Use OAM generic profiles on UNIX, Linux, and Windows
Use OAM generic profiles to set, in a single operation, a user's privileges for many objects, rather than issuing separate setmqaut or SET AUTHREC commands against each individual object when it is created. Note that on IBM MQ Appliance you can use only the SET AUTHREC command.
Using generic profiles in the setmqaut or SET AUTHREC commands enables you to set a generic authority for all objects that fit that profile.
This collection of topics describes the use of generic profiles in more detail.
Use wildcard characters in OAM profiles
What makes a profile generic is the use of special characters (wildcard characters) in the profile name. For example, the question mark (?) wildcard character matches any single character in a name. So, if you specify ABC.?EF, the authorization you give to that profile applies to any objects with the names ABC.DEF, ABC.CEF, ABC.BEF, and so on.
The wildcard characters available are:
- ?
  Use the question mark (?) instead of any single character. For example, AB.?D applies to the objects AB.CD, AB.ED, and AB.FD.
- *
  Use the asterisk (*) as:
  - A qualifier in a profile name to match any one qualifier in an object name. A qualifier is the part of an object name delimited by a period. For example, in ABC.DEF.GHI, the qualifiers are ABC, DEF, and GHI.
    For example, ABC.*.JKL applies to the objects ABC.DEF.JKL and ABC.GHI.JKL. (Note that it does not apply to ABC.JKL; * used in this context always indicates one qualifier.)
  - A character within a qualifier in a profile name to match zero or more characters within the qualifier in an object name.
    For example, ABC.DE*.JKL applies to the objects ABC.DE.JKL, ABC.DEF.JKL, and ABC.DEGH.JKL.
- **
  Use the double asterisk (**) once in a profile name as:
  - The entire profile name to match all object names. For example, if you use -t prcs to identify processes, then use ** as the profile name, you change the authorizations for all processes.
  - Either the beginning, middle, or ending qualifier in a profile name to match zero or more qualifiers in an object name. For example, **.ABC identifies all objects with the final qualifier ABC.
Note: When using wildcard characters on UNIX and Linux systems, you must enclose the profile name in single quotation marks.
Profile priorities
An important point to understand when using generic profiles is the priority that profiles are given when deciding what authorities to apply to an object being created. For example, suppose that you have issued the commands:
    setmqaut -n AB.* -t q +put -p fred
    setmqaut -n AB.C* -t q +get -p fred
The first gives put authority to all queues for the principal fred with names that match the profile AB.*; the second gives get authority to the same types of queue that match the profile AB.C*.
Suppose that you now create a queue called AB.CD. According to the rules for wildcard matching, either setmqaut could apply to that queue. So, does it have put or get authority?
To find the answer, you apply the rule that, whenever multiple profiles can apply to an object, only the most specific applies. The way that you apply this rule is by comparing the profile names from left to right. Wherever they differ, a non-generic character is more specific than a generic character. So, in this example, the queue AB.CD has get authority (AB.C* is more specific than AB.*).
When you are comparing generic characters, the order of specificity is:
- ?
- *
- **
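The matching and priority rules above, modelled in Python as an added example (not IBM's OAM code and not part of the original page). It implements only the rules as this page states them; the function names and the record layout (one entity, one object type) are assumptions, and profiles that tie under the left-to-right comparison are outside what the page defines.

```python
import re

# Specificity rank per the page: literal character, then ?, then *, then **.
_RANK = {"?": 1, "*": 2, "**": 3}

def _qualifier_matches(pattern, qualifier):
    # Inside one qualifier: ? is any single character, * is zero or more.
    rx = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, qualifier) is not None

def profile_matches(profile, name):
    p, n = profile.split("."), name.split(".")

    def walk(i, j):
        if i == len(p):
            return j == len(n)
        if p[i] == "**":  # zero or more whole qualifiers
            return any(walk(i + 1, k) for k in range(j, len(n) + 1))
        return (j < len(n) and _qualifier_matches(p[i], n[j])
                and walk(i + 1, j + 1))

    return walk(0, 0)

def specificity(profile):
    # Left-to-right rank tuple; the smaller tuple is the more specific profile.
    return tuple(_RANK.get(t, 0) for t in re.findall(r"\*\*|.", profile))

def effective_record(records, name):
    # records: {profile: set of authorities} for ONE entity and object type.
    hits = [p for p in records if profile_matches(p, name)]
    if not hits:
        return None
    best = min(hits, key=specificity)
    return best, records[best]

# Constructed sample: the two setmqaut grants for principal fred from the page.
FRED_QUEUES = {"AB.*": {"put"}, "AB.C*": {"get"}}

if __name__ == "__main__":
    for q in ("AB.CD", "AB.XY", "AB.C.D"):
        print(q, effective_record(FRED_QUEUES, q))
```

For AB.CD the result is get only: the put granted through the broader AB.* profile is not merged in, because only the most specific profile applies.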
Dumping profile settings
For a full definition of the dmpmqaut control command and its syntax, see dmpmqaut.
For a full definition of the DISPLAY AUTHREC MQSC command and its syntax, see DISPLAY AUTHREC.
For a full definition of the MQCMD_INQUIRE_AUTH_RECS PCF command and its syntax, see Inquire Authority Records.
The following examples show the use of the dmpmqaut control command to dump authority records for generic profiles:
- This example dumps all authority records with a profile that matches queue a.b.c for principal user1.
      dmpmqaut -m qm1 -n a.b.c -t q -p user1
  The resulting dump looks something like this:
      profile: a.b.*
      object type: queue
      entity: user1
      type: principal
      authority: get, browse, put, inq
  Note: Although users on UNIX and Linux can use the -p option for the dmpmqaut command, they must use -g groupname instead when defining authorizations.
- This example dumps all authority records with a profile that matches queue a.b.c.
      dmpmqaut -m qmgr1 -n a.b.c -t q
  The resulting dump looks something like this:
      profile: a.b.c
      object type: queue
      entity: Administrator
      type: principal
      authority: all
      - - - - - - - - - - - - - - - - -
      profile: a.b.*
      object type: queue
      entity: user1
      type: principal
      authority: get, browse, put, inq
      - - - - - - - - - - - - - - - - -
      profile: a.**
      object type: queue
      entity: group1
      type: group
      authority: get
- This example dumps all authority records for profile a.b.*, of type queue.
      dmpmqaut -m qmgr1 -n a.b.* -t q
  The resulting dump looks something like this:
      profile: a.b.*
      object type: queue
      entity: user1
      type: principal
      authority: get, browse, put, inq
- This example dumps all authority records for queue manager qmX.
      dmpmqaut -m qmX
  The resulting dump looks something like this:
      profile: q1
      object type: queue
      entity: Administrator
      type: principal
      authority: all
      - - - - - - - - - - - - - - - - -
      profile: q*
      object type: queue
      entity: user1
      type: principal
      authority: get, browse
      - - - - - - - - - - - - - - - - -
      profile: name.*
      object type: namelist
      entity: user2
      type: principal
      authority: get
      - - - - - - - - - - - - - - - - -
      profile: pr1
      object type: process
      entity: group1
      type: group
      authority: get
- This example dumps all profile names and object types for queue manager qmX.
      dmpmqaut -m qmX -l
  The resulting dump looks something like this:
      profile: q1, type: queue
      profile: q*, type: queue
      profile: name.*, type: namelist
      profile: pr1, type: process
Note: For IBM MQ for Windows only, all principals displayed include domain information, for example:
      profile: a.b.*
      object type: queue
      entity: user1@domain1
      type: principal
      authority: get, browse, put, inq
Use the dmpmqaut control command, the DISPLAY AUTHREC MQSC command, or the MQCMD_INQUIRE_AUTH_RECS PCF command to dump the current authorizations associated with a specified profile. Note that on IBM MQ Appliance you can use only the DISPLAY AUTHREC command.