Granting WebSphere MQ authorities to WebSphere MQ objects

WebSphere MQ for iSeries categorizes the product's CL commands into two groups:

Group 1

Users must be in the QMQMADM user group, or have *ALLOBJ authority, to process these commands. Users having either of these authorities can process all commands in all categories without requiring any extra authority.
Note:
These authorities override any OAM authority.

These commands can be grouped as follows:

  • Command Server Commands

    • ENDMQMCSVR, End WebSphere MQ Command Server

    • STRMQMCSVR, Start WebSphere MQ Command Server

  • Dead-Letter Queue Handler Command

    • STRMQMDLQ, Start WebSphere MQ Dead-Letter Queue Handler

  • Media Recovery Commands

    • RCDMQMIMG, Record WebSphere MQ Object Image

    • RCRMQMOBJ, Recreate WebSphere MQ Object

    • WRKMQMTRN, Work with WebSphere MQ Transactions

  • Queue Manager Commands

    • CRTMQM, Create Message Queue Manager

    • DLTMQM, Delete Message Queue Manager

    • ENDMQM, End Message Queue Manager

    • STRMQM, Start Message Queue Manager

  • Security Commands

    • GRTMQMAUT, Grant WebSphere MQ Object Authority

    • RVKMQMAUT, Revoke WebSphere MQ Object Authority

  • Trace Command

    • TRCMQM, Trace WebSphere MQ Job

  • Transaction Commands

    • RSVMQMTRN, Resolve WebSphere MQ Transaction

  • Trigger Monitor Commands

    • STRMQMTRM, Start Trigger Monitor

  • WebSphere MQSC Commands

    • RUNMQSC, Run WebSphere MQSC Commands

    • STRMQMMQSC, Start WebSphere MQSC Commands

Group 2

The rest of the commands, for which two levels of authority are required:

  1. OS/400 authority to run the command. A WebSphere MQ administrator sets this using the GRTOBJAUT command to override the *PUBLIC(*EXCLUDE) restriction for a user or group of users.

    For example:

    GRTOBJAUT OBJ(DSPMQMQ) OBJTYPE(*CMD) USER(MQUSER) AUT(*USE)

  2. WebSphere MQ authority to manipulate the WebSphere MQ objects associated with the command, or commands, given the correct OS/400 authority in Step 1.

    This authority is controlled by the user having the appropriate OAM authority for the required action, set by a WebSphere MQ administrator using the GRTMQMAUT command.

    For example:

    CHGMQMQ: *connect authority to the queue manager and *admchg authority to the queue.
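The two levels put together for one command, as an added example that is not taken from the original documentation: a CL program (hypothetical; the parameter names and the use of a program wrapper are assumptions) that gives a single user only what CHGMQMQ needs on one queue, then displays the resulting OAM authorities with DSPMQMAUT so the grant can be checked before the user is told about it.

```cl
/* Added example: least-privilege set-up for CHGMQMQ on one queue.    */
/* Parameters (assumed names): user profile, queue name, queue manager. */
PGM PARM(&USER &QUEUE &QMGR)
  DCL VAR(&USER)  TYPE(*CHAR) LEN(10)
  DCL VAR(&QUEUE) TYPE(*CHAR) LEN(48)
  DCL VAR(&QMGR)  TYPE(*CHAR) LEN(48)

  /* Level 1: OS/400 authority to run the command object itself.       */
  /* The command is *PUBLIC(*EXCLUDE) by default; *USE is all that is  */
  /* needed to call it. Library resolves through the library list,     */
  /* as in the DSPMQMQ example in the text.                            */
  GRTOBJAUT OBJ(CHGMQMQ) OBJTYPE(*CMD) USER(&USER) AUT(*USE)

  /* Level 2: OAM authority on the MQ objects the command touches.     */
  /* CHGMQMQ needs *CONNECT on the queue manager ...                   */
  GRTMQMAUT OBJ(&QMGR) OBJTYPE(*MQM) USER(&USER) AUT(*CONNECT) +
            MQMNAME(&QMGR)
  /* ... and *ADMCHG on the one queue, not *ALL and not OBJ(*ALL).     */
  GRTMQMAUT OBJ(&QUEUE) OBJTYPE(*LCLQ) USER(&USER) AUT(*ADMCHG) +
            MQMNAME(&QMGR)

  /* Check: the spooled output should list exactly *ADMCHG for &USER.  */
  /* Anything more means an earlier, broader grant is still in place.  */
  DSPMQMAUT OBJ(&QUEUE) OBJTYPE(*LCLQ) USER(&USER) OUTPUT(*PRINT) +
            MQMNAME(&QMGR)
ENDPGM
```

Members of QMQMADM or users with *ALLOBJ bypass both levels, so the DSPMQMAUT check is only meaningful for a user outside that group.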

The commands can be grouped as follows:

  • Authentication Information Commands

  • Channel Commands

    • CHGMQMCHL, Change WebSphere MQ Channel

    • CPYMQMCHL, Copy WebSphere MQ Channel

    • CRTMQMCHL, Create WebSphere MQ Channel

    • DLTMQMCHL, Delete WebSphere MQ Channel

    • RSVMQMCHL, Resolve WebSphere MQ Channel

  • Display commands

    To process the DSP commands, grant the user *connect and *admdsp authority to the queue manager, together with any specific authority listed:

    • DSPMQM, Display Message Queue Manager

    • DSPMQMAUT, Display WebSphere MQ Object Authority

    • DSPMQMAUTI, Display WebSphere MQ Authentication Information

    • DSPMQMCHL, Display WebSphere MQ Channel

    • DSPMQMCSVR, Display WebSphere MQ Command Server

    • DSPMQMNL, Display WebSphere MQ Namelist - *admdsp authority to the namelist

    • DSPMQMOBJN, Display WebSphere MQ Object Names

    • DSPMQMPRC, Display WebSphere MQ Process - *admdsp authority to the process

    • DSPMQMQ, Display WebSphere MQ Queue - *admdsp authority to the queue

  • Work with commands

    To process the WRK commands and display the options panel, grant the user *connect and *admdsp authority to the queue manager, together with any specific authority listed:

    • WRKMQM, Work with Message Queue Managers

    • WRKMQMAUT, Work with WebSphere MQ Object Authority

    • WRKMQMAUTD, Work with WebSphere MQ Object Authority Data

    • WRKMQMAUTI, Work with WebSphere MQ Authentication Information

    • WRKMQMCHL, Work with WebSphere MQ Channel

    • WRKMQMCHST, Work with WebSphere MQ Channel Status

    • WRKMQMCL, Work with WebSphere MQ Clusters

    • WRKMQMCLQM, Work with WebSphere MQ Cluster Queue Manager

    • WRKMQMLSR, Work with WebSphere MQ Listener

    • WRKMQMMSG, Work with WebSphere MQ Messages

      This requires *browse authority to the queue.

    • WRKMQMNL, Work with WebSphere MQ Namelists

      This requires the following authorities:

      • *admchg for the Change WebSphere MQ Namelist command.

      • *admcpy for the Copy WebSphere MQ Namelist command.

      • *admcrt for the Create WebSphere MQ Namelist command.

      • *admdlt for the Delete WebSphere MQ Namelist command.

      • *admdsp for the Display WebSphere MQ Namelist command.

    • WRKMQMPRC, Work with WebSphere MQ Processes

      This requires the following authorities:

      • *admchg for the Change WebSphere MQ Process command.

      • *admcpy for the Copy WebSphere MQ Process command.

      • *admcrt for the Create WebSphere MQ Process command.

      • *admdlt for the Delete WebSphere MQ Process command.

      • *admdsp for the Display WebSphere MQ Process command.

    • WRKMQMQ, Work with WebSphere MQ queues

      This requires the following authorities:

      • *admchg for the Change WebSphere MQ Queue command.

      • *admclr for the Clear WebSphere MQ Queue command.

      • *admcpy for the Copy WebSphere MQ Queue command.

      • *admcrt for the Create WebSphere MQ Queue command.

      • *admdlt for the Delete WebSphere MQ Queue command.

      • *admdsp for the Display WebSphere MQ Queue command.

    • WRKMQMQSTS, Work with WebSphere MQ Queue Status

  • Other Channel commands

    To process the channel commands, grant the user the specific authorities listed:

    • ENDMQMCHL, End WebSphere MQ Channel

      This requires *connect authority to the queue manager and *allmqi authority to the transmission queue associated with the channel.

    • ENDMQMLSR, End WebSphere MQ Listener

      This requires no WebSphere MQ object authority.

    • PNGMQMCHL, Ping WebSphere MQ Channel

      This requires *connect and *inq authority to the queue manager.

    • RSTMQMCHL, Reset WebSphere MQ Channel

      This requires *connect authority to the queue manager.

    • STRMQMCHL, Start WebSphere MQ Channel

      This requires *connect authority to the queue manager and *allmqi authority to the transmission queue associated with the channel.

    • STRMQMCHLI, Start WebSphere MQ Channel Initiator

      This requires *connect and *inq authority to the queue manager, and *allmqi authority to the initiation queue associated with the transmission queue of the channel.

    • STRMQMLSR, Start WebSphere MQ Listener

      This requires no WebSphere MQ object authority.

  • Other commands:

    To process the following commands, grant the user the specific authorities listed:

    • CCTMQM, Connect to Message Queue Manager

      This requires no WebSphere MQ object authority.

    • CHGMQM, Change Message Queue Manager

      This requires *connect and *admchg authority to the queue manager.

    • CHGMQMNL, Change WebSphere MQ Namelist

      This requires *connect authority to the queue manager and *admchg authority to the namelist.

    • CHGMQMPRC, Change WebSphere MQ Process

      This requires *connect authority to the queue manager and *admchg authority to the process.

    • CHGMQMQ, Change WebSphere MQ Queue

      This requires *connect authority to the queue manager and *admchg authority to the queue.

    • CLRMQMQ, Clear WebSphere MQ Queue

      This requires *connect authority to the queue manager and *admchg authority to the queue.

    • CPYMQMNL, Copy WebSphere MQ Namelist

      This requires *connect and *admcrt authority to the queue manager.

    • CPYMQMPRC, Copy WebSphere MQ Process

      This requires *connect and *admcrt authority to the queue manager.

    • CPYMQMQ, Copy WebSphere MQ Queue

      This requires *connect and *admcrt authority to the queue manager.

    • CRTMQMNL, Create WebSphere MQ Namelist

      This requires *connect and *admcrt authority to the queue manager and *admdsp authority to the default namelist.

    • CRTMQMPRC, Create WebSphere MQ Process

      This requires *connect and *admcrt authority to the queue manager and *admdsp authority to the default process.

    • CRTMQMQ, Create WebSphere MQ Queue

      This requires *connect and *admcrt authority to the queue manager and *admdsp authority to the default queue.

    • CVTMQMDTA, Convert WebSphere MQ Data Type Command

      This requires no WebSphere MQ object authority.

    • DLTMQMNL, Delete WebSphere MQ Namelist

      This requires *connect authority to the queue manager and *admdlt authority to the namelist.

    • DLTMQMPRC, Delete WebSphere MQ Process

      This requires *connect authority to the queue manager and *admdlt authority to the process.

    • DLTMQMQ, Delete WebSphere MQ Queue

      This requires *connect authority to the queue manager and *admdlt authority to the queue.

    • DSCMQM, Disconnect from Message Queue Manager

      This requires no WebSphere MQ object authority.

    • RFRMQMAUT, Refresh Security

      This requires *connect authority to the queue manager.

    • RFRMQMCL, Refresh Cluster

      This requires *connect authority to the queue manager.

    • RSMMQMCLQM, Resume Cluster Queue Manager

      This requires *connect authority to the queue manager.

    • RSTMQMCL, Reset Cluster

      This requires *connect authority to the queue manager.

    • SPDMQMCLQM, Suspend Cluster Queue Manager

      This requires *connect authority to the queue manager.

 

Access authorizations

Authorizations defined by the AUT keyword on the GRTMQMAUT and RVKMQMAUT commands fall into four categories. The following tables list the authorities, by AUT value, for MQI calls, context calls, MQSC and PCF commands, and generic operations.

Table 4. Authorizations for MQI calls

  AUT        Description
  *ALTUSR    Allow another user's authority to be used for MQOPEN and MQPUT1 calls.
  *BROWSE    Retrieve a message from a queue by issuing an MQGET call with the BROWSE option.
  *CONNECT   Connect the application to the specified queue manager by issuing an MQCONN call.
  *GET       Retrieve a message from a queue by issuing an MQGET call.
  *INQ       Make an inquiry on a specific queue by issuing an MQINQ call.
  *PUT       Put a message on a specific queue by issuing an MQPUT call.
  *SET       Set attributes on a queue from the MQI by issuing an MQSET call.

If you open a queue for multiple options, you must be authorized for each of them.

Table 5. Authorizations for context calls

  AUT        Description
  *PASSALL   Pass all context on the specified queue. All the context fields are copied from the original request.
  *PASSID    Pass identity context on the specified queue. The identity context is the same as that of the request.
  *SETALL    Set all context on the specified queue. This is used by special system utilities.
  *SETID     Set identity context on the specified queue. This is used by special system utilities.

Table 6. Authorizations for MQSC and PCF calls

  AUT        Description
  *ADMCHG    Change the attributes of the specified object.
  *ADMCLR    Clear the specified queue (PCF Clear queue command only).
  *ADMCRT    Create objects of the specified type.
  *ADMDLT    Delete the specified object.
  *ADMDSP    Display the attributes of the specified object.

Table 7. Authorizations for generic operations

  AUT        Description
  *ALL       Use all operations applicable to the object.
  *ALLADM    Perform all administration operations applicable to the object.
  *ALLMQI    Use all MQI calls applicable to the object.
  *CTRL      Control startup and shutdown of channels, listeners, and services.
  *CTRLX     Reset sequence number and resolve indoubt channels.

 

Using the GRTMQMAUT command

Provided that you have the required authorization, you can use the GRTMQMAUT command to grant a user profile or user group authorization to access a particular object. The following examples illustrate how the GRTMQMAUT command is used:

  1. GRTMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) +
              AUT(*BROWSE *PUT) MQMNAME('saturn.queue.manager')

    In this example:

    • RED.LOCAL.QUEUE is the object name.

    • *LCLQ (local queue) is the object type.

    • GROUPA is the name of a user profile on the system whose authorizations are to change. This can be used as a group profile for other users.

    • *BROWSE and *PUT are the authorizations being granted to the specified queue.

      *BROWSE adds authorization to browse messages on the queue (to issue MQGET with the browse option).

      *PUT adds authorization to put (MQPUT) messages on the queue.

    • saturn.queue.manager is the queue manager name.

  2. The following command grants to users JACK and JILL all applicable authorizations, to all process definitions, for the default queue manager.

        GRTMQMAUT OBJ(*ALL) OBJTYPE(*PRC) USER(JACK JILL) AUT(*ALL)

  3. The following commands grant user GEORGE authority to put a message on the queue ORDERS, on the queue manager TRENT.

      GRTMQMAUT OBJ(TRENT) OBJTYPE(*MQM) USER(GEORGE) AUT(*CONNECT) MQMNAME(TRENT)
      GRTMQMAUT OBJ(ORDERS) OBJTYPE(*Q) USER(GEORGE) AUT(*PUT) MQMNAME(TRENT)

 

Using the RVKMQMAUT command

Provided that you have the required authorization, you can use the RVKMQMAUT command to remove a previously granted authorization of a user profile or user group to access a particular object. The following examples illustrate how the RVKMQMAUT command is used:

  1.     RVKMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) +
         AUT(*PUT) MQMNAME('saturn.queue.manager')

    The authority to put messages to the specified queue, which was granted in the previous example, is removed for GROUPA.

  2.     RVKMQMAUT OBJ(PAY*) OBJTYPE(*Q) USER(*PUBLIC) AUT(*GET) +
         MQMNAME(PAYROLLQM)

    Authority to get messages from any queue whose name starts with the characters PAY, owned by queue manager PAYROLLQM, is removed from all users of the system unless they, or a group to which they belong, have been separately authorized.

 

Using the DSPMQMAUT command

The display MQM authority (DSPMQMAUT) command shows, for the specified object and user, the list of authorizations that the user has for the object. The following example illustrates how the command is used:

    DSPMQMAUT OBJ(ADMINNL) OBJTYPE(*NMLIST) USER(JOE) OUTPUT(*PRINT) +
    MQMNAME(ADMINQM)

 

Using the RFRMQMAUT command

The refresh MQM security (RFRMQMAUT) command enables you to update the OAM's authorization group information immediately, reflecting changes made at the operating system level, without needing to stop and restart the queue manager. The following example illustrates how the command is used:

    RFRMQMAUT MQMNAME(ADMINQM)