System Administration Guide

Using the OAM to control access to objects

The OAM provides a command interface for granting and revoking authority to WebSphere MQ objects. You must be suitably authorized to use these commands, as described in Authority to administer WebSphere MQ. User IDs that are authorized to administer WebSphere MQ have super user authority to the queue manager, which means that you do not have to grant them further permission to issue any MQI requests or commands.

Queue managers running the OAM store authorization data on a local queue, called SYSTEM.AUTH.DATA.QUEUE. Authorization data is managed by the amqzfuma process (amqzfuma.exe for Windows systems).

Giving access to a WebSphere MQ object

Use the setmqaut command to give users, and groups of users, access to WebSphere MQ objects. For a full definition of the command and its syntax, see setmqaut (set or reset authority). The queue manager must be running to use this command. When you have changed access for a principal, the changes are reflected immediately by the OAM.

To give users access to an object, you need to specify:

The name of the queue manager that owns the objects you are working with; if you do not specify the name of a queue manager, the default queue manager is assumed.
The name and type of the object (to identify the object uniquely). You specify the name as a profile; this is either the explicit name of the object, or a generic name, including wildcard characters. For a detailed description of generic profiles, and the use of wildcard characters within them, see Using OAM generic profiles.
One or more principals and group names to which the authority applies.
If a user ID contains spaces, enclose it in single quotes when you use this command. On Windows systems, you can qualify a user ID with a domain name. If the actual user ID contains an @ symbol, replace this with @@ to show that it is part of the user ID, not the delimiter between the user ID and the domain name.
A list of authorizations. Each item in the list specifies a type of access that is to be granted to that object (or revoked from it). Each authorization in the list is specified as a keyword, prefixed with a plus sign (+) or a minus sign (-). Use a plus sign to add the specified authorization, and a minus sign to remove the authorization. There must be no spaces between the + or - sign and the keyword.
You can specify any number of authorizations in a single command. For example, the list of authorizations to permit a user or group to put messages on a queue and to browse them, but to revoke access to get messages is:
```
   +browse -get +put
```

Examples of using the command

The following examples show how to use the setmqaut command to grant and revoke permission to use an object:

setmqaut -m saturn.queue.manager -t queue -n RED.LOCAL.QUEUE
         -g groupa +browse -get +put

In this example:

saturn.queue.manager is the queue manager name
queue is the object type
RED.LOCAL.QUEUE is the object name
groupa is the identifier of the group whose authorizations are to change
+browse -get +put is the authorization list for the specified queue
- +browse adds authorization to browse messages on the queue (to issue MQGET with the browse option)
- -get removes authorization to get (MQGET) messages from the queue
- +put adds authorization to put (MQPUT) messages on the queue

The following command revokes put authority on the queue MyQueue from principal fvuser and from groups groupa and groupb. On UNIX systems, this command also revokes put authority for all principals in the same primary group as fvuser.

setmqaut -m saturn.queue.manager -t queue -n MyQueue -p fvuser
         -g groupa -g groupb -put

Using the command with a different authorization service

If you are using your own authorization service instead of the OAM, you can specify the name of this service on the setmqaut command to direct the command to this service. You must specify this parameter if you have multiple installable components running at the same time; if you do not, the update is made to the first installable component for the authorization service. By default, this is the supplied OAM.

Using OAM generic profiles

OAM generic profiles enable you to set the authority a user has to many objects at once, rather than having to issue separate setmqaut commands against each individual object when it is created. Using generic profiles in the setmqaut command enables you to set a generic authority for all future objects created that fit that profile.

The rest of this section describes the use of generic profiles in more detail:

Using wildcard characters
Profile priorities
Dumping profile settings

Using wildcard characters

What makes a profile generic is the use of special characters (wildcard characters) in the profile name. For example, the ? wildcard character matches any single character in a name. So, if you specify ABC.?EF, the authorization you give to that profile applies to any objects created with the names ABC.DEF, ABC.CEF, ABC.BEF, and so on.

The wildcard characters available are:

?

Use the question mark (?) instead of any single character. For example, AB.?D would apply to the objects AB.CD, AB.ED, and AB.FD.

*

Use the asterisk (*) as:

A qualifier in a profile name to match any one qualifier in an object name.
For example, ABC.*.JKL would apply to the objects ABC.DEF.JKL, and ABC.GHI.JKL. (Note that it would not apply to ABC.JKL; * used in this context always indicates one qualifier.)
A character within a qualifier in a profile name to match zero or more characters within the qualifier in an object name.
For example, ABC.DE*.JKL would apply to the objects ABC.DE.JKL, ABC.DEF.JKL, and ABC.DEGH.JKL.

Use the double asterisk (**) once in a profile name as:

The entire profile name to match all object names. For example if you use -t prcs to identify processes, then use ** as the profile name, you change the authorizations for all processes.
As either the beginning, middle, or ending qualifier in a profile name to match zero or more qualifiers in an object name. For example, **.ABC identifies all objects with the final qualifier ABC.

Note:

When using wildcard characters on UNIX systems, you must enclose the profile name in quotes.

Profile priorities

An important point to understand when using generic profiles is the priority that profiles are given when deciding what authorities to apply to an object being created. For example, suppose that you have issued the commands:

setmqaut -n AB.* -t q +put -p fred
setmqaut -n AB.C* -t q +get -p fred

The first gives put authority to all queues for the principal fred with names that match the profile AB.*; the second gives get authority to the same types of queue that match the profile AB.C*.

Suppose that you now create a queue called AB.CD. According to the rules for wildcard matching, either setmqaut could apply to that queue. So, does it have put or get authority?

To find the answer, you apply the rule that, whenever multiple profiles can apply to an object, only the most specific applies. The way that you apply this rule is by comparing the profile names from left to right. Wherever they differ, a non-generic character is more specific then a generic character. So, in the example above, the queue AB.CD has get authority (AB.C* is more specific than AB.*).

When you are comparing generic characters, the order of specificity is:

Dumping profile settings

The dmpmqaut command enables you to dump the current authorizations associated with a specified profile.

The following examples show the use of dmpmqaut to dump authority records for generic profiles:

This example dumps all authority records with a profile that matches queue a.b.c for principal user1.

dmpmqaut -m qm1 -n a.b.c -t q -p user1