Use queue-based administration security to grant users permissions to complete specific tasks against an integration node running on Linux, UNIX, or Windows.
Use the mqsichangeauthmode command to activate administration security and to specify the queue-based mode of administration security for the integration node.
For security reasons, it is important that permissions are set correctly. You can use WebSphere® MQ commands to set up and manage your required security levels. Use the setmqaut command to set the required permissions, and the dspmqaut command to check which permissions have been set.
Action | Integration node permission | Queue | WebSphere MQ permission (set on setmqaut command) |
---|---|---|---|
View | read | SYSTEM.BROKER.AUTH | +INQ |
Create | write | SYSTEM.BROKER.AUTH | +PUT |
Delete | write | SYSTEM.BROKER.AUTH | +PUT |
Modify | write | SYSTEM.BROKER.AUTH | +PUT |
Start | execute | SYSTEM.BROKER.AUTH | +SET |
Stop | execute | SYSTEM.BROKER.AUTH | +SET |
Action | Integration node permission | Queue | WebSphere MQ permission (set on setmqaut command) |
---|---|---|---|
View | read | SYSTEM.BROKER.AUTH.EG | +INQ |
Create | write | SYSTEM.BROKER.AUTH.EG | +PUT |
Delete | write | SYSTEM.BROKER.AUTH.EG | +PUT |
Modify | write | SYSTEM.BROKER.AUTH.EG | +PUT |
Start | execute | SYSTEM.BROKER.AUTH.EG | +SET |
Stop | execute | SYSTEM.BROKER.AUTH.EG | +SET |
Action | Integration node permission | Queue | WebSphere MQ permission (set on setmqaut command) |
---|---|---|---|
View | read | SYSTEM.BROKER.DC.AUTH | +INQ |
Replay | execute | SYSTEM.BROKER.DC.AUTH | +SET |
The setmqaut command grants and revokes permissions cumulatively. To avoid retaining unwanted permissions that have been set previously, set them explicitly on each setmqaut command by specifying -all to remove all existing permissions, followed by the permissions that you want to set.
The following command grants execute permission and retains any permissions that were already set:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 +set
The following command grants execute permission and does not retain any existing permissions:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set
You can also set multiple permissions at the same time. For example, the following command removes any existing permissions and then grants execute and write permissions:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set +put
Use the dspmqaut command after each setmqaut command, to check that the permissions have been set correctly.
For further
information about the commands shown in the following examples, and
for details of the parameters, see the WebSphere MQ Version 7.5 product
documentation online.
All the examples shown here are for an integration node that is associated with the queue manager test.
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -all +set +put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2
Revoke execute permission from the user IDs that are defined in the group group2:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2
setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all +put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3
setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all -put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4 -all +inq
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5 -set -put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5
dmpmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.**