dmpmqaut (dump MQ authorizations)

Dump a list of current authorizations for a range of IBM MQ object types and profiles.


Purpose

Use the dmpmqaut command to dump the current authorizations to a specified object.


Syntax

dmpmqaut [-m QMgrName] [-n Profile] [-l] [-a] [-t ObjectType]
         [-s ServiceComponent] [-p PrincipalName] [-g GroupName] [-e] [-x]

  Optional parameters

      -m QMgrName
      Dump authority records only for the queue manager specified. If you omit this parameter, only authority records for the default queue manager are dumped.
      -n Profile
      The name of the profile for which to dump authorizations. The profile name can be generic, using wildcard characters to specify a range of names as explained in Use OAM generic profiles on UNIX, Linux, and Windows systems.
      -l
      Dump only the profile name and type. Use this option to generate a terse list of all defined profile names and types.
      -a
      Generate set authority commands.
      -t ObjectType
      The type of object for which to dump authorizations. Possible values are:
      Value               Description
      authinfo            An authentication information object, for use with TLS channel security
      channel or chl      A channel
      clntconn or clcn    A client connection channel
      listener or lstr    A listener
      namelist or nl      A namelist
      process or prcs     A process
      queue or q          A queue or queues matching the object name parameter
      qmgr                A queue manager
      rqmname or rqmn     A remote queue manager name
      service or srvc     A service
      topic or top        A topic
      -s ServiceComponent
      If installable authorization services are supported, specifies the name of the authorization service for which to dump authorizations. This parameter is optional; if you omit it, the authorization inquiry is made to the first installable component for the service.
      -p PrincipalName
      The name of a user for whom to dump authorizations to the specified object. This parameter applies to Windows only; UNIX systems keep only group authority records. The name of the principal can optionally include a domain name, specified in the following format:
      userid@domain
      

      For more information about including domain names on the name of a principal, see Principals and groups.

      -g GroupName
      The name of the user group for which to dump authorizations. You can specify only one name, which must be the name of an existing user group. For IBM MQ for Windows only, the group name can optionally include a domain name, specified in the following formats:
      GroupName@domain
      domain\GroupName
      
      -e
      Display all profiles used to calculate the cumulative authority that the entity has to the object specified in -n Profile. The variable Profile must not contain any wildcard characters. The following parameters must also be specified:

      • -m QMgrName
      • -n Profile
      • -t ObjectType
      and either -p PrincipalName, or -g GroupName.
      -x
      Display all profiles with the same name as specified in -n Profile. This option does not apply to the QMGR object, so a dump request of the form dmpmqaut -m QM -t QMGR ... -x is not valid.


    Examples

    The following examples show the use of dmpmqaut to dump authority records for generic profiles:
    1. This example dumps all authority records with a profile that matches queue a.b.c for principal user1.
      dmpmqaut -m qm1 -n a.b.c -t q -p user1
      
      The resulting dump would look something like this:
       
      profile:     a.b.*
      object type: queue
      entity:      user1
      type:        principal
      authority:   get, browse, put, inq
      

      Note: On UNIX, you cannot use the -p option. You must use -g groupname instead.

    2. This example dumps all authority records with a profile that matches queue a.b.c.
      dmpmqaut -m qmgr1 -n a.b.c -t q
      
      The resulting dump would look something like this:
      profile:     a.b.c
      object type: queue
      entity:      Administrator
      type:        principal
      authority:   all
      - - - - - - - - - - - - - - - - - 
      profile:     a.b.*
      object type: queue
      entity:      user1
      type:        principal
      authority:   get, browse, put, inq
      - - - - - - - - - - - - - - - - - 
      profile:     a.**
      object type: queue
      entity:      group1
      type:        group
      authority:   get 
      
    3. This example dumps all authority records for profile a.b.*, of type queue.
      dmpmqaut -m qmgr1 -n a.b.* -t q
      
      The resulting dump would look something like this:
      profile:     a.b.*
      object type: queue
      entity:      user1
      type:        principal
      authority:   get, browse, put, inq
      
    4. This example dumps all authority records for queue manager qmX.
      dmpmqaut -m qmX
      
      The resulting dump would look something like this:
      profile:     q1
      object type: queue
      entity:      Administrator
      type:        principal
      authority:   all
      - - - - - - - - - - - - - - - - - 
      profile:     q*
      object type: queue
      entity:      user1
      type:        principal
      authority:   get, browse
      - - - - - - - - - - - - - - - - - 
      profile:     name.*
      object type: namelist
      entity:      user2
      type:        principal
      authority:   get
      - - - - - - - - - - - - - - - - - 
      profile:     pr1
      object type: process
      entity:      group1
      type:        group
      authority:   get
      
    5. This example dumps all profile names and object types for queue manager qmX.
      dmpmqaut -m qmX -l
      
      The resulting dump would look something like this:
      profile: q1, type: queue
      profile: q*, type: queue
      profile: name.*, type: namelist
      profile: pr1, type: process
      
    Note:
    1. For Windows only, all principals displayed include domain information, for example:
      profile:     a.b.*
      object type: queue
      entity:      user1@domain1
      type:        principal
      authority:   get, browse, put, inq
      
    2. Each class of object has authority records for each group or principal. These records have the profile name @CLASS and track the crt (create) authority common to all objects of that class. If the crt authority for any object of that class is changed then this record is updated. For example:
      profile:     @class
      object type: queue
      entity:      test
      entity type: principal
      authority:   crt
      
      This shows that members of the group test have crt authority to the class queue.
    3. For Windows only, members of the Administrators group are by default given full authority. This authority, however, is given automatically by the OAM, and is not defined by the authority records. The dmpmqaut command displays authority defined only by the authority records. Unless an authority record has been explicitly defined, therefore, running the dmpmqaut command against the Administrators group displays no authority record for that group.
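
For access reviews it helps to turn the stanza output shown in the examples and notes into records that can be filtered. The following is an added example, not part of the IBM MQ documentation: the function names are hypothetical, the sample dump is constructed, and the review rule (all or put authority granted through a generic profile) is an assumption to adapt. It parses the full stanza output, not the terse -l listing.

```python
import re

SAMPLE_DUMP = """\
profile:     a.b.c
object type: queue
entity:      Administrator
type:        principal
authority:   all
- - - - - - - - - - - - - - - - -
profile:     a.b.*
object type: queue
entity:      user1@domain1
type:        principal
authority:   get, browse, put, inq
- - - - - - - - - - - - - - - - -
profile:     @class
object type: queue
entity:      test
entity type: principal
authority:   crt
"""  # constructed sample, in the stanza layout of the examples and notes above

SEPARATOR = re.compile(r"^(?:-\s*){3,}$")
# Note 2 above prints "entity type:" where the examples print "type:".
KEYS = {"profile": "profile", "object type": "object_type", "entity": "entity",
        "type": "entity_type", "entity type": "entity_type", "authority": "authority"}

def parse_dump(text):
    """Parse full dmpmqaut stanza output into one dict per authority record."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        label, sep, value = line.partition(":")
        key = KEYS.get(label.strip().lower()) if sep else None
        if current and (SEPARATOR.match(line) or key == "profile"):
            records.append(current)  # a separator or the next profile ends a stanza
            current = {}
        if key == "authority":
            current[key] = {a.strip() for a in value.split(",") if a.strip()}
        elif key:
            current[key] = value.strip()
    if current:
        records.append(current)
    return records

def generic_grants(records, wanted=frozenset({"all", "put"})):
    """Assumed review rule: grants on wildcard profiles that include `wanted`."""
    return [(r.get("entity"), r["profile"], sorted(r["authority"] & wanted)) for r in records
            if re.search(r"[*?]", r.get("profile", "")) and r.get("authority", set()) & wanted]
```

As note 3 states, authority that the OAM gives automatically to the Windows Administrators group is not held in authority records, so it does not appear in the dump or in this report.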