setmqaut (set or reset authority)
Purpose
Use the setmqaut command to change the authorizations to a profile, object or class of objects. Authorizations can be granted to, or revoked from, any number of principals or groups.
Syntax
setmqaut [-m queue_manager] -n Profile -t ObjectType [-s ServiceComponent] [-remove]
         {-p PrincipalName | -g GroupName}... {Authorization}...

Square brackets mark optional items, braces mark a required choice, and ... marks items that can be repeated. Each Authorization is one of the following:
MQI authorizations: +altusr -altusr +browse -browse +connect -connect +get -get +inq -inq +put -put +set -set
Context authorizations: +passall -passall +passid -passid +setall -setall +setid -setid
Administration authorizations: +chg -chg +clr -clr +crt -crt +dlt -dlt +dsp -dsp
Generic authorizations: +all -all +alladm -alladm +allmqi -allmqi +none
Overview
Use setmqaut both to set an authorization, that is, give a user group or principal permission to perform an operation, and to reset an authorization, that is, remove the permission to perform an operation. You must specify the user groups and principals to which the authorizations apply, the queue manager, object type, and the profile name identifying the object or objects. You can specify any number of groups and principals in a single command.
In WebSphere MQ for UNIX systems, if you specify a set of authorizations for a principal, the same authorizations are given to all principals in the same primary group.
The authorizations that can be given are categorized as follows:
- Authorizations for issuing MQI calls
- Authorizations for MQI context
- Authorizations for issuing commands for administration tasks
- Generic authorizations
Each authorization to be changed is specified in an authorization list as part of the command. Each item in the list is a string prefixed by + or -. For example, if you include +put in the authorization list, you give authority to issue MQPUT calls against a queue. Alternatively, if you include -put in the authorization list, you remove the authorization to issue MQPUT calls.
Authorizations can be specified in any order provided that they do not clash. For example, specifying allmqi with set causes a clash.
You can specify as many groups or authorizations as you require in a single command.
If a user ID is a member of more than one group, the authorizations that apply are the union of the authorizations of each group to which that user ID belongs.
Required parameters
- -t ObjectType
- The type of object for which to change authorizations.
Possible values are:
- q or queue
- prcs or process
- qmgr
- nl or namelist
- authinfo (for use with SSL channel security)
- -n Profile
- The name of the profile for which to change authorizations. The authorizations apply to all WebSphere MQ objects with names that match the profile name specified. The profile name can be generic, using wildcard characters to specify a range of names as explained in Using OAM generic profiles.
If you give an explicit profile name (without any wildcard characters), the object identified must exist.
This parameter is required, unless you are changing the authorizations of your default queue manager, in which case you must not include it.
Optional parameters
- -m queue_manager
- The name of the queue manager of the object for which to change authorizations. The name can contain up to 48 characters.
This parameter is optional if you are changing the authorizations of your default queue manager.
- -p PrincipalName
- The name of the principal for which to change authorizations.
For WebSphere MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format:
userid@domain
For more information about including domain names on the name of a principal, see "Principals and groups".
You must have at least one principal or group.
- -g GroupName
- The name of the user group for which to change authorizations. You can specify more than one group name, but each name must be prefixed by the -g flag. On Windows systems, you can use only local groups.
- -s ServiceComponent
- The name of the authorization service to which the authorizations apply (if your system supports installable authorization services). This parameter is optional; if you omit it, the authorization update is made to the first installable component for the service.
- -remove
- Removes a profile. The authorizations associated with the profile no longer apply to WebSphere MQ objects with names that match the profile name specified.
- Authorizations
- The authorizations to be given or removed. Each item in the list is prefixed by a + indicating that authority is to be given, or a -, indicating that authority is to be removed.
For example, to give authority to issue an MQPUT call from the MQI, specify +put in the list. To remove authority to issue an MQPUT call, specify -put.
Authorities that can be given to the different object types include:
Authority  Queue  Process  Queue manager  Namelist  Authinfo
all        Yes    Yes      Yes            Yes       Yes
alladm     Yes    Yes      Yes            Yes       Yes
allmqi     Yes    Yes      Yes            Yes       Yes
none       Yes    Yes      Yes            Yes       Yes
altusr     No     No       Yes            No        No
browse     Yes    No       No             No        No
chg        Yes    Yes      Yes            Yes       Yes
clr        Yes    No       No             No        No
connect    No     No       Yes            No        No
crt        Yes    Yes      Yes            Yes       Yes
dlt        Yes    Yes      Yes            Yes       Yes
dsp        Yes    Yes      Yes            Yes       Yes
get        Yes    No       No             No        No
put        Yes    No       No             No        No
inq        Yes    Yes      Yes            Yes       Yes
passall    Yes    No       No             No        No
passid     Yes    No       No             No        No
set        Yes    No       No             No        No
setall     Yes    No       No             No        No
setid      Yes    No       No             No        No
Authorizations for MQI calls
- altusr: Use another user's authority for MQOPEN and MQPUT1 calls.
- browse: Retrieve a message from a queue using an MQGET call with the BROWSE option.
- connect: Connect the application to the specified queue manager using an MQCONN call.
- get: Retrieve a message from a queue using an MQGET call.
- inq: Make an inquiry on a specific queue using an MQINQ call.
- put: Put a message on a specific queue using an MQPUT call.
- set: Set attributes on a queue from the MQI using an MQSET call.
If you open a queue for multiple options, you have to be authorized for each option.
Authorizations for context
- passall: Pass all context on the specified queue. All the context fields are copied from the original request.
- passid: Pass identity context on the specified queue. The identity context is the same as that of the request.
- setall: Set all context on the specified queue. This is used by special system utilities.
- setid: Set identity context on the specified queue. This is used by special system utilities.
Authorizations for commands
- chg: Change the attributes of the specified object.
- clr: Clear the specified queue (PCF Clear queue command only).
- crt: Create objects of the specified type.
- dlt: Delete the specified object.
- dsp: Display the attributes of the specified object.
Authorizations for generic operations
- all: Use all operations applicable to the object.
- alladm: Use all administration operations applicable to the object.
- allmqi: Use all MQI calls applicable to the object.
- none: No authority. Use this to create profiles without authority.
Return codes
- 0: Successful operation
- 36: Invalid arguments supplied
- 40: Queue manager not available
- 49: Queue manager stopping
- 69: Storage not available
- 71: Unexpected error
- 72: Queue manager name error
- 133: Unknown object name
- 145: Unexpected object name
- 146: Object name missing
- 147: Object type missing
- 148: Invalid object type
- 149: Entity name missing
- 150: Authorization specification missing
- 151: Invalid authorization specification
Examples
- This example shows a command that specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager. If the queue does not exist, the command fails.
  setmqaut -m saturn.queue.manager -n orange.queue -t queue -g tango +inq +alladm
  The authorizations are given to user group tango and the associated authorization list specifies that user group tango can:
  - Issue MQINQ calls
  - Perform all administration operations on that object
- In this example, the authorization list specifies that user group foxy:
  - Cannot issue any calls from the MQI to the specified queue
  - Can perform all administration operations on the specified queue
  setmqaut -m saturn.queue.manager -n orange.queue -t queue -g foxy -allmqi +alladm
  If the queue does not exist, the command fails.
- This example gives user1 full access to all queues with names beginning a.b on queue manager qmgr1. The profile is persistent, and will apply to any object with a name that matches the profile name.
  setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all
- This example deletes the specified profile.
  setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove
- This example creates a profile with no authority.
  setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none
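A pre-change review check for setmqaut command lines, added here as an illustration (it is not IBM code and does not call the real command): it applies the page's authority table, syntax rules and clash rule, and flags broad grants. Assumptions: the pairing of each check with a return code follows the descriptions in the return-code list, the clash rule is generalized from the page's single allmqi/set example to alladm, the table's fifth Yes/No column is taken to be authinfo, and * and ? are treated as the wildcard characters.

```python
import shlex

TYPES = {"q": "queue", "queue": "queue", "prcs": "process", "process": "process",
         "qmgr": "qmgr", "nl": "namelist", "namelist": "namelist", "authinfo": "authinfo"}
FLAGS = ("-m", "-n", "-t", "-s", "-p", "-g")
MQI = {"altusr", "browse", "connect", "get", "inq", "put", "set"}
ADM = {"chg", "clr", "crt", "dlt", "dsp"}
# Authority -> object types it applies to, from the page's table (fifth column assumed authinfo).
APPLIES = {a: set(TYPES.values()) for a in
           ("all", "alladm", "allmqi", "none", "chg", "crt", "dlt", "dsp", "inq")}
APPLIES.update({a: {"qmgr"} for a in ("altusr", "connect")})
APPLIES.update({a: {"queue"} for a in ("browse", "clr", "get", "put", "passall",
                                       "passid", "set", "setall", "setid")})

def lint(cmdline):
    """Return [(code, message)]; code is a return code from the page or 'WARN'."""
    args, pairs, auths, remove, out = shlex.split(cmdline)[1:], [], [], False, []
    while args:
        a = args.pop(0)
        if a in FLAGS and args:
            pairs.append((a, args.pop(0)))      # flag followed by its value
        elif a == "-remove":
            remove = True
        elif a[:1] in ("+", "-") and a not in FLAGS:
            auths.append((a[0], a[1:]))         # "+put" -> ("+", "put")
        else:
            out.append((36, f"invalid argument {a!r}"))
    opts = dict(pairs)
    otype = TYPES.get(opts.get("-t"))
    for sign, n in auths:
        if n not in APPLIES or (sign, n) == ("-", "none"):   # syntax has only +none
            out.append((151, f"unknown authorization {sign}{n}"))
        elif otype and otype not in APPLIES[n]:
            out.append((151, f"{n} does not apply to {otype} objects"))
    names = {n for _, n in auths}
    granted = {n for s, n in auths if s == "+"}
    checks = [
        ("-t" not in opts, 147, "object type missing"),
        ("-t" in opts and otype is None, 148, "invalid object type"),
        (not {"-p", "-g"} & set(opts), 149, "no -p or -g given"),
        (not auths and not remove, 150, "authorization list missing"),
        (("allmqi" in names and names & MQI) or ("alladm" in names and names & ADM),
         151, "generic authorization clashes with one it covers"),
        (set("*?") & set(opts.get("-n", "")) and granted & {"all", "alladm"}, "WARN",
         "administrative authority granted on a generic profile"),
        (granted - {"none"} and "-p" in opts, "WARN",
         "-p grant on UNIX systems also applies to the principal's primary group"),
    ]
    return out + [(code, msg) for cond, code, msg in checks if cond]
```

Run over the page's own examples, the tango and -remove commands produce no findings, while the +all grant on a.b.* for user1 produces both warnings.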
Related commands
- dmpmqaut: Dump authority
- dspmqaut: Display authority