Access authorities for IBM MQ objects on IBM i

Access authorities required for running IBM MQ CL commands.

IBM MQ for IBM i categorizes the product's CL commands into two groups:

    Group 1
    Users must be in the QMQMADM user group, or have *ALLOBJ authority, to process these commands. Users having either of these authorities can process all commands in all categories without requiring any extra authority. Note: These authorities override any OAM authority. These commands can be grouped as follows:

    • Command Server Commands

      • ENDMQMCSVR, End IBM MQ Command Server
      • STRMQMCSVR, Start IBM MQ Command Server

    • Dead-Letter Queue Handler Command

      • STRMQMDLQ, Start IBM MQ Dead-Letter Queue Handler

    • Listener Command

      • ENDMQMLSR, End IBM MQ listener
      • STRMQMLSR, Start non-object listener

    • Media Recovery Commands

    • Queue Manager Commands

      • CRTMQM, Create Message Queue Manager
      • DLTMQM, Delete Message Queue Manager
      • ENDMQM, End Message Queue Manager
      • STRMQM, Start Message Queue Manager

    • Security Commands

    • Trace Command

    • Transaction Commands

      • RSVMQMTRN, Resolve IBM MQ Transaction

    • Trigger Monitor Commands

      • STRMQMTRM, Start Trigger Monitor

    • IBM MQSC Commands

      • RUNMQSC, Run IBM MQSC Commands
      • STRMQMMQSC, Start IBM MQSC Commands

    Group 2
    The rest of the commands, for which two levels of authority are required:
    1. IBM i authority to run the command. An IBM MQ administrator sets this using the GRTOBJAUT command to override the *PUBLIC(*EXCLUDE) restriction for a user or group of users. For example: 
      GRTOBJAUT OBJ(QMQM/DSPMQMQ) OBJTYPE(*CMD) USER(MQUSER) AUT(*USE)
    2. IBM MQ authority to manipulate the IBM MQ objects associated with the command, or commands, given the correct IBM i authority in Step 1.

      This authority is controlled by the user having the appropriate OAM authority for the required action, set by an IBM MQ administrator using the GRTMQMAUT command

      For example: 
      GRTMQMAUT *connect authority to the queue manager + *admchg authority to
		the queue

    The commands can be grouped as follows:

    • Channel Commands

      • CHGMQMCHL, Change IBM MQ Channel

        This requires *connect authority to the queue manager and *admchg authority to the channel.

      • CPYMQMCHL, Copy IBM MQ Channel

        This requires *connect and *admcrt authority to the queue manager, *admdsp authority to the default channel type to be copied, and *admcrt authority to the channel object class.

        For example, copying a Sender channel, needs *admdsp authority to SYSTEM.DEF.SENDER channel

      • CRTMQMCHL, Create IBM MQ Channel

        This requires *connect and *admcrt authority to the queue manager, *admdsp authority to the default channel type to be created and *admcrt authority to the channel object class.

        For example, creating a Sender channel, needs *admdsp authority to SYSTEM.DEF.SENDER channel

      • DLTMQMCHL, Delete IBM MQ Channel

        This requires *connect authority to the queue manager and *admdlt authority to the channel.

      • RSVMQMCHL, Resolve IBM MQ Channel

        This requires *connect authority to the queue manager and *ctrlx authority to the channel.

    • Display commands

      To process the DSP commands we must grant the user *connect and *admdsp authority to the queue manager, together with any specific option listed:

      • DSPMQM, Display Message Queue Manager
      • DSPMQMAUT, Display IBM MQ Object Authority
      • DSPMQMAUTI, Display IBM MQ Authentication Information - *admdsp to the authentication information object
      • DSPMQMCHL, Display IBM MQ Channel - *admdsp to the channel
      • DSPMQMCSVR, Display IBM MQ Command Server
      • DSPMQMNL, Display IBM MQ Namelist - *admdsp to the namelist
      • DSPMQMOBJN, Display IBM MQ Object Names
      • DSPMQMPRC, Display IBM MQ Process - *admdsp to the process
      • DSPMQMQ, Display IBM MQ Queue - *admdsp to the queue
      • DSPMQMTOP, Display IBM MQ Topic - *admdsp to the topic

    • Work with commands

      To process the WRK commands and display the options panel we must grant the user *connect and *admdsp authority to the queue manager, together with any specific option listed:

      • WRKMQM, Work with Message Queue Managers
      • WRKMQMAUT, Work with IBM MQ Object Authority
      • WRKMQMAUTD, Work with IBM MQ Object Authority Data
      • WRKMQMAUTI, Work with IBM MQ Authentication Information

      • WRKMQMCHL, Work with IBM MQ Channel This requires the following authorities:

        • *admchg for the Change IBM MQ Channel command.
        • *admclr for the Clear IBM MQ Channel command.
        • *admcrt for the Create and Copy IBM MQ Channel command.
        • *admdlt for the Delete IBM MQ Channel command.
        • *admdsp for the Display IBM MQ Channel command.
        • *ctrl for the Start IBM MQ Channel command.
        • *ctrl for the End IBM MQ Channel command.
        • *ctrl for the Ping IBM MQ Channel command.
        • *ctrlx for the Reset IBM MQ Channel command.
        • *ctrlx for the Resolve IBM MQ Channel command.

      • WRKMQMCHST, Work with IBM MQ Channel Status

        This requires *admdsp authority to the channel.

      • WRKMQMCL, Work with IBM MQ Clusters
      • WRKMQMCLQ, Work with IBM MQ Cluster Queues
      • WRKMQMCLQM, Work with IBM MQ Cluster Queue Manager
      • WRKMQMLSR, Work with IBM MQ Listener
      • WRKMQMMSG, Work with IBM MQ Messages

        This requires *browse authority to the queue

      • WRKMQMNL, Work with IBM MQ Namelists This requires the following authorities:

        • *admchg for the Change IBM MQ Namelist command.
        • *admcrt for the Create and Copy IBM MQ Namelist command.
        • *admdlt for the Delete IBM MQ Namelist command.
        • *admdsp for the Display IBM MQ Namelist command.

      • WRKMQMPRC, Work with IBM MQ Processes This requires the following authorities:

        • *admchg for the Change IBM MQ Process command.
        • *admcrt for the Create and Copy IBM MQ Process command.
        • *admdlt for the Delete IBM MQ Process command.
        • *admdsp for the Display IBM MQ Process command.

      • WRKMQMQ, Work with IBM MQ queues This requires the following authorities:

        • *admchg for the Change IBM MQ Queue command.
        • *admclr for the Clear IBM MQ Queue command.
        • *admcrt for the Create and Copy IBM MQ Queue command.
        • *admdlt for the Delete IBM MQ Queue command.
        • *admdsp for the Display IBM MQ Queue command.

      • WRKMQMQSTS, Work with IBM MQ Queue Status
      • WRKMQMTOP, Work with IBM MQ Topics This requires the following authorities

        • *admchg for the Change IBM MQ Topic command.
        • *admcrt for the Create and Copy IBM MQ Topic command.
        • *admdlt for the Delete IBM MQ Topic command.
        • *admdsp for the Display IBM MQ Topic command.

      • WRKMQMSUB, Work with IBM MQ Subscriptions

    • Other Channel commands

      To process the channel commands we must grant the user the specific authorities listed:

      • ENDMQMCHL, End IBM MQ Channel

        This requires *connect authority to the queue manager and *allmqi authority to the transmission queue associated with the channel.

      • ENDMQMLSR, End IBM MQ Listener

        This requires *connect authority to the queue manager and *ctrl authority to the named listener object.

      • PNGMQMCHL, Ping IBM MQ Channel

        This requires *connect and *inq authority to the queue manager and *ctrl authority to the channel object.

      • RSTMQMCHL, Reset IBM MQ Channel

        This requires *connect authority to the queue manager.

      • STRMQMCHL, Start IBM MQ Channel

        This requires *connect authority to the queue manager and *ctrl authority to the channel object.

      • STRMQMCHLI, Start IBM MQ Channel Initiator

        This requires *connect and *inq authority to the queue manager, and *allmqi authority to the initiation queue associated with the transmission queue of the channel.

      • STRMQMLSR, Start IBM MQ Listener

        This requires *connect authority to the queue manager and *ctrl authority to the named listener object.

    • Other commands:

      To process the following commands we must grant the user the specific authorities listed:

      • CCTMQM, Connect to Message Queue Manager

        This requires no IBM MQ object authority.

      • CHGMQM, Change Message Queue Manager

        This requires *connect and *admchg authority to the queue manager.

      • CHGMQMAUTI, Change IBM MQ Authentication Information

        This requires *connect authority to the queue manager and *admchg and *admdsp authority to the authentication information object.

      • CHGMQMNL, Change IBM MQ Namelist

        This requires *connect authority to the queue manager and *admchg authority to the namelist.

      • CHGMQMPRC, Change IBM MQ Process

        This requires *connect authority to the queue manager and *admchg authority to the process.

      • CHGMQMQ, Change IBM MQ Queue

        This requires *connect authority to the queue manager and *admchg authority to the queue.

      • CLRMQMQ, Clear IBM MQ Queue

        This requires *connect authority to the queue manager and *admclr authority to the queue.

      • CPYMQMAUTI, Copy IBM MQ Authentication Information

        This requires *connect authority to the queue manager and *admdsp authority to the authentication information object and *admcrt authority to the authentication information object class.

      • CPYMQMNL, Copy IBM MQ Namelist

        This requires *connect and *admcrt authority to the queue manager.

      • CPYMQMPRC, Copy IBM MQ Process

        This requires *connect and *admcrt authority to the queue manager.

      • CPYMQMQ, Copy IBM MQ Queue

        This requires *connect and *admcrt authority to the queue manager.

      • CRTMQMAUTI, Create IBM MQ Authentication Information

        This requires *connect authority to the queue manager and *admdsp authority to the authentication information object and *admcrt authority to the authentication information object class.

      • CRTMQMNL, Create IBM MQ Namelist

        This requires *connect and *admcrt authority to the queue manager and *admdsp authority to the default namelist.

      • CRTMQMPRC, Create IBM MQ Process

        This requires *connect and *admcrt authority to the queue manager and *admdsp authority to the default process.

      • CRTMQMQ, Create IBM MQ Queue

        This requires *connect and *admcrt authority to the queue manager and *admdsp authority to the default queue.

      • CVTMQMDTA, Convert IBM MQ Data Type Command

        This requires no IBM MQ object authority.

      • DLTMQMAUTI, Delete IBM MQ Authentication Information

        This requires *connect authority to the queue manager and *ctrlx authority to the authentication information object.

      • DLTMQMNL, Delete IBM MQ Namelist

        This requires *connect authority to the queue manager and *admdlt authority to the namelist.

      • DLTMQMPRC, Delete IBM MQ Process

        This requires *connect authority to the queue manager and *admdlt authority to the process.

      • DLTMQMQ, Delete IBM MQ Queue

        This requires *connect authority to the queue manager and *admdlt authority to the queue.

      • DSCMQM, Disconnect from Message Queue Manager

        This requires no IBM MQ object authority.

      • RFRMQMAUT, Refresh Security

        This requires *connect authority to the queue manager.

      • RFRMQMCL, Refresh Cluster

        This requires *connect authority to the queue manager.

      • RSMMQMCLQM, Resume Cluster Queue Manager

        This requires *connect authority to the queue manager.

      • RSTMQMCL, Reset Cluster

        This requires *connect authority to the queue manager.

      • SPDMQMCLQM, Suspend Cluster Queue Manager

        This requires *connect authority to the queue manager.

Parent topic: IBM MQ authorities on IBM i