+

Search Tips | Advanced Search

Granting limited administrative access to some channels

Grant partial administrative access to some channels on a queue manager, to each group of users with a business need for it.


About this task

To grant limited administrative access to some channels for some actions, use the appropriate commands for the operating system. On the following platforms, we can also use the SET AUTHREC command:

  • IBM i
  • Linux
  • UNIX
  • Windows

Note: On IBM MQ Appliance we can use only the SET AUTHREC command.


Procedure

  • On UNIX, Linux, and Windows: 
    setmqaut -m QMgrName -n ObjectProfile -t channel -g GroupName ReqdAction
  • On IBM i: 
    GRTMQMAUT OBJ(' ObjectProfile ') OBJTYPE(*CHL) USER(GroupName) AUT(ReqdAction) MQMNAME(' QMgrName ')
  • On z/OS : 
    RDEFINE MQADMIN QMgrName.CHANNEL. ObjectProfile UACC(NONE)
PERMIT QMgrName.CHANNEL. ObjectProfile CLASS(MQADMIN) ID(GroupName) ACCESS(ALTER)
    These commands grant access to the specified channel. To determine which MQSC commands the user can perform on the channel, issue the following commands for each MQSC command: 
    RDEFINE MQCMDS QMgrName. ReqdAction.CHANNEL UACC(NONE)
PERMIT QMgrName. ReqdAction.CHANNEL CLASS(MQCMDS) ID(GroupName) ACCESS(ALTER)
    To permit the user to use the DISPLAY CHANNEL command, issue the following commands: 
    RDEFINE MQCMDS QMgrName.DISPLAY.CHANNEL UACC(NONE)
PERMIT QMgrName.DISPLAY.CHANNEL CLASS(MQCMDS) ID(GroupName) ACCESS(READ)
    The variable names have the following meanings:

      QMgrName
      The name of the queue manager.

      On z/OS, this value can also be the name of a queue sharing group.

      ObjectProfile
      The name of the object or generic profile for which to change authorizations.

      GroupName
      The name of the group to be granted access.

      ReqdAction
      The action we are allowing the group to take:

      • On UNIX, Linux, and Windows, any combination of the following authorizations: +chg, +clr, +crt, +dlt, +dsp. +ctrl, +ctrlx. The authorization +alladm is equivalent to +chg +clr +dlt +dsp.
      • On IBM i, any combination of the following authorizations: *ADMCHG, *ADMCLR, *ADMCRT, *ADMDLT, *ADMDSP, *CTRL, *CTRLx. The authorization *ALLADM is equivalent to all these individual authorizations.
      • On z/OS, one of the values ALTER, CLEAR, DEFINE, DELETE, or MOVE.

Parent topic: Granting required access to resources

Last updated: 2020-10-04