Granting read-only access to all resources on a queue manager

Grant read-only access to all the resources on a queue manager, to each user or group of users with a business need for it.


Use the Add Role Based Authorities wizard or the appropriate commands for the operating system. On the following platforms, we can also use the SET AUTHREC command:

  • IBM i
  • Linux
  • UNIX
  • Windows

Note: On IBM MQ Appliance we can use only the SET AUTHREC command.


Procedure

  • Using the wizard:
    1. In the IBM MQ Explorer Navigator pane, right-click the queue manager and click Object Authorities > Add Role Based Authorities. The Add Role Based Authorities wizard opens.

  • For UNIX and Windows systems, issue the following commands:
    setmqaut -m QMgrName -n ** -t queue -g GroupName +browse +dsp
    setmqaut -m QMgrName -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g GroupName +dsp +inq +put
    setmqaut -m QMgrName -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g GroupName +dsp +inq +get +put
    setmqaut -m QMgrName -n ** -t topic -g GroupName +dsp
    setmqaut -m QMgrName -n ** -t channel -g GroupName +dsp +inq
    setmqaut -m QMgrName -n ** -t clntconn -g GroupName +dsp
    setmqaut -m QMgrName -n ** -t authinfo -g GroupName +dsp
    setmqaut -m QMgrName -n ** -t listener -g GroupName +dsp
    setmqaut -m QMgrName -n ** -t namelist -g GroupName +dsp
    setmqaut -m QMgrName -n ** -t process -g GroupName +dsp
    setmqaut -m QMgrName -n ** -t service -g GroupName +dsp
    setmqaut -m QMgrName -t qmgr -g GroupName +dsp +inq +connect
    
    The specific authorities to SYSTEM.ADMIN.COMMAND.QUEUE and SYSTEM.MQEXPLORER.REPLY.MODEL are necessary only if we want to use the IBM MQ Explorer.
  • For IBM i, issue the following commands:
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*Q) USER('GroupName') AUT(*ADMDSP *BROWSE) MQMNAME('QMgrName')
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*TOPIC) USER('GroupName') AUT(*ADMDSP) MQMNAME('QMgrName')
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*CHL) USER('GroupName') AUT(*ADMDSP *INQ) MQMNAME('QMgrName')
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*CLTCN) USER('GroupName') AUT(*ADMDSP) MQMNAME('QMgrName')
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*AUTHINFO) USER('GroupName') AUT(*ADMDSP) MQMNAME('QMgrName')
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*LSR) USER('GroupName') AUT(*ADMDSP) MQMNAME('QMgrName')
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*NMLIST) USER('GroupName') AUT(*ADMDSP) MQMNAME('QMgrName')
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*PRC) USER('GroupName') AUT(*ADMDSP) MQMNAME('QMgrName')
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*SVC) USER('GroupName') AUT(*ADMDSP) MQMNAME('QMgrName')
    GRTMQMAUT OBJ('object-name') OBJTYPE(*MQM) USER('GroupName') AUT(*ADMDSP *CONNECT *INQ) MQMNAME('QMgrName')
    
  • For z/OS, issue the following commands:
    RDEFINE MQQUEUE QMgrName.** UACC(NONE)
    PERMIT QMgrName.** CLASS(MQQUEUE) ID(GroupName) ACCESS(READ)
    RDEFINE MQTOPIC QMgrName.** UACC(NONE)
    PERMIT QMgrName.** CLASS(MQTOPIC) ID(GroupName) ACCESS(READ)
    RDEFINE MQPROC QMgrName.** UACC(NONE)
    PERMIT QMgrName.** CLASS(MQPROC) ID(GroupName) ACCESS(READ)
    RDEFINE MQNLIST QMgrName.** UACC(NONE)
    PERMIT QMgrName.** CLASS(MQNLIST) ID(GroupName) ACCESS(READ)
    RDEFINE MQCONN QMgrName.BATCH UACC(NONE)
    PERMIT QMgrName.BATCH CLASS(MQCONN) ID(GroupName) ACCESS(READ)
    RDEFINE MQCONN QMgrName.CICS UACC(NONE)
    PERMIT QMgrName.CICS CLASS(MQCONN) ID(GroupName) ACCESS(READ)
    RDEFINE MQCONN QMgrName.IMS UACC(NONE)
    PERMIT QMgrName.IMS CLASS(MQCONN) ID(GroupName) ACCESS(READ)
    RDEFINE MQCONN QMgrName.CHIN UACC(NONE)
    PERMIT QMgrName.CHIN CLASS(MQCONN) ID(GroupName) ACCESS(READ)
    
    The variable names have the following meanings:

      QMgrName
      The name of the queue manager.
      On z/OS, this value can also be the name of a queue sharing group.

      GroupName
      The name of the group to be granted access.
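
To check that a grant script written for GroupName stays within the read-only authorities listed in the setmqaut commands above, the following added example (not IBM's code and not part of the original page) parses setmqaut lines and reports any authority beyond that set. The queue manager QM1, group mqview and queue APP.ORDERS are constructed sample values, and the function names are hypothetical.

```python
import shlex

# Read-only baseline per object type, copied from the setmqaut commands above.
BASELINE = {t: {"dsp"} for t in ("topic", "clntconn", "authinfo", "listener",
                                 "namelist", "process", "service")}
BASELINE.update(queue={"browse", "dsp"}, channel={"dsp", "inq"},
                qmgr={"dsp", "inq", "connect"})
# Extra queue authorities the page lists for IBM MQ Explorer use only.
EXPLORER = {"SYSTEM.ADMIN.COMMAND.QUEUE": {"dsp", "inq", "put"},
            "SYSTEM.MQEXPLORER.REPLY.MODEL": {"dsp", "inq", "get", "put"}}

def parse(line):
    """Split one setmqaut command into (profile, objtype, group, granted)."""
    tok = shlex.split(line)            # also strips shell quotes around '**'
    opts, granted, i = {}, set(), 1
    while i < len(tok):
        if tok[i] in ("-m", "-n", "-t", "-g", "-p") and i + 1 < len(tok):
            opts[tok[i]] = tok[i + 1]
            i += 1                     # skip the option's value
        elif tok[i].startswith("+"):   # "+auth" grants; "-auth" revokes
            granted.add(tok[i][1:].lower())
        i += 1
    return opts.get("-n", ""), opts.get("-t", ""), opts.get("-g"), granted

def audit(lines, group):
    """Return (profile, objtype, excess) for each grant beyond read-only."""
    findings = []
    for line in lines:
        if not line.lstrip().startswith("setmqaut "):
            continue
        profile, objtype, grp, granted = parse(line)
        if grp != group:
            continue
        allowed = BASELINE.get(objtype, set())  # unknown type: flag everything
        if objtype == "queue" and profile in EXPLORER:
            allowed = EXPLORER[profile]
        excess = granted - allowed
        if excess:
            findings.append((profile, objtype, sorted(excess)))
    return findings

# Constructed sample input: queue manager QM1, group mqview, queue APP.ORDERS.
SAMPLE = [
    "setmqaut -m QM1 -n '**' -t queue -g mqview +browse +dsp",
    "setmqaut -m QM1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g mqview +dsp +inq +put",
    "setmqaut -m QM1 -n APP.ORDERS -t queue -g mqview +browse +dsp +get",
    "setmqaut -m QM1 -t qmgr -g mqview +dsp +inq +connect +alladm",
]
if __name__ == "__main__":
    print(audit(SAMPLE, "mqview"))
```

The sample lines quote the ** profile so that a UNIX shell would not expand it as a file pattern; an object type that is not in the baseline is reported in full rather than silently accepted.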
