mqsicreateaclentry command

Supported platforms

Purpose

Use the mqsicreateaclentry command to create or modify the Configuration Manager data relating to the group or user access control lists that you have defined.

If you create or modify an access control group you must stop and restart the Configuration Manager for the change to take effect.

On z/OS, you must define an OMVS segment for user IDs and groups so that a Configuration Manager can obtain user ID and group information from the External Security Manager (ESM) database.

This command does not check that the specified component exists, so you can set up the access control list before the component is created.

Syntax

Windows

Linux and UNIX systems

z/OS console command

Synonym: ca

Parameters

You must select either -f or:
  • -g or -u, and
  • -x, and
  • -b and -e or -s or -r or -t or -p

If you select -u you must select either -m or -a.

configmgrName
(Optional - Windows. Required - Linux and UNIX systems.) The name of the Configuration Manager to which the access control lists are to be added.

On Linux and UNIX systems this must be the first parameter specified. It is case-sensitive on Linux and UNIX systems. On z/OS this parameter is implicit because you specify the component you want to MODIFY.

The default name on Windows, if this parameter is not specified, is 'ConfigMgr'.

-n cfgParameterFilename
(Optional) The name of a .configmgr file that describes the connection parameters to the Configuration Manager.
The file is in XML, using the .configmgr format saved by the Eclipse GUI. For example:
<?xml version="1.0" encoding="UTF-8"?>
<configmgr host="localhost" listenerPort="1414" queueManager="QNAME"
           securityExit="test.myExit"/>
If you are using this file on z/OS you must remove the statement encoding="UTF-8" from the first line, to leave the statement as:
<?xml version="1.0"?>
and remove the value for the host attribute, to leave the statement as:
<configmgr host="" listenerPort="1414" queueManager="QNAME"
           securityExit="test.myExit"/>
-f FileName
(Optional) File from which to import the configuration. The output of the mqsilistaclentry command is the correct format.
-g GroupName
(Optional) Local group to which this entry refers. For this reason, the name must adhere to the standard platform convention for group names.

To add a domain group, grant authority to a local group and then add the domain group, or groups, that you want to authorize into that local group. Any members of those domain groups obtain the permissions of the local group indirectly.

-u UserName
(Optional) User name to which this entry refers, for example, TEST\ANOTHER.
Note: -u and -g in this command refer to users and groups within the domain that the Configuration Manager uses for its security. This domain is by default the machine on which the Configuration Manager resides.
-m MachineName
(Optional) The name of the machine from which a specified user can connect. This option cannot be used with -a.
-a
(Optional) This signifies that the specified user name can be on any machine. This option cannot be used with -m.
Note: If you select -u, you must select either -a or -m.
-x AccessLevel
(Optional) The required access level given for this group. This can be any one of the following letters:
F
Full control
D
Deploy
E
Edit
V
View
-b Broker
(Optional) The object is a broker object, and its name is specified as a parameter.
-e ExeGroup
(Optional) The object is an execution group and its name is specified as a parameter of the form Broker\ExeGroup. You must specify the -b flag if you specify this flag.
-s Subscription
(Optional) The object is a subscription object, and its name is specified as a parameter.
-r
(Optional) The object refers to the root topic.
-t
(Optional) The object refers to the main topology.
-p
(Optional) The object refers to the "allresources" resource type. The authority that the principal has for this object applies to all objects, including the mqsicreateaclentry, mqsideleteaclentry, and mqsilistaclentry commands themselves.
-w waitTime
(Optional) The time in seconds that the command waits for a response from the Configuration Manager. If you do not supply a value the command waits for 30 seconds.
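
The parameter rules above can be checked before a command line is run or an ACL change is approved. The following is an added example, not IBM code: the function names parse and check are hypothetical, it handles only the Windows, Linux, and UNIX form of the command, and it assumes that one object flag is enough to satisfy the object rule.

```python
import shlex

VALUE_FLAGS = {"-n", "-f", "-g", "-u", "-m", "-x", "-b", "-e", "-s", "-w"}
BARE_FLAGS = {"-a", "-r", "-t", "-p"}
OBJECT_FLAGS = ("-b", "-s", "-r", "-t", "-p")

def parse(cmdline):
    """Return {flag: value} for a Windows/Linux/UNIX-style invocation."""
    # posix=False keeps backslashes in values such as TEST\ANOTHER intact.
    tokens = shlex.split(cmdline, posix=False)[1:]
    if tokens and not tokens[0].startswith("-"):
        tokens = tokens[1:]  # leading configmgrName
    opts, i = {}, 0
    while i < len(tokens):
        flag = tokens[i]
        if flag in BARE_FLAGS:
            opts[flag] = True
            i += 1
        elif flag in VALUE_FLAGS and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unknown option or missing value: {flag}")
    return opts

def check(cmdline):
    """Return (errors, warnings) for one mqsicreateaclentry command line."""
    o = parse(cmdline)
    errors, warnings = [], []
    if "-f" not in o:  # without -f, principal + level + object are all needed
        if "-g" not in o and "-u" not in o:
            errors.append("need -g or -u")
        if o.get("-x") not in ("F", "D", "E", "V"):
            errors.append("need -x with one of F, D, E, V")
        if not any(f in o for f in OBJECT_FLAGS):
            errors.append("need an object: -b, -s, -r, -t or -p")
    if "-e" in o and "-b" not in o:
        errors.append("-e requires -b")
    if "-u" in o and ("-m" in o) == ("-a" in o):
        errors.append("-u needs exactly one of -m or -a")
    # Review hints taken from the parameter descriptions, not hard errors.
    if "-p" in o:
        warnings.append("-p applies to all objects, including the ACL commands")
    if "-a" in o:
        warnings.append("-a allows the user to connect from any machine")
    return errors, warnings
```

The warnings do not block a command; they mark entries whose scope (-p) or origin (-a) is broad enough to deserve a second look before the ACL is created.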

Authorization

The user ID used to invoke this command must have full control permissions for the object being changed; see ACL permissions for more information.

When z/OS commands are run through the console, they effectively run as the Configuration Manager's started-task ID. This means that the commands inherit a Full Control root ACL and you can carry out any operation.

If you submit a console command to the Configuration Manager you can change any ACL for that Configuration Manager.

Examples

Windows, Linux, and UNIX systems:
mqsicreateaclentry CMGR01 -f c:\test\mylist
mqsicreateaclentry CMGR01 -g GROUPA -x F -b MYBROKER

z/OS. Note that on z/OS you must use a comma between each command option. The following example shows the z/OS version of the preceding Windows, Linux, and UNIX systems example:
 /f CMGR01, ca g='GROUPA', x='F', b='MYBROKER'