setmqaut (set or reset authority)

Purpose

Use the setmqaut command to change the authorizations to a profile, object or class of objects. Authorizations can be granted to, or revoked from, any number of principals or groups.

For more information about authorization service components, see Installable services, Service components, and Authorization service.

Syntax

Read syntax diagramSkip visual syntax diagram>>-setmqaut--+--------------+-- -n Profile-- -t ObjectType------>
             '- -m QMgrName-'

>--+----------------------+--+-----------+---------------------->
   '- -s ServiceComponent-'  '- -remove -'

   .-----------------------.
   V                       |
>----+- -p PrincipalName-+-+------------------------------------>
     '- -g GroupName-----'

   .---------------------------------------.
   V                                       |
>----+-| MQI authorizations |------------+-+-------------------><
     +-| Context authorizations |--------+
     +-| Administration authorizations |-+
     '-| Generic authorizations |--------'

MQI authorizations:

   .--------------------.
   V                    |
|------+- +altusr --+---+---------------------------------------|
       +- -altusr --+
       +- +browse --+
       +- -browse --+
       +- +connect -+
       +- -connect -+
       +- +get -----+
       +- -get -----+
       +- +inq -----+
       +- -inq -----+
       +- +put -----+
       +- -put -----+
       +- +set -----+
       '- -set -----'

Context authorizations:

   .--------------------.
   V                    |
|------+- +passall -+---+---------------------------------------|
       +- -passall -+
       +- +passid --+
       +- -passid --+
       +- +setall --+
       +- -setall --+
       +- +setid ---+
       '- -setid ---'

Read syntax diagramSkip visual syntax diagramAdministration authorizations:

   .------------------.
   V                  |
|------+- +chg ---+---+-----------------------------------------|
       +- -chg ---+
       +- +clr ---+
       +- -clr ---+
       +- +crt ---+
       +- -crt ---+
       +- +dlt ---+
       +- -dlt ---+
       +- +dsp ---+
       +- -dsp ---+
       +- +ctrl --+
       +- -ctrl --+
       +- +ctrlx -+
       '- -ctrlx -'

Generic authorizations:

   .-------------------.
   V                   |
|------+- +all ----+---+----------------------------------------|
       +- -all ----+
       +- +alladm -+
       +- -alladm -+
       +- +allmqi -+
       +- -allmqi -+
       '- +none ---'

Description

Use setmqaut both to set an authorization, that is, give a user group or principal permission to perform an operation, and to reset an authorization, that is, remove the permission to perform an operation. You must specify the user groups and principals to which the authorizations apply, the queue manager, object type, and the profile name identifying the object or objects. You can specify any number of groups and principals in a single command.

Note:
In WebSphere MQ for UNIX systems, if you specify a set of authorizations for a principal, the same authorizations are given to all principals in the same primary group.

The authorizations that can be given are categorized as follows:

Each authorization to be changed is specified in an authorization list as part of the command. Each item in the list is a string prefixed by + or -. For example, if you include +put in the authorization list, you give authority to issue MQPUT calls against a queue. Alternatively, if you include -put in the authorization list, you remove the authorization to issue MQPUT calls.

Authorizations can be specified in any order provided that they do not clash. For example, specifying allmqi with set causes a clash.

You can specify as many groups or authorizations as you require in a single command.

If a user ID is a member of more than one group, and if the groups have conflicting authorizations, the reset option does not override the set option, and the authorizations that apply are the union of the authorizations of each group to which that user ID belongs.

Required parameters

-t ObjectType
The type of object for which to change authorizations.

Possible values are:

authinfo Authentication information object, for use with Secure Sockets Layer (SSL) channel security
channel or ch A channel
clntconn or clcn A client connection channel
lsr or listener A listener
namelist or nl A namelist
process or prcs A process
queue or q A queue or queues matching the object name parameter
qmgr A queue manager
srvc or service A service
-n Profile
The name of the profile for which to change authorizations. The authorizations apply to all WebSphere MQ objects with names that match the profile name specified. The profile name can be generic, using wildcard characters to specify a range of names as explained in Using OAM generic profiles.

If you give an explicit profile name (without any wildcard characters), the object identified must exist.

This parameter is required, unless you are changing the authorizations of a queue manager, in which case you must not include it. To change the authorizations of a queue manager use the queue manager name, for example

setmqaut -m QMGR -t qmgr -p user1 +connect

where QMGR is the name of the queue manager and user1 is the user requesting the change.

Optional parameters

-m QMgrName
The name of the queue manager of the object for which to change authorizations. The name can contain up to 48 characters.

This parameter is optional if you are changing the authorizations of your default queue manager.

-p PrincipalName
The name of the principal for which to change authorizations.

For WebSphere MQ for Windows only, the name of the principal can optionally include a domain name, specified in the following format:

userid@domain

For more information about including domain names on the name of a principal, see Principals and groups.

You must have at least one principal or group.

-g GroupName
The name of the user group for which to change authorizations. You can specify more than one group name, but each name must be prefixed by the -g flag. On Windows systems, you can use only local groups.
-s ServiceComponent
The name of the authorization service to which the authorizations apply (if your system supports installable authorization services). This parameter is optional; if you omit it, the authorization update is made to the first installable component for the service.
-remove
Removes a profile. The authorizations associated with the profile no longer apply to WebSphere MQ objects with names that match the profile name specified.
Authorizations
The authorizations to be given or removed. Each item in the list is prefixed by a + indicating that authority is to be given, or a -, indicating that authority is to be removed.

For example, to give authority to issue an MQPUT call from the MQI, specify +put in the list. To remove authority to issue an MQPUT call, specify -put.

Table 22 shows the authorities that can be given to the different object types.

Table 22. Specifying authorities for different object types
Authority Queue Process Queue manager Namelist Auth info Clntconn Channel Listener Service
all Yes Yes Yes Yes Yes Yes Yes Yes Yes
alladm Yes Yes Yes Yes Yes Yes Yes Yes Yes
allmqi Yes Yes Yes Yes Yes Yes Yes Yes Yes
none Yes Yes Yes Yes Yes Yes Yes Yes Yes
altusr No No Yes No No No No No No
browse Yes No No No No No No No No
chg Yes Yes Yes Yes Yes Yes Yes Yes Yes
clr Yes No No No No No No No No
connect No No Yes No No No No No No
crt Yes Yes Yes Yes Yes Yes Yes Yes Yes
ctrl No No No No No No Yes Yes Yes
ctrlx No No No No No No Yes No No
dlt Yes Yes Yes Yes Yes Yes Yes Yes Yes
dsp Yes Yes Yes Yes Yes Yes Yes Yes Yes
get Yes No No No No No No No No
put Yes No No No No No No No No
inq Yes Yes Yes Yes Yes No No No No
passall Yes No No No No No No No No
passid Yes No No No No No No No No
set Yes No No No No No No No No
setall Yes No Yes No No No No No No
setid Yes No Yes No No No No No No
1

1.
Some of the authorities are part of +allmqi. Although they cannot be set individually, they can be reset individually using the setmqaut command.