Granting limited administrative access to a queue manager
Grant partial administrative access to a queue manager, to each group of users with a business need for it.
To grant limited administrative access to perform some actions on the queue manager, use
the appropriate commands for the operating system. On the following platforms, we can also use the
SET AUTHREC command:
- IBM i
- Linux
- UNIX
- Windows
Note: On IBM MQ Appliance we can use
only the SET AUTHREC command.
Procedure
-
On UNIX, Linux, and Windows:
setmqaut -m QMgrName -n ObjectProfile -t qmgr -g GroupName ReqdAction
-
On IBM i:
GRTMQMAUT OBJ(' ObjectProfile ') OBJTYPE(*MQM) USER(GroupName) AUT(ReqdAction) MQMNAME(' QMgrName ')
-
On z/OS :
To determine which MQSC commands we can perform on the queue manager, issue the following
commands for each MQSC command:
RDEFINE MQCMDS QMgrName. ReqdAction.QMGR UACC(NONE) PERMIT QMgrName. ReqdAction.QMGR CLASS(MQCMDS) ID(GroupName) ACCESS(ALTER)
To permit the user to use the DISPLAY QMGR command, issue the following commands:RDEFINE MQCMDS QMgrName.DISPLAY.QMGR UACC(NONE) PERMIT QMgrName.DISPLAY.QMGR CLASS(MQCMDS) ID(GroupName) ACCESS(READ)
The variable names have the following meanings:- QMgrName
- The name of the queue manager.
- ObjectProfile
- The name of the object or generic profile for which to change authorizations.
- GroupName
- The name of the group to be granted access.
- ReqdAction
- The action we are allowing the group to take:
- On UNIX, Linux, and Windows, any combination of the following authorizations: +chg, +clr, +crt, +dlt, +dsp. The
authorization +alladm is equivalent to +chg +clr +dlt +dsp.
Although +set is an MQI authorization and not normally considered administrative, granting +set on the queue manager can indirectly lead to full administrative authority. Do not grant +set to ordinary users and applications.
- On IBM i, any combination of the following authorizations: *ADMCHG, *ADMCLR, *ADMCRT, *ADMDLT, *ADMDSP. The authorization *ALLADM is equivalent to all these individual authorizations.
- On UNIX, Linux, and Windows, any combination of the following authorizations: +chg, +clr, +crt, +dlt, +dsp. The
authorization +alladm is equivalent to +chg +clr +dlt +dsp.
Parent topic: Granting required access to resources