
Use the access authorization commands on IBM i

Use this information to learn about the access authorization commands, and use the command examples.


Use the GRTMQMAUT command

If you have the required authorization, you can use the GRTMQMAUT command to grant a user profile or user group authorization to access a particular object. The following examples illustrate how the GRTMQMAUT command is used:

  1. GRTMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) +
              AUT(*BROWSE *PUT) MQMNAME('saturn.queue.manager')
    
    In this example:

    • RED.LOCAL.QUEUE is the object name.
    • *LCLQ (local queue) is the object type.
    • GROUPA is the name of a user profile on the system for which authorizations are to change. This profile can be used as a group profile for other users.
    • *BROWSE and *PUT are the authorizations being granted to the specified queue.

      *BROWSE adds authorization to browse messages on the queue (to issue MQGET with the browse option).

      *PUT adds authorization to put (MQPUT) messages on the queue.

    • saturn.queue.manager is the queue manager name.

  2. The following command grants to users JACK and JILL all applicable authorizations, to all process definitions, for the default queue manager.
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*PRC) USER(JACK JILL) AUT(*ALL)
    
  3. The following command grants user GEORGE authority to put a message on the queue ORDERS, on the queue manager TRENT.
    GRTMQMAUT OBJ(TRENT) OBJTYPE(*MQM) USER(GEORGE) AUT(*CONNECT) MQMNAME(TRENT)
    GRTMQMAUT OBJ(ORDERS) OBJTYPE(*Q) USER(GEORGE) AUT(*PUT) MQMNAME(TRENT)
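
A pre-review check for scripts of grant commands like those above, as an added example that is not IBM's code: it joins `+` continuation lines, parses each GRTMQMAUT command, and flags grants that use AUT(*ALL), USER(*PUBLIC) or a wildcard OBJ, as example 2 does. The function names and the sample script are constructed for illustration.

```python
import re

# Constructed sample script in the style of the commands on this page.
SAMPLE = """\
GRTMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) +
          AUT(*BROWSE *PUT) MQMNAME('saturn.queue.manager')
GRTMQMAUT OBJ(*ALL) OBJTYPE(*PRC) USER(JACK JILL) AUT(*ALL)
GRTMQMAUT OBJ(PAY*) OBJTYPE(*Q) USER(*PUBLIC) AUT(*GET) MQMNAME(PAYROLLQM)
RVKMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) AUT(*PUT)
"""

PARAM = re.compile(r"(\w+)\(([^)]*)\)")  # KEYWORD(value ...)

def join_continuations(text):
    """Merge lines that end with the '+' continuation character."""
    commands, current = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("+"):
            current += line[:-1].rstrip() + " "
        elif line:
            commands.append(current + line)
            current = ""
    return commands

def parse(command):
    """Return (command name, {keyword: [values]}) for one command."""
    name, _, rest = command.partition(" ")
    params = {k.upper(): v.replace("'", "").split()
              for k, v in PARAM.findall(rest)}
    return name.upper(), params

def audit(text):
    """List (object, users, reasons) for each broad GRTMQMAUT grant."""
    findings = []
    for command in join_continuations(text):
        name, p = parse(command)
        if name != "GRTMQMAUT":  # revokes and other commands are skipped
            continue
        reasons = []
        if "*PUBLIC" in p.get("USER", []):
            reasons.append("granted to *PUBLIC")
        if "*ALL" in p.get("AUT", []):
            reasons.append("AUT(*ALL)")
        if any("*" in obj for obj in p.get("OBJ", [])):
            reasons.append("wildcard OBJ")
        if reasons:
            findings.append((" ".join(p.get("OBJ", [])), p.get("USER", []), reasons))
    return findings

if __name__ == "__main__":
    for obj, users, reasons in audit(SAMPLE):
        print(obj, users, "; ".join(reasons))
```

The narrowly scoped grant to GROUPA passes without a finding; the other two grants are reported for review.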
    


Use the RVKMQMAUT command

If you have the required authorization, you can use the RVKMQMAUT command to remove previously granted authorization of a user profile or user group to access a particular object. The following examples illustrate how the RVKMQMAUT command is used:

  1. RVKMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) +
    AUT(*PUT) MQMNAME('saturn.queue.manager')
    
    The authority to put messages to the specified queue, that was granted in the previous example, is removed for GROUPA.
  2. RVKMQMAUT OBJ(PAY*) OBJTYPE(*Q) USER(*PUBLIC) AUT(*GET) +
    MQMNAME(PAYROLLQM)
    
    Authority to get messages from any queue with a name starting with the characters PAY, owned by queue manager PAYROLLQM, is removed from all users of the system unless they, or a group to which they belong, have been separately authorized.


Use the DSPMQMAUT command

The display MQM authority (DSPMQMAUT) command shows, for the specified object and user, the list of authorizations that the user has for the object. The following example illustrates how the command is used:

    DSPMQMAUT OBJ(ADMINNL) OBJTYPE(*NMLIST) USER(JOE) OUTPUT(*PRINT) +
    MQMNAME(ADMINQM)


Use the RFRMQMAUT command

The refresh MQM security (RFRMQMAUT) command enables you to update the OAM's authorization group information immediately, reflecting changes made at the operating system level, without needing to stop and restart the queue manager. The following example illustrates how the command is used:

    RFRMQMAUT MQMNAME(ADMINQM)

Last updated: 2020-10-04