Granting authority to put messages to a remote cluster queue

Grant the authority to put messages to a remote cluster queue or set of queues, to each group of users with a business need for it.


To put a message on a remote cluster queue, we can either put it on a local definition of a remote queue, or a fully qualified remote queue. If we are using a local definition of a remote queue, we need authority to put to the local object: see Granting authority to put messages to a local queue. If we are using a fully qualified remote queue, we need authority to put to the remote queue. Grant this authority using the appropriate commands for the operating system.

The default behavior is to perform access control against the SYSTEM.CLUSTER.TRANSMIT.QUEUE. This behavior applies even if we are using multiple transmission queues.

The specific behavior described in this topic applies only when the ClusterQueueAccessControl attribute in the qm.ini file has been set to RQMName, as described in the Security stanza topic, and the queue manager has been restarted.

On the following platforms, we can also use the SET AUTHREC command:

  • IBM i
  • Linux
  • UNIX
  • Windows

Note: On IBM MQ Appliance we can use only the SET AUTHREC command.


Procedure

  • For UNIX, Linux, and Windows systems, issue the following command:
    setmqaut -m QMgrName -t rqmname -n ObjectProfile -g GroupName +put
    

    Note that we can use the rqmname object for remote cluster queues only.

  • For IBM i, issue the following command:
    GRTMQMAUT OBJTYPE(*RMTMQMNAME) OBJ('ObjectProfile') USER(GroupName) AUT(*PUT) MQMNAME('QMgrName')
    

    Note that we can use the RMTMQMNAME object for remote cluster queues only.

  • For z/OS, issue the following commands:
    RDEFINE MQQUEUE QMgrName.ObjectProfile UACC(NONE)
    PERMIT QMgrName.QUEUE.ObjectProfile CLASS(MQQUEUE) ID(GroupName) ACCESS(UPDATE)
    

    Note that we can use the name of the remote queue manager (or queue sharing group) for remote cluster queues only.

    The variable names have the following meanings:

      QMgrName
      The name of the queue manager. On z/OS, this value can also be the name of a queue sharing group.

      ObjectProfile
      The name of the remote queue manager or generic profile for which to change authorizations.

      GroupName
      The name of the group to be granted access.
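
One way to check the ClusterQueueAccessControl precondition before issuing the UNIX, Linux, and Windows grant, as an added example that is not IBM's code: it reads a qm.ini file, reports the configured mode, and emits the setmqaut command only when the mode is RQMName. The names QM1, QM2 and appgrp and the sample file contents are constructed; the stanza layout and the Xmitq name for the default mode are assumptions.

```shell
#!/bin/sh
# Added example. Assumes standard qm.ini layout: "Name:" stanza headers in
# column 1, followed by attribute=value lines.

# Print the ClusterQueueAccessControl value from the Security stanza.
# Prints "Xmitq" when unset (assumed name of the default mode, in which
# checks are made against SYSTEM.CLUSTER.TRANSMIT.QUEUE).
cluster_acl_mode() {
    awk '
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[A-Za-z][A-Za-z0-9]*:[ \t]*$/ {             # stanza header
            in_sec = ($0 ~ /^Security:/); next
        }
        in_sec && /^[ \t]*ClusterQueueAccessControl[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); mode = $0
        }
        END { print (mode == "" ? "Xmitq" : mode) }
    ' "$1"
}

# Emit the grant command only if rqmname profiles are actually consulted.
# Args: qm.ini path, QMgrName, ObjectProfile, GroupName.
# The file shows configured state only; the queue manager must also have
# been restarted since the attribute was set.
grant_remote_put() {
    mode=$(cluster_acl_mode "$1")
    if [ "$mode" != "RQMName" ]; then
        echo "ClusterQueueAccessControl=$mode: puts are checked against" \
             "SYSTEM.CLUSTER.TRANSMIT.QUEUE, not rqmname profiles" >&2
        return 1
    fi
    echo "setmqaut -m $2 -t rqmname -n $3 -g $4 +put"
}

# Constructed sample files (not from a real queue manager).
SAMPLE_DIR=$(mktemp -d)
printf 'Log:\n   LogType=CIRCULAR\nSecurity:\n   ClusterQueueAccessControl=RQMName\n' \
    > "$SAMPLE_DIR/rqm.ini"
printf 'Log:\n   LogType=CIRCULAR\n' > "$SAMPLE_DIR/default.ini"

grant_remote_put "$SAMPLE_DIR/rqm.ini" QM1 QM2 appgrp
grant_remote_put "$SAMPLE_DIR/default.ini" QM1 QM2 appgrp || true
```

The function prints the command rather than running it, so the output can be reviewed before it is executed on the queue manager host.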
