Authorization specification tables on IBM i
Use this information to determine what authorization is required to use particular API calls, and particular options of those calls, on queue objects, process objects, and queue manager objects.
The authorization specification tables starting in Table 1 define precisely how the authorizations work and the restrictions that apply. The tables apply to these situations:
- Applications that issue MQI calls
- Administration programs that issue MQSC commands as escape PCFs
- Administration programs that issue PCF commands
In this section, the information is presented as a set of tables that specify the following data:
- Action to be performed: the MQI option, MQSC command, or PCF command.
- Access control object: queue, process definition, queue manager, namelist, channel, client connection channel, listener, service, or authentication information object.
- Authorization required: expressed as an MQZAO_ constant.
In the tables, the constants prefixed by MQZAO_ correspond to the keywords in the authorization list for the GRTMQMAUT and RVKMQMAUT commands for the particular entity. For example, MQZAO_BROWSE corresponds to the keyword *BROWSE; similarly, the constant MQZAO_SET_ALL_CONTEXT corresponds to the keyword *SETALL, and so on. These constants are defined in the header file cmqzc.h, which is supplied with the product.
MQI authorizations
An application is allowed to issue specific MQI calls and options only if the user identifier under which it is running (or whose authorizations it is able to assume) has been granted the relevant authorization.
Four MQI calls require authorization checks: MQCONN, MQOPEN, MQPUT1, and MQCLOSE.
For MQOPEN and MQPUT1, the authority check is made on the name of the object being opened, and not on the name, or names, resulting after a name has been resolved. For example, an application can be granted authority to open an alias queue without having authority to open the base queue to which the alias resolves. The rule is that the check is carried out on the first definition encountered during the process of name resolution that is not a queue manager alias, unless the queue manager alias definition is opened directly; that is, its name appears in the ObjectName field of the object descriptor. Authority is always needed for the particular object being opened; in some cases additional queue-independent authority, obtained through an authorization for the queue manager object, is required.
Table 1, Table 2, Table 3, and Table 4 summarize the authorizations needed for each call.

Note: These tables do not mention namelists, channels, client connection channels, listeners, services, or authentication information objects. This is because none of the authorizations apply to these objects, except for MQOO_INQUIRE, for which the same authorizations apply as for the other objects.

Table 1. Authorizations needed for MQCONN

Authorization required for: | Queue object (1) | Process object | Queue manager object |
---|---|---|---|
MQCONN option | Not applicable | Not applicable | MQZAO_CONNECT |

Table 2. Authorizations needed for MQOPEN

Authorization required for: | Queue object (1) | Process object | Queue manager object |
---|---|---|---|
MQOO_INQUIRE | MQZAO_INQUIRE (2) | MQZAO_INQUIRE (2) | MQZAO_INQUIRE (2) |
MQOO_BROWSE | MQZAO_BROWSE | Not applicable | No check |
MQOO_INPUT_* | MQZAO_INPUT | Not applicable | No check |
MQOO_SAVE_ALL_CONTEXT (3) | MQZAO_INPUT | Not applicable | Not applicable |
MQOO_OUTPUT (Normal queue) (4) | MQZAO_OUTPUT | Not applicable | Not applicable |
MQOO_PASS_IDENTITY_CONTEXT (5) | MQZAO_PASS_IDENTITY_CONTEXT | Not applicable | No check |
MQOO_PASS_ALL_CONTEXT (5, 6) | MQZAO_PASS_ALL_CONTEXT | Not applicable | No check |
MQOO_SET_IDENTITY_CONTEXT (5, 6) | MQZAO_SET_IDENTITY_CONTEXT | Not applicable | MQZAO_SET_IDENTITY_CONTEXT (7) |
MQOO_SET_ALL_CONTEXT (5, 8) | MQZAO_SET_ALL_CONTEXT | Not applicable | MQZAO_SET_ALL_CONTEXT (7) |
MQOO_OUTPUT (Transmission queue) (9) | MQZAO_SET_ALL_CONTEXT | Not applicable | MQZAO_SET_ALL_CONTEXT (7) |
MQOO_SET | MQZAO_SET | Not applicable | No check |
MQOO_ALTERNATE_USER_AUTHORITY | (10) | (10) | MQZAO_ALTERNATE_USER_AUTHORITY (10, 11) |

Table 3. Authorizations needed for MQPUT1

Authorization required for: | Queue object (1) | Process object | Queue manager object |
---|---|---|---|
MQPMO_PASS_IDENTITY_CONTEXT | MQZAO_PASS_IDENTITY_CONTEXT (12) | Not applicable | No check |
MQPMO_PASS_ALL_CONTEXT | MQZAO_PASS_ALL_CONTEXT (12) | Not applicable | No check |
MQPMO_SET_IDENTITY_CONTEXT | MQZAO_SET_IDENTITY_CONTEXT (12) | Not applicable | MQZAO_SET_IDENTITY_CONTEXT (7) |
MQPMO_SET_ALL_CONTEXT | MQZAO_SET_ALL_CONTEXT (12) | Not applicable | MQZAO_SET_ALL_CONTEXT (7) |
(Transmission queue) (9) | MQZAO_SET_ALL_CONTEXT | Not applicable | MQZAO_SET_ALL_CONTEXT (7) |
MQPMO_ALTERNATE_USER_AUTHORITY | (13) | Not applicable | MQZAO_ALTERNATE_USER_AUTHORITY (11) |

Table 4. Authorizations needed for MQCLOSE

Authorization required for: | Queue object (1) | Process object | Queue manager object |
---|---|---|---|
MQCO_DELETE | MQZAO_DELETE (14) | Not applicable | Not applicable |
MQCO_DELETE_PURGE | MQZAO_DELETE (14) | Not applicable | Not applicable |
Notes:
1. If a model queue is being opened:
   - MQZAO_DISPLAY authority is needed for the model queue, in addition to the authority to open the model queue for the type of access for which it is being opened.
   - MQZAO_CREATE authority is not needed to create the dynamic queue.
   - The user identifier used to open the model queue is automatically granted all the queue-specific authorities (equivalent to MQZAO_ALL) for the dynamic queue created.
2. Either the queue, process, namelist, or queue manager object is checked, depending on the type of object being opened.
3. MQOO_INPUT_* must also be specified. This option is valid for a local, model, or alias queue.
4. This check is performed for all output cases, except the case specified in note 9.
5. MQOO_OUTPUT must also be specified.
6. MQOO_PASS_IDENTITY_CONTEXT is also implied by this option.
7. This authority is required for both the queue manager object and the particular queue.
8. MQOO_PASS_IDENTITY_CONTEXT, MQOO_PASS_ALL_CONTEXT, and MQOO_SET_IDENTITY_CONTEXT are also implied by this option.
9. This check is performed for a local or model queue that has a Usage queue attribute of MQUS_TRANSMISSION, and is being opened directly for output. It does not apply if a remote queue is being opened (either by specifying the names of the remote queue manager and remote queue, or by specifying the name of a local definition of the remote queue).
10. At least one of MQOO_INQUIRE (for any object type), or (for queues) MQOO_BROWSE, MQOO_INPUT_*, MQOO_OUTPUT, or MQOO_SET must also be specified. The check carried out is as for the other options specified, using the supplied alternate-user identifier for the specific-named object authority, and the current application authority for the MQZAO_ALTERNATE_USER_AUTHORITY check.
11. This authorization allows any AlternateUserId to be specified.
12. An MQZAO_OUTPUT check is also carried out if the queue does not have a Usage queue attribute of MQUS_TRANSMISSION.
13. The check carried out is as for the other options specified, using the supplied alternate-user identifier for the named queue authority, and the current application authority for the MQZAO_ALTERNATE_USER_AUTHORITY check.
14. The check is carried out only if both of the following statements are true:
   - A permanent dynamic queue is being closed and deleted.
   - The queue was not created by the MQOPEN that returned the object handle being used.
   Otherwise, there is no check.
General notes:
- The special authorization MQZAO_ALL_MQI includes all the following authorizations that are relevant to the object type:
- MQZAO_CONNECT
- MQZAO_INQUIRE
- MQZAO_SET
- MQZAO_BROWSE
- MQZAO_INPUT
- MQZAO_OUTPUT
- MQZAO_PASS_IDENTITY_CONTEXT
- MQZAO_PASS_ALL_CONTEXT
- MQZAO_SET_IDENTITY_CONTEXT
- MQZAO_SET_ALL_CONTEXT
- MQZAO_ALTERNATE_USER_AUTHORITY
- MQZAO_DELETE (see note 14) and MQZAO_DISPLAY are classed as administration authorizations. They are therefore not included in MQZAO_ALL_MQI.
- No check means that no authorization checking is carried out.
- Not applicable means that authorization checking is not relevant to this operation. For example, you cannot issue an MQPUT call to a process object.
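The following C program is an added example, not part of the IBM documentation or of the product's code. It models the MQOPEN rows of Table 2 and notes 3 to 9 as a pure function: given the MQOO_ options requested and whether the target is a transmission queue, it derives the MQZAO_ bits that must be granted on the queue and on the queue manager (note 7), after expanding the options implied by notes 6 and 8, and rejects option combinations that notes 3 and 5 forbid. The OO_ and ZAO_ enumerators and their bit values are local stand-ins chosen for the example, not the definitions in cmqc.h or cmqzc.h.

```c
#include <stdbool.h>
#include <stdint.h>

/* Local stand-ins for the MQOO_ and MQZAO_ flags. The bit values are
 * illustrative placeholders, not those defined in cmqc.h / cmqzc.h. */
enum { OO_INPUT = 1u << 0, OO_BROWSE = 1u << 1, OO_OUTPUT = 1u << 2, OO_INQUIRE = 1u << 3,
       OO_SET = 1u << 4, OO_SAVE_ALL_CONTEXT = 1u << 5, OO_PASS_IDENTITY_CONTEXT = 1u << 6,
       OO_PASS_ALL_CONTEXT = 1u << 7, OO_SET_IDENTITY_CONTEXT = 1u << 8, OO_SET_ALL_CONTEXT = 1u << 9 };
enum { ZAO_BROWSE = 1u << 0, ZAO_INPUT = 1u << 1, ZAO_OUTPUT = 1u << 2, ZAO_INQUIRE = 1u << 3,
       ZAO_SET = 1u << 4, ZAO_PASS_IDENTITY_CONTEXT = 1u << 5, ZAO_PASS_ALL_CONTEXT = 1u << 6,
       ZAO_SET_IDENTITY_CONTEXT = 1u << 7, ZAO_SET_ALL_CONTEXT = 1u << 8 };

#define CONTEXT_OPTS (OO_PASS_IDENTITY_CONTEXT | OO_PASS_ALL_CONTEXT | \
                      OO_SET_IDENTITY_CONTEXT | OO_SET_ALL_CONTEXT)
/* Notes 3 and 5: context options need MQOO_OUTPUT; SAVE_ALL_CONTEXT needs MQOO_INPUT_*. */
bool open_options_valid(uint32_t oo) {
    if ((oo & CONTEXT_OPTS) && !(oo & OO_OUTPUT)) return false;
    if ((oo & OO_SAVE_ALL_CONTEXT) && !(oo & OO_INPUT)) return false;
    return true;
}

/* Table 2 for a queue: MQZAO_ bits the queue (q) and the queue manager (m) must grant. */
void required_for_open(uint32_t oo, bool transmission_q, uint32_t *q, uint32_t *m) {
    *q = 0; *m = 0;
    /* Notes 6 and 8: expand implied options before applying the table rows. */
    if (oo & OO_SET_ALL_CONTEXT)
        oo |= OO_SET_IDENTITY_CONTEXT | OO_PASS_ALL_CONTEXT | OO_PASS_IDENTITY_CONTEXT;
    if (oo & (OO_PASS_ALL_CONTEXT | OO_SET_IDENTITY_CONTEXT)) oo |= OO_PASS_IDENTITY_CONTEXT;
    if (oo & OO_INQUIRE) *q |= ZAO_INQUIRE;
    if (oo & OO_BROWSE)  *q |= ZAO_BROWSE;
    if (oo & (OO_INPUT | OO_SAVE_ALL_CONTEXT)) *q |= ZAO_INPUT;   /* note 3 */
    if (oo & OO_SET)     *q |= ZAO_SET;
    if (oo & OO_OUTPUT) {
        if (transmission_q) { *q |= ZAO_SET_ALL_CONTEXT; *m |= ZAO_SET_ALL_CONTEXT; } /* note 9 */
        else *q |= ZAO_OUTPUT;                                                        /* note 4 */
    }
    if (oo & OO_PASS_IDENTITY_CONTEXT) *q |= ZAO_PASS_IDENTITY_CONTEXT;
    if (oo & OO_PASS_ALL_CONTEXT)      *q |= ZAO_PASS_ALL_CONTEXT;
    /* Note 7: the SET_ context authorities are checked on the queue manager as well. */
    if (oo & OO_SET_IDENTITY_CONTEXT) { *q |= ZAO_SET_IDENTITY_CONTEXT; *m |= ZAO_SET_IDENTITY_CONTEXT; }
    if (oo & OO_SET_ALL_CONTEXT)      { *q |= ZAO_SET_ALL_CONTEXT;      *m |= ZAO_SET_ALL_CONTEXT; }
}

/* Decision: the option set is valid and every required bit is granted on both objects. */
bool open_allowed(uint32_t oo, bool transmission_q, uint32_t q_granted, uint32_t m_granted) {
    uint32_t q, m;
    if (!open_options_valid(oo)) return false;
    required_for_open(oo, transmission_q, &q, &m);
    return (q & ~q_granted) == 0 && (m & ~m_granted) == 0;
}
```

The transmission-queue case shows the point a reviewer of queue permissions most often misses: *OUTPUT on the queue is not enough, *SETALL is needed on both the queue and the queue manager.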
- Authorizations for MQSC commands in escape PCFs on IBM i
  These authorizations allow a user to issue administration commands as an escape PCF message. These methods allow a program to send an administration command as a message to a queue manager, for execution on behalf of that user.
- Authorizations for PCF commands on IBM i
  These authorizations allow a user to issue administration commands as PCF commands. These methods allow a program to send an administration command as a message to a queue manager, for execution on behalf of that user.
Parent topic: Set up security on IBM i