Authorizations for MQI calls
An application is allowed to issue specific MQI calls and options only
if the user identifier under which it is running (or whose authorizations
it is able to assume) has been granted the relevant authorization.
Four MQI calls might require authorization checks: MQCONN, MQOPEN, MQPUT1, and MQCLOSE.
For MQOPEN and MQPUT1, the authority check
is made on the name of the object being opened, and not on the name, or names,
resulting after a name has been resolved. For example, an application might
be granted authority to open an alias queue without having authority to open
the base queue to which the alias resolves. The rule is that the check is
carried out on the first definition encountered during name resolution
that is not a queue manager alias, unless the queue manager alias definition
is opened directly; that is, its name appears in the ObjectName field of the
object descriptor. Authority is always needed for the object being opened.
In some cases additional queue-independent authority, obtained through an
authorization for the queue manager object, is required.
Table 7, Table 8, Table 9,
and Table 10 summarize the authorizations needed for each call.
In the tables, "Not applicable" means that authorization
checking is not relevant to this operation; "No check" means
that no authorization checking is performed.
Note:
You will find
no mention of namelists, channels, client connection channels,
listeners, services, or authentication information objects in these tables.
This is because none of the authorizations apply to these objects, except
for MQOO_INQUIRE, for which the same authorizations apply as for the other
objects.
The special authorization MQZAO_ALL_MQI includes all the authorizations
in the tables that are relevant to the object type, except MQZAO_DELETE and
MQZAO_DISPLAY, which are classed as administration authorizations.
MQOO_INQUIRE | MQZAO_INQUIRE | MQZAO_INQUIRE | MQZAO_INQUIRE
MQOO_BROWSE | MQZAO_BROWSE | Not applicable | No check
MQOO_INPUT_* | MQZAO_INPUT | Not applicable | No check
MQOO_SAVE_ALL_CONTEXT (2) | MQZAO_INPUT | Not applicable | Not applicable
MQOO_OUTPUT (Normal queue) (3) | MQZAO_OUTPUT | Not applicable | Not applicable
MQOO_PASS_IDENTITY_CONTEXT (4) | MQZAO_PASS_IDENTITY_CONTEXT | Not applicable | No check
MQOO_PASS_ALL_CONTEXT (4, 5) | MQZAO_PASS_ALL_CONTEXT | Not applicable | No check
MQOO_SET_IDENTITY_CONTEXT (4, 5) | MQZAO_SET_IDENTITY_CONTEXT | Not applicable | MQZAO_SET_IDENTITY_CONTEXT (6)
MQOO_SET_ALL_CONTEXT (4, 7) | MQZAO_SET_ALL_CONTEXT | Not applicable | MQZAO_SET_ALL_CONTEXT (6)
MQOO_OUTPUT (Transmission queue) (8) | MQZAO_SET_ALL_CONTEXT | Not applicable | MQZAO_SET_ALL_CONTEXT (6)
MQOO_SET | MQZAO_SET | Not applicable | No check
MQOO_ALTERNATE_USER_AUTHORITY | (9) | (9) | MQZAO_ALTERNATE_USER_AUTHORITY (9, 10)

MQPMO_PASS_IDENTITY_CONTEXT | MQZAO_PASS_IDENTITY_CONTEXT (11) | Not applicable | No check
MQPMO_PASS_ALL_CONTEXT | MQZAO_PASS_ALL_CONTEXT (11) | Not applicable | No check
MQPMO_SET_IDENTITY_CONTEXT | MQZAO_SET_IDENTITY_CONTEXT (11) | Not applicable | MQZAO_SET_IDENTITY_CONTEXT (6)
MQPMO_SET_ALL_CONTEXT | MQZAO_SET_ALL_CONTEXT (11) | Not applicable | MQZAO_SET_ALL_CONTEXT (6)
(Transmission queue) (8) | MQZAO_SET_ALL_CONTEXT | Not applicable | MQZAO_SET_ALL_CONTEXT (6)
MQPMO_ALTERNATE_USER_AUTHORITY | (12) | Not applicable | MQZAO_ALTERNATE_USER_AUTHORITY (10)

MQCO_DELETE | MQZAO_DELETE (13) | Not applicable | Not applicable
MQCO_DELETE_PURGE | MQZAO_DELETE (13) | Not applicable | Not applicable

Notes for the tables:
1. If opening a model queue:
   - MQZAO_DISPLAY authority is needed for the model queue, in addition to
     the authority to open the model queue for the type of access for which you
     are opening.
   - MQZAO_CREATE authority is not needed to create the dynamic queue.
   - The user identifier used to open the model queue is automatically granted
     all the queue-specific authorities (equivalent to MQZAO_ALL) for the dynamic
     queue created.
2. MQOO_INPUT_* must also be specified. This is valid
   for a local, model, or alias queue.
3. This check is performed for all output cases, except transmission
   queues (see note 8).
4. MQOO_OUTPUT must also be specified.
5. MQOO_PASS_IDENTITY_CONTEXT is also implied by this option.
6. This authority is required for both the queue manager object
   and the particular queue.
7. MQOO_PASS_IDENTITY_CONTEXT, MQOO_PASS_ALL_CONTEXT, and MQOO_SET_IDENTITY_CONTEXT
   are also implied by this option.
8. This check is performed for a local or model queue that has
   a Usage queue attribute of MQUS_TRANSMISSION, and
   is being opened directly for output. It does not apply if a remote queue is
   being opened (either by specifying the names of the remote queue manager and
   remote queue, or by specifying the name of a local definition of the remote
   queue).
9. At least one of MQOO_INQUIRE (for any object type), or MQOO_BROWSE,
   MQOO_INPUT_*, MQOO_OUTPUT, or MQOO_SET (for queues) must also be
   specified. The check carried out is as for the other options specified, using
   the supplied alternate-user identifier for the specific-named object authority,
   and the current application authority for the MQZAO_ALTERNATE_USER_IDENTIFIER
   check.
10. This authorization allows any AlternateUserId to be specified.
11. An MQZAO_OUTPUT check is also carried out if the queue does
    not have a Usage queue attribute of MQUS_TRANSMISSION.
12. The check carried out is as for the other options specified,
    using the supplied alternate-user identifier for the specific-named queue
    authority, and the current application authority for the MQZAO_ALTERNATE_USER_IDENTIFIER
    check.
13. The check is carried out only if both of the following are
    true:
    - A permanent dynamic queue is being closed and deleted.
    - The queue was not created by the MQOPEN call that returned the
      object handle being used.
    Otherwise, there is no check.
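
The alias rule and notes 2, 3, 4, 6 and 8 above, as an added example (not IBM code): a Python model of the MQOPEN checks for queues that also lists users who can put to a base queue only through an alias. It assumes the first authority column of the MQOPEN rows applies to the queue object and the last to the queue manager object; the queue names, users, grants and the @qmgr key are constructed.

```python
QUEUE_AUTH = {  # added model, not IBM code: open option -> queue authority
    "MQOO_INQUIRE": "MQZAO_INQUIRE",
    "MQOO_BROWSE": "MQZAO_BROWSE",
    "MQOO_SAVE_ALL_CONTEXT": "MQZAO_INPUT",
    "MQOO_OUTPUT": "MQZAO_OUTPUT",
    "MQOO_PASS_IDENTITY_CONTEXT": "MQZAO_PASS_IDENTITY_CONTEXT",
    "MQOO_PASS_ALL_CONTEXT": "MQZAO_PASS_ALL_CONTEXT",
    "MQOO_SET_IDENTITY_CONTEXT": "MQZAO_SET_IDENTITY_CONTEXT",
    "MQOO_SET_ALL_CONTEXT": "MQZAO_SET_ALL_CONTEXT",
    "MQOO_SET": "MQZAO_SET",
}
ALSO_ON_QMGR = {"MQZAO_SET_IDENTITY_CONTEXT", "MQZAO_SET_ALL_CONTEXT"}  # note 6
NEEDS_OUTPUT = {o for o in QUEUE_AUTH if o.endswith("_CONTEXT")} - {"MQOO_SAVE_ALL_CONTEXT"}
QMGR = "@qmgr"  # constructed key standing for the queue manager object

def required(name, options, usage="MQUS_NORMAL"):
    """(object, authority) pairs checked when `name` is opened directly."""
    opts = set(options)
    has_input = any(o.startswith("MQOO_INPUT_") for o in opts)
    if "MQOO_SAVE_ALL_CONTEXT" in opts and not has_input:
        raise ValueError("MQOO_SAVE_ALL_CONTEXT needs MQOO_INPUT_* (note 2)")
    if opts & NEEDS_OUTPUT and "MQOO_OUTPUT" not in opts:
        raise ValueError("context options need MQOO_OUTPUT (note 4)")
    auths = {"MQZAO_INPUT"} if has_input else set()
    for o in opts:
        if o == "MQOO_OUTPUT" and usage == "MQUS_TRANSMISSION":
            auths.add("MQZAO_SET_ALL_CONTEXT")  # note 8, instead of note 3
        elif not o.startswith("MQOO_INPUT_"):
            auths.add(QUEUE_AUTH[o])
    return {(name, a) for a in auths} | {(QMGR, a) for a in auths & ALSO_ON_QMGR}

def allowed(user, name, options, grants, usage="MQUS_NORMAL"):
    """True if `user` holds every authority checked for this open."""
    def holds(obj, auth):  # MQZAO_ALL_MQI excludes administration authorizations
        held = grants.get((user, obj), set())
        return auth in held or ("MQZAO_ALL_MQI" in held
                                and auth not in ("MQZAO_DELETE", "MQZAO_DISPLAY"))
    return all(holds(o, a) for o, a in required(name, options, usage))

def writers_via_alias(base, aliases, grants):
    """Users who can put to `base` through an alias without authority on `base`."""
    names = [a for a, target in aliases.items() if target == base]
    return sorted({u for u, _ in grants
                   if not allowed(u, base, ["MQOO_OUTPUT"], grants)
                   and any(allowed(u, a, ["MQOO_OUTPUT"], grants) for a in names)})

ALIASES = {"PAY.IN.ALIAS": "PAY.BASE"}  # constructed sample data
GRANTS = {("appuser", "PAY.IN.ALIAS"): {"MQZAO_OUTPUT"},
          ("batch", "PAY.BASE"): {"MQZAO_ALL_MQI"},
          ("mover", "PAY.XMITQ"): {"MQZAO_SET_ALL_CONTEXT"}}
```

Because the check is made on the name in ObjectName, an audit of who can write to a base queue has to include the grants on every alias that resolves to it, which is what `writers_via_alias` reports.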