Inquire Authority Records on Multiplatforms

The Inquire Authority Records (MQCMD_INQUIRE_AUTH_RECS) command retrieves authority records associated with a profile name.


Required parameters

    Options (MQCFIN)
    Options to control the set of authority records that is returned (parameter identifier: MQIACF_AUTH_OPTIONS). This parameter is required and we must include one of the following two values:

      MQAUTHOPT_NAME_ALL_MATCHING
      Return all profiles the names of which match the specified ProfileName. This means that a ProfileName of ABCD results in the profiles ABCD, ABC*, and AB* being returned (if ABC* and AB* have been defined as profiles).

      MQAUTHOPT_NAME_EXPLICIT
      Return only those profiles the names of which exactly match the ProfileName. No matching generic profiles are returned unless the ProfileName is, itself, a generic profile. We cannot specify this value and MQAUTHOPT_ENTITY_SET.

    and one of the following two values:

      MQAUTHOPT_ENTITY_EXPLICIT
      Return all profiles the entity fields of which match the specified EntityName. No profiles are returned for any group in which EntityName is a member; only the profile defined for the specified EntityName.

      MQAUTHOPT_ENTITY_SET
      Return the profile the entity field of which matches the specified EntityName and the profiles pertaining to any groups in which EntityName is a member that contribute to the cumulative authority for the specified entity. We cannot specify this value and MQAUTHOPT_NAME_EXPLICIT.

    We can also optionally specify:

      MQAUTHOPT_NAME_AS_WILDCARD
      Interpret ProfileName as a filter on the profile name of the authority records. If we do not specify this attribute and ProfileName contains wildcard characters, it is interpreted as a generic profile and only those authority records where the generic profile names match the value of ProfileName are returned.

      We cannot specify MQAUTHOPT_NAME_AS_WILDCARD if you also specify MQAUTHOPT_ENTITY_SET.

    ProfileName (MQCFST)
    Profile name (parameter identifier: MQCACF_AUTH_PROFILE_NAME).

    This parameter is the name of the profile for which to retrieve authorizations. Generic profile names are supported. A generic name is a character string followed by an asterisk (*), for example ABC*, and it selects all profiles having names that start with the selected character string. An asterisk on its own matches all possible names.

    If we have defined a generic profile, we can return information about it by not setting MQAUTHOPT_NAME_AS_WILDCARD in Options.

    If you set Options to MQAUTHOPT_NAME_AS_WILDCARD, the only valid value for ProfileName is a single asterisk (*). This means that all authority records that satisfy the values specified in the other parameters are returned.

    Do not specify ProfileName if the value of ObjectType is MQOT_Q_MGR.

    The profile name is always returned regardless of the attributes requested.

    The maximum length of the string is MQ_AUTH_PROFILE_NAME_LENGTH.

    ObjectType (MQCFIN)
    The type of object referred to by the profile (parameter identifier: MQIACF_OBJECT_TYPE). The value can be any of the following values:

      MQOT_ALL
      All object types. MQOT_ALL is the default if we do not specify a value for ObjectType.

      MQOT_AUTH_INFO
      Authentication information.

      MQOT_CHANNEL
      Channel object.

      MQOT_CLNTCONN_CHANNEL
      Client-connection channel object.

      MQOT_COMM_INFO
      Communication information object

      MQOT_LISTENER
      Listener object.

      MQOT_NAMELIST
      Namelist.

      MQOT_PROCESS
      Process.

      MQOT_Q
      Queue, or queues, that match the object name parameter.

      MQOT_Q_MGR
      Queue manager.

      MQOT_REMOTE_Q_MGR_NAME
      Remote queue manager.

      MQOT_SERVICE
      Service object.

      MQOT_TOPIC
      Topic object.


Optional parameters

    EntityName (MQCFST)
    Entity name (parameter identifier: MQCACF_ENTITY_NAME). Depending on the value of EntityType, this parameter is either:

    • A principal name. This name is the name of a user for whom to retrieve authorizations to the specified object. On IBM MQ for Windows, the name of the principal can optionally include a domain name, specified in this format: user@domain.
    • A group name. This name is the name of the user group on which to make the inquiry. We can specify one name only and this name must be the name of an existing user group. For IBM MQ for Windows only, the group name can optionally include a domain name, specified in the following formats:
      GroupName@domain
      domain\GroupName
      

    The maximum length of the string is MQ_ENTITY_NAME_LENGTH.

    EntityType (MQCFIN)
    Entity type (parameter identifier: MQIACF_ENTITY_TYPE). The value can be:

      MQZAET_GROUP
      The value of the EntityName parameter refers to a group name.

      MQZAET_PRINCIPAL
      The value of the EntityName parameter refers to a principal name.

    ProfileAttrs (MQCFIL)
    Profile attributes (parameter identifier: MQIACF_AUTH_PROFILE_ATTRS). The attribute list might specify the following value on its own - the default value if the parameter is not specified:

      MQIACF_ALL
      All attributes.

    or a combination of the following:

      MQCACF_ENTITY_NAME
      Entity name.

      MQIACF_AUTHORIZATION_LIST
      Authorization list.

      MQIACF_ENTITY_TYPE
      Entity type. Note: If an entity is specified by using the parameters MQCACF_ENTITY_NAME and MQIACF_ENTITY_TYPE, then all the required parameters must be passed in first.

    ServiceComponent (MQCFST)
    Service component (parameter identifier: MQCACF_SERVICE_COMPONENT).

    If installable authorization services are supported, this parameter specifies the name of the authorization service from which to retrieve authorization.

    If we omit this parameter, the authorization inquiry is made to the first installable component for the service.

    The maximum length of the string is MQ_SERVICE_COMPONENT_LENGTH.


Error codes

This command might return the following error codes in the response format header, in addition to the values shown in Error codes applicable to all commands.

    Reason (MQLONG)
    The value can be any of the following values:

      MQRC_OBJECT_TYPE_ERROR
      Invalid object type.

      MQRC_UNKNOWN_ENTITY
      User ID not authorized, or unknown.

      MQRCCF_CFST_CONFLICTING_PARM
      Conflicting parameters.

      MQRCCF_PROFILE_NAME_ERROR
      Invalid profile name.

      MQRCCF_ENTITY_NAME_MISSING
      Entity name missing.

      MQRCCF_OBJECT_TYPE_MISSING
      Object type missing.

      MQRCCF_PROFILE_NAME_MISSING
      Profile name missing.

Parent topic: Definitions of the Programmable Command Formats