Granting authority to set context
Grant the authority to set context on a message that is being put, to each group of users with a business need for it.
To grant the authority to set context on some queues, use the appropriate commands for the operating system.
On the following platforms, we can also use the
SET AUTHREC command:
- IBM i
- Linux
- UNIX
- Windows
Note: On IBM MQ Appliance we can use
only the SET AUTHREC command.
Procedure
-
For UNIX, Linux, and Windows systems, issue one of the following commands:
- To set identity context only:
setmqaut -m QMgrName -n ObjectProfile -t queue -g GroupName +setid
- To set all context:
setmqaut -m QMgrName -n ObjectProfile -t queue -g GroupName +setall
Note: To use setid or setall authority, authorizations must be granted on both the appropriate queue object and also on the queue manager object.
- To set identity context only:
-
For IBM i, issue one of the following commands:
- To set identity context only:
GRTMQMAUT OBJ(' ObjectProfile ') OBJTYPE(*Q) USER(GroupName) AUT(*SETID) MQMNAME(' QMgrName ')
- To set all context:
GRTMQMAUT OBJ(' ObjectProfile ') OBJTYPE(*Q) USER(GroupName) AUT(*SETALL) MQMNAME(' QMgrName ')
- To set identity context only:
-
For z/OS, issue one of the following sets of commands:
- To set identity context only:
RDEFINE MQQUEUE QMgrName. ObjectProfile UACC(NONE) PERMIT QMgrName. ObjectProfile CLASS(MQQUEUE) ID(GroupName) ACCESS(UPDATE)
- To set all context:
RDEFINE MQQUEUE QMgrName. ObjectProfile UACC(NONE) PERMIT QMgrName. ObjectProfile CLASS(MQQUEUE) ID(GroupName) ACCESS(CONTROL)
The variable names have the following meanings:
- QMgrName
- The name of the queue manager. On z/OS, this value can also be the name of a queue sharing group.
- ObjectProfile
- The name of the object or generic profile for which to change authorizations.
- GroupName
- The name of the group to be granted access.
- To set identity context only:
Parent topic: Granting required access to resources