Granting full administrative access to all resources on a queue manager

Grant full administrative access to all the resources on a queue manager, to each user or group of users with a business need for it.

Use the Add Role Based Authorities wizard or the appropriate commands for the operating system. On the following platforms, we can also use the SET AUTHREC command:

• IBM i
• Linux
• UNIX
• Windows

Note: On IBM MQ Appliance we can use only the SET AUTHREC command.

Procedure

• Using the wizard:
  1. In the IBM MQ Explorer Navigator pane, right-click the queue manager and click Object Authorities > Add Role Based Authorities The Add Role Based Authorities wizard opens.

• For UNIX and Linux systems, issue the following commands:

  setmqaut -m QMgrName -n '**' -t queue -g GroupName +alladm +browse
  setmqaut -m QMgrName -n @class -t queue -g GroupName +crt
  setmqaut -m QMgrName -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g GroupName +dsp +inq +put
  setmqaut -m QMgrName -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g GroupName +dsp +inq +get +put
  setmqaut -m QMgrName -n '**' -t topic -g GroupName +alladm
  setmqaut -m QMgrName -n @class -t topic -g GroupName +crt
  setmqaut -m QMgrName -n '**' -t channel -g GroupName +alladm
  setmqaut -m QMgrName -n @class -t channel -g GroupName +crt
  setmqaut -m QMgrName -n '**' -t clntconn -g GroupName +alladm
  setmqaut -m QMgrName -n @class -t clntconn -g GroupName +crt
  setmqaut -m QMgrName -n '**' -t authinfo -g GroupName +alladm
  setmqaut -m QMgrName -n @class -t authinfo -g GroupName +crt
  setmqaut -m QMgrName -n '**' -t listener -g GroupName +alladm
  setmqaut -m QMgrName -n @class -t listener -g GroupName +crt
  setmqaut -m QMgrName -n '**' -t namelist -g GroupName +alladm
  setmqaut -m QMgrName -n @class -t namelist -g GroupName +crt
  setmqaut -m QMgrName -n '**' -t process -g GroupName +alladm
  setmqaut -m QMgrName -n @class -t process -g GroupName +crt
  setmqaut -m QMgrName -n '**' -t service -g GroupName +alladm
  setmqaut -m QMgrName -n @class -t service -g GroupName +crt
  setmqaut -m QMgrName -t qmgr -g GroupName +alladm +connect
  

• For Windows systems, issue the same commands as for UNIX and Linux systems, but using the profile name @CLASS instead of @class.
• For IBM i, issue the following command:

  GRTMQMAUT OBJ(*ALL) OBJTYPE(*ALL) USER(' GroupName ') AUT(*ALLADM) MQMNAME(' QMgrName ')
  

• For z/OS, issue the following commands:

  RDEFINE MQADMIN QMgrName.*.** UACC(NONE)
  PERMIT QMgrName.*.** CLASS(MQADMIN) ID(GroupName) ACCESS(ALTER)
  

  The variable names have the following meanings:

  QMgrName

  The name of the queue manager.

  On z/OS, this value can also be the name of a queue sharing group.

  GroupName

  The name of the group to be granted access.

Parent topic: Granting required access to resources