SET AUTHREC on Multiplatforms
Use the MQSC command SET AUTHREC to set authority records associated with a profile name.
Use MQSC commands
For information on how we use MQSC commands, see Performing local administration tasks using MQSC commands.
See setmqaut (grant or revoke authority) for more information on the options that we can select.
SET AUTHREC
Parameter descriptions
- PROFILE(profile-name)
- The name of the object or generic profile for which to display the authority records. This
parameter is required unless the OBJTYPE parameter is QMGR, in
which case it can be omitted.
See Use OAM generic profiles on UNIX, Linux, and Windows for more information on generic profiles and wildcard characters.
- OBJTYPE
- The type of object referred to by the profile. Specify one of the following values:
- AUTHINFO
- Authentication information record
- CHANNEL
- Channel
- CLNTCONN
- Client connection channel
- COMMINFO
- Communication information object
- LISTENER
- Listener
- NAMELIST
- Namelist
- PROCESS
- Process
- QUEUE
- Queue
- QMGR
- Queue manager
- RQMNAME
- Remote queue manager
- SERVICE
- Service
- TOPIC
- Topic
- PRINCIPAL(principal-name)
- A principal name. This is the name of a user for whom to set authority records for the specified
profile. On IBM MQ for Windows, the name of the principal can
optionally include a domain name, specified in this format: user@domain.
You must specify either PRINCIPAL or GROUP.
- GROUP(group-name)
- A group name. This is the name of the user group for which to set authority records for the
specified profile. We can specify one name only and it must be the name of an existing user group.
For IBM MQ for Windows only,
the group name can optionally include a domain name, specified in the following format:
GroupName@domain
We must specify either PRINCIPAL or GROUP.
- AUTHADD
- A list of authorizations to add in the authority records. Specify any combination of the
following values:
- NONE
- No authorization
- ALTUSR
- Specify an alternative user ID on an MQI call
- BROWSE
- Retrieve a message from a queue by issuing an MQGET call with the BROWSE option
- CHG
- Change the attributes of the specified object, using the appropriate command set
- CLR
- Clear a queue or a topic
- CONNECT
- Connect an application to a queue manager by issuing an MQCONN call
- CRT
- Create objects of the specified type using the appropriate command set
- DLT
- Delete the specified object using the appropriate command set
- DSP
- Display the attributes of the specified object using the appropriate command set
- GET
- Retrieve a message from a queue by issuing an MQGET call
- INQ
- Make an inquiry on a specific queue by issuing an MQINQ call
- PUT
- Put a message on a specific queue by issuing an MQPUT call
- PASSALL
- Pass all context
- PASSID
- Pass the identity context
- SET
- Set attributes on a queue by issuing an MQSET call
- SETALL
- Set all context on a queue
- SETID
- Set the identity context on a queue
- SUB
- Create, alter, or resume a subscription to a topic using the MQSUB call
- RESUME
- Resume a subscription using the MQSUB call
- PUB
- Publish a message on a topic using the MQPUT call
- SYSTEM
- Give authority to principals or groups, who are authorized to carry out privileged operations on the queue manager, for internal system operations.
- CTRL
- Start and stop the specified channel, listener, or service, and ping the specified channel
- CTRLX
- Reset or resolve the specified channel
- ALL
- Use all operations relevant to the object
- ALLADM
- Perform all administration operations relevant to the object
- ALLMQI
- Use all MQI calls relevant to the object
- AUTHRMV
- A list of authorizations to remove from the authority records. Specify any combination of the
following values:
- NONE
- No authorization
- ALTUSR
- Specify an alternative user ID on an MQI call
- BROWSE
- Retrieve a message from a queue by issuing an MQGET call with the BROWSE option
- CHG
- Change the attributes of the specified object, using the appropriate command set
- CLR
- Clear a queue or a topic
- CONNECT
- Connect an application to a queue manager by issuing an MQCONN call
- CRT
- Create objects of the specified type using the appropriate command set
- DLT
- Delete the specified object using the appropriate command set
- DSP
- Display the attributes of the specified object using the appropriate command set
- GET
- Retrieve a message from a queue by issuing an MQGET call
- INQ
- Make an inquiry on a specific queue by issuing an MQINQ call
- PUT
- Put a message on a specific queue by issuing an MQPUT call
- PASSALL
- Pass all context
- PASSID
- Pass the identity context
- SET
- Set attributes on a queue by issuing an MQSET call
- SETALL
- Set all context on a queue
- SETID
- Set the identity context on a queue
- SUB
- Create, alter, or resume a subscription to a topic using the MQSUB call
- RESUME
- Resume a subscription using the MQSUB call
- PUB
- Publish a message on a topic using the MQPUT call
- SYSTEM
- Use queue manager for internal system operations
- CTRL
- Start and stop the specified channel, listener, or service, and ping the specified channel
- CTRLX
- Reset or resolve the specified channel
- ALL
- Use all operations relevant to the object
- ALLADM
- Perform all administration operations relevant to the object
- ALLMQI
- Use all MQI calls relevant to the object
Note: To use SETID or SETALL authority, authorizations must be granted on both the appropriate queue object and also on the queue manager object.
- SERVCOMP(service-component)
- The name of the authorization service for which information is to be set.
If you specify this parameter, it specifies the name of the authorization service to which the authorizations apply. If you omit this parameter, the authority record is set using the registered authorization services in turn in accordance with the rules for chaining authorization services.
Usage notes for SET AUTHREC
The list of authorizations to add and the list of authorizations to remove must not overlap. For example, we cannot add display authority and remove display authority with the same command. This rule applies even if the authorities are expressed using different options. For example, the following command fails because DSP authority overlaps with ALLADM authority:SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALLADM)The exception to this overlap behavior is with the ALL authority. The following command first adds ALL authorities then removes the SETID authority:
SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(ALL) AUTHRMV(SETID)The following command first removes ALL authorities then adds the DSP authority:
SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALL)
Regardless of the order in which they are provided on the command, the ALL are processed first.
Parent topic: MQSC commands