WebSphere MQ for iSeries categorizes the product's CL commands into two groups:
These commands can be grouped as follows:
For example:
GRTOBJAUT OBJ(DSPMQMQ) OBJTYPE(*CMD) USER(MQUSER) AUT(*USE)
This authority is controlled by the user having the appropriate OAM authority for the required action, set by a WebSphere MQ administrator using the GRTMQMAUT command
For example:
CHGMQMQ *connect authority to the queue manager + *admchg authority to the queue
The commands can be grouped as follows:
To process the DSP commands you must grant the user *connect and *admdsp authority to the queue manager, together with any specific option listed:
To process the WRK commands and display the options panel you must grant the user *connect and *admdsp authority to the queue manager, together with any specific option listed:
This requires *browse authority to the queue
This requires the following authorities:
This requires the following authorities:
This requires the following authorities:
To process the channel commands you must grant the user the specific authorities listed:
This requires *connect authority to the queue manager and *allmqi authority to the transmission queue associated with the channel.
This requires no WebSphere MQ object authority.
This requires *connect and *inqauthority to the queue manager.
This requires *connect authority to the queue manager.
This requires *connect authority to the queue manager and *allmqi authority to the transmission queue associated with the channel.
This requires *connect and *inq authority to the queue manager, and *allmqi authority to the initiation queue associated with the transmission queue of the channel.
This requires no WebSphere MQ object authority.
To process the following commands you must grant the user the specific authorities listed:
This requires no WebSphere MQ object authority.
This requires *connect and *admchg authority to the queue manager.
This requires *connect authority to the queue manager and *admchg authority to the namelist.
This requires *connect authority to the queue manager and *admchg authority to the process.
This requires *connect authority to the queue manager and *admchg authority to the queue.
This requires *connect authority to the queue manager and *admchg authority to the queue.
This requires *connect and *admcrtauthority to the queue manager.
This requires *connect and *admcrtauthority to the queue manager.
This requires *connect and *admcrtauthority to the queue manager.
This requires *connect and *admcrtauthority to the queue manager and *admdsp authority to the default namelist.
This requires *connect and *admcrtauthority to the queue manager and *admdsp authority to the default process.
This requires *connect and *admcrtauthority to the queue manager and *admdsp authority to the default queue.
This requires no WebSphere MQ object authority.
This requires *connect authority to the queue manager and *admdlt authority to the namelist.
This requires *connect authority to the queue manager and *admdlt authority to the process.
This requires *connect authority to the queue manager and *admdlt authority to the queue.
This requires no WebSphere MQ object authority.
This requires *connect authority to the queue manager.
This requires *connect authority to the queue manager.
This requires *connect authority to the queue manager.
This requires *connect authority to the queue manager.
This requires *connect authority to the queue manager.
Authorizations defined by the AUT keyword on the GRTMQMAUT and RVKMQMAUT commands can be categorized as follows:
The following tables list the different authorities, using the AUT parameter for MQI calls, Context calls, MQSC and PCF commands, and generic operations.
AUT | Description |
---|---|
*ALTUSR | Allow another user's authority to be used for MQOPEN and MQPUT1 calls. |
*BROWSE | Retrieve a message from a queue by issuing an MQGET call with the BROWSE option. |
*CONNECT | Connect the application to the specified queue manager by issuing an MQCONN call. |
*GET | Retrieve a message from a queue by issuing an MQGET call. |
*INQ | Make an inquiry on a specific queue by issuing an MQINQ call. |
*PUT | Put a message on a specific queue by issuing an MQPUT call. |
*SET | Set attributes on a queue from the MQI by issuing an MQSET
call.
If you open a queue for multiple options, you must be authorized for each of them. |
AUT | Description |
---|---|
*PASSALL | Pass all context on the specified queue. All the context fields are copied from the original request. |
*PASSID | Pass identity context on the specified queue. The identity context is the same as that of the request. |
*SETALL | Set all context on the specified queue. This is used by special system utilities. |
*SETID | Set identity context on the specified queue. This is used by special system utilities. |
AUT | Description |
---|---|
*ADMCHG | Change the attributes of the specified object. |
*ADMCLR | Clear the specified queue (PCF Clear queue command only). |
*ADMCRT | Create objects of the specified type. |
*ADMDLT | Delete the specified object. |
*ADMDSP | Display the attributes of the specified object. |
AUT | Description |
---|---|
*ALL | Use all operations applicable to the object. |
*ALLADM | Perform all administration operations applicable to the object. |
*ALLMQI | Use all MQI calls applicable to the object. |
*CTRL | Control startup and shutdown of channels, listeners, and services. |
*CTRLX | Reset sequence number and resolve indoubt channels. |
Provided that you have the required authorization, you can use the GRTMQMAUT command to grant authorization of a user profile or user group to access a particular object. The following examples illustrate how the GRTMQMAUT command is used:
GRTMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) +
AUT(*BROWSE *PUT) MQMNAME('saturn.queue.manager')
In this example:
*BROWSE adds authorization to browse messages on the queue (to issue MQGET with the browse option).
*PUT adds authorization to put (MQPUT) messages on the queue.
GRTMQMAUT OBJ(*ALL) OBJTYPE(*PRC) USER(JACK JILL) AUT(*ALL)
GRTMQMAUT OBJ(TRENT) OBJTYPE(*MQM) USER(GEORGE) AUT(*CONNECT) MQMNAME (TRENT) GRTMQMAUT OBJ(ORDERS) OBJTYPE(*Q) USER(GEORGE) AUT(*PUT) MQMNAME (TRENT)
Provided that you have the required authorization, you can use the RVKMQMAUT command to remove previously granted authorization of a user profile or user group to access a particular object. The following examples illustrate how the RVKMQMAUT command is used:
RVKMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) + AUT(*PUT) MQMNAME('saturn.queue.manager')The authority to put messages to the specified queue, that was granted in the previous example, is removed for GROUPA.
RVKMQMAUT OBJ(PAY*) OBJTYPE(*Q) USER(*PUBLIC) AUT(*GET) + MQMNAME(PAYROLLQM)Authority to get messages from any queue whose name starts with the characters PAY, owned by queue manager PAYROLLQM, is removed from all users of the system unless they, or a group to which they belong, have been separately authorized.
The display MQM authority (DSPMQMAUT) command shows, for the specified object and user, the list of authorizations that the user has for the object. The following example illustrates how the command is used:
DSPMQMAUT OBJ(ADMINNL) OBJTYPE(*NMLIST) USER(JOE) OUTPUT(*PRINT) + MQMNAME(ADMINQM)
The refresh MQM security (RFRMQMAUT) command enables you to update the OAM's authorization group information immediately, reflecting changes made at the operating system level, without needing to stop and restart the queue manager. The following example illustrates how the command is used:
RFRMQMAUT MQMNAME(ADMINQM)
Notices |
Downloads |
Library |
Support |
Feedback
![]() ![]() |
grntobj |