Authority to work with WebSphere MQ objects on i5/OS, UNIX systems, and Windows systems


On i5/OS, UNIX systems, and Windows systems, the authorization service provides the access control when an application issues an MQI call to access a WebSphere MQ object that is a queue manager, queue, process, or namelist. This includes checks for alternate user authority and the authority to set or pass context information.

The authorization service also provides authority checks when a PCF command operates on one of these WebSphere MQ objects or an authentication information object. The equivalent MQSC command encapsulated within an Escape PCF command is treated in the same way.

On i5/OS, unless the user is a member of the QMQMADM group or has *ALLOBJ authority, the authorization service also provides authority checks when a user issues a CL command in Group 2 that operates on any of these WebSphere MQ objects or an authentication information object.

The authorization service is an installable service, which means that it is implemented by one or more installable service components. Each component is invoked using a documented interface. This enables users and vendors to provide components to augment or replace those provided by the WebSphere MQ products.

The authorization service component provided with WebSphere MQ is called the Object Authority Manager (OAM). The OAM is automatically enabled for each queue manager you create.

The OAM maintains an access control list (ACL) for each WebSphere MQ object it is controlling access to. On UNIX systems, only group IDs can appear in an ACL. This means that all members of a group have the same authorities. On i5/OS and on Windows systems, both user IDs and group IDs can appear in an ACL. This means that authorities can be granted to individual users as well as to groups.

The OAM can authenticate a user and change appropriate identity context fields. You enable this by specifying a connection security parameters structure (MQCSP) on an MQCONNX call. The structure is passed to the OAM Authenticate User function (MQZ_AUTHENTICATE_USER), which sets appropriate identity context fields. In the case of an MQCONNX connection from a WebSphere MQ client, the information in the MQCSP is flowed to the queue manager to which the client is connecting over the client-connection and server-connection channel. If security exits are defined on that channel, the MQCSP is passed into each security exit and can be altered by the exit. Security exits can also create the MQCSP. For more details of the use of security exits in this context, see “Channel-exit programs”, in the WebSphere MQ Intercommunications manual.

On UNIX and Windows systems, the control command setmqaut grants and revokes authorities and is used to maintain the ACLs. For example, the command:

    setmqaut -m JUPITER -t queue -n MOON.EUROPA -g VOYAGER +browse +get

allows the members of the group VOYAGER to browse messages on the queue MOON.EUROPA that is owned by the queue manager JUPITER. It also allows the members to get messages from the queue. To revoke these authorities subsequently, enter the following command:

    setmqaut -m JUPITER -t queue -n MOON.EUROPA -g VOYAGER -browse -get

The command:

    setmqaut -m JUPITER -t queue -n MOON.* -g VOYAGER +put

allows the members of the group VOYAGER to put messages on any queue whose name begins with the characters MOON. (the period is part of the prefix). MOON.* is the name of a generic profile. A generic profile allows you to grant authorities for a set of objects using a single setmqaut command. Objects whose names match the profile name do not have to exist when the setmqaut command is issued, so generic profiles let you grant authorities for objects that you might create in the future. For more information about the setmqaut command, see the WebSphere MQ System Administration Guide.

The control command dspmqaut is available to display the current authorities that a user or group has for a specified object. The control command dmpmqaut is also available to display the current authorities associated with generic profiles. For more information about the dspmqaut and dmpmqaut commands, see the WebSphere MQ System Administration Guide.
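The following is an added example, not WebSphere MQ code, that models in Python what the setmqaut, dspmqaut and OAM behaviour described above amounts to: a per-queue-manager ACL keyed by profile name, group-only principals as on UNIX systems, and generic profiles that cover queues created later. The matching rule it assumes (an asterisk matches zero or more characters within a single qualifier and never crosses a period, so MOON.* covers MOON.IO but not MOON.EUROPA.LOG) and the rule that authorities from all matching profiles across all of a user's groups are combined are this example's assumptions; the page itself only shows the MOON.* form. The class and method names (Oam, setmqaut, dspmqaut, check) are chosen here to mirror the commands and are not an MQ API.

```python
"""Toy model of the OAM's group-based ACL with generic profiles.

Constructed example mirroring the setmqaut / dspmqaut behaviour described
on the page; this is not WebSphere MQ code. Assumptions are marked inline.
"""
import re
from collections import defaultdict


def profile_to_regex(profile: str) -> "re.Pattern[str]":
    """Compile a generic profile name into a regular expression.

    Assumption of this model: '*' matches zero or more characters within
    one qualifier and '?' exactly one character; neither crosses a period,
    so MOON.* matches MOON.IO but not MOON.EUROPA.LOG.
    """
    parts = []
    for ch in profile:
        if ch == "*":
            parts.append("[^.]*")
        elif ch == "?":
            parts.append("[^.]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


class Oam:
    """One queue manager's ACLs, keyed by (object type, profile name).

    As on UNIX systems, principals in the ACL are group names only, so a
    user is checked by the set of groups it belongs to.
    """

    def __init__(self, qmgr: str) -> None:
        self.qmgr = qmgr
        # (obj_type, profile) -> group -> set of authority names
        self._acl: dict = defaultdict(lambda: defaultdict(set))

    def setmqaut(self, obj_type: str, profile: str, group: str, *changes: str) -> None:
        """Apply '+auth' / '-auth' changes, like setmqaut -t TYPE -n PROFILE -g GROUP."""
        entry = self._acl[(obj_type, profile)][group]
        for change in changes:
            sign, auth = change[0], change[1:]
            if sign == "+":
                entry.add(auth)
            elif sign == "-":
                entry.discard(auth)
            else:
                raise ValueError(f"authority must start with + or -: {change!r}")

    def dspmqaut(self, obj_type: str, name: str, groups: set) -> set:
        """Authorities the given groups hold on one named object (cf. dspmqaut).

        Assumption of this model: authorities from every profile that matches
        the object name, across all of the user's groups, are combined.
        """
        held: set = set()
        for (typ, profile), by_group in self._acl.items():
            if typ == obj_type and profile_to_regex(profile).match(name):
                for group in groups:
                    held |= by_group.get(group, set())
        return held

    def check(self, obj_type: str, name: str, groups: set, auth: str) -> bool:
        """The yes/no decision the OAM makes when an MQI call needs 'auth'."""
        return auth in self.dspmqaut(obj_type, name, groups)


def demo() -> dict:
    """Replay the page's grants and revoke and record each access decision."""
    oam = Oam("JUPITER")
    oam.setmqaut("queue", "MOON.EUROPA", "VOYAGER", "+browse", "+get")
    oam.setmqaut("queue", "MOON.*", "VOYAGER", "+put")
    voyager = {"VOYAGER"}
    results = {
        "europa_get": oam.check("queue", "MOON.EUROPA", voyager, "get"),
        "europa_put": oam.check("queue", "MOON.EUROPA", voyager, "put"),  # via MOON.*
        "io_put_future_queue": oam.check("queue", "MOON.IO", voyager, "put"),  # queue need not exist yet
        "io_get": oam.check("queue", "MOON.IO", voyager, "get"),  # only +put was granted generically
        "other_group_put": oam.check("queue", "MOON.IO", {"PIONEER"}, "put"),  # PIONEER is a constructed group
        "sun_put": oam.check("queue", "SUN.CORE", voyager, "put"),
        "nested_put": oam.check("queue", "MOON.EUROPA.LOG", voyager, "put"),  # second qualifier: not covered
    }
    oam.setmqaut("queue", "MOON.EUROPA", "VOYAGER", "-browse", "-get")  # the page's revoke
    results["europa_get_after_revoke"] = oam.check("queue", "MOON.EUROPA", voyager, "get")
    results["europa_put_after_revoke"] = oam.check("queue", "MOON.EUROPA", voyager, "put")
    return results


if __name__ == "__main__":
    for key, allowed in demo().items():
        print(f"{key:28} {'allowed' if allowed else 'denied'}")
```

Running the script prints one decision per line; the point worth noticing is that revoking the specific MOON.EUROPA entry leaves the +put granted through MOON.* in place, so an audit with dmpmqaut over generic profiles is needed to see the full set of authorities a group actually holds.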

On i5/OS, an administrator uses the CL command GRTMQMAUT to grant authorities and the CL command RVKMQMAUT to revoke authorities. Generic profiles can be used as well. For example, the CL command:

    GRTMQMAUT MQMNAME(JUPITER) OBJTYPE(*Q) OBJ('MOON.*') USER(VOYAGER) AUT(*PUT)

provides the same function as the previous example of a setmqaut command; it allows the members of the group VOYAGER to put messages on any queue whose name begins with the characters MOON. (the period is part of the prefix).

The CL command DSPMQMAUT displays the current authorities that a user or group has for a specified object. The CL commands WRKMQMAUT and WRKMQMAUTD are also available to work with the current authorities associated with objects and generic profiles.

If you do not want any authority checks, for example, in a test environment, you can disable the OAM.
