Revoke MQ Object Authority (RVKMQMAUT)

Where allowed to run: All environments (*ALL)
Threadsafe: Yes

The Revoke MQ Authority (RVKMQMAUT) command is used to reset, or take away specific or all authority for the named objects from the users named in the command.

The RVKMQMAUT command can be used by anyone in the QMQMADM group, that is, anyone whose user profile specifies QMQMADM as a primary or supplemental group profile.

Parameters

Keyword	Description	Choices	Notes
OBJ	Object name	Character value	Required, Positional 1
OBJTYPE	Object type	ALL, Q, ALSQ, LCLQ, MDLQ, RMTQ, AUTHINFO, MQM, NMLIST, PRC, LSR, SVC, CHL, CLTCN, TOPIC, RMTMQMNAME	Required, Positional 2
USER	User names	Single values: *PUBLIC, Other values (up to 50 repetitions): Name	Required, Positional 3
AUT	Authority	Values (up to 22 repetitions): ALTUSR, BROWSE, CONNECT, GET, INQ, PUT, SET, PUB, SUB, RESUME, PASSALL, PASSID, SETALL, SETID, ADMCHG, ADMCLR, ADMCRT, ADMDLT, ADMDSP, ALL, ALLADM, ALLMQI, REMOVE, CTRL, CTRLX, SYSTEM	Required, Positional 4
MQMNAME	Message Queue Manager name	Character value, *DFT	Optional, Positional 5
SRVCOMP	Service Component name	Character value, *DFT	Optional, Positional 6

Object name (OBJ)

Specifies the name of the objects for which specific authorities are revoked.

The possible values are:

*ALL

All objects of the type specified by the value of the OBJTYPE parameter at the time the command is issued. *ALL cannot represent a generic profile.

object-name

Specify the name of an MQ object for which specific authority is given to one or more users.

generic profile

Specify the generic profile of the objects to be selected. A generic profile is a character string containing one or more generic characters anywhere in the string. This profile is used to match the object name of the object under consideration at the time of use. The generic characters are (?), (*) and (**).

? matches a single character in an object name.

* matches any string contained within a qualifier, where a qualifier is the string between fullstops (.). For example ABC* matches ABCDEF but not ABCDEF.XYZ.

** matches one or more qualifiers. For example ABC.**.XYZ matches ABC.DEF.XYZ and ABC.DEF.GHI.XYZ, ** can only appear once in a generic profile.

You are recommended to specify the name required within quotation marks. Using this format ensures that your selection is precisely what you entered.

Object type (OBJTYPE)

Specifies the type of the objects for which specific authorities are revoked.

*ALL: All MQ object types.

*Q: All queue object types.
*ALSQ: Alias queue.
*LCLQ: Local queue.
*MDLQ: Model queue.
*RMTQ: Remote queue.
*AUTHINFO: Authentication Information object.
*MQM: Message Queue Manager.
*NMLIST: Namelist object.
*PRC: Process definition.
*CHL: Channel object.
*CLTCN: Client Connection Channel object.
*LSR: Listener object.
*SVC: Service object.
*TOPIC: Topic object.
*RMTMQMNAME: Remote queue manager name.

User names (USER)

Specifies the user names of one or more users whose specific authorities to the named object are being removed. If a user was given the authority by USER(*PUBLIC) being specified in the Grant MQ Authority (GRTMQMAUT) command, the same authorities are revoked by *PUBLIC being specified in this parameter. Users given specific authority by having their names identified in the GRTMQMAUT command must have their names specified on this parameter to remove the same authorities.

The possible values are:

*PUBLIC: The specified authorities are taken away from users who do not have specific authority for the object, who are not on the authorization list, and whose user group has no authority. Users who have specific authority still retain their authorities to the object.
user-profile-name: Specify the user names of one or more users who are having the specified authorities revoked. The authorities listed in the AUT parameter are being specifically taken away from each identified user. This parameter cannot be used to remove public authority from specific users; only authorities that were specifically given to them can be specifically revoked. We can specify up to 50 user profile names.

Authority (AUT)

Specifies the authority being reset or taken away from the users specified in the USER parameter. We can specify values for AUT as a list of specific and general authorities in any order, where the general authorities can be:

*REMOVE, which deletes the profile. It is not the same as *ALL, because *ALL leaves the profile in existence with no authorities. *REMOVE cannot be specified with user QMQMADM unless the object is a generic profile or with user QMQM when the object type is *MQM.

*ALL, which confers all authorities to the specified users.

*ALLADM, which confers all of *ADMCHG, *ADMCLR, *ADMCRT, *ADMDLT, *ADMDSP, *CTRL and *CTRLX.

*ALLMQI, which confers all of *ALTUSR, *BROWSE, *CONNECT, *GET, *INQ, *PUT, *SET, *PUB, *SUB and *RESUME.

Authorizations for different object types

*ALL: All authorizations. Applies to all objects.
*ADMCHG: Change an object. Applies to all objects except remote queue manager name.
*ADMCLR: Clear a queue. Applies to queues only.
*ADMCRT: Create an object. Applies to all objects except remote queue manager name.
*ADMDLT: Delete an object. Applies to all objects except remote queue manager name.
*ADMDSP: Display the attributes of an object. Applies to all objects except remote queue manager name.
*ALLADM: Perform administration operations on an object. Applies to all objects except remote queue manager name.
*ALLMQI: Use all MQI calls applicable to an object. Applies to all objects.
*ALTUSR: Allow another user's authority to be used for MQOPEN and MQPUT1 calls. Applies to queue manager objects only.
*BROWSE: Retrieve a message from a queue by issuing an MQGET call with the BROWSE option. Applies to queue objects only.
*CONNECT: Connect the application to a queue manager by issuing an MQCONN call. Applies to queue manager objects only.
*CTRL: Control startup and shutdown of channels, listeners and services.
*CTRLX: Reset sequence number and resolve indoubt channels.
*GET: Retrieve a message from a queue using an MGET call. Applies to queue objects only.
*INQ: Make an inquiry on an object using an MQINQ call. Applies to all objects except remote queue manager name.
*PASSALL: Pass all context on a queue. Applies to queue objects only.
*PASSID: Pass identity context on a queue. Applies to queue objects only.
*PUT: Put a message on a queue using an MQPUT call. Applies to queue objects and remote queue manager names only.
*SET: Set the attributes of an object using an MQSET call. Applies to queue, queue manager, and process objects only.
*SETALL: Set all context on an object. Applies to queue and queue manager objects only.
*SETID: Set identity context on an object. Applies to queue and queue manager objects only.
*SYSTEM: Connect the application to a queue manager for system operations. Applies to queue manager objects only.

Authorizations for MQI calls

*ALTUSR: Allow another user's authority to be used for MQOPEN and MQPUT1 calls.
*BROWSE: Retrieve a message from a queue by issuing an MQGET call with the BROWSE option.
*CONNECT: Connect the application to the specified queue manager by issuing an MQCONN call.
*GET: Retrieve a message from a queue by issuing an MQGET call.
*INQ: Make an inquiry on a specific queue by issuing an MQINQ call.
*PUT: Put a message on a specific queue by issuing an MQPUT call.
*SET: Set attributes on a queue from the MQI by issuing an MQSET call.
*PUB: Open a topic to publish a message using the MQPUT call.
*SUB: Create, Alter or Resume a subscription to a topic using the MQSUB call.
*RESUME: Resume a subscription using the MQSUB call.

If you open a queue for multiple options, we must be authorized for each of them.

Authorizations for context

*PASSALL: Pass all context on the specified queue. All the context fields are copied from the original request.
*PASSID: Pass identity context on the specified queue. The identity context is the same as that of the request.
*SETALL: Set all context on the specified queue. This is used by special system utilities.
*SETID: Set identity context on the specified queue. This is used by special system utilities.

Authorizations for MQSC and PCF commands

*ADMCHG: Change the attributes of the specified object.
*ADMCLR: Clear the specified queue (PCF Clear queue command only).
*ADMCRT: Create objects of the specified type.
*ADMDLT: Delete the specified object.
*ADMDSP: Display the attributes of the specified object.
*CTRL: Control startup and shutdown of channels, listeners and services.
*CTRLX: Reset sequence number and resolve indoubt channels.

Authorizations for generic operations

*ALL: Use all operations applicable to the object.; all authority is equivalent to the union of the authorities alladm, allmqi, and system appropriate to the object type.
*ALLADM: Perform all administration operations applicable to the object.
*ALLMQI: Use all MQI calls applicable to the object.
*REMOVE: Delete the authority profile to the specified object.

Message Queue Manager name (MQMNAME)

Specifies the name of the queue manager.

*DFT: Use the default queue manager.
queue-manager-name: Specify the name of the queue manager.

Service Component name (SRVCOMP)

Specifies the name of the installed authorization service to which the authorizations apply.

The possible values are:

*DFT: Use the first installed authorization component.
Authorization-service-component-name: The component name of the required authorization service as specified in the Queue manager's qm.ini file.

Examples

None

Error messages

Unknown

Parent topic: CL commands reference for IBM i