the authorizations of a specific IBM MQ object.


Purpose

Use the dspmqaut command to display the current authorizations to a specified object.

If a user ID is a member of more than one group, this command displays the combined authorizations of all the groups.

Only one group or principal can be specified.

For more information about authorization service components, see Installable services, Service components, and Authorization service interface.


Syntax

dspmqaut -m QMgrName -n Profile -t ObjectType -g GroupName -p PrincipalName -s ServiceComponent


Required parameters

    -n Profile
    The name of the profile for which to display authorizations. The authorizations apply to all IBM MQ objects with names that match the profile name specified.

    This parameter is required, unless we are displaying the authorizations of a queue manager. In this case we must not include it and instead specify the queue manager name using the -m parameter.

    -t ObjectType
    The type of object on which to make the inquiry. Possible values are:

    Object Type Description
    authinfo An authentication information object, for use with TLS channel security
    channel or chl A channel
    clntconn or clcn A client connection channel
    listener or lstr A Listener
    namelist or nl A namelist
    process or prcs A process
    queue or q A queue or queues matching the object name parameter
    qmgr A queue manager
    rqmname or rqmn A remote queue manager name
    service or srvc A service
    topic or top A topic


Optional parameters

    -m QMgrName
    The name of the queue manager on which to make the inquiry. This parameter is optional if we are displaying the authorizations of our default queue manager.

    -g GroupName
    The name of the user group on which to make the inquiry. We can specify only one name, which must be the name of an existing user group. For IBM MQ for Windows only, the group name can optionally include a domain name, specified in the following formats:
    GroupName@domain
    domain\GroupName
    

    -p PrincipalName
    The name of a user for whom to display authorizations to the specified object. For IBM MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format:
    userid@domain
    
    For more information about including domain names on the name of a principal, see Principals and groups.

    -s ServiceComponent
    If installable authorization services are supported, specifies the name of the authorization service to which the authorizations apply. This parameter is optional; if you omit it, the authorization inquiry is made to the first installable component for the service.


Returned parameters

Returns an authorization list, which can contain none, one, or more authorization values. Each authorization value returned means that any user ID in the specified group or principal has the authority to perform the operation defined by that value.

Table 2 shows the authorities that can be given to the different object types.

Authority Queue Process Queue manager Remote queue manager name Namelist Topic Auth info Clntconn Channel Listener Service
all Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
alladm Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes
allmqi Yes Yes Yes Yes Yes Yes Yes No No No No
none Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
altusr No No Yes No No No No No No No No
browse Yes No No No No No No No No No No
chg Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes
clr Yes No No No No Yes No No No No No
connect No No Yes No No No No No No No No
crt Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes
ctrl No No No No No Yes No No Yes Yes Yes
ctrlx No No No No No No No No Yes No No
dlt Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes
dsp Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes
get Yes No No No No No No No No No No
pub No No No No No Yes No No No No No
put Yes No No Yes No Yes No No No No No
inq Yes Yes Yes No Yes No Yes No No No No
passall Yes No No No No Yes No No No No No
passid Yes No No No No Yes No No No No No
resume No No No No No Yes No No No No No
set Yes Yes Yes No No No No No No No No
setall Yes No Yes No No Yes No No No No No
setid Yes No Yes No No Yes No No No No No
sub No No No No No Yes No No No No No
system No No Yes No No No No No No No No

The following list defines the authorizations associated with each value:

Value Description
all Use all operations relevant to the object. all authority is equivalent to the union of the authorities alladm, allmqi, and system appropriate to the object type.
alladm Perform all administration operations relevant to the object
allmqi Use all MQI calls relevant to the object
altusr Specify an alternative user ID on an MQI call
browse Retrieve a message from a queue by issuing an MQGET call with the BROWSE option
chg Change the attributes of the specified object, using the appropriate command set
clr Clear a queue (PCF command Clear queue only) or a topic
ctrl Start, and stop the specified channel, listener, or service, and ping the specified channel.
ctrlx Reset or resolve the specified channel
connect Connect the application to the specified queue manager by issuing an MQCONN call
crt Create objects of the specified type using the appropriate command set
dlt Delete the specified object using the appropriate command set
dsp Display the attributes of the specified object using the appropriate command set
get Retrieve a message from a queue by issuing an MQGET call
inq Make an inquiry on a specific queue by issuing an MQINQ call
passall Pass all context
passid Pass the identity context
pub Publish a message on a topic using the MQPUT call.
put Put a message on a specific queue by issuing an MQPUT call
resume Resume a subscription using the MQSUB call.
set Set attributes on a queue from the MQI by issuing an MQSET call
setall Set all context
setid Set the identity context
sub Create, alter, or resume a subscription to a topic using the MQSUB call.
system Use queue manager for internal system operations
The authorizations for administration operations, where supported, apply to these command sets:


Return codes

Return code Description
0 Successful operation
26 Queue manager running as a standby instance.
36 Invalid arguments supplied
40 Queue manager not available
49 Queue manager stopping
58 Inconsistent use of installations detected
69 Storage not available
71 Unexpected error
72 Queue manager name error
133 Unknown object name
145 Unexpected object name
146 Object name missing
147 Object type missing
148 Invalid object type
149 Entity name missing


Examples

  • The following example shows a command to display the authorizations on queue manager saturn.queue.manager associated with user group staff:
    dspmqaut -m saturn.queue.manager -t qmgr -g staff
    
    The results from this command are:
    Entity staff has the following authorizations for object:
            get
            browse
            put
            inq
            set
            connect
            altusr
            passid
            passall
            setid
    
  • The following example displays the authorities user1 has for queue a.b.c:
    dspmqaut -m qmgr1 -n a.b.c -t q -p user1
    
    The results from this command are:
    Entity user1 has the following authorizations for object:
            get
            put