OAM Security (MQSC Commands)
SET AUTHREC (Authority Records) sets authority records, associated with a profile name, that grant specific access to the various objects within IBM MQ.
The AUTHRECs must be associated with a profile name. The queue manager itself has an internally used profile named "self".
If you run the following AUTHREC MQSC command to be able to connect and display a queue manager, it will create 2 AUTHREC entries:
set authrec profile(self) objtype(qmgr) GROUP('abcgrp') authadd(connect, dsp)
PROFILE(self) ENTITY(abcgrp) ENTTYPE(GROUP) OBJTYPE(QMGR) AUTHLIST(CONNECT,DSP)
PROFILE(@class) ENTITY(abcgrp) ENTTYPE(GROUP) OBJTYPE(QMGR) AUTHLIST(NONE)
Before a user or group can be given access to a specific profile and object type, it needs to have a profile called "@class" in that object type.
This "@class" profile is used to authorize creating objects of the specified object type.
By default, the "@class" profile is given an AUTHLIST of NONE. To be able to create objects of a specific type, the AUTHLIST has to include "CRT".
For example, to add "CRT" to the @class profile you would run the following command:
set authrec profile('@class') objtype(qmgr) group('abcuser') authadd(crt)
This applies to all object types.
Note ****
Can I clean up the entries?
After using a queue manager for a while, you find there are entries like
PROFILE(@class) ENTITY(…) ENTTYPE(PRINCIPAL) OBJTYPE(QMGR) AUTHLIST(NONE)
which exist even though the principal or group has been deleted from MQ.
You cannot delete these entries.
Authority records can be set for the following object types:
- Authentication information (AUTHINFO)
- Channel (CHANNEL)
- Client connections (CLNTCONN)
- Communication Information (COMMINFO)
- Listeners (LISTENER)
- Namelists (NAMELIST)
- Process (PROCESS)
- Queue (QUEUE)
- Queue Manager (QMGR)
- Remote Queue Manager Name (RQMNAME)
- Service (SERVICE)
- Topic (TOPIC)
Command example for Authentication Information:
set authrec profile(SYSTEM.DEFAULT.*) objtype(authinfo) GROUP('abcgrp') authadd(dsp)
Authority list for objtype(authinfo): CHG,DLT,DSP,INQ
Command example for Channel:
set authrec profile(ABC.SVRCONN) objtype(channel) GROUP('abcgrp') authadd(CHG,DSP)
Authority list for objtype(channel): CHG,DLT,DSP,CTRL,CTRLX
Command example for Communication Information:
set authrec profile(SYSTEM.DEFAULT.COMMINFO.MULTICAST) objtype(comminfo) GROUP('abcgrp') authadd(CHG,DSP)
Authority list for objtype(comminfo): CHG,DLT,DSP
Command example for listeners:
set authrec profile(QM93*) objtype(listener) GROUP('abcgrp') authadd(CHG,DSP,CTRL)
Authority list for objtype(listener): CHG,DLT,DSP,CTRL
Command example for namelist:
set authrec profile(QM93*) objtype(namelist) GROUP('abcgrp') authadd(DSP,INQ)
Authority list for objtype(namelist): CHG,DLT,DSP,INQ
Command example for process:
set authrec profile(SYSTEM.DEFAULT.PROCESS) objtype(process) GROUP('abcgrp') authadd(DSP,INQ,SET)
Authority list for objtype(process): CHG,DLT,DSP,INQ,SET
Command example for queue:
set authrec profile(SYSTEM.AMQP.COMMAND.QUEUE) objtype(queue) GROUP('abcgrp') authadd(BROWSE,DSP,CLR,GET,INQ,PUT)
Authority list for objtype(queue): BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID
Command example to connect to a queue manager and display attributes:
set authrec profile(self) objtype(qmgr) GROUP('abcgrp') authadd(connect, dsp)
Authority list for objtype(qmgr): ALTUSR,CHG,CONNECT,DLT,DSP,INQ,SET,SETALL,SETID,CTRL,SYSTEM
Command example for Remote Queue Manager Name:
set authrec profile('@class') objtype(rqmname) GROUP('abcgrp') authadd(all)
Authority list for objtype(rqmname): NONE
Command example for service:
set authrec profile(SYSTEM.AMQP.SERVICE) objtype(service) GROUP('abcgrp') authadd(dsp,ctrl)
Authority list for objtype(service): CHG,DLT,DSP,CTRL
Command example for topic:
set authrec profile(SYSTEM.BASE.TOPIC) objtype(topic) GROUP('abcgrp') authadd(pub,sub,resume)
Authority list for objtype(topic): CHG,CLR,DLT,DSP,PASSALL,PASSID,SETALL,SETID,CTRL,PUB,SUB,RESUME
SET AUTHREC
[ PROFILE( profile_name ) ]
OBJTYPE( AUTHINFO | CHANNEL | CLNTCONN | COMMINFO | LISTENER |
NAMELIST | PROCESS | QMGR | QUEUE | RQMNAME |
SERVICE | TOPIC )
PRINCIPAL( principal_name ) | GROUP( group_name )
[ AUTHADD( authority_list ) ]
[ AUTHRMV( authority_list ) ]
[ SERVCOMP( service_component_name ) ]
authority_list :=
NONE | ALTUSR | BROWSE | CHG | CLR | CONNECT | CRT |
CTRL | CTRLX | DLT | DSP | GET | INQ | PASSALL | PASSID |
PUB | PUT | RESUME | SET | SETALL | SETID | SUB | SYSTEM |
ALL | ALLADM | ALLMQI
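As an added example (not from the page or from IBM), the following Python audit parses DISPLAY AUTHREC records in the format shown above, flags authorities a reviewer would want to question under a hypothetical review policy, and builds the matching SET AUTHREC ... AUTHRMV command that removes only those authorities. The record lines, entity names and the RISKY set are constructed assumptions, not IBM's lists.

```python
import re

# Constructed sample of DISPLAY AUTHREC output, in the record format shown above.
SAMPLE_AUTHRECS = """
PROFILE(self) ENTITY(abcgrp) ENTTYPE(GROUP) OBJTYPE(QMGR) AUTHLIST(CONNECT,DSP)
PROFILE(@class) ENTITY(abcgrp) ENTTYPE(GROUP) OBJTYPE(QMGR) AUTHLIST(NONE)
PROFILE(@class) ENTITY(abcuser) ENTTYPE(GROUP) OBJTYPE(QMGR) AUTHLIST(CRT)
PROFILE(SYSTEM.AMQP.COMMAND.QUEUE) ENTITY(abcgrp) ENTTYPE(GROUP) OBJTYPE(QUEUE) AUTHLIST(BROWSE,DSP,CLR,GET,INQ,PUT)
PROFILE(APP.*) ENTITY(appgrp) ENTTYPE(GROUP) OBJTYPE(QUEUE) AUTHLIST(SETALL,PUT)
PROFILE(APP.*) ENTITY(svcacct) ENTTYPE(PRINCIPAL) OBJTYPE(QUEUE) AUTHLIST(ALTUSR,PUT)
"""

# Hypothetical review policy (an assumption, not an IBM list): authorities that let an
# entity create objects, impersonate users or set message context, which deserve a
# second look when granted to an ordinary application group or service account.
RISKY = {"CRT", "ALTUSR", "SYSTEM", "SETALL", "SETID", "PASSALL", "PASSID", "ALL", "ALLADM"}

FIELD_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")  # KEYWORD(value) pairs on one record line

def parse_authrec(line):
    """Parse one AUTHREC record line into a dict; return None for non-record lines."""
    fields = dict(FIELD_RE.findall(line))
    if "PROFILE" not in fields:
        return None
    return {
        "profile": fields["PROFILE"],
        "entity": fields.get("ENTITY", ""),
        "enttype": fields.get("ENTTYPE", ""),
        "objtype": fields.get("OBJTYPE", ""),
        "authlist": [a.strip() for a in fields.get("AUTHLIST", "").split(",") if a.strip()],
    }

def parse_authrecs(text):
    return [r for r in (parse_authrec(ln) for ln in text.splitlines()) if r]

def find_risky_grants(recs):
    """Return the records whose AUTHLIST contains any RISKY authority, with the hits listed."""
    findings = []
    for rec in recs:
        hits = sorted(set(rec["authlist"]) & RISKY)
        if hits:
            findings.append(dict(rec, risky=hits))
    return findings

def revoke_command(finding):
    """Build the SET AUTHREC ... AUTHRMV(...) command that removes only the flagged authorities."""
    who = "GROUP" if finding["enttype"] == "GROUP" else "PRINCIPAL"
    return "SET AUTHREC PROFILE('%s') OBJTYPE(%s) %s('%s') AUTHRMV(%s)" % (
        finding["profile"], finding["objtype"], who, finding["entity"], ",".join(finding["risky"]))
```

Feed the generated commands to runmqsc only after reviewing them, since revoking CRT on @class also stops legitimate object creation for that group.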
Explanations and examples of different Authority Records uses and configurations can be found at the following IBM MQ link:
*** Note: In the examples, if you copy and paste, you may need to change the curly single quote (‘ ’) produced by Word to the straight single quote (') expected by the system editor.