Grant MQ Object Authority (GRTMQMAUT)

Where allowed to run: Threadsafe:
All environments (*ALL) Yes

The Grant MQ Authority (GRTMQMAUT) command is used to grant specific authority for the MQ objects named in the command to another user or group of users.

Authority can be given to:

  • Named users.
  • Users (*PUBLIC) who do not have authority specifically given to them.
  • Groups of users who do not have any authority to the object.

The GRTMQMAUT command can be used by anyone in the QMQMADM group, that is, anyone whose user profile specifies QMQMADM as a primary or supplemental group profile.


Parameters

Keyword Description Choices Notes
OBJ Object name Character value Required, Positional 1
OBJTYPE Object type *ALL, *Q, *ALSQ, *LCLQ, *MDLQ, *RMTQ, *AUTHINFO, *MQM, *NMLIST, *PRC, *LSR, *SVC, *CHL, *CLTCN, *TOPIC, *RMTMQMNAME Required, Positional 2
USER User names Single values: *PUBLIC, Other values (up to 50 repetitions): Name Required, Positional 3
AUT Authority Values (up to 22 repetitions): *ALTUSR, *BROWSE, *CONNECT, *GET, *INQ, *PUT, *SET, *PUB, *SUB, *RESUME, *PASSALL, *PASSID, *SETALL, *SETID, *ADMCHG, *ADMCLR, *ADMCRT, *ADMDLT, *ADMDSP, *ALL, *ALLADM, *ALLMQI, *NONE, *CTRL, *CTRLX, *SYSTEM Required, Positional 4
MQMNAME Message Queue Manager name Character value, *DFT Optional, Positional 5
SRVCOMP Service Component name Character value, *DFT Optional, Positional 6


Object name (OBJ)

Specifies the name of the objects for which specific authorities are granted.

The possible values are:

    *ALL
    All objects of the type specified by the value of the OBJTYPE parameter at the time the command is issued. *ALL cannot represent a generic profile.

    object-name
    Specify the name of an MQ object for which specific authority is given to one or more users.

    generic profile
    Specify the generic profile of the objects to be selected. A generic profile is a character string containing one or more generic characters anywhere in the string. This profile is used to match the object name of the object under consideration at the time of use. The generic characters are (?), (*) and (**).

    ? matches a single character in an object name.

    * matches any string contained within a qualifier, where a qualifier is the string between periods (.). For example ABC* matches ABCDEF but not ABCDEF.XYZ.

    ** matches one or more qualifiers. For example ABC.**.XYZ matches ABC.DEF.XYZ and ABC.DEF.GHI.XYZ, ** can appear only once in a generic profile.

    Specify the name required within quotation marks to ensure that your selection is precisely what you entered.


Object type (OBJTYPE)

Specifies the type of the objects for which specific authorities are granted.

    *ALL
    All MQ object types.

    *Q
    All queue object types.

    *ALSQ
    Alias queue.

    *LCLQ
    Local queue.

    *MDLQ
    Model queue.

    *RMTQ
    Remote queue.

    *AUTHINFO
    Authentication Information object.

    *MQM
    Message Queue Manager.

    *NMLIST
    Namelist object.

    *PRC
    Process definition.

    *CHL
    Channel object.

    *CLTCN
    Client Connection Channel object.

    *LSR
    Listener object.

    *SVC
    Service object.

    *TOPIC
    Topic object.

    *RMTMQMNAME
    Remote queue manager name.


User names (USER)

Specifies the name or names of users to whom authorities for the named object are being given. If user names are specified, the authorities are given specifically to those users. Authority given by this command can be revoked specifically by the Revoke MQ Authority (RVKMQMAUT) command.

    *PUBLIC
    All users of the system.

    user-profile-name
    Specify the names of one or more users who are to be granted specific authority for the object. These names can also be group names. We can specify up to 50 user profile names.


Authority (AUT)

Specifies the authority being given to the named users. Values for AUT can be specified as a list of specific and general authorities in any order, where the general authorities can be:

*NONE, which creates a profile for the user with no authority to the specified object, or leaves the authority unchanged if a profile already exists.

*ALL, which confers all authorities to the specified users.

*ALLADM, which confers all of *ADMCHG, *ADMCLR, *ADMCRT, *ADMDLT, *ADMDSP, *CTRL and *CTRLX.

*ALLMQI, which confers all of *ALTUSR, *BROWSE, *CONNECT, *GET, *INQ, *PUT, *SET, *PUB, *SUB and *RESUME.

Authorizations for different object types

    *ALL
    All authorizations. Applies to all objects.

    *ADMCHG
    Change an object. Applies to all objects except remote queue manager name.

    *ADMCLR
    Clear a queue. Applies to queues only.

    *ADMCRT
    Create an object. Applies to all objects except remote queue manager name.

    *ADMDLT
    Delete an object. Applies to all objects except remote queue manager name.

    *ADMDSP
    Display the attributes of an object. Applies to all objects except remote queue manager name.

    *ALLADM
    Perform administration operations on an object. Applies to all objects except remote queue manager name.

    *ALLMQI
    Use all MQI calls applicable to an object. Applies to all objects.

    *ALTUSR
    Allow another user's authority to be used for MQOPEN and MQPUT1 calls. Applies to queue manager objects only.

    *BROWSE
    Retrieve a message from a queue by issuing an MQGET call with the BROWSE option. Applies to queue objects only.

    *CONNECT
    Connect the application to a queue manager by issuing an MQCONN call. Applies to queue manager objects only.

    *CTRL
    Control startup and shutdown of channels, listeners and services.

    *CTRLX
    Reset sequence number and resolve indoubt channels.

    *GET
    Retrieve a message from a queue using an MGET call. Applies to queue objects only.

    *INQ
    Make an inquiry on an object using an MQINQ call. Applies to all objects except remote queue manager name.

    *PASSALL
    Pass all context on a queue. Applies to queue objects only.

    *PASSID
    Pass identity context on a queue. Applies to queue objects only.

    *PUT
    Put a message on a queue using an MQPUT call. Applies to queue objects and remote queue manager names only.

    *SET
    Set the attributes of an object using an MQSET call. Applies to queue, queue manager, and process objects only.

    *SETALL
    Set all context on an object. Applies to queue and queue manager objects only.

    *SETID
    Set identity context on an object. Applies to queue and queue manager objects only.

    *SYSTEM
    Connect the application to a queue manager for system operations. Applies to queue manager objects only.

Authorizations for MQI calls

    *ALTUSR
    Allow another user's authority to be used for MQOPEN and MQPUT1 calls.

    *BROWSE
    Retrieve a message from a queue by issuing an MQGET call with the BROWSE option.

    *CONNECT
    Connect the application to the specified queue manager by issuing an MQCONN call.

    *GET
    Retrieve a message from a queue by issuing an MQGET call.

    *INQ
    Make an inquiry on a specific queue by issuing an MQINQ call.

    *PUT
    Put a message on a specific queue by issuing an MQPUT call.

    *SET
    Set attributes on a queue from the MQI by issuing an MQSET call.

    *PUB
    Open a topic to publish a message using the MQPUT call.

    *SUB
    Create, Alter or Resume a subscription to a topic using the MQSUB call.

    *RESUME
    Resume a subscription using the MQSUB call.

If you open a queue for multiple options, you must be authorized for each of them.

Authorizations for context

    *PASSALL
    Pass all context on the specified queue. All the context fields are copied from the original request.

    *PASSID
    Pass identity context on the specified queue. The identity context is the same as that of the request.

    *SETALL
    Set all context on the specified queue. This is used by special system utilities.

    *SETID
    Set identity context on the specified queue. This is used by special system utilities.

Authorizations for MQSC and PCF commands

    *ADMCHG
    Change the attributes of the specified object.

    *ADMCLR
    Clear the specified queue (PCF Clear queue command only).

    *ADMCRT
    Create objects of the specified type.

    *ADMDLT
    Delete the specified object.

    *ADMDSP
    Display the attributes of the specified object.

    *CTRL
    Control startup and shutdown of channels, listeners and services.

    *CTRLX
    Reset sequence number and resolve indoubt channels.

Authorizations for generic operations

    *ALL
    Use all operations applicable to the object.
    all authority is equivalent to the union of the authorities alladm, allmqi, and system appropriate to the object type.

    *ALLADM
    Perform all administration operations applicable to the object.

    *ALLMQI
    Use all MQI calls applicable to the object.


Message Queue Manager name (MQMNAME)

Specifies the name of the queue manager.

    *DFT
    Use the default queue manager.

    queue-manager-name
    Specify the name of the queue manager.


Service Component name (SRVCOMP)

Specifies the name of the installed authorization service to which the authorizations apply.

The possible values are:

    *DFT
    Use the first installed authorization component.

    Authorization-service-component-name
    The component name of the required authorization service as specified in the queue manager qm.ini file.


Examples

None


Error messages

Unknown