Work with and without authority profiles on IBM i
Use this information to learn how to work with authority profiles and how to work without authority profiles.
We can work with authority profiles, as explained in Work with authority profiles, or without them, as explained here:
To work without authority profiles, use *NONE as an Authority parameter on GRTMQMAUT to create profiles without authority. This leaves any existing profiles unchanged.
On RVKMQMAUT, use *REMOVE as an Authority parameter to remove an existing authority profile.
Work with authority profiles
There are two commands associated with authority profiling:We can access these commands directly from the command line, or from the WRKMQM panel by:
- Typing in the queue manager name and pressing the Enter key to access the WRKMQM results panel.
- Selecting F23=More options on this panel.
Option 24 selects the results panel for the WRKMQMAUT command and option 25 selects the WRKMQMAUTI command, which is used with the SSL bindings layer.
WRKMQMAUT
This command allows you to work with the authority data held in the authority queue. Note: To run this command we must have *connect and *admdsp authority to the queue manager. However, to create or delete a profile, we need QMQMADM authority.If you output the information to the screen, a list of authority profile names, together with their types, is displayed. If you print the output, you receive a detailed list of all the authority data, the registered users, and their authorities.
Entering an object or profile name on this panel, and pressing ENTER takes you to the results panel for WRKMQMAUT .
If you select 4=Delete, you go to a new panel from which we can confirm that we want to delete all the user names registered to the generic authority profile name you specify. This option runs RVKMQMAUT with the option *REMOVE for all the users, and applies only to generic profile names.
If you select 12=Work with profile you go to the WRKMQMAUTD command results panel, as explained in WRKMQMAUTD.
WRKMQMAUTD
This command allows you to display all the users registered with a particular authority profile name and object type. To run this command we must have *connect and *admdsp authority to the queue manager. However, to grant, run, create, or delete a profile we need QMQMADM authority.
Selecting F24=More keys from the initial input panel, followed by option F9=All Parameters displays the Service Component Name as for GRTMQMAUT and RVKMQMAUT.
Note: The F11=Display Object Authorizations key toggles between the following types of authorities:
- Object authorizations
- Context authorizations
- MQI authorizations
The options on the screen are:
- 2=Grant
- Takes you to the GRTMQMAUT panel to add to the current authorities.
- 3=Revoke
- Takes you to the RVKMQMAUT panel to remove some of the current definitions
- 4=Delete
- Takes you to a panel that allows you to delete the authority data for specified users. This runs RVKMQMAUT with the option *REMOVE.
- 5=Display
- Takes you to the existing DSPMQMAUT command
- F6=Create
- Takes you to the GRTMQMAUT panel that allows you to create a profile authority record.
Parent topic: Set up security on IBM i