setmqaut (set or reset authority)

Purpose

Use the setmqaut command to change the authorizations to a profile, object or class of objects. Authorizations can be granted to, or revoked from, any number of principals or groups.

For more information about authorization service components, see "Installable services", "Service components", and Chapter 19, Authorization service.

Syntax 

>>-setmqaut---+--------------+--- -n Profile--- -t ObjectType--->
              '- -m QMgrName-'
 
>-----+----------------------+---+-----------+------------------>
      '- -s ServiceComponent-'   '- -remove -'
 
      .--------------------------.
      V                          |
>---------+- -p PrincipalName-+--+------------------------------>
          '- -g GroupName-----'
 
      .------------------------------------------.
      V                                          |
>---------+-| MQI authorizations |------------+--+-------------><
          +-| Context authorizations |--------+
          +-| Administration authorizations |-+
          '-| Generic authorizations |--------'
 
MQI authorizations
 
    .-----------------------.
    V                       |
|---------+- +altusr --+----+-----------------------------------|
          +- -altusr --+
          +- +browse --+
          +- -browse --+
          +- +connect -+
          +- -connect -+
          +- +get -----+
          +- -get -----+
          +- +inq -----+
          +- -inq -----+
          +- +put -----+
          +- -put -----+
          +- +set -----+
          '- -set -----'
 
Context authorizations
 
    .-----------------------.
    V                       |
|---------+- +passall -+----+-----------------------------------|
          +- -passall -+
          +- +passid --+
          +- -passid --+
          +- +setall --+
          +- -setall --+
          +- +setid ---+
          '- -setid ---'
 

 
Administration authorizations
 
   .-------------------.
   V                   |
|--------+- +chg -+----+----------------------------------------|
         +- -chg -+
         +- +clr -+
         +- -clr -+
         +- +crt -+
         +- -crt -+
         +- +dlt -+
         +- -dlt -+
         +- +dsp -+
         '- -dsp -'
 
Generic authorizations
 
    .----------------------.
    V                      |
|---------+- +all ----+----+------------------------------------|
          +- -all ----+
          +- +alladm -+
          +- -alladm -+
          +- +allmqi -+
          +- -allmqi -+
          '- +none ---'

Description

Use setmqaut both to set an authorization, that is, give a user group or principal permission to perform an operation, and to reset an authorization, that is, remove the permission to perform an operation. You must specify the user groups and principals to which the authorizations apply, the queue manager, object type, and the profile name identifying the object or objects. You can specify any number of groups and principals in a single command.

Note:In WebSphere MQ for UNIX systems, if you specify a set of authorizations for a principal, the same authorizations are given to all principals in the same primary group.

The authorizations that can be given are categorized as follows:

Each authorization to be changed is specified in an authorization list as part of the command. Each item in the list is a string prefixed by + or -. For example, if you include +put in the authorization list, you give authority to issue MQPUT calls against a queue. Alternatively, if you include -put in the authorization list, you remove the authorization to issue MQPUT calls.

Authorizations can be specified in any order provided that they do not clash. For example, specifying allmqi with set causes a clash.

You can specify as many groups or authorizations as you require in a single command.

If a user ID is a member of more than one group, the authorizations that apply are the union of the authorizations of each group to which that user ID belongs.

Required parameters

-t ObjectType
The type of object for which to change authorizations.

Possible values are:

-n Profile
The name of the profile for which to change authorizations. The authorizations apply to all WebSphere MQ objects with names that match the profile name specified. The profile name can be generic, using wildcard characters to specify a range of names as explained in Using OAM generic profiles.

If you give an explicit profile name (without any wildcard characters), the object identified must exist.

This parameter is required, unless you are changing the authorizations of your default queue manager, in which case you must not include it.

Optional parameters

-m QMgrName
The name of the queue manager of the object for which to change authorizations. The name can contain up to 48 characters.

This parameter is optional if you are changing the authorizations of your default queue manager.

-p PrincipalName
The name of the principal for which to change authorizations.

For WebSphere MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format: 

userid@domain

For more information about including domain names on the name of a principal, see "Principals and groups".

You must have at least one principal or group.

-g GroupName
The name of the user group for which to change authorizations. You can specify more than one group name, but each name must be prefixed by the -g flag. On Windows systems, you can use only local groups.

-s ServiceComponent
The name of the authorization service to which the authorizations apply (if your system supports installable authorization services). This parameter is optional; if you omit it, the authorization update is made to the first installable component for the service.

-remove
Removes a profile. The authorizations associated with the profile no longer apply to WebSphere MQ objects with names that match the profile name specified.

Authorizations
The authorizations to be given or removed. Each item in the list is prefixed by a + indicating that authority is to be given, or a -, indicating that authority is to be removed.

For example, to give authority to issue an MQPUT call from the MQI, specify +put in the list. To remove authority to issue an MQPUT call, specify -put.

Table 20 shows the authorities that can be given to the different object types.

Table 20. Specifying authorities for different object types

Authority Queue Process Queue manager Namelist Authentication information
all Yes Yes Yes Yes Yes
alladm Yes Yes Yes Yes Yes
allmqi Yes Yes Yes Yes Yes
none Yes Yes Yes Yes Yes
altusr No No Yes No No
browse Yes No No No No
chg Yes Yes Yes Yes Yes
clr Yes No No No No
connect No No Yes No No
crt Yes Yes Yes Yes Yes
dlt Yes Yes Yes Yes Yes
dsp Yes Yes Yes Yes Yes
get Yes No No No No
put Yes No No No No
inq Yes Yes Yes Yes Yes
passall Yes No No No No
passid Yes No No No No
set Yes No No No No
setall Yes No No No No
setid Yes No No No No

Authorizations for MQI calls

altusr Use another user's authority for MQOPEN and MQPUT1 calls.
browse Retrieve a message from a queue using an MQGET call with the BROWSE option.
connect Connect the application to the specified queue manager using an MQCONN call.
get Retrieve a message from a queue using an MQGET call.
inq Make an inquiry on a specific queue using an MQINQ call.
put Put a message on a specific queue using an MQPUT call.
set Set attributes on a queue from the MQI using an MQSET call.

Note:If you open a queue for multiple options, you have to be authorized for each option.

Authorizations for context

passall Pass all context on the specified queue. All the context fields are copied from the original request.
passid Pass identity context on the specified queue. The identity context is the same as that of the request.
setall Set all context on the specified queue. This is used by special system utilities.
setid Set identity context on the specified queue. This is used by special system utilities.

Authorizations for commands

chg Change the attributes of the specified object.
clr Clear the specified queue (PCF Clear queue command only).
crt Create objects of the specified type.
dlt Delete the specified object.
dsp Display the attributes of the specified object.

Authorizations for generic operations

all Use all operations applicable to the object.
alladm Use all administration operations applicable to the object.
allmqi Use all MQI calls applicable to the object.
none No authority. Use this to create profiles without authority.

Return codes

0 Successful operation
36 Invalid arguments supplied
40 Queue manager not available
49 Queue manager stopping
69 Storage not available
71 Unexpected error
72 Queue manager name error
133 Unknown object name
145 Unexpected object name
146 Object name missing
147 Object type missing
148 Invalid object type
149 Entity name missing
150 Authorization specification missing
151 Invalid authorization specification

Examples

  1. This example shows a command that specifies that the object on which authorizations are being given is the queue orange.queue on queue manager saturn.queue.manager. If the queue does not exist, the command fails. 
    setmqaut -m saturn.queue.manager -n orange.queue -t queue
         -g tango +inq +alladm
    The authorizations are given to user group tango and the associated authorization list specifies that user group tango can:
  2. In this example, the authorization list specifies that user group foxy: If the queue does not exist, the command fails. 
    setmqaut -m saturn.queue.manager -n orange.queue -t queue
         -g foxy -allmqi +alladm
  3. This example gives user1 full access to all queues with names beginning a.b on queue manager qmgr1. The profile is persistent, and will apply to any object created in the future with a name that matches the profile name. 
    setmqaut -m qmgr1 -n a.b.* -t q -p user1 +all
  4. This example deletes the specified profile. 
    setmqaut -m qmgr1 -n a.b.* -t q -p user1 -remove
  5. This example creates a profile with no authority. 
    setmqaut -m qmgr1 -n a.b.* -t q -p user1 +none

Related commands

dmpmqaut Dump authority
dspmqaut Display authority


© IBM Corporation 1994, 2002. All Rights Reserved