setmqaut (grant or revoke authority)
Purpose
Use the setmqaut command to change the authorizations to a profile, object, or class of objects. Authorizations can be granted to, or revoked from, any number of principals or groups.
For more information about authorization service components, see Installable services, Service components, and Authorization service.
Syntax
>>-setmqaut--+----------------+-- -n --Profile------------------>
             '- -m --QMgrName-'

>-- -t --ObjectType--+------------------------+----------------->
                     '- -s --ServiceComponent-'

     .-------------------------.
     V                         |
>----+- -p --PrincipalName-+-+---------------------------------->
     '- -g --GroupName-----'

     .---------------------------------------.
     V                                       |
>----+-| MQI authorizations |------------+-+-------------------><
     +-| Context authorizations |--------+
     +-| Administration authorizations |-+
     +-| Generic authorizations |--------+
     +- +remove -------------------------+
     '- -remove -------------------------'

MQI authorizations

       .--------------------.
       V                    |
|------+- +altusr --+---+---------------------------------------|
       +- -altusr --+
       +- +browse --+
       +- -browse --+
       +- +connect -+
       +- -connect -+
       +- +get -----+
       +- -get -----+
       +- +inq -----+
       +- -inq -----+
       +- +put -----+
       +- -put -----+
       +- +set -----+
       '- -set -----'

Context authorizations

       .--------------------.
       V                    |
|------+- +passall -+---+---------------------------------------|
       +- -passall -+
       +- +passid --+
       +- -passid --+
       +- +setall --+
       +- -setall --+
       +- +setid ---+
       '- -setid ---'

Administration authorizations

       .------------------.
       V                  |
|------+- +chg ---+---+-----------------------------------------|
       +- -chg ---+
       +- +clr ---+
       +- -clr ---+
       +- +crt ---+
       +- -crt ---+
       +- +dlt ---+
       +- -dlt ---+
       +- +dsp ---+
       +- -dsp ---+
       +- +ctrl --+
       +- -ctrl --+
       +- +ctrlx -+
       '- -ctrlx -'

Generic authorizations

       .-------------------.
       V                   |
|------+- +all ----+---+----------------------------------------|
       +- -all ----+
       +- +alladm -+
       +- -alladm -+
       +- +allmqi -+
       +- -allmqi -+
       '- +none ---'
Description
Use setmqaut both to grant an authorization, that is, give a principal or user group permission to perform an operation, and to revoke an authorization, that is, remove the permission to perform an operation. You must specify the principals and user groups to which the authorizations apply, the queue manager, object type, and the profile name identifying the object or objects.
The authorizations that can be given are categorized as follows:
- Authorizations for issuing MQI calls
- Authorizations for MQI context
- Authorizations for issuing commands for administration tasks
- Generic authorizations
Each authorization to be changed is specified in an authorization list as part of the command. Each item in the list is a string prefixed by a plus sign (+) or a minus sign (-). For example, if you include +put in the authorization list, you grant authority to issue MQPUT calls against a queue. Alternatively, if you include -put in the authorization list, you revoke the authority to issue MQPUT calls.
You can specify any number of principals, user groups, and authorizations in a single command, but you must specify at least one principal or user group.
If a principal is a member of more than one user group, the principal effectively has the combined authorities of all those user groups. On Windows systems, the principal also has all the authorities that have been granted to it explicitly using the setmqaut command.
On UNIX systems, all authorities are held by user groups internally, not by principals. This has the following implications:
- If you use the setmqaut command to grant an authority to a principal, the authority is actually granted to the primary user group of the principal. This means that the authority is effectively granted to all members of that user group.
- If you use the setmqaut command to revoke an authority from a principal, the authority is actually revoked from the primary user group of the principal. This means that the authority is effectively revoked from all members of that user group.
To alter authorizations for a cluster sender channel that has been automatically generated by a repository, see WebSphere MQ Queue Manager Clusters. This book describes how the authority is inherited from a cluster receiver channel object.
Required parameters
- -t ObjectType
- The type of object for which to change authorizations.
Possible values are:
| Value | Object type |
|---|---|
| authinfo | An authentication information object |
| channel or chl | A channel |
| clntconn or clcn | A client connection channel |
| lstr or listener | A listener |
| namelist or nl | A namelist |
| process or prcs | A process |
| queue or q | A queue |
| qmgr | A queue manager |
| srvc or service | A service |

- -n Profile
- The name of the profile for which to change authorizations. The authorizations apply to all WebSphere MQ objects with names that match the profile name specified. The profile name can be generic, using wildcard characters to specify a range of names as explained in Using OAM generic profiles.
If you give an explicit profile name (without any wildcard characters), the object identified must exist.
This parameter is required, unless you are changing the authorizations of a queue manager, in which case do not include it. To change the authorizations of a queue manager, use the queue manager name, for example:
setmqaut -m QMGR -t qmgr -p user1 +connect
where QMGR is the name of the queue manager and user1 is the user requesting the change.
Optional parameters
- -m QMgrName
- The name of the queue manager of the object for which to change authorizations. The name can contain up to 48 characters.
This parameter is optional if you are changing the authorizations of your default queue manager.
- -p PrincipalName
- The name of the principal for which to change authorizations.
For WebSphere MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format:
userid@domain
For more information about including domain names on the name of a principal, see Principals and groups.
You must have at least one principal or group.
- -g GroupName
- The name of the user group for which to change authorizations. You can specify more than one group name, but each name must be prefixed by the -g flag. On Windows systems, you can use only local groups.
- -s ServiceComponent
- The name of the authorization service to which the authorizations apply (if your system supports installable authorization services). This parameter is optional; if you omit it, the authorization update is made to the first installable component for the service.
- +remove or -remove
- Remove the specified profile. The authorizations associated with the profile no longer apply to WebSphere MQ objects with names that match the profile.
This option cannot be used with the option -t qmgr.
- Authorizations
- The authorizations to be granted or revoked. Each item in the list is prefixed by a plus sign (+), indicating that authority is to be granted, or a minus sign (-), indicating that authority is to be revoked.
For example, to grant authority to issue MQPUT calls, specify +put in the list. To revoke the authority to issue MQPUT calls, specify -put.
Table 1 shows the authorities that can be given to the different object types.
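Table 1. Specifying authorities for different object types

| Authority | Queue | Process | Queue manager | Namelist | Auth info | Clntconn | Channel | Listener | Service |
|---|---|---|---|---|---|---|---|---|---|
| all | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| alladm | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| allmqi | Yes | Yes | Yes | Yes | Yes | No | No | No | No |
| none | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| altusr | No | No | Yes | No | No | No | No | No | No |
| browse | Yes | No | No | No | No | No | No | No | No |
| chg | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| clr | Yes | No | No | No | No | No | No | No | No |
| connect | No | No | Yes | No | No | No | No | No | No |
| crt | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ctrl | No | No | No | No | No | No | Yes | Yes | Yes |
| ctrlx | No | No | No | No | No | No | Yes | No | No |
| dlt | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| dsp | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| get | Yes | No | No | No | No | No | No | No | No |
| put | Yes | No | No | No | No | No | No | No | No |
| inq | Yes | Yes | Yes | Yes | Yes | No | No | No | No |
| passall | Yes | No | No | No | No | No | No | No | No |
| passid | Yes | No | No | No | No | No | No | No | No |
| set | Yes | Yes | Yes | No | No | No | No | No | No |
| setall | Yes | No | Yes | No | No | No | No | No | No |
| setid | Yes | No | Yes | No | No | No | No | No | No |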
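A pre-flight review check for setmqaut command lines, added here as an example and not part of the original documentation or of WebSphere MQ: it applies Table 1, the parameter rules above, and the UNIX primary-group behavior to a command before it is run. The function name lint_setmqaut, the unix flag, and the finding texts are assumptions; only * is treated as a wildcard, as in this page's examples.

```python
import shlex
# Table 1 of this page: one flag per object type in TYPES order (Y = applies).
TYPES = ["queue", "process", "qmgr", "namelist", "authinfo",
         "clntconn", "channel", "listener", "service"]
ALIASES = {"q": "queue", "prcs": "process", "nl": "namelist", "clcn": "clntconn",
           "chl": "channel", "lstr": "listener", "srvc": "service"}
TABLE = dict(pair.split(":") for pair in """
all:YYYYYYYYY alladm:YYYYYYYYY allmqi:YYYYYNNNN none:YYYYYYYYY
altusr:NNYNNNNNN browse:YNNNNNNNN chg:YYYYYYYYY clr:YNNNNNNNN
connect:NNYNNNNNN crt:YYYYYYYYY ctrl:NNNNNNYYY ctrlx:NNNNNNYNN
dlt:YYYYYYYYY dsp:YYYYYYYYY get:YNNNNNNNN put:YNNNNNNNN inq:YYYYYNNNN
passall:YNNNNNNNN passid:YNNNNNNNN set:YYYNNNNNN setall:YNYNNNNNN
setid:YNYNNNNNN""".split())

def lint_setmqaut(cmdline, unix=True):
    """Return review findings for one setmqaut command line (hypothetical helper)."""
    args, opts, auths, out = shlex.split(cmdline)[1:], {}, [], []
    i = 0
    while i < len(args):
        if args[i] in ("-m", "-n", "-t", "-s", "-p", "-g") and i + 1 < len(args):
            opts.setdefault(args[i], []).append(args[i + 1])
            i += 2
        else:  # anything else belongs to the authorization list
            auths.append(args[i])
            i += 1
    raw = opts.get("-t", [""])[0]
    otype = ALIASES.get(raw, raw)
    if otype not in TYPES:
        return [f"invalid or missing object type: {raw!r}"]
    if not (opts.get("-p") or opts.get("-g")):
        out.append("no principal (-p) or group (-g) given")
    if otype == "qmgr" and any(a[1:] == "remove" for a in auths):
        out.append("remove cannot be used with -t qmgr")
    if otype != "qmgr" and "-n" not in opts:
        out.append("profile (-n) is required for this object type")
    profile = opts.get("-n", [""])[0]
    for a in auths:
        sign, name = a[:1], a[1:]
        if name == "remove" and sign in ("+", "-"):
            continue
        if sign not in ("+", "-") or name not in TABLE or a == "-none":
            out.append(f"invalid authorization: {a}")
        elif TABLE[name][TYPES.index(otype)] == "N":
            out.append(f"{a} does not apply to object type {otype}")
        elif sign == "+" and name in ("all", "alladm", "allmqi") and "*" in profile:
            out.append(f"{a} on generic profile {profile} covers every matching object")
    if unix and opts.get("-p"):
        out.append("UNIX: -p changes apply to the principal's whole primary group")
    return out
```

An empty list means the command passed every check; pass unix=False for Windows systems, where authorities can be held by the principal itself.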
Return codes
| Return code | Description |
|---|---|
| 0 | Successful operation |
| 36 | Invalid arguments supplied |
| 40 | Queue manager not available |
| 49 | Queue manager stopping |
| 69 | Storage not available |
| 71 | Unexpected error |
| 72 | Queue manager name error |
| 133 | Unknown object name |
| 145 | Unexpected object name |
| 146 | Object name missing |
| 147 | Object type missing |
| 148 | Invalid object type |
| 149 | Entity name missing |
| 150 | Authorization specification missing |
| 151 | Invalid authorization specification |
Examples
- This example shows a command that specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager. If the queue does not exist, the command fails.
  setmqaut -m saturn.queue.manager -n orange.queue -t queue -g tango +inq +alladm
  The authorizations are given to a user group called tango, and the associated authorization list specifies that the user group can:
  - Issue MQINQ calls
  - Perform all administration operations on that object
- In this example, the authorization list specifies that a user group called foxy:
  - Cannot issue any MQI calls to the specified queue
  - Can perform all administration operations on the specified queue
  If the queue does not exist, the command fails.
  setmqaut -m saturn.queue.manager -n orange.queue -t queue -g foxy -allmqi +alladm
- This example gives user1 full access to all queues with names beginning a.b. on queue manager qmgr1. The profile is persistent and applies to any object with a name that matches the profile.
  setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all
- This example deletes the specified profile.
  setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove
- This example creates a profile with no authority.
  setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none
Related commands
- dmpmqaut: Dump authority
- dspmqaut: Display authority