
 

setmqaut (grant or revoke authority)

 

 

Purpose

Use the setmqaut command to change the authorizations to a profile, object, or class of objects. Authorizations can be granted to, or revoked from, any number of principals or groups.

For more information about authorization service components, see Installable services, Service components, and Authorization service.

 

Syntax


>>-setmqaut--+----------------+-- -n --Profile------------------>
             '- -m --QMgrName-'

>-- -t --ObjectType--+------------------------+----------------->
                     '- -s --ServiceComponent-'

   .-------------------------.
   V                         |
>----+- -p --PrincipalName-+-+---------------------------------->
     '- -g --GroupName-----'

   .---------------------------------------.
   V                                       |
>----+-| MQI authorizations |------------+-+-------------------><
     +-| Context authorizations |--------+
     +-| Administration authorizations |-+
     +-| Generic authorizations |--------+
     +- +remove -------------------------+
     '- -remove -------------------------'

MQI authorizations

   .--------------------.
   V                    |
|------+- +altusr --+---+---------------------------------------|
       +- -altusr --+
       +- +browse --+
       +- -browse --+
       +- +connect -+
       +- -connect -+
       +- +get -----+
       +- -get -----+
       +- +inq -----+
       +- -inq -----+
       +- +put -----+
       +- -put -----+
       +- +set -----+
       '- -set -----'

Context authorizations

   .--------------------.
   V                    |
|------+- +passall -+---+---------------------------------------|
       +- -passall -+
       +- +passid --+
       +- -passid --+
       +- +setall --+
       +- -setall --+
       +- +setid ---+
       '- -setid ---'

Administration authorizations

   .------------------.
   V                  |
|------+- +chg ---+---+-----------------------------------------|
       +- -chg ---+
       +- +clr ---+
       +- -clr ---+
       +- +crt ---+
       +- -crt ---+
       +- +dlt ---+
       +- -dlt ---+
       +- +dsp ---+
       +- -dsp ---+
       +- +ctrl --+
       +- -ctrl --+
       +- +ctrlx -+
       '- -ctrlx -'

Generic authorizations

   .-------------------.
   V                   |
|------+- +all ----+---+----------------------------------------|
       +- -all ----+
       +- +alladm -+
       +- -alladm -+
       +- +allmqi -+
       +- -allmqi -+
       '- +none ---'

 

Description

Use setmqaut both to grant an authorization, that is, give a principal or user group permission to perform an operation, and to revoke an authorization, that is, remove the permission to perform an operation. You must specify the principals and user groups to which the authorizations apply, the queue manager, object type, and the profile name identifying the object or objects.

The authorizations that can be given are categorized as follows:

Each authorization to be changed is specified in an authorization list as part of the command. Each item in the list is a string prefixed by a plus sign (+) or a minus sign (-). For example, if you include +put in the authorization list, you grant authority to issue MQPUT calls against a queue. Alternatively, if you include -put in the authorization list, you revoke the authority to issue MQPUT calls.

You can specify any number of principals, user groups, and authorizations in a single command, but you must specify at least one principal or user group.

If a principal is a member of more than one user group, the principal effectively has the combined authorities of all those user groups. On Windows systems, the principal also has all the authorities that have been granted to it explicitly using the setmqaut command.

On UNIX systems, all authorities are held by user groups internally, not by principals. This has the following implications:

To alter authorizations for a cluster sender channel that has been automatically generated by a repository, see WebSphere MQ Queue Manager Clusters. This book describes how the authority is inherited from a cluster receiver channel object.

 

Required parameters

-t ObjectType

The type of object for which to change authorizations.

Possible values are:

  authinfo An authentication information object
  channel or chl A channel
  clntconn or clcn A client connection channel
  lstr or listener A listener
  namelist or nl A namelist
  process or prcs A process
  queue or q A queue
  qmgr A queue manager
  srvc or service A service

-n Profile

The name of the profile for which to change authorizations. The authorizations apply to all WebSphere MQ objects with names that match the profile name specified. The profile name can be generic, using wildcard characters to specify a range of names as explained in Using OAM generic profiles.

If you give an explicit profile name (without any wildcard characters), the object identified must exist.

This parameter is required, unless you are changing the authorizations of a queue manager, in which case you must not include it. To change the authorizations of a queue manager, use the queue manager name, for example:

setmqaut -m QMGR -t qmgr -p user1 +connect
where QMGR is the name of the queue manager and user1 is the user requesting the change.

 

Optional parameters

-m QMgrName

The name of the queue manager of the object for which to change authorizations. The name can contain up to 48 characters.

This parameter is optional if you are changing the authorizations of your default queue manager.

-p PrincipalName

The name of the principal for which to change authorizations.

For WebSphere MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format:

userid@domain

For more information about including domain names on the name of a principal, see Principals and groups.

You must have at least one principal or group.

-g GroupName

The name of the user group for which to change authorizations. We can specify more than one group name, but each name must be prefixed by the -g flag. On Windows systems, we can use only local groups.

-s ServiceComponent

The name of the authorization service to which the authorizations apply (if your system supports installable authorization services). This parameter is optional; if you omit it, the authorization update is made to the first installable component for the service.

+remove or -remove

Remove the specified profile. The authorizations associated with the profile no longer apply to WebSphere MQ objects with names that match the profile.

This option cannot be used with the option -t qmgr.

Authorizations

The authorizations to be granted or revoked. Each item in the list is prefixed by a plus sign (+), indicating that authority is to be granted, or a minus sign (-), indicating that authority is to be revoked.

For example, to grant authority to issue MQPUT calls, specify +put in the list. To revoke the authority to issue MQPUT calls, specify -put.

Table 1 shows the authorities that can be given to the different object types.

Table 1. Specifying authorities for different object types

Authority  Queue  Process  Queue manager  Namelist  Auth info  Clntconn  Channel  Listener  Service
all        Yes    Yes      Yes            Yes       Yes        Yes       Yes      Yes       Yes
alladm     Yes    Yes      Yes            Yes       Yes        Yes       Yes      Yes       Yes
allmqi     Yes    Yes      Yes            Yes       Yes        No        No       No        No
none       Yes    Yes      Yes            Yes       Yes        Yes       Yes      Yes       Yes
altusr     No     No       Yes            No        No         No        No       No        No
browse     Yes    No       No             No        No         No        No       No        No
chg        Yes    Yes      Yes            Yes       Yes        Yes       Yes      Yes       Yes
clr        Yes    No       No             No        No         No        No       No        No
connect    No     No       Yes            No        No         No        No       No        No
crt        Yes    Yes      Yes            Yes       Yes        Yes       Yes      Yes       Yes
ctrl       No     No       No             No        No         No        Yes      Yes       Yes
ctrlx      No     No       No             No        No         No        Yes      No        No
dlt        Yes    Yes      Yes            Yes       Yes        Yes       Yes      Yes       Yes
dsp        Yes    Yes      Yes            Yes       Yes        Yes       Yes      Yes       Yes
get        Yes    No       No             No        No         No        No       No        No
put        Yes    No       No             No        No         No        No       No        No
inq        Yes    Yes      Yes            Yes       Yes        No        No       No        No
passall    Yes    No       No             No        No         No        No       No        No
passid     Yes    No       No             No        No         No        No       No        No
set        Yes    Yes      Yes            No        No         No        No       No        No
setall     Yes    No       Yes            No        No         No        No       No        No
setid      Yes    No       Yes            No        No         No        No       No        No
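
The following pre-flight check is an added example, not part of the original documentation: it encodes Table 1, the -t values and aliases listed under Required parameters, the rule that +remove and -remove cannot be used with -t qmgr, and the fact that the syntax lists +none but no -none, and it rejects an authorization list that these rules do not allow for the given object type. The function names canon_type, types_for and check_auths are illustrative, and the script never calls setmqaut itself.

```shell
# Added example: lint a setmqaut authorization list against Table 1 before use.
# Map the -t values and aliases listed on this page to one canonical name.
canon_type() {
  case "$1" in
    queue|q) echo queue ;;
    process|prcs) echo process ;;
    namelist|nl) echo namelist ;;
    clntconn|clcn) echo clntconn ;;
    channel|chl) echo channel ;;
    listener|lstr) echo listener ;;
    service|srvc) echo service ;;
    qmgr|authinfo) echo "$1" ;;
    *) return 1 ;;
  esac
}

# Print the object types an authority applies to (the "Yes" cells of Table 1).
types_for() {
  case "$1" in
    all|alladm|none|chg|crt|dlt|dsp)
      echo "queue process qmgr namelist authinfo clntconn channel listener service" ;;
    allmqi|inq) echo "queue process qmgr namelist authinfo" ;;
    altusr|connect) echo "qmgr" ;;
    browse|clr|get|put|passall|passid) echo "queue" ;;
    ctrl) echo "channel listener service" ;;
    ctrlx) echo "channel" ;;
    set) echo "queue process qmgr" ;;
    setall|setid) echo "queue qmgr" ;;
    *) return 1 ;;
  esac
}

# check_auths TYPE ITEM...: return 0 only if every +x / -x item is valid for TYPE.
check_auths() {
  t=$(canon_type "$1") || { echo "invalid object type: $1" >&2; return 1; }
  shift; rc=0
  for item in "$@"; do
    case "$item" in
      +remove|-remove) [ "$t" != qmgr ] || { echo "$item cannot be used with -t qmgr" >&2; rc=1; }
        continue ;;
      -none|[!+-]*|?) echo "not an authorization item: $item" >&2; rc=1; continue ;;
    esac
    valid=$(types_for "${item#?}") || { echo "unknown authority: $item" >&2; rc=1; continue; }
    case " $valid " in *" $t "*) ;; *) echo "$item not valid for -t $t" >&2; rc=1 ;; esac
  done
  return "$rc"
}

# Constructed checks: example 1 from this page passes, +put on a channel does not.
check_auths queue +inq +alladm && echo "ok: queue +inq +alladm"
check_auths chl +put || echo "rejected: chl +put"
```

Run check_auths with the -t value and the authorization list of a planned command, and issue setmqaut only when it returns 0.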

 

Return codes

0 Successful operation
36 Invalid arguments supplied
40 Queue manager not available
49 Queue manager stopping
69 Storage not available
71 Unexpected error
72 Queue manager name error
133 Unknown object name
145 Unexpected object name
146 Object name missing
147 Object type missing
148 Invalid object type
149 Entity name missing
150 Authorization specification missing
151 Invalid authorization specification

 

Examples

  1. This example shows a command that specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager. If the queue does not exist, the command fails.
    setmqaut -m saturn.queue.manager -n orange.queue -t queue -g tango +inq +alladm
    The authorizations are given to a user group called tango, and the associated authorization list specifies that the user group can:

    • Issue MQINQ calls

    • Perform all administration operations on that object

  2. In this example, the authorization list specifies that a user group called foxy:

    • Cannot issue any MQI calls to the specified queue

    • Can perform all administration operations on the specified queue

    If the queue does not exist, the command fails.

    setmqaut -m saturn.queue.manager -n orange.queue -t queue -g foxy -allmqi +alladm

  3. This example gives user1 full access to all queues with names beginning a.b. on queue manager qmgr1. The profile is persistent and applies to any object with a name that matches the profile.
    setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all

  4. This example deletes the specified profile.
    setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove

  5. This example creates a profile with no authority.
    setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none

 

Related commands

dmpmqaut Dump authority
dspmqaut Display authority

 
