dspmqaut (display authority)

 

 

Purpose

Use the dspmqaut command to display the current authorizations to a specified object.

If a user ID is a member of more than one group, this command displays the combined authorizations of all the groups.

Only one group or principal can be specified.

For more information about authorization service components, see "Installable services", "Service components", and Chapter 20, Authorization service.

 

Syntax

>>-dspmqaut--+--------------+-- -n ObjectName-- -t ObjectType--->
             '- -m queue_manager-'
 
>--+- -g GroupName-----+--+----------------------+-------------><
   '- -p PrincipalName-'  '- -s ServiceComponent-'
 
 

 

Required parameters

-n ObjectName
The name of a queue manager, queue, or process definition on which to make the inquiry.

You must include this parameter, unless the inquiry relates to the queue manager itself, in which case omit it.

-t ObjectType
The type of object on which to make the inquiry. Possible values are:

queue or q        A queue or queues matching the object name parameter
qmgr              A queue manager object
process or prcs   A process
namelist or nl    A namelist
authinfo          Authentication information object, for use with SSL channel security

 

Optional parameters

-m queue_manager
The name of the queue manager on which to make the inquiry. This parameter is optional if you are displaying the authorizations of your default queue manager.

-g GroupName
The name of the user group on which to make the inquiry. You can specify only one name, which must be the name of an existing user group. On Windows systems, you can use only local groups.

-p PrincipalName
The name of a user for whom to display authorizations to the specified object.

For WebSphere MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format:

userid@domain

For more information about including domain names on the name of a principal, see "Principals and groups".

-s ServiceComponent
If installable authorization services are supported, specifies the name of the authorization service to which the authorizations apply. This parameter is optional; if you omit it, the authorization inquiry is made to the first installable component for the service.

Returned parameters

Returns an authorization list, which can contain none, one, or more authorization values. Each authorization value returned means that any user ID in the specified group or principal has the authority to perform the operation defined by that value.

Table 21 shows the authorities that can be given to the different object types.

Table 21. Security authorities from the dspmqaut command

Authority  Queue  Process  Queue manager  Namelist  Authentication information
all        Yes    Yes      Yes            Yes       Yes
alladm     Yes    Yes      Yes            Yes       Yes
allmqi     Yes    Yes      Yes            Yes       Yes
altusr     No     No       Yes            No        No
browse     Yes    No       No             No        No
chg        Yes    Yes      Yes            Yes       Yes
clr        Yes    No       No             No        No
connect    No     No       Yes            No        No
crt        Yes    Yes      Yes            Yes       Yes
dlt        Yes    Yes      Yes            Yes       Yes
dsp        Yes    Yes      Yes            Yes       Yes
get        Yes    No       No             No        No
inq        Yes    Yes      Yes            Yes       Yes
passall    Yes    No       No             No        No
passid     Yes    No       No             No        No
put        Yes    No       No             No        No
set        Yes    Yes      Yes            No        Yes
setall     Yes    No       Yes            No        No
setid      Yes    No       Yes            No        No

The following list defines the authorizations associated with each value:


all       Use all operations relevant to the object.
alladm    Perform all administration operations relevant to the object.
allmqi    Use all MQI calls relevant to the object.
altusr    Specify an alternate user ID on an MQI call.
browse    Retrieve a message from a queue by issuing an MQGET call with the BROWSE option.
chg       Change the attributes of the specified object, using the appropriate command set.
clr       Clear a queue (PCF command Clear queue only).
connect   Connect the application to the specified queue manager by issuing an MQCONN call.
crt       Create objects of the specified type using the appropriate command set.
dlt       Delete the specified object using the appropriate command set.
dsp       Display the attributes of the specified object using the appropriate command set.
get       Retrieve a message from a queue by issuing an MQGET call.
inq       Make an inquiry on a specific queue by issuing an MQINQ call.
passall   Pass all context.
passid    Pass the identity context.
put       Put a message on a specific queue by issuing an MQPUT call.
set       Set attributes on a queue from the MQI by issuing an MQSET call.
setall    Set all context on a queue.
setid     Set the identity context on a queue.

The authorizations for administration operations, where supported, apply to these command sets:

 

Return codes


0     Successful operation
36    Invalid arguments supplied
40    Queue manager not available
49    Queue manager stopping
69    Storage not available
71    Unexpected error
72    Queue manager name error
133   Unknown object name
145   Unexpected object name
146   Object name missing
147   Object type missing
148   Invalid object type
149   Entity name missing

 

Examples

  • The following example shows a command to display the authorizations on queue manager saturn.queue.manager associated with user group staff:
    dspmqaut -m saturn.queue.manager -t qmgr -g staff
    

    The results from this command are:

    Entity staff has the following authorizations for object:
            get
            browse
            put
            inq
            set
            connect
            altusr
            passid
            passall
            setid
    

  • The following example displays the authorities user1 has for queue a.b.c:
    dspmqaut -m qmgr1 -n a.b.c -t q -p user1
    

    The results from this command are:

    Entity user1 has the following authorizations for object:
            get
            put      
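
One way to use this output in a least-privilege review, as an added example that is not part of the original documentation: the script parses the authorization list in the format shown above and reports every authority that is not in an expected baseline. The function names and the baseline `inq connect` are hypothetical; the embedded sample is the output of the first example on this page.

```shell
#!/bin/sh
# Added example: least-privilege check over dspmqaut output.

# Output of the page's first example (group "staff" on saturn.queue.manager).
sample_output() {
    cat <<'EOF'
Entity staff has the following authorizations for object:
        get
        browse
        put
        inq
        set
        connect
        altusr
        passid
        passall
        setid
EOF
}

# parse_auths: read dspmqaut output on stdin, print one authority per line.
parse_auths() {
    sed -e '/^Entity .* has the following authorizations/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# excess_auths BASELINE: print (space-separated, in displayed order) every
# authority read from stdin that is not in the space-separated BASELINE.
excess_auths() {
    baseline=" $1 "
    extra=""
    for a in $(parse_auths); do
        case "$baseline" in
            *" $a "*) ;;
            *) extra="${extra:+$extra }$a" ;;
        esac
    done
    printf '%s\n' "$extra"
}

# audit_group QMGR GROUP BASELINE: run dspmqaut for a queue manager object and
# report excess authorities; a non-zero dspmqaut return code is passed through.
audit_group() {
    out=$(dspmqaut -m "$1" -t qmgr -g "$2") || return $?
    printf '%s\n' "$out" | excess_auths "$3"
}

# Demo on the embedded sample; BASELINE "inq connect" is a hypothetical policy.
sample_output | excess_auths "inq connect"
```

An empty result means the entity holds nothing beyond the baseline; `audit_group` needs a host where `dspmqaut` is installed and is not called by the demo line.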
    

 

Related commands


dmpmqaut   Dump authority
setmqaut   Set or reset authority

 
