System Administration Guide

dspmqaut (display authority)

Purpose

Use the dspmqaut command to display the current authorizations to a specified object.

If a user ID is a member of more than one group, this command displays the combined authorizations of all the groups.

Only one group or principal can be specified.

For more information about authorization service components, see "Installable services", "Service components", and Chapter 19, Authorization service.

Syntax

Required parameters

-n ObjectName

The name of a queue manager, queue, or process definition on which to make the inquiry.

You must include this parameter, unless the inquiry relates to the queue manager itself, in which case you must omit it.

-t ObjectType

The type of object on which to make the inquiry. Possible values are:

	queue or q	A queue or queues matching the object name parameter
	qmgr	A queue manager object
	process or prcs	A process
	namelist or nl	A namelist
	authinfo	Authentication information, for use with Secure Sockets Layer (SSL) channel security

Optional parameters

-m QMgrName

The name of the queue manager on which to make the inquiry. This parameter is optional if you are setting the authorizations of your default queue manager.

-g GroupName

The name of the user group on which to make the inquiry. You can specify only one name, which must be the name of an existing user group. On Windows systems, you can use only local groups.

-p PrincipalName

The name of a user for whom to display authorizations to the specified object.

For WebSphere MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format:

userid@domain

For more information about including domain names on the name of a principal, see "Principals and groups".

-s ServiceComponent

If installable authorization services are supported, specifies the name of the authorization service to which the authorizations apply. This parameter is optional; if you omit it, the authorization inquiry is made to the first installable component for the service.

Returned parameters

Returns an authorization list, which can contain none, one, or more authorization values. Each authorization value returned means that any user ID in the specified group or principal has the authority to perform the operation defined by that value.

Table 19 shows the authorities that can be given to the different object types.

Table 19. Security authorities from the dspmqaut command

Authority	Queue	Process	Queue manager	Namelist	Authent- ication information
all	Yes	Yes	Yes	Yes	Yes
alladm	Yes	Yes	Yes	Yes	Yes
allmqi	Yes	Yes	Yes	Yes	Yes
altusr	No	No	Yes	No	No
browse	Yes	No	No	No	No
chg	Yes	Yes	Yes	Yes	Yes
clr	Yes	No	No	No	No
connect	No	No	Yes	No	No
crt	Yes	Yes	Yes	Yes	Yes
dlt	Yes	Yes	Yes	Yes	Yes
dsp	Yes	Yes	Yes	Yes	Yes
get	Yes	No	No	No	No
inq	Yes	Yes	Yes	Yes	Yes
passall	Yes	No	No	No	No
passid	Yes	No	No	No	No
put	Yes	No	No	No	No
set	Yes	Yes	Yes	No	Yes
setall	Yes	No	Yes	No	No
setid	Yes	No	Yes	No	No

The following list defines the authorizations associated with each value:

all	Use all operations relevant to the object.
alladm	Perform all administration operations relevant to the object.
allmqi	Use all MQI calls relevant to the object.
altusr	Specify an alternate user ID on an MQI call.
browse	Retrieve a message from a queue by issuing an MQGET call with the BROWSE option.
chg	Change the attributes of the specified object, using the appropriate command set.
clr	Clear a queue (PCF command Clear queue only).
connect	Connect the application to the specified queue manager by issuing an MQCONN call.
crt	Create objects of the specified type using the appropriate command set.
dlt	Delete the specified object using the appropriate command set.
dsp	Display the attributes of the specified object using the appropriate command set.
get	Retrieve a message from a queue by issuing an MQGET call.
inq	Make an inquiry on a specific queue by issuing an MQINQ call.
passall	Pass all context.
passid	Pass the identity context.
put	Put a message on a specific queue by issuing an MQPUT call.
set	Set attributes on a queue from the MQI by issuing an MQSET call.
setall	Set all context on a queue.
setid	Set the identity context on a queue.

The authorizations for administration operations, where supported, apply to these command sets:

Control commands
MQSC commands
PCF commands

Return codes

0	Successful operation
36	Invalid arguments supplied
40	Queue manager not available
49	Queue manager stopping
69	Storage not available
71	Unexpected error
72	Queue manager name error
133	Unknown object name
145	Unexpected object name
146	Object name missing
147	Object type missing
148	Invalid object type
149	Entity name missing

Examples

The following example shows a command to display the authorizations on queue manager saturn.queue.manager associated with user group staff:

dspmqaut -m saturn.queue.manager -t qmgr -g staff

The results from this command are:

Entity staff has the following authorizations for object:
        get
        browse
        put
        inq
        set
        connect
        altusr
        passid
        passall
        setid

The following example displays the authorities user1 has for queue a.b.c:

dspmqaut -m qmgr1 -n a.b.c -t q -p user1

The results from this command are:

Entity user1 has the following authorizations for object:
        get
        put

Related commands

dmpmqaut	Dump authority
setmqaut	Set or reset authority