Granting WebSphere MQ authorities to WebSphere MQ objects

WebSphere MQ for iSeries categorizes the product's CL commands into two groups:

Group 1
Users must be in the QMQMADM user group, or have *ALLOBJ authority, to process these commands. Users having either of these authorities can process all commands in all categories without requiring any extra authority.
Note: These authorities override any OAM authority.

These commands can be grouped as follows:

Group 2
The rest of the commands, for which two levels of authority are required:
  1. OS/400(R) authority to run the command. A WebSphere MQ administrator grants this with the GRTOBJAUT command, overriding the *PUBLIC(*EXCLUDE) restriction the commands ship with, for a user or a group of users.

    For example:

    GRTOBJAUT OBJ(DSPMQMQ) OBJTYPE(*CMD) USER(MQUSER) AUT(*USE)
  2. WebSphere MQ authority to manipulate the WebSphere MQ objects that the command, or commands, act on, once the OS/400 authority in step 1 has been granted.

    This authority is controlled by the user having the appropriate OAM authority for the required action, set by a WebSphere MQ administrator using the GRTMQMAUT command.

    For example, CHGMQMQ requires:

    CHGMQMQ   *CONNECT authority to the queue manager + *ADMCHG authority to the queue
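The two-level procedure above, carried through end to end for one user and one queue. This is an added example and not from the product documentation: the profile MQUSER, queue manager PAYROLL.QM and queue PAYROLL.INPUT are assumed names, and the MQ commands are assumed to live in library QMQM, where a default installation places them.

```cl
/* Step 1: OS/400 authority to run the CHGMQMQ command itself.            */
/* The command ships as *PUBLIC(*EXCLUDE); this grants MQUSER *USE on it. */
/* Library QMQM and the names MQUSER, PAYROLL.QM and PAYROLL.INPUT are    */
/* assumptions for this example.                                          */
GRTOBJAUT OBJ(QMQM/CHGMQMQ) OBJTYPE(*CMD) USER(MQUSER) AUT(*USE)

/* Step 2a: OAM authority to connect to the queue manager. Without this   */
/* the command fails even though MQUSER can now invoke it.                */
GRTMQMAUT OBJ(PAYROLL.QM) OBJTYPE(*MQM) USER(MQUSER) AUT(*CONNECT) +
          MQMNAME(PAYROLL.QM)

/* Step 2b: OAM authority to change the attributes of the one queue       */
/* MQUSER is allowed to administer. *ADMCHG only: no *ADMDLT or *ADMCLR,  */
/* and no MQI authority such as *PUT or *GET, so MQUSER can tune the      */
/* queue but cannot read, write or destroy it.                            */
GRTMQMAUT OBJ(PAYROLL.INPUT) OBJTYPE(*LCLQ) USER(MQUSER) AUT(*ADMCHG) +
          MQMNAME(PAYROLL.QM)

/* Check the OAM result before handing the profile over.                  */
DSPMQMAUT OBJ(PAYROLL.INPUT) OBJTYPE(*Q) USER(MQUSER) MQMNAME(PAYROLL.QM)

/* MQUSER can now run, for example:                                       */
/* CHGMQMQ QNAME(PAYROLL.INPUT) MQMNAME(PAYROLL.QM) MAXDEPTH(5000)         */
```

Granting *USE on the command object alone is not sufficient, and granting *ADMCHG alone is not sufficient either; both checks are applied, in that order, every time the command runs. Users in QMQMADM or with *ALLOBJ bypass both, which is why membership of that group should be kept to genuine administrators.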

The commands can be grouped as follows:

Access authorizations

Authorizations defined by the AUT keyword on the GRTMQMAUT and RVKMQMAUT commands fall into four categories. The following tables list the authorities, as specified on the AUT parameter, for MQI calls, context calls, MQSC and PCF commands, and generic operations.

Table 4. Authorizations for MQI calls

  AUT        Description
  *ALTUSR    Allow another user's authority to be used for MQOPEN and MQPUT1 calls.
  *BROWSE    Retrieve a message from a queue by issuing an MQGET call with the BROWSE option.
  *CONNECT   Connect the application to the specified queue manager by issuing an MQCONN call.
  *GET       Retrieve a message from a queue by issuing an MQGET call.
  *INQ       Make an inquiry on a specific queue by issuing an MQINQ call.
  *PUT       Put a message on a specific queue by issuing an MQPUT call.
  *SET       Set attributes on a queue from the MQI by issuing an MQSET call.

If you open a queue for multiple options, you must be authorized for each of them.

Table 5. Authorizations for context calls

  AUT        Description
  *PASSALL   Pass all context on the specified queue. All the context fields are copied from the original request.
  *PASSID    Pass identity context on the specified queue. The identity context is the same as that of the request.
  *SETALL    Set all context on the specified queue. This is used by special system utilities.
  *SETID     Set identity context on the specified queue. This is used by special system utilities.

Table 6. Authorizations for MQSC and PCF commands

  AUT        Description
  *ADMCHG    Change the attributes of the specified object.
  *ADMCLR    Clear the specified queue (PCF Clear queue command only).
  *ADMCRT    Create objects of the specified type.
  *ADMDLT    Delete the specified object.
  *ADMDSP    Display the attributes of the specified object.

Table 7. Authorizations for generic operations

  AUT        Description
  *ALL       Use all operations applicable to the object.
  *ALLADM    Perform all administration operations applicable to the object.
  *ALLMQI    Use all MQI calls applicable to the object.
  *CTRL      Control startup and shutdown of channels, listeners, and services.
  *CTRLX     Reset sequence number and resolve in-doubt channels.

Using the GRTMQMAUT command

Provided that you have the required authorization, you can use the GRTMQMAUT command to grant a user profile or user group authority to access a particular object. The following examples illustrate how the GRTMQMAUT command is used:

  1. GRTMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) +
              AUT(*BROWSE *PUT) MQMNAME('saturn.queue.manager')

    In this example, the user group GROUPA is granted *BROWSE and *PUT authority on the local queue RED.LOCAL.QUEUE, owned by the queue manager saturn.queue.manager.

  2. The following command grants to users JACK and JILL all applicable authorizations, to all process definitions, for the default queue manager.
        GRTMQMAUT OBJ(*ALL) OBJTYPE(*PRC) USER(JACK JILL) AUT(*ALL)
  3. The following commands grant user GEORGE authority to put a message on the queue ORDERS, on the queue manager TRENT. Two grants are needed: *CONNECT on the queue manager object, without which GEORGE cannot connect at all, and *PUT on the queue itself.
      GRTMQMAUT OBJ(TRENT) OBJTYPE(*MQM) USER(GEORGE) AUT(*CONNECT) MQMNAME(TRENT)
      GRTMQMAUT OBJ(ORDERS) OBJTYPE(*Q) USER(GEORGE) AUT(*PUT) MQMNAME(TRENT)

Using the RVKMQMAUT command

Provided that you have the required authorization, you can use the RVKMQMAUT command to remove authority previously granted to a user profile or user group to access a particular object. The following examples illustrate how the RVKMQMAUT command is used:

  1.     RVKMQMAUT OBJ(RED.LOCAL.QUEUE) OBJTYPE(*LCLQ) USER(GROUPA) +
        AUT(*PUT) MQMNAME('saturn.queue.manager')
    The authority to put messages to the specified queue, granted to GROUPA in the first GRTMQMAUT example above, is removed; the *BROWSE authority granted at the same time is left in place.
  2.     RVKMQMAUT OBJ(PAY*) OBJTYPE(*Q) USER(*PUBLIC) AUT(*GET) +
        MQMNAME(PAYROLLQM)
    Authority to get messages from any queue whose name starts with the characters PAY, owned by queue manager PAYROLLQM, is removed from all users of the system unless they, or a group to which they belong, have been separately authorized.

Using the DSPMQMAUT command

The display MQM authority (DSPMQMAUT) command shows, for the specified object and user, the list of authorizations that the user has for the object. The following example illustrates how the command is used:

    DSPMQMAUT OBJ(ADMINNL) OBJTYPE(*NMLIST) USER(JOE) OUTPUT(*PRINT) +
    MQMNAME(ADMINQM)

Using the RFRMQMAUT command

The refresh MQM security (RFRMQMAUT) command enables you to update the OAM's authorization group information immediately, reflecting changes made at the operating system level, without needing to stop and restart the queue manager. The following example illustrates how the command is used:

    RFRMQMAUT MQMNAME(ADMINQM)
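The RVKMQMAUT *PUBLIC example and the RFRMQMAUT description above, combined into one least-privilege sequence: public access to the payroll queues is withdrawn, the minimum MQI authority is granted to a group rather than to individuals, a user is added to that group at the operating-system level, and the OAM is refreshed so the change takes effect without restarting the queue manager. This is an added example and not from the product documentation; the queue manager PAYROLLQM and the generic name PAY* are taken from the page, while the group PAYGRP, the queue PAY.INPUT, and the assumption that JOE has no existing primary group are this example's own.

```cl
/* 1. Take *GET and *BROWSE on every PAY* queue away from *PUBLIC, so only */
/*    explicitly authorized users and groups can read payroll messages.    */
RVKMQMAUT OBJ(PAY*) OBJTYPE(*Q) USER(*PUBLIC) AUT(*GET *BROWSE) +
          MQMNAME(PAYROLLQM)

/* 2. Give the group, not individual users, the minimum a consumer needs:  */
/*    connect to the queue manager, then get, browse and inquire on the    */
/*    PAY* queues. No *PUT, no *SET, no *ADM* authorities.                   */
/*    PAYGRP is an assumed group name for this example.                    */
GRTMQMAUT OBJ(PAYROLLQM) OBJTYPE(*MQM) USER(PAYGRP) AUT(*CONNECT) +
          MQMNAME(PAYROLLQM)
GRTMQMAUT OBJ(PAY*) OBJTYPE(*Q) USER(PAYGRP) AUT(*GET *BROWSE *INQ) +
          MQMNAME(PAYROLLQM)

/* 3. Make JOE a member of PAYGRP at the OS/400 level. GRPPRF sets the     */
/*    primary group profile, so this assumes JOE had none before.          */
CHGUSRPRF USRPRF(JOE) GRPPRF(PAYGRP)

/* 4. The OAM holds its own copy of group information; refresh it so the   */
/*    new membership is honoured immediately, without ending and           */
/*    restarting PAYROLLQM.                                                */
RFRMQMAUT MQMNAME(PAYROLLQM)

/* 5. Check what JOE can now do on one of the payroll queues.              */
/*    PAY.INPUT is an assumed queue name for this example.                 */
DSPMQMAUT OBJ(PAY.INPUT) OBJTYPE(*Q) USER(JOE) MQMNAME(PAYROLLQM)
```

Step 4 is the one that is easy to forget: until RFRMQMAUT runs, the queue manager continues to evaluate JOE against the group membership it read earlier, so a grant that looks correct in DSPMQMAUT for the group can still fail for the user. The same applies in reverse when a user is removed from a group, which is the case that matters for security.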