Granting limited administrative access to some queues

Grant partial administrative access to some queues on a queue manager, to each group of users with a business need for it.

About this task

To grant limited administrative access to some queues for some actions, use the appropriate commands for your operating system.
On UNIX, Linux®, Windows systems, and IBM® i, you can also use the SET AUTHREC command.
Note: On IBM MQ Appliance you can use only the SET AUTHREC command.

Procedure

  • For UNIX, Linux and Windows systems, issue the following command: 
    
setmqaut -m QMgrName -n ObjectProfile -t queue -g GroupName ReqdAction
  • [IBMi] For IBM i, issue the following command: 
    
GRTMQMAUT OBJ(' ObjectProfile ') OBJTYPE(*Q) USER(GroupName) AUT(ReqdAction) MQMNAME(' QMgrName ')
  • [z/OS]For z/OS®, issue the following commands:
    [z/OS] 
    
RDEFINE MQADMIN QMgrName.QUEUE. ObjectProfile UACC(NONE)
PERMIT QMgrName.QUEUE. ObjectProfile CLASS(MQADMIN) ID(GroupName) ACCESS(ALTER)
    These commands grant access to the specified queue. To determine which MQSC commands the user can perform on the queue, issue the following commands for each MQSC command: 
    
RDEFINE MQCMDS QMgrName. ReqdAction. QType UACC(NONE)
PERMIT QMgrName. ReqdAction. QType CLASS(MQCMDS) ID(GroupName) ACCESS(ALTER)
    To permit the user to use the DISPLAY QUEUE command, issue the following commands: 
    
RDEFINE MQCMDS QMgrName.DISPLAY. QType UACC(NONE)
PERMIT QMgrName.DISPLAY. QType CLASS(MQCMDS) ID(GroupName) ACCESS(READ)
    The variable names have the following meanings:
    QMgrName
    The name of the queue manager. On z/OS, this value can also be the name of a queue-sharing group.
    ObjectProfile
    The name of the object or generic profile for which to change authorizations.
    GroupName
    The name of the group to be granted access.
    ReqdAction
    The action you are allowing the group to take:
    • On UNIX, Linux and Windows systems, any combination of the following authorizations: +chg, +clr, +dlt, +dsp. The authorization +alladm is equivalent to +chg +clr +dlt +dsp.
    • [IBMi]On IBM i, any combination of the following authorizations: *ADMCHG, *ADMCLR, *ADMDLT, *ADMDSP. The authorization *ALLADM is equivalent to all these individual authorizations.
    • [z/OS]On z/OS, one of the values ALTER, CLEAR, DELETE, or MOVE.
    Note: Granting +crt for queues indirectly makes the user or group an administrator. Do not use +crt authority to grant limited administrative access to some queues.
    QType

    For the DISPLAY command, one of the values QUEUE, QLOCAL, QALIAS, QMODEL, QREMOTE, or QCLUSTER.

    For other values of ReqdAction, one of the values QLOCAL, QALIAS, QMODEL, or QREMOTE.