SET AUTHREC on Multiplatforms

Use the MQSC command SET AUTHREC to set authority records associated with a profile name.


Use MQSC commands

For information on how to use MQSC commands, see Performing local administration tasks using MQSC commands.

See setmqaut (grant or revoke authority) for more information on the options that you can select.


SET AUTHREC

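SET AUTHREC PROFILE(profile-name)
    OBJTYPE(AUTHINFO | CHANNEL | CLNTCONN | COMMINFO | LISTENER | NAMELIST |
            PROCESS | QUEUE | QMGR | RQMNAME | SERVICE | TOPIC)
    PRINCIPAL(principal-name) | GROUP(group-name)
    AUTHADD(comma-separated list of: NONE | ALTUSR | BROWSE | CHG | CLR | CONNECT |
            CRT | DLT | DSP | GET | INQ | PUT | PASSALL | PASSID | SET | SETALL |
            SETID | SUB | RESUME | PUB | SYSTEM | CTRL | CTRLX | ALL | ALLADM | ALLMQI)
    AUTHRMV(comma-separated list of: NONE | ALTUSR | BROWSE | CHG | CLR | CONNECT |
            CRT | DLT | DSP | GET | INQ | PUT | PASSALL | PASSID | SET | SETALL |
            SETID | SUB | RESUME | PUB | SYSTEM | CTRL | CTRLX | ALL | ALLADM | ALLMQI)
    SERVCOMP(service-component)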


Parameter descriptions

    PROFILE(profile-name)
    The name of the object or generic profile for which to set the authority records. This parameter is required unless the OBJTYPE parameter is QMGR, in which case it can be omitted.

    See Use OAM generic profiles on UNIX, Linux, and Windows for more information on generic profiles and wildcard characters.

    OBJTYPE
    The type of object referred to by the profile. Specify one of the following values:

      AUTHINFO
      Authentication information record

      CHANNEL
      Channel

      CLNTCONN
      Client connection channel

      COMMINFO
      Communication information object

      LISTENER
      Listener

      NAMELIST
      Namelist

      PROCESS
      Process

      QUEUE
      Queue

      QMGR
      Queue manager

      RQMNAME
      Remote queue manager

      SERVICE
      Service

      TOPIC
      Topic

    PRINCIPAL(principal-name)
    A principal name. This is the name of a user for whom to set authority records for the specified profile. On IBM MQ for Windows, the name of the principal can optionally include a domain name, specified in this format: user@domain.

    You must specify either PRINCIPAL or GROUP.

    GROUP(group-name)
    A group name. This is the name of the user group for which to set authority records for the specified profile. You can specify one name only and it must be the name of an existing user group. For IBM MQ for Windows only, the group name can optionally include a domain name, specified in the following format:
    GroupName@domain

    You must specify either PRINCIPAL or GROUP.

    AUTHADD
    A list of authorizations to add in the authority records. Specify any combination of the following values:

      NONE
      No authorization

      ALTUSR
      Specify an alternative user ID on an MQI call

      BROWSE
      Retrieve a message from a queue by issuing an MQGET call with the BROWSE option

      CHG
      Change the attributes of the specified object, using the appropriate command set

      CLR
      Clear a queue or a topic

      CONNECT
      Connect an application to a queue manager by issuing an MQCONN call

      CRT
      Create objects of the specified type using the appropriate command set

      DLT
      Delete the specified object using the appropriate command set

      DSP
      Display the attributes of the specified object using the appropriate command set

      GET
      Retrieve a message from a queue by issuing an MQGET call

      INQ
      Make an inquiry on a specific queue by issuing an MQINQ call

      PUT
      Put a message on a specific queue by issuing an MQPUT call

      PASSALL
      Pass all context

      PASSID
      Pass the identity context

      SET
      Set attributes on a queue by issuing an MQSET call

      SETALL
      Set all context on a queue

      SETID
      Set the identity context on a queue

      SUB
      Create, alter, or resume a subscription to a topic using the MQSUB call

      RESUME
      Resume a subscription using the MQSUB call

      PUB
      Publish a message on a topic using the MQPUT call

      SYSTEM
      Give authority to principals or groups, who are authorized to carry out privileged operations on the queue manager, for internal system operations.

      CTRL
      Start and stop the specified channel, listener, or service, and ping the specified channel

      CTRLX
      Reset or resolve the specified channel

      ALL
      Use all operations relevant to the object
      The ALL authority is equivalent to the union of the authorities ALLADM, ALLMQI, and SYSTEM appropriate to the object type.

      ALLADM
      Perform all administration operations relevant to the object

      ALLMQI
      Use all MQI calls relevant to the object

    AUTHRMV
    A list of authorizations to remove from the authority records. Specify any combination of the following values:

      NONE
      No authorization

      ALTUSR
      Specify an alternative user ID on an MQI call

      BROWSE
      Retrieve a message from a queue by issuing an MQGET call with the BROWSE option

      CHG
      Change the attributes of the specified object, using the appropriate command set

      CLR
      Clear a queue or a topic

      CONNECT
      Connect an application to a queue manager by issuing an MQCONN call

      CRT
      Create objects of the specified type using the appropriate command set

      DLT
      Delete the specified object using the appropriate command set

      DSP
      Display the attributes of the specified object using the appropriate command set

      GET
      Retrieve a message from a queue by issuing an MQGET call

      INQ
      Make an inquiry on a specific queue by issuing an MQINQ call

      PUT
      Put a message on a specific queue by issuing an MQPUT call

      PASSALL
      Pass all context

      PASSID
      Pass the identity context

      SET
      Set attributes on a queue by issuing an MQSET call

      SETALL
      Set all context on a queue

      SETID
      Set the identity context on a queue

      SUB
      Create, alter, or resume a subscription to a topic using the MQSUB call

      RESUME
      Resume a subscription using the MQSUB call

      PUB
      Publish a message on a topic using the MQPUT call

      SYSTEM
      Use queue manager for internal system operations

      CTRL
      Start and stop the specified channel, listener, or service, and ping the specified channel

      CTRLX
      Reset or resolve the specified channel

      ALL
      Use all operations relevant to the object
      The ALL authority is equivalent to the union of the authorities ALLADM, ALLMQI, and SYSTEM appropriate to the object type.

      ALLADM
      Perform all administration operations relevant to the object

      ALLMQI
      Use all MQI calls relevant to the object

    Note: To use SETID or SETALL authority, authorizations must be granted on both the appropriate queue object and also on the queue manager object.

    SERVCOMP(service-component)
    The name of the authorization service for which information is to be set.

    If you specify this parameter, it specifies the name of the authorization service to which the authorizations apply. If you omit this parameter, the authority record is set using the registered authorization services in turn in accordance with the rules for chaining authorization services.


Usage notes for SET AUTHREC

The list of authorizations to add and the list of authorizations to remove must not overlap. For example, you cannot add display authority and remove display authority with the same command. This rule applies even if the authorities are expressed using different options. For example, the following command fails because DSP authority overlaps with ALLADM authority:

    SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALLADM)

The exception to this overlap behavior is the ALL authority. The following command first adds ALL authorities, then removes the SETID authority:

    SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(ALL) AUTHRMV(SETID)

The following command first removes ALL authorities, then adds the DSP authority:

    SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALL)

Regardless of the order in which they are provided on the command, the ALL authorities are processed first.
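
A least-privilege grant set built from the parameters above, covering the SETID note and the ALL processing order. This is an added example, not taken from the product documentation: the group names 'payapp', 'payid' and 'payops' and the queue names PAY.REQUEST and PAY.REPLY are constructed, and DISPLAY AUTHREC is the companion MQSC command used here to check the result.

```mqsc
* Constructed names throughout: groups 'payapp', 'payid', 'payops';
* queues PAY.REQUEST and PAY.REPLY.

* Application group: connect to and inquire on the queue manager only.
* PROFILE is omitted because OBJTYPE is QMGR.
SET AUTHREC OBJTYPE(QMGR) GROUP('payapp') AUTHADD(CONNECT,INQ)

* Same group: put-only on the request queue, get and browse on the
* reply queue. No CHG, CLR, DLT or ALLADM is granted.
SET AUTHREC PROFILE(PAY.REQUEST) OBJTYPE(QUEUE) GROUP('payapp') +
    AUTHADD(PUT,INQ)
SET AUTHREC PROFILE(PAY.REPLY) OBJTYPE(QUEUE) GROUP('payapp') +
    AUTHADD(GET,BROWSE,INQ)

* Group that sets identity context: SETID must be granted on the
* queue and also on the queue manager object, as the Note states.
SET AUTHREC PROFILE(PAY.REQUEST) OBJTYPE(QUEUE) GROUP('payid') +
    AUTHADD(PUT,SETID)
SET AUTHREC OBJTYPE(QMGR) GROUP('payid') AUTHADD(CONNECT,SETID)

* Reduce an over-broad operator grant to display-only in one command.
* ALL is processed first, so every authority is removed and DSP is
* then added.
SET AUTHREC PROFILE(PAY.REPLY) OBJTYPE(QUEUE) GROUP('payops') +
    AUTHADD(DSP) AUTHRMV(ALL)

* Check the resulting records.
DISPLAY AUTHREC PROFILE(PAY.REQUEST) OBJTYPE(QUEUE) GROUP('payapp')
DISPLAY AUTHREC PROFILE(PAY.REPLY) OBJTYPE(QUEUE) GROUP('payops')
```

Group names are quoted because MQSC folds unquoted values to uppercase.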
