Giving access to an IBM MQ object on UNIX, Linux, and Windows
Use the setmqaut control command, the SET AUTHREC MQSC command, or the MQCMD_SET_AUTH_REC PCF command to give users, and groups of users, access to IBM MQ objects. Note that on IBM MQ Appliance we can use only the SET AUTHREC command.
For a full definition of the setmqaut control command and its syntax, see setmqaut.
For a full definition of the SET AUTHREC MQSC command and its syntax, see SET AUTHREC.
For a full definition of the MQCMD_SET_AUTH_REC PCF command and its syntax, see Set Authority Record.
The queue manager must be running to use this command. When you have changed access for a principal, the changes are reflected immediately by the OAM.
To give users access to an object, we need to specify:
- The name of the queue manager that owns the objects we are working with; if we do not specify the name of a queue manager, the default queue manager is assumed.
- The name and type of the object (to identify the object uniquely). You specify the name as a profile ; this is either the explicit name of the object, or a generic name, including wildcard characters. For a detailed description of generic profiles, and the use of wildcard characters within them, see Use OAM generic profiles on UNIX, Linux, and Windows.
- One or more principals and group names to which the authority applies.
If a user ID contains spaces, enclose it in quotation marks when we use this command. On Windows systems, we can qualify a user ID with a domain name. If the actual user ID contains an at sign (@) symbol, replace it with @@ to show that it is part of the user ID, not the delimiter between the user ID and the domain name.
- A list of authorizations. Each item in the list specifies a type of access that is to be granted to that object (or revoked from it). Each authorization in the list is specified as a keyword, prefixed with a plus sign (+) or a minus sign (-). Use a plus sign to add the specified authorization, and a minus sign to remove the authorization. There must be no spaces between the + or - sign and the keyword. We can specify any number of authorizations in a single command. For example, the list of authorizations to permit a user or group to put messages on a queue and to browse them, but to revoke access to get messages is:
+browse -get +put
Examples of using the setmqaut command
The following examples show how to use the setmqaut command to grant and revoke permission to use an object:
setmqaut -m saturn.queue.manager -t queue -n RED.LOCAL.QUEUE -g groupa +browse -get +put
In this example:
- saturn.queue.manager is the queue manager name
- queue is the object type
- RED.LOCAL.QUEUE is the object name
- groupa is the identifier of the group with authorizations that are to change
- +browse -get +put is the authorization list for the specified queue
- +browse adds authorization to browse messages on the queue (to issue MQGET with the browse option)
- -get removes authorization to get (MQGET) messages from the queue
- +put adds authorization to put (MQPUT) messages on the queue
The following command revokes put authority on the queue MyQueue from principal fvuser and from groups groupa and groupb. On UNIX and Linux systems, this command also revokes put authority for all principals in the same primary group as fvuser.
setmqaut -m saturn.queue.manager -t queue -n MyQueue -p fvuser -g groupa -g groupb -put
Use the setmqaut command with a different authorization service
If we are using our own authorization service instead of the OAM, we can specify the name of this service on the setmqaut command to direct the command to this service. We must specify this parameter if we have multiple installable components running at the same time; if we do not, the update is made to the first installable component for the authorization service. By default, this is the supplied OAM.
Usage notes for SET AUTHREC
The list of authorizations to add and the list of authorizations to remove must not overlap. For example, we cannot add display authority and remove display authority with the same command. This rule applies even if the authorities are expressed using different options. For example, the following command fails because DSP authority overlaps with ALLADM authority:
SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALLADM)
The exception to this overlap behavior is with the ALL authority. The following command first adds ALL authorities, then removes the SETID authority:
SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(ALL) AUTHRMV(SETID)
The following command first removes ALL authorities, then adds the DSP authority:
SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALL)
Regardless of the order in which they are provided on the command, the ALL authority is processed first.
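The following helper is an added example, not IBM code: it applies the rules described above for the setmqaut authorization list and user-ID escaping, and checks a SET AUTHREC AUTHADD/AUTHRMV pair for the overlap condition (the expansion of ALLADM to chg, clr, dlt, dsp for queue objects is an assumption made for the check).

```python
# Added helper (not IBM's code): builds setmqaut command lines and applies the
# SET AUTHREC add/remove overlap rule described above.

def principal(user_id, domain=None):
    """Encode a principal for setmqaut: a literal '@' inside the user ID becomes
    '@@' so it is not read as the user/domain delimiter; an optional Windows
    domain is appended after a single '@'; IDs containing spaces are quoted."""
    ident = user_id.replace("@", "@@")
    if domain:
        ident += "@" + domain
    return f'"{ident}"' if " " in ident else ident

def parse_auth_list(auths):
    """Split '+browse -get +put' into (adds, removes). Every item must be a
    keyword directly prefixed by '+' or '-' with no intervening space."""
    adds, removes = set(), set()
    for tok in auths.split():
        if len(tok) < 2 or tok[0] not in "+-":
            raise ValueError(f"bad authorization {tok!r}: expected +keyword or -keyword")
        (adds if tok[0] == "+" else removes).add(tok[1:].lower())
    return adds, removes

def build_setmqaut(qmgr, obj_type, name, auths, principals=(), groups=()):
    """Return the setmqaut command line for one object and one authorization list."""
    parse_auth_list(auths)  # reject a malformed list before emitting anything
    cmd = ["setmqaut", "-m", qmgr, "-t", obj_type, "-n", name]
    for p in principals:
        cmd += ["-p", p]
    for g in groups:
        cmd += ["-g", g]
    return " ".join(cmd + auths.split())

# Expansion of the composite ALLADM authority for queue objects (assumption,
# consistent with the page's statement that DSP overlaps ALLADM).
COMPOSITE = {"alladm": {"chg", "clr", "dlt", "dsp"}}

def authrec_lists_compatible(authadd, authrmv):
    """True if SET AUTHREC would accept AUTHADD/AUTHRMV: the two lists must not
    overlap after expanding composites, except that ALL is processed first and
    so may be combined with authorities in the other list."""
    add = {a.lower() for a in authadd}
    rmv = {r.lower() for r in authrmv}
    if "all" in add and "all" in rmv:
        return False  # not defined by the documentation; treat as an overlap
    if "all" in add or "all" in rmv:
        return True
    expand = lambda s: set().union(*(COMPOSITE.get(a, {a}) for a in s))
    return not (expand(add) & expand(rmv))
```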