mqsilistaclentry command

Supported platforms

Purpose

Use the mqsilistaclentry command to view or list the currently defined:
  • User groups
  • Users
  • Objects
  • Access control lists

If you do not specify any parameters, all the groups, users, and objects are listed.

If you specify GroupName, only those access control lists relating to that group are listed.

If you specify UserName, only those access control lists relating to that specific user are listed, including any access control lists to which they belong.

If you specify Broker, only those groups, users, or access control lists relating to that broker are listed.

The output from this command is a description of the access rights that match the criteria specified in the command line arguments; each line takes the following form:
<principal> - <principaltype> - <accesstype> - <objectname> - <objecttype>
where
  • <principal> is the name of the user or group for which a policy has been defined.
  • <principaltype> is USER if the principal refers to a user, or GROUP if the principal refers to a group.
  • <accesstype> describes the type of authority that has been granted, and can be one of:
    V
    View access
    F
    Full control
    D
    Deploy access
    E
    Editor access
  • <objectname> applies only to execution groups and brokers, and describes the name of the object that has had a policy defined.
  • <objecttype> describes the type of object that has had a policy defined, and can be one of:
    Broker
    A broker
    ConfigManagerProxy
    Configuration Manager Proxy
    ExecutionGroup
    An execution group
    PubSubTopology
    The topology
    Subscription
    The list of active subscriptions
    TopicRoot
    The root topic
For example:
wrkgrp\ali  -  USER   -  F  -  EXE  -  BROKER\default   
means that user "ali" in domain "wrkgrp" has been granted full control over the execution group default in broker "BROKER".

Syntax

Windows

Linux and UNIX systems

z/OS console command

Synonym: la

Parameters

configmgrName
(Optional - Windows. Required - Linux and UNIX systems.) The name of the Configuration Manager for which the access control lists are to be displayed.

On Linux and UNIX systems this must be the first parameter specified. It is case-sensitive on Linux and UNIX systems. On z/OS this parameter is implicit because you specify the component you want to MODIFY.

The default name on Windows, if this parameter is not specified, is 'ConfigMgr'.

-ncfgParameterFilename
(Optional) The name of a .configmgr file that describes the connection parameters to the Configuration Manager.
The file is in XML, using the .configmgr format saved by the Eclipse GUI. For example:
<?xml version="1.0" encoding="UTF-8"?>
<configmgr host="localhost" listenerPort="1414" queueManager="QNAME"
           securityExit="test.myExit"/>
If you are using this file on z/OS you must remove the statement encoding="UTF-8" from the first line, to leave the statement as:
<?xml version="1.0"?>
and remove the value for the host attribute, to leave the statement as:
<configmgr host="" listenerPort="1414" queueManager="QNAME"
           securityExit="test.myExit"/>
-f FileName
(Optional) Place the results of this command into an XML file.
-u UserName
(Optional) User name to which this entry refers, for example, TEST\ANOTHER.
-a
(Optional) Allows a specified user to connect to all machines.
Note: You can select -a or -m.
-m MachineName
(Optional) The name of the machine from which a specified user can connect.
-gGroupName
(Optional) Group to which this entry refers. For this reason, the name must adhere to the standard platform convention for group names.
-b Broker
(Optional) The object is a broker object, and its name is specified as a parameter.
-e ExeGroup
(Optional) The object is an execution group and its name is specified as a parameter of the form 'Broker\ExeGroup'. You must specify the b flag if you specify this flag.
-s Subscription
(Optional) The object is a subscription object, and its name is specified as a parameter.
-r
(Optional) The object is referring to the root topic.
-t
(Optional) The object is referring to the main topology.
-p
(Optional) The object refers to the "allresources" resource type. The authority that the principal has for this object applies to all objects, including the mqsicreateaclentry, mqsideleteaclentry, and mqsilistaclentry commands themselves.
-w waitTime
(Optional) The time in seconds that the command waits for a response from the Configuration Manager. If you do not supply a value the command waits for 30 seconds.

Authorization

The user ID used to invoke this command must have full control permissions for the object being changed; see ACL permissions for more information.

Start of changeWhen z/OS commands are run through the console, they effectively run as the Configuration Manager's started-task ID. This means that the commands inherit a Full Control root ACL and you can carry out any operation.End of change

Start of changeIf you submit a console command to the Configuration Manager you can change any ACL for that Configuration Manager.End of change

Examples

Start of changeWindows, Linux, and UNIX systems:
mqsilistaclentry CMGR01 -b BROKER01
mqsilistaclentry CMGR01 -e BROKER01\ExeGrp01
mqsilistaclentry CMGR01 -g GROUPA
End of change
Start of changez/OS. Note, that on z/OS you must use a comma between each command option. The following example shows the z/OS version of the preceding Windows, Linux, and UNIX systems example:
 /f CMGR01, la g='GROUPA'
End of change
Related concepts
Security overview
Related tasks
Database security