SET AUTHREC

Use the MQSC command SET AUTHREC to set authority records associated with a profile name.

Using MQSC commands

For information on how you use MQSC commands, see Performing local administration tasks using MQSC commands.

IBM® i | UNIX and Linux® | Windows | z/OS®
X | X | X |

See setmqaut for more information on the options that you can select.

SET AUTHREC

SET AUTHREC PROFILE(profile-name)
    OBJTYPE(AUTHINFO | CHANNEL | CLNTCONN | COMMINFO | LISTENER | NAMELIST | PROCESS | QUEUE | QMGR | RQMNAME | SERVICE | TOPIC)
    PRINCIPAL(principal-name) | GROUP(group-name)
    AUTHADD(authority, ...)
    AUTHRMV(authority, ...)
    SERVCOMP(service-component)

where each authority is one of: NONE | ALTUSR | BROWSE | CHG | CLR | CONNECT | CRT | DLT | DSP | GET | INQ | PUT | PASSALL | PASSID | SET | SETALL | SETID | SUB | RESUME | PUB | SYSTEM | CTRL | CTRLX | ALL | ALLADM | ALLMQI

Parameter descriptions

PROFILE(profile-name)
The name of the object or generic profile for which to set the authority records. This parameter is required unless the OBJTYPE parameter is QMGR, in which case it can be omitted.

See Using OAM generic profiles on UNIX, Linux, and Windows systems for more information on generic profiles and wildcard characters.

OBJTYPE
The type of object referred to by the profile. Specify one of the following values:
AUTHINFO
Authentication information record
CHANNEL
Channel
CLNTCONN
Client connection channel
COMMINFO
Communication information object
LISTENER
Listener
NAMELIST
Namelist
PROCESS
Process
QUEUE
Queue
QMGR
Queue manager
RQMNAME
Remote queue manager
SERVICE
Service
TOPIC
Topic
PRINCIPAL(principal-name)
A principal name. This is the name of a user for whom to set authority records for the specified profile. On IBM MQ for Windows, the name of the principal can optionally include a domain name, specified in this format: user@domain.

You must specify either PRINCIPAL or GROUP.

GROUP(group-name)
A group name. This is the name of the user group for which to set authority records for the specified profile. You can specify one name only and it must be the name of an existing user group.
For IBM MQ for Windows only, the group name can optionally include a domain name, specified in the following format:

GroupName@domain

You must specify either PRINCIPAL or GROUP.

AUTHADD
A list of authorizations to add in the authority records. Specify any combination of the following values:
NONE
No authorization
ALTUSR
Specify an alternative user ID on an MQI call
BROWSE
Retrieve a message from a queue by issuing an MQGET call with the BROWSE option
CHG
Change the attributes of the specified object, using the appropriate command set
CLR
Clear a queue or a topic
CONNECT
Connect an application to a queue manager by issuing an MQCONN call
CRT
Create objects of the specified type using the appropriate command set
DLT
Delete the specified object using the appropriate command set
DSP
Display the attributes of the specified object using the appropriate command set
GET
Retrieve a message from a queue by issuing an MQGET call
INQ
Make an inquiry on a specific queue by issuing an MQINQ call
PUT
Put a message on a specific queue by issuing an MQPUT call
PASSALL
Pass all context
PASSID
Pass the identity context
SET
Set attributes on a queue by issuing an MQSET call
SETALL
Set all context on a queue
SETID
Set the identity context on a queue
SUB
Create, alter, or resume a subscription to a topic using the MQSUB call
RESUME
Resume a subscription using the MQSUB call
PUB
Publish a message on a topic using the MQPUT call
SYSTEM
Give authority to principals or groups, who are authorized to carry out privileged operations on the queue manager, for internal system operations.
CTRL
Start and stop the specified channel, listener, or service, and ping the specified channel
CTRLX
Reset or resolve the specified channel
ALL
Use all operations relevant to the object
ALL authority is equivalent to the union of the ALLADM, ALLMQI, and SYSTEM authorities appropriate to the object type.
ALLADM
Perform all administration operations relevant to the object
ALLMQI
Use all MQI calls relevant to the object
AUTHRMV
A list of authorizations to remove from the authority records. Specify any combination of the following values:
NONE
No authorization
ALTUSR
Specify an alternative user ID on an MQI call
BROWSE
Retrieve a message from a queue by issuing an MQGET call with the BROWSE option
CHG
Change the attributes of the specified object, using the appropriate command set
CLR
Clear a queue or a topic
CONNECT
Connect an application to a queue manager by issuing an MQCONN call
CRT
Create objects of the specified type using the appropriate command set
DLT
Delete the specified object using the appropriate command set
DSP
Display the attributes of the specified object using the appropriate command set
GET
Retrieve a message from a queue by issuing an MQGET call
INQ
Make an inquiry on a specific queue by issuing an MQINQ call
PUT
Put a message on a specific queue by issuing an MQPUT call
PASSALL
Pass all context
PASSID
Pass the identity context
SET
Set attributes on a queue by issuing an MQSET call
SETALL
Set all context on a queue
SETID
Set the identity context on a queue
SUB
Create, alter, or resume a subscription to a topic using the MQSUB call
RESUME
Resume a subscription using the MQSUB call
PUB
Publish a message on a topic using the MQPUT call
SYSTEM
Use queue manager for internal system operations
CTRL
Start and stop the specified channel, listener, or service, and ping the specified channel
CTRLX
Reset or resolve the specified channel
ALL
Use all operations relevant to the object
ALL authority is equivalent to the union of the ALLADM, ALLMQI, and SYSTEM authorities appropriate to the object type.
ALLADM
Perform all administration operations relevant to the object
ALLMQI
Use all MQI calls relevant to the object
Note: To use SETID or SETALL authority, authorizations must be granted on both the appropriate queue object and also on the queue manager object.
SERVCOMP(service-component)
The name of the authorization service for which information is to be set.

If you specify this parameter, it specifies the name of the authorization service to which the authorizations apply. If you omit this parameter, the authority record is set using the registered authorization services in turn in accordance with the rules for chaining authorization services.

Usage notes for SET AUTHREC

The list of authorizations to add and the list of authorizations to remove must not overlap. For example, you cannot add display authority and remove display authority with the same command. This rule applies even if the authorities are expressed using different options. For example, the following command fails because DSP authority overlaps with ALLADM authority:

SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALLADM)

The exception to this overlap behavior is with the ALL authority. The following command first adds ALL authorities then removes the SETID authority:

SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(ALL) AUTHRMV(SETID)

The following command first removes ALL authorities then adds the DSP authority:

SET AUTHREC PROFILE(*) OBJTYPE(QUEUE) PRINCIPAL(PRINC01) AUTHADD(DSP) AUTHRMV(ALL)

Regardless of the order in which they are provided on the command, the ALL authorities are processed first.
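
The rules above can be checked before a script of SET AUTHREC commands is submitted to a queue manager. The following Python pre-flight check is an added example, not part of the IBM MQ product or its documentation. The function names and the membership assumed for ALLADM and ALLMQI are illustrative assumptions; the page itself states only that DSP overlaps with ALLADM.

```python
import re

# Assumed membership of the composite authorities (illustration only); the
# page itself states just one such relation: DSP overlaps with ALLADM.
COMPOSITES = {
    "ALLADM": {"CHG", "CLR", "DLT", "DSP", "CTRL", "CTRLX"},
    "ALLMQI": {"ALTUSR", "BROWSE", "CONNECT", "GET", "INQ", "PUT", "PASSALL",
               "PASSID", "SET", "SETALL", "SETID", "SUB", "RESUME", "PUB"},
}


def parse(cmd):
    """Return {KEYWORD: [values]} for each KEYWORD(v1,v2,...) in the command.

    The text is upper-cased for comparison only; it is never sent anywhere.
    """
    pairs = re.findall(r"(\w+)\(([^)]*)\)", cmd.upper())
    return {k: [v.strip() for v in vals.split(",") if v.strip()]
            for k, vals in pairs}


def expand(auths):
    """Replace ALLADM/ALLMQI by their (assumed) members; keep other tokens."""
    out = set()
    for a in auths:
        out |= COMPOSITES.get(a, {a})
    return out


def lint(cmd):
    """Return a list of findings; an empty list means no rule was broken."""
    p, findings = parse(cmd), []
    if "PROFILE" not in p and p.get("OBJTYPE") != ["QMGR"]:
        findings.append("PROFILE is required unless OBJTYPE is QMGR")
    if "PRINCIPAL" not in p and "GROUP" not in p:
        findings.append("specify either PRINCIPAL or GROUP")
    add, rmv = p.get("AUTHADD", []), p.get("AUTHRMV", [])
    # ALL on one side only is the documented exception: it is processed first,
    # so AUTHADD(ALL) AUTHRMV(SETID) and AUTHADD(DSP) AUTHRMV(ALL) are valid.
    if ("ALL" in add) != ("ALL" in rmv):
        return findings
    clash = sorted(expand(add) & expand(rmv))
    if clash:
        findings.append("AUTHADD and AUTHRMV overlap on: " + ", ".join(clash))
    return findings
```

Call lint() on each command line of a script and treat any non-empty result as a reason not to submit that command.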