Set Authority Record on Multiplatforms

The Set Authority Record (MQCMD_SET_AUTH_REC) command sets the authorizations of a profile, object, or class of objects. Authorizations can be granted to, or revoked from, any number of principals or groups.

Required parameters

ProfileName (MQCFST)

Profile name (parameter identifier: MQCACF_AUTH_PROFILE_NAME).

The authorizations apply to all IBM MQ objects with names that match the profile name specified. We can define a generic profile. If you specify an explicit profile name, the object must exist.

The maximum length of the string is MQ_AUTH_PROFILE_NAME_LENGTH.

ObjectType (MQCFIN)

The type of object for which to set authorizations (parameter identifier: MQIACF_OBJECT_TYPE). The value can be any of the following values:

MQOT_AUTH_INFO: Authentication information.
MQOT_CHANNEL: Channel object.
MQOT_CLNTCONN_CHANNEL: Client-connection channel object.
MQOT_COMM_INFO: Communication information object
MQOT_LISTENER: Listener object.
MQOT_NAMELIST: Namelist.
MQOT_PROCESS: Process.
MQOT_Q: Queue, or queues, that match the object name parameter.
MQOT_Q_MGR: Queue manager.
MQOT_REMOTE_Q_MGR_NAME: Remote queue manager.
MQOT_SERVICE: Service object.
MQOT_TOPIC: Topic object.

Note: The required parameters must be in the order ProfileName followed by ObjectType.

Optional parameters

AuthorityAdd (MQCFIL)

Authority values to set (parameter identifier: MQIACF_AUTH_ADD_AUTHS). This parameter is a list of authority values to set for the named profile. The values can be:

MQAUTH_NONE: The entity has authority set to 'none'.
MQAUTH_ALT_USER_AUTHORITY: Specify an alternate user ID on an MQI call.
MQAUTH_BROWSE: Retrieve a message from a queue by issuing an MQGET call with the BROWSE option.
MQAUTH_CHANGE: Change the attributes of the specified object, using the appropriate command set.
MQAUTH_CLEAR: Clear a queue.
MQAUTH_CONNECT: Connect the application to the specified queue manager by issuing an MQCONN call.
MQAUTH_CREATE: Create objects of the specified type using the appropriate command set.
MQAUTH_DELETE: Delete the specified object using the appropriate command set.
MQAUTH_DISPLAY: Display the attributes of the specified object using the appropriate command set.
MQAUTH_INPUT: Retrieve a message from a queue by issuing an MQGET call.
MQAUTH_INQUIRE: Make an inquiry on a specific queue by issuing an MQINQ call.
MQAUTH_OUTPUT: Put a message on a specific queue by issuing an MQPUT call.
MQAUTH_PASS_ALL_CONTEXT: Pass all context.
MQAUTH_PASS_IDENTITY_CONTEXT: Pass the identity context.
MQAUTH_SET: Set attributes on a queue from the MQI by issuing an MQSET call.
MQAUTH_SET_ALL_CONTEXT: Set all context on a queue.
MQAUTH_SET_IDENTITY_CONTEXT: Set the identity context on a queue.
MQAUTH_CONTROL: For listeners and services, start and stop the specified channel, listener, or service.; For channels, start, stop, and ping the specified channel.; For topics, define, alter, or delete subscriptions.
MQAUTH_CONTROL_EXTENDED: Reset or resolve the specified channel.
MQAUTH_PUBLISH: Publish to the specified topic.
MQAUTH_SUBSCRIBE: Subscribe to the specified topic.
MQAUTH_RESUME: Resume a subscription to the specified topic.
MQAUTH_SYSTEM: Use queue manager for internal system operations.
MQAUTH_ALL: Use all operations applicable to the object.
MQAUTH_ALL_ADMIN: Use all administration operations applicable to the object.
MQAUTH_ALL_MQI: Use all MQI calls applicable to the object.

The contents of the AuthorityAdd and AuthorityRemove lists must be mutually exclusive. We must specify a value for either AuthorityAdd or AuthorityRemove. An error occurs if we do not specify either.

AuthorityRemove (MQCFIL)

Authority values to remove (parameter identifier: MQIACF_AUTH_REMOVE_AUTHS). This parameter is a list of authority values to remove from the named profile. The values can be:

MQAUTH_NONE: The entity has authority set to 'none'.
MQAUTH_ALT_USER_AUTHORITY: Specify an alternate user ID on an MQI call.
MQAUTH_BROWSE: Retrieve a message from a queue by issuing an MQGET call with the BROWSE option.
MQAUTH_CHANGE: Change the attributes of the specified object, using the appropriate command set.
MQAUTH_CLEAR: Clear a queue.
MQAUTH_CONNECT: Connect the application to the specified queue manager by issuing an MQCONN call.
MQAUTH_CREATE: Create objects of the specified type using the appropriate command set.
MQAUTH_DELETE: Delete the specified object using the appropriate command set.
MQAUTH_DISPLAY: Display the attributes of the specified object using the appropriate command set.
MQAUTH_INPUT: Retrieve a message from a queue by issuing an MQGET call.
MQAUTH_INQUIRE: Make an inquiry on a specific queue by issuing an MQINQ call.
MQAUTH_OUTPUT: Put a message on a specific queue by issuing an MQPUT call.
MQAUTH_PASS_ALL_CONTEXT: Pass all context.
MQAUTH_PASS_IDENTITY_CONTEXT: Pass the identity context.
MQAUTH_SET: Set attributes on a queue from the MQI by issuing an MQSET call.
MQAUTH_SET_ALL_CONTEXT: Set all context on a queue.
MQAUTH_SET_IDENTITY_CONTEXT: Set the identity context on a queue.
MQAUTH_CONTROL: For listeners and services, start and stop the specified channel, listener, or service.; For channels, start, stop, and ping the specified channel.; For topics, define, alter, or delete subscriptions.
MQAUTH_CONTROL_EXTENDED: Reset or resolve the specified channel.
MQAUTH_PUBLISH: Publish to the specified topic.
MQAUTH_SUBSCRIBE: Subscribe to the specified topic.
MQAUTH_RESUME: Resume a subscription to the specified topic.
MQAUTH_SYSTEM: Use queue manager for internal system operations.
MQAUTH_ALL: Use all operations applicable to the object.
MQAUTH_ALL_ADMIN: Use all administration operations applicable to the object.
MQAUTH_ALL_MQI: Use all MQI calls applicable to the object.

The contents of the AuthorityAdd and AuthorityRemove lists must be mutually exclusive. We must specify a value for either AuthorityAdd or AuthorityRemove. An error occurs if we do not specify either.

GroupNames (MQCFSL)

Group names (parameter identifier: MQCACF_GROUP_ENTITY_NAMES).

The names of groups having their authorizations set. At least one group name or principal name must be specified. An error occurs if neither are specified.

Each member in this list can be a maximum length of MQ_ENTITY_NAME_LENGTH.

PrincipalNames (MQCFSL)

Principal names (parameter identifier: MQCACF_PRINCIPAL_ENTITY_NAMES).

The names of principals having their authorizations set. At least one group name or principal name must be specified. An error occurs if neither are specified.

Each member in this list can be a maximum length of MQ_ENTITY_NAME_LENGTH.

ServiceComponent (MQCFST)

Service component (parameter identifier: MQCACF_SERVICE_COMPONENT).

If installable authorization services are supported, this parameter specifies the name of the authorization service to which the authorizations apply.

If we omit this parameter, the authorization inquiry is made to the first installable component for the service.

The maximum length of the string is MQ_SERVICE_COMPONENT_LENGTH.

Error codes

This command might return the following error codes in the response format header, in addition to the values shown in Error codes applicable to all commands.

Reason (MQLONG)

The value can be any of the following values:

MQRC_UNKNOWN_ENTITY: Userid not authorized, or unknown.
MQRCCF_AUTH_VALUE_ERROR: Invalid authorization.
MQRCCF_AUTH_VALUE_MISSING: Authorization missing.
MQRCCF_ENTITY_NAME_MISSING: Entity name missing.
MQRCCF_OBJECT_TYPE_MISSING: Object type missing.
MQRCCF_PROFILE_NAME_ERROR: Invalid profile name.

Parent topic: Definitions of the Programmable Command Formats