Use the OAM to control access to objects
Overview
Use setmqaut to give users and groups access to MQ objects. The queue manager must be running to use this command. When you have changed access for a principal, the changes are reflected immediately by the OAM.
To give users access to an object, you need to specify:
- The name of the queue manager that owns the objects you are working with; if you do not specify the name of a queue manager, the default queue manager is assumed.
- The name and type of the object (to identify the object uniquely). You specify the name as a profile; this is either the explicit name of the object, or a generic name, including wildcard characters.
- One or more principals and group names to which the authority applies.
If a user ID contains spaces, enclose it in single quotes when you use this command. If the actual user ID contains an @ symbol, replace this with @@ to show that it is part of the user ID, not the delimiter between the user ID and the domain name.
- A list of authorizations. Each item in the list specifies a type of access that is to be granted to that object (or revoked from it). Each authorization in the list is specified as a keyword, prefixed with a plus sign (+) or a minus sign (-). Use a plus sign to add the specified authorization, and a minus sign to remove the authorization. There must be no spaces between the + or - sign and the keyword.
You can specify any number of authorizations in a single command. For example, the list of authorizations to permit a user or group to put messages on a queue and to browse them, but to revoke access to get messages is:
+browse -get +put
Examples of using the command
The following examples show how to use the setmqaut command to grant and revoke permission to use an object:
setmqaut -m saturn.queue.manager -t queue -n RED.LOCAL.QUEUE -g groupa +browse -get +put
In this example:
- saturn.queue.manager is the queue manager name
- queue is the object type
- RED.LOCAL.QUEUE is the object name
- groupa is the identifier of the group whose authorizations are to change
- +browse -get +put is the authorization list for the specified queue
- +browse adds authorization to browse messages on the queue (to issue MQGET with the browse option)
- -get removes authorization to get (MQGET) messages from the queue
- +put adds authorization to put (MQPUT) messages on the queue
The following command revokes put authority on the queue MyQueue from principal fvuser and from groups groupa and groupb. On UNIX systems, this command also revokes put authority for all principals in the same primary group as fvuser.
setmqaut -m saturn.queue.manager -t queue -n MyQueue -p fvuser -g groupa -g groupb -put
Using the command with a different authorization service
If you are using your own authorization service instead of the OAM, you can specify the name of this service on the setmqaut command to direct the command to this service. You must specify this parameter if you have multiple installable components running at the same time; if you do not, the update is made to the first installable component for the authorization service. By default, this is the supplied OAM.
Using OAM generic profiles
OAM generic profiles enable you to set the authority a user has to many objects at once, rather than having to issue separate setmqaut commands against each individual object when it is created. Using generic profiles in the setmqaut command enables you to set a generic authority for all objects that fit that profile.
The rest of this section describes the use of generic profiles in more detail:
Using wildcard characters
What makes a profile generic is the use of special characters (wildcard characters) in the profile name. For example, the ? wildcard character matches any single character in a name. So, if you specify ABC.?EF, the authorization you give to that profile applies to any objects with the names ABC.DEF, ABC.CEF, ABC.BEF, and so on.
The wildcard characters available are:
- ? (question mark): use instead of any single character. For example, AB.?D would apply to the objects AB.CD, AB.ED, and AB.FD.
- * (asterisk): use as either:
  - A qualifier in a profile name to match any one qualifier in an object name. A qualifier is the part of an object name delimited by a period; for example, in ABC.DEF.GHI, the qualifiers are ABC, DEF, and GHI. So ABC.*.JKL would apply to the objects ABC.DEF.JKL and ABC.GHI.JKL. (Note that it would not apply to ABC.JKL; * used in this context always indicates exactly one qualifier.)
  - A character within a qualifier in a profile name to match zero or more characters within that qualifier in an object name. For example, ABC.DE*.JKL would apply to the objects ABC.DE.JKL, ABC.DEF.JKL, and ABC.DEGH.JKL.
- ** (double asterisk): use once in a profile name as either:
  - The entire profile name, to match all object names. For example, if you use -t prcs to identify processes and then use ** as the profile name, you change the authorizations for all processes.
  - The beginning, middle, or ending qualifier in a profile name, to match zero or more qualifiers in an object name. For example, **.ABC identifies all objects with the final qualifier ABC.
Note: When using wildcard characters on UNIX systems, enclose the profile name in quotes.
Profile priorities
An important point to understand when using generic profiles is the priority that profiles are given when deciding what authorities to apply to an object being created. For example, suppose that you have issued the commands:
setmqaut -n AB.* -t q +put -p fred
setmqaut -n AB.C* -t q +get -p fred
The first gives put authority to all queues for the principal fred with names that match the profile AB.*; the second gives get authority to the same types of queue that match the profile AB.C*.
Suppose that you now create a queue called AB.CD. According to the rules for wildcard matching, either setmqaut could apply to that queue. So, does it have put or get authority?
To find the answer, you apply the rule that, whenever multiple profiles can apply to an object, only the most specific applies. You apply this rule by comparing the profile names from left to right. Wherever they differ, a non-generic character is more specific than a generic character. So, in the example above, the queue AB.CD has get authority (AB.C* is more specific than AB.*).
When you are comparing generic characters, the order of specificity is:
- ?
- *
- **
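The wildcard rules and the most-specific-profile rule above, as an added Python model of how profiles are matched and ranked. This is not IBM's code and not how the OAM is implemented internally; it is reconstructed from the page's description, and the tie-breaking between two literal characters (which the page does not define) is an assumption.

```python
# Added example (not IBM's code): a model of OAM generic-profile matching and
# the "most specific profile wins" rule described on this page, so that the
# effect of a set of setmqaut profiles on a given object name can be predicted
# offline. Corner cases the page does not describe are assumptions.


def _match_qualifier(pattern: str, text: str) -> bool:
    """Match one qualifier: '?' is any single character, '*' is zero or more
    characters within this qualifier (never across a period)."""
    if not pattern:
        return text == ""
    if pattern[0] == "*":
        return any(_match_qualifier(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if text and (pattern[0] == "?" or pattern[0] == text[0]):
        return _match_qualifier(pattern[1:], text[1:])
    return False


def _match_qualifiers(pq: list, nq: list) -> bool:
    """Match lists of qualifiers. A '**' qualifier matches zero or more whole
    qualifiers; a '*' qualifier on its own matches exactly one."""
    if not pq:
        return not nq
    if pq[0] == "**":
        return any(_match_qualifiers(pq[1:], nq[i:]) for i in range(len(nq) + 1))
    if not nq:
        return False
    return _match_qualifier(pq[0], nq[0]) and _match_qualifiers(pq[1:], nq[1:])


def profile_matches(profile: str, object_name: str) -> bool:
    """True if the generic profile applies to the object name."""
    return _match_qualifiers(profile.split("."), object_name.split("."))


_RANK = {"**": 3, "*": 2, "?": 1}  # higher = more generic; literal characters rank 0


def specificity_key(profile: str) -> tuple:
    """Rank the profile's tokens left to right. Comparing keys lexicographically
    implements the page's rule: at the first differing position a literal beats
    '?', which beats '*', which beats '**'. Two differing literals are treated
    as equal (assumption: the page does not order them)."""
    ranks, i = [], 0
    while i < len(profile):
        tok = "**" if profile.startswith("**", i) else profile[i]
        ranks.append(_RANK.get(tok, 0))
        i += len(tok)
    return tuple(ranks)


def effective_authority(records, entity: str, object_name: str) -> set:
    """records: iterable of (profile, entity, authority-set). Returns the
    authority set of the most specific profile matching object_name for the
    given entity, or an empty set when no profile matches."""
    matching = [(p, a) for p, e, a in records
                if e == entity and profile_matches(p, object_name)]
    if not matching:
        return set()
    _, auths = min(matching, key=lambda pa: specificity_key(pa[0]))
    return set(auths)


# Constructed from the page's "Profile priorities" example:
#   setmqaut -n AB.* -t q +put -p fred
#   setmqaut -n AB.C* -t q +get -p fred
PAGE_RECORDS = [
    ("AB.*", "fred", {"put"}),
    ("AB.C*", "fred", {"get"}),
]

if __name__ == "__main__":
    for name in ("AB.CD", "AB.XY"):
        print(name, sorted(effective_authority(PAGE_RECORDS, "fred", name)))
```

Run against the page's own example, AB.CD resolves to get only (AB.C* wins), while AB.XY, which AB.C* does not match, resolves to put. The matcher is useful for reviewing a proposed set of generic profiles before issuing the setmqaut commands, since a broad profile such as a.** can silently be overridden by a narrower one for the same entity.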
Dumping profile settings
The dmpmqaut command enables you to dump the current authorizations associated with a specified profile.
The following examples show the use of dmpmqaut to dump authority records for generic profiles:
- This example dumps all authority records with a profile that matches queue a.b.c for principal user1:
dmpmqaut -m VANCOUVER -n a.b.c -t q -p user1
The resulting dump would look something like this:
profile:     a.b.*
object type: queue
entity:      user1
type:        principal
authority:   get, browse, put, inq
Note: UNIX users cannot use the -p option; they must use -g groupname instead.
- This example dumps all authority records with a profile that matches queue a.b.c:
dmpmqaut -m qmgr1 -n a.b.c -t q
The resulting dump would look something like this:
profile:     a.b.c
object type: queue
entity:      Administrator
type:        principal
authority:   all
- - - - - - - - - - - - - - - - -
profile:     a.b.*
object type: queue
entity:      user1
type:        principal
authority:   get, browse, put, inq
- - - - - - - - - - - - - - - - -
profile:     a.**
object type: queue
entity:      group1
type:        group
authority:   get
- This example dumps all authority records for profile a.b.*, of type queue:
dmpmqaut -m qmgr1 -n a.b.* -t q
The resulting dump would look something like this:
profile:     a.b.*
object type: queue
entity:      user1
type:        principal
authority:   get, browse, put, inq
- This example dumps all authority records for queue manager qmX:
dmpmqaut -m qmX
The resulting dump would look something like this:
profile:     q1
object type: queue
entity:      Administrator
type:        principal
authority:   all
- - - - - - - - - - - - - - - - -
profile:     q*
object type: queue
entity:      user1
type:        principal
authority:   get, browse
- - - - - - - - - - - - - - - - -
profile:     name.*
object type: namelist
entity:      user2
type:        principal
authority:   get
- - - - - - - - - - - - - - - - -
profile:     pr1
object type: process
entity:      group1
type:        group
authority:   get
- This example dumps all profile names and object types for queue manager qmX:
dmpmqaut -m qmX -l
The resulting dump would look something like this:
profile: q1, type: queue
profile: q*, type: queue
profile: name.*, type: namelist
profile: pr1, type: process
For detailed information on the command, see dmpmqaut (dump authority).
Note: For MQ for Windows only, all principals displayed include domain information, for example:
profile:     a.b.*
object type: queue
entity:      user1@domain1
type:        principal
authority:   get, browse, put, inq
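The dump layout shown in the examples above is regular enough to be processed by script, which is how a practitioner would review authority records across many profiles or replicate them to another queue manager. The following is an added Python example, not IBM's code: it parses records in the form dmpmqaut prints, flags those granting the all authority, and builds the equivalent setmqaut command for each record. The sample dump is constructed to mirror the page's qmgr1 example, and the column spacing after each field label is an assumption.

```python
# Added example (not IBM's code): parse the record layout dmpmqaut prints, as
# shown on this page, into structured records, then (a) flag records that grant
# "all" authority and (b) emit the setmqaut command that would recreate each
# record on another queue manager. The sample dump is constructed to mirror the
# page's qmgr1 example; the field spacing is assumed.
import re
from dataclasses import dataclass

SAMPLE_DUMP = """\
profile:     a.b.c
object type: queue
entity:      Administrator
type:        principal
authority:   all
- - - - - - - - - - - - - - - - -
profile:     a.b.*
object type: queue
entity:      user1
type:        principal
authority:   get, browse, put, inq
- - - - - - - - - - - - - - - - -
profile:     a.**
object type: queue
entity:      group1
type:        group
authority:   get
"""

_SEPARATOR = re.compile(r"^(- )+-?$")
_FIELD = re.compile(r"^(profile|object type|entity|type|authority):\s*(.*)$")


@dataclass(frozen=True)
class AuthRecord:
    profile: str
    object_type: str      # queue, process, namelist, ...
    entity: str
    entity_type: str      # "principal" or "group"
    authorities: tuple    # e.g. ("get", "browse") or ("all",)


def _build(fields: dict) -> AuthRecord:
    auths = tuple(a.strip() for a in fields["authority"].split(",") if a.strip())
    return AuthRecord(fields["profile"], fields["object type"],
                      fields["entity"], fields["type"], auths)


def parse_dmpmqaut(text: str) -> list:
    """Split the dump on the dashed separator lines and read key: value fields."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _SEPARATOR.match(line):
            if current:
                records.append(_build(current))
                current = {}
            continue
        m = _FIELD.match(line)
        if m is None:
            raise ValueError(f"unrecognised dmpmqaut line: {line!r}")
        current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(_build(current))
    return records


def grants_all(records) -> list:
    """Records carrying the 'all' authority: worth reviewing, because 'all' on a
    generic profile covers every object that profile matches."""
    return [r for r in records if "all" in r.authorities]


def to_setmqaut(record: AuthRecord, qmgr: str, unix: bool = True) -> str:
    """setmqaut command equivalent to one dump record. As the page notes, a
    profile containing wildcards is quoted on UNIX; groups use -g, principals -p."""
    profile = record.profile
    if unix and any(c in profile for c in "?*"):
        profile = f"'{profile}'"
    flag = "-g" if record.entity_type == "group" else "-p"
    auths = " ".join("+" + a for a in record.authorities)
    return f"setmqaut -m {qmgr} -t {record.object_type} -n {profile} {flag} {record.entity} {auths}"


if __name__ == "__main__":
    recs = parse_dmpmqaut(SAMPLE_DUMP)
    for r in grants_all(recs):
        print("grants all:", r.entity, "on", r.profile)
    for r in recs:
        print(to_setmqaut(r, "qmgr1"))
```

Feed it the output of dmpmqaut -m qmgr captured to a file instead of SAMPLE_DUMP to review a real queue manager. The parser raises on any line it does not recognise rather than skipping it, so a changed output format is noticed instead of silently dropping records.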
Displaying access settings
Use the dspmqaut command to view the authorizations that a specific principal or group has for a particular object. The queue manager must be running to use this command. When you change access for a principal using setmqaut, the changes are reflected immediately by the OAM. The flags have the same meaning as those in the setmqaut command. Authorization can be displayed for only one group or principal at a time. See dspmqaut (display authority) for a formal specification of this command.
For example, the following command displays the authorizations that the group GpAdmin has to a process definition named Annuities on queue manager QueueMan1.
dspmqaut -m QueueMan1 -t process -n Annuities -g GpAdmin
Changing and revoking access to a MQ object
To change the level of access that a user or group has to an object, use the setmqaut command. To revoke the access of a particular user that is a member of a group that has authorization, remove the user from the group, as described in Creating and managing groups.
The user ID that creates a MQ object is granted full control authorities to that object. If you remove this user ID from the local mqm group (or the Administrators group on Windows systems) these authorities are not revoked. Use the setmqaut command to revoke access to an object for the user ID that created it, after removing it from the mqm or Administrators group.
Preventing security access checks
If you decide that you do not want to perform security checks (for example, in a test environment), you can disable the OAM in one of two ways:
- Set the operating system environment variable MQSNOAUT as follows, before you create a queue manager (if you do this, you cannot add an OAM later):
On UNIX systems:
export MQSNOAUT=yes
- Edit the queue manager configuration file to remove the service.