Using OAM generic profiles

OAM generic profiles enable you to set the authority a user has to many objects at once, rather than having to issue separate setmqaut commands against each individual object when it is created. Using generic profiles in the setmqaut command enables you to set a generic authority for all objects that fit that profile.

The rest of this section describes the use of generic profiles in more detail:

Using wildcard characters

What makes a profile generic is the use of special characters (wildcard characters) in the profile name. For example, the ? wildcard character matches any single character in a name. So, if you specify ABC.?EF, the authorization you give to that profile applies to any objects with the names ABC.DEF, ABC.CEF, ABC.BEF, and so on.

The wildcard characters available are:

?
Use the question mark (?) instead of any single character. For example, AB.?D would apply to the objects AB.CD, AB.ED, and AB.FD.
*
Use the asterisk (*) as:
**
Use the double asterisk (**) once in a profile name as:
Note:
When using wildcard characters on UNIX systems, you must enclose the profile name in quotes.

Profile priorities

An important point to understand when using generic profiles is the priority that profiles are given when deciding what authorities to apply to an object being created. For example, suppose that you have issued the commands:

setmqaut -n AB.* -t q +put -p fred
setmqaut -n AB.C* -t q +get -p fred

The first gives put authority to all queues for the principal fred with names that match the profile AB.*; the second gives get authority to the same types of queue that match the profile AB.C*.

Suppose that you now create a queue called AB.CD. According to the rules for wildcard matching, either setmqaut could apply to that queue. So, does it have put or get authority?

To find the answer, you apply the rule that, whenever multiple profiles can apply to an object, only the most specific applies. The way that you apply this rule is by comparing the profile names from left to right. Wherever they differ, a non-generic character is more specific then a generic character. So, in the example above, the queue AB.CD has get authority (AB.C* is more specific than AB.*).

When you are comparing generic characters, the order of specificity is:

  1. ?
  2. *
  3. **

Dumping profile settings

The dmpmqaut control command and the MQCMD_INQUIRE_AUTH_RECS PCF command, enable you to dump the current authorizations associated with a specified profile. For a full definition of the dmpmqaut control command and its syntax, see dmpmqaut (dump authority), and for a full definition of the MQCMD_INQUIRE_AUTH_RECS PCF command and its syntax, see the WebSphere MQ Programmable Command Formats and Administration Interface book.

The following examples show the use of the dmpmqaut control command to dump authority records for generic profiles:

  1. This example dumps all authority records with a profile that matches queue a.b.c for principal user1.
    dmpmqaut -m qm1 -n a.b.c -t q -p user1
    The resulting dump would look something like this:
    profile:     a.b.*
    object type: queue
    entity:      user1
    type:        principal
    authority:   get, browse, put, inq
    Note:
    UNIX(R) users cannot use the -p option; they must use -g groupname instead.
  2. This example dumps all authority records with a profile that matches queue a.b.c.
    dmpmqaut -m qmgr1 -n a.b.c -t q
    The resulting dump would look something like this:
    profile:     a.b.c
    object type: queue
    entity:      Administrator
    type:        principal
    authority:   all
    - - - - - - - - - - - - - - - - - 
    profile:     a.b.*
    object type: queue
    entity:      user1
    type:        principal
    authority:   get, browse, put, inq
    - - - - - - - - - - - - - - - - - 
    profile:     a.**
    object type: queue
    entity:      group1
    type:        group
    authority:   get 
  3. This example dumps all authority records for profile a.b.*, of type queue.
    dmpmqaut -m qmgr1 -n a.b.* -t q
    The resulting dump would look something like this:
    profile:     a.b.*
    object type: queue
    entity:      user1
    type:        principal
    authority:   get, browse, put, inq
  4. This example dumps all authority records for queue manager qmX.
    dmpmqaut -m qmX 
    The resulting dump would look something like this:
    profile:     q1
    object type: queue
    entity:      Administrator
    type:        principal
    authority:   all
    - - - - - - - - - - - - - - - - - 
    profile:     q*
    object type: queue
    entity:      user1
    type:        principal
    authority:   get, browse
    - - - - - - - - - - - - - - - - - 
    profile:     name.*
    object type: namelist
    entity:      user2
    type:        principal
    authority:   get
    - - - - - - - - - - - - - - - - - 
    profile:     pr1
    object type: process
    entity:      group1
    type:        group
    authority:   get
  5. This example dumps all profile names and object types for queue manager qmX.
    dmpmqaut -m qmX -l 
    The resulting dump would look something like this:
    profile: q1, type: queue
    profile: q*, type: queue
    profile: name.*, type: namelist
    profile: pr1, type: process
Note:
For WebSphere MQ for Windows only, all principals displayed include domain information, for example:
profile:     a.b.*
object type: queue
entity:      user1@domain1
type:        principal
authority:   get, browse, put, inq

For detailed information on the command, see dmpmqaut (dump authority).