How authorizations work

 

---

Overview

The authorization specification tables below define how authorizations work and the restrictions that apply. The tables apply to these situations:

• Applications that issue MQI calls
• Administration programs that issue MQSC commands as escape PCFs
• Administration programs that issue PCF commands

 

Authorizations for MQI calls

An application is allowed to issue specific MQI calls and options only if the user identifier under which it is running (or whose authorizations it is able to assume) has been granted the relevant authorization.

Four MQI calls might require authorization checks: MQCONN, MQOPEN, MQPUT1, and MQCLOSE.

For MQOPEN and MQPUT1, the authority check is made on the name of the object being opened, and not on the name, or names, resulting after a name has been resolved. For example, an application might be granted authority to open an alias queue without having authority to open the base queue to which the alias resolves. The rule is that the check is carried out on the first definition encountered during the process of resolving a name that is not a queue manager alias, unless the queue manager alias definition is opened directly; that is, its name appears in the ObjectName field of the object descriptor. Authority is always needed for the object being opened. In some cases additional queue-independent authority, obtained through an authorization for the queue manager object, is required.

Table 8, Table 9, Table 10, and Table 11 summarize the authorizations needed for each call. In the tables Not applicable means that authorization checking is not relevant to this operation; No check means that no authorization checking is performed.

Note:

You will find no mention of namelists or authentication information objects in these tables. This is because none of the authorizations apply to these objects, except for MQOO_INQUIRE, for which the same authorizations apply as for the other objects.

The special authorization MQZAO_ALL_MQI includes all the authorizations in the tables that are relevant to the object type, except MQZAO_DELETE and MQZAO_DISPLAY, which are classed as administration authorizations.

 

Table 8. Security authorization needed for MQCONN calls

Authorization required for:	Queue object (1)	Process object	Queue manager object
MQCONN	Not applicable	Not applicable	MQZAO_CONNECT

 

Table 9. Security authorization needed for MQOPEN calls

Authorization required for:	Queue object (1)	Process object	Queue manager object
MQOO_INQUIRE	MQZAO_INQUIRE	MQZAO_INQUIRE	MQZAO_INQUIRE
MQOO_BROWSE	MQZAO_BROWSE	Not applicable	No check
MQOO_INPUT_*	MQZAO_INPUT	Not applicable	No check
MQOO_SAVE_ ALL_CONTEXT (2)	MQZAO_INPUT	Not applicable	Not applicable
MQOO_OUTPUT (Normal queue) (3)	MQZAO_OUTPUT	Not applicable	Not applicable
MQOO_PASS_ IDENTITY_CONTEXT (4)	MQZAO_PASS_ IDENTITY_CONTEXT	Not applicable	No check
MQOO_PASS_ALL_ CONTEXT (4, 5)	MQZAO_PASS _ALL_CONTEXT	Not applicable	No check
MQOO_SET_ IDENTITY_CONTEXT (4, 5)	MQZAO_SET_ IDENTITY_CONTEXT	Not applicable	MQZAO_SET_ IDENTITY_CONTEXT (6)
MQOO_SET_ ALL_CONTEXT (4, 7)	MQZAO_SET_ ALL_CONTEXT	Not applicable	MQZAO_SET_ ALL_CONTEXT (6)
MQOO_OUTPUT (Transmission queue) (8)	MQZAO_SET_ ALL_CONTEXT	Not applicable	MQZAO_SET_ ALL_CONTEXT (6)
MQOO_SET	MQZAO_SET	Not applicable	No check
MQOO_ALTERNATE_ USER_AUTHORITY	(9)	(9)	MQZAO_ALTERNATE_ USER_AUTHORITY (9, 10)

 

Table 10. Security authorization needed for MQPUT1 calls

Authorization required for:	Queue object (1)	Process object	Queue manager object
MQPMO_PASS_ IDENTITY_CONTEXT	MQZAO_PASS_ IDENTITY_CONTEXT (11)	Not applicable	No check
MQPMO_PASS_ALL _CONTEXT	MQZAO_PASS_ ALL_CONTEXT (11)	Not applicable	No check
MQPMO_SET_ IDENTITY_CONTEXT	MQZAO_SET_ IDENTITY_CONTEXT (11)	Not applicable	MQZAO_SET_ IDENTITY_CONTEXT (6)
MQPMO_SET_ ALL_CONTEXT	MQZAO_SET_ ALL_CONTEXT (11)	Not applicable	MQZAO_SET_ ALL_CONTEXT (6)
(Transmission queue) (8)	MQZAO_SET_ ALL_CONTEXT	Not applicable	MQZAO_SET_ ALL_CONTEXT (6)
MQPMO_ALTERNATE_ USER_AUTHORITY	(12)	Not applicable	MQZAO_ALTERNATE_ USER_AUTHORITY (10)

 

Table 11. Security authorization needed for MQCLOSE calls

Authorization required for:	Queue object (1)	Process object	Queue manager object
MQCO_DELETE	MQZAO_DELETE (13)	Not applicable	Not applicable
MQCO_DELETE _PURGE	MQZAO_DELETE (13)	Not applicable	Not applicable

Notes for the tables:

1. If opening a model queue:

   • MQZAO_DISPLAY authority is needed for the model queue, in addition to the authority to open the model queue for the type of access for which you are opening.

   • MQZAO_CREATE authority is not needed to create the dynamic queue.

   • The user identifier used to open the model queue is automatically granted all the queue-specific authorities (equivalent to MQZAO_ALL) for the dynamic queue created.

2. MQOO_INPUT_* must also be specified. This is valid for a local, model, or alias queue.

3. This check is performed for all output cases, except transmission queues (see note 8).

4. MQOO_OUTPUT must also be specified.

5. MQOO_PASS_IDENTITY_CONTEXT is also implied by this option.

6. This authority is required for both the queue manager object and the particular queue.

7. MQOO_PASS_IDENTITY_CONTEXT, MQOO_PASS_ALL_CONTEXT, and MQOO_SET_IDENTITY_CONTEXT are also implied by this option.

8. This check is performed for a local or model queue that has a Usage queue attribute of MQUS_TRANSMISSION, and is being opened directly for output. It does not apply if a remote queue is being opened (either by specifying the names of the remote queue manager and remote queue, or by specifying the name of a local definition of the remote queue).

9. At least one of MQOO_INQUIRE (for any object type), or MQOO_BROWSE, MQOO_INPUT_*, MQOO_OUTPUT, or MQOO_SET (for queues) must also be specified. The check carried out is as for the other options specified, using the supplied alternate-user identifier for the specific-named object authority, and the current application authority for the MQZAO_ALTERNATE_USER_IDENTIFIER check.

10. This authorization allows any AlternateUserId to be specified.

11. An MQZAO_OUTPUT check is also carried out if the queue does not have a Usage queue attribute of MQUS_TRANSMISSION.

12. The check carried out is as for the other options specified, using the supplied alternate-user identifier for the specific-named queue authority, and the current application authority for the MQZAO_ALTERNATE_USER_IDENTIFIER check.

13. The check is carried out only if both of the following are true:

    • A permanent dynamic queue is being closed and deleted.

    • The queue was not created by the MQOPEN call that returned the object handle being used.

    Otherwise, there is no check.

 

Authorizations for MQSC commands in escape PCFs

Table 12 summarizes the authorizations needed for each MQSC command contained in Escape PCF.

Not applicable means that authorization checking is not relevant to this operation.

The user ID under which the program that submits the command is running must also have the following authorities:

• MQZAO_CONNECT authority to the queue manager

• DISPLAY authority on the queue manager in order to perform PCF commands

• Authority to issue the MQSC command within the text of the Escape PCF command

 

Table 12. MQSC commands and security authorization needed

Authorization required for:	Queue object	Process object	Queue manager object	Namelist object	Authentication information object
ALTER object	MQZAO_CHANGE	MQZAO_CHANGE	MQZAO_CHANGE	MQZAO_CHANGE	MQZAO_CHANGE
CLEAR QLOCAL	MQZAO_CLEAR	Not applicable	Not applicable	Not applicable	Not applicable
DEFINE object NOREPLACE (1)	MQZAO_CREATE (2)	MQZAO_CREATE (2)	Not applicable	MQZAO_CREATE (2)	MQZAO_CREATE (2)
DEFINE object REPLACE (1, 3)	MQZAO_CHANGE	MQZAO_CHANGE	Not applicable	MQZAO_CHANGE	MQZAO_CHANGE
DELETE object	MQZAO_DELETE	MQZAO_DELETE	Not applicable	MQZAO_DELETE	MQZAO_DELETE
DISPLAY object	MQZAO_DISPLAY	MQZAO_DISPLAY	MQZAO_DISPLAY	MQZAO_DISPLAY	MQZAO_DISPLAY

Notes for Table 12:

1. For DEFINE commands, MQZAO_DISPLAY authority is also needed for the LIKE object if one is specified, or on the appropriate SYSTEM.DEFAULT.xxx object if LIKE is omitted.

2. The MQZAO_CREATE authority is not specific to a particular object or object type. Create authority is granted for all objects for a specified queue manager, by specifying an object type of QMGR on the setmqaut command.

3. This applies if the object to be replaced already exists. If it does not, the check is as for DEFINE object NOREPLACE.

 

Authorizations for PCF commands

Table 13 summarizes the authorizations needed for each PCF command.

No check means that no authorization checking is carried out; Not applicable means that authorization checking is not relevant to this operation.

The user ID under which the program that submits the command is running must also have the following authorities:

• MQZAO_CONNECT authority to the queue manager

• DISPLAY authority on the queue manager in order to perform PCF commands

The special authorization MQZAO_ALL_ADMIN includes all the authorizations in Table 13 that are relevant to the object type, except MQZAO_CREATE, which is not specific to a particular object or object type

 

Table 13. PCF commands and security authorization needed

Authorization required for:	Queue object	Process object	Queue manager object	Namelist object	Authentication information object
Change object	MQZAO_CHANGE	MQZAO_CHANGE	MQZAO_CHANGE	MQZAO_CHANGE	MQZAO_CHANGE
Clear Queue	MQZAO_CLEAR	Not applicable	Not applicable	Not applicable	Not applicable
Copy object (without replace) (1)	MQZAO_CREATE (2)	MQZAO_CREATE (2)	Not applicable	MQZAO_CREATE (2)	MQZAO_CREATE (2)
Copy object (with replace) (1, 4)	MQZAO_CHANGE	MQZAO_CHANGE	Not applicable	MQZAO_CHANGE	MQZAO_CHANGE
Create object (without replace) (3)	MQZAO_CREATE (2)	MQZAO_CREATE (2)	Not applicable	MQZAO_CREATE (2)	MQZAO_CREATE (2)
Create object (with replace) (3, 4)	MQZAO_CHANGE	MQZAO_CHANGE	Not applicable	MQZAO_CHANGE	MQZAO_CHANGE
Delete object	MQZAO_DELETE	MQZAO_DELETE	Not applicable	MQZAO_DELETE	MQZAO_DELETE
Inquire object	MQZAO_DISPLAY	MQZAO_DISPLAY	MQZAO_DISPLAY	MQZAO_DISPLAY	MQZAO_DISPLAY
Inquire object names	No check	No check	No check	No check	No check
Reset queue statistics	MQZAO_DISPLAY and MQZAO_CHANGE	Not applicable	Not applicable	Not applicable	Not applicable

Notes:

1. For Copy commands, MQZAO_DISPLAY authority is also needed for the From object.

2. The MQZAO_CREATE authority is not specific to a particular object or object type. Create authority is granted for all objects for a specified queue manager, by specifying an object type of QMGR on the setmqaut command.

3. For Create commands, MQZAO_DISPLAY authority is also needed for the appropriate SYSTEM.DEFAULT.* object.

4. This applies if the object to be replaced already exists. If it does not, the check is as for Copy or Create without replace.