Granting full administrative access to all resources on a queue manager

Grant full administrative access to all the resources on a queue manager, to each user or group of users with a business need for it.

About this task

You can use the Add Role Based Authorities wizard or the appropriate commands for your operating system.
On UNIX, Linux®, Windows systems, and IBM® i, you can also use the SET AUTHREC command.
Note: On IBM MQ Appliance you can use only the SET AUTHREC command.
[UNIX, Linux, Windows] Notes:
  1. If you are using runmqsc to administer the queue manager instead of the MQ Explorer, you must grant authority to inquire, get, and browse the SYSTEM.MQSC.REPLY.QUEUE, and you do not need to grant any authorities on the SYSTEM.MQEXPLORER.REPLY.MODEL queue.
  2. When you give a user access to all resources on a queue manager, that user still cannot run some commands unless the user has read access to the qm.ini file. This is because non-mqm users are restricted from reading the qm.ini file.
    The user cannot issue the following commands unless you have granted that user read access to the qm.ini file:
    • Defining a channel that is configured to use TLS
    • Defining a channel using auto-configuration insertion variables defined in qm.ini

Procedure

  • If you are using the wizard, in the IBM MQ Explorer Navigator pane, right-click the queue manager and click Object Authorities > Add Role Based Authorities.
    The Add Role Based Authorities wizard opens.
  • [UNIX][Linux] For UNIX and Linux systems, issue the following commands:
    setmqaut -m QMgrName -n '**' -t queue -g GroupName +alladm +browse
    setmqaut -m QMgrName -n @class -t queue -g GroupName +crt
    setmqaut -m QMgrName -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g GroupName +dsp +inq +put
    setmqaut -m QMgrName -n SYSTEM.MQEXPLORER.REPLY.QUEUE -t queue -g GroupName +dsp +inq +get
    setmqaut -m QMgrName -n '**' -t topic -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t topic -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t channel -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t channel -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t clntconn -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t clntconn -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t authinfo -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t authinfo -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t listener -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t listener -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t namelist -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t namelist -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t process -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t process -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t service -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t service -g GroupName +crt
    setmqaut -m QMgrName -t qmgr -g GroupName +alladm +conn
    

    See setmqaut for more information on @class.

  • [Windows] For Windows systems, issue the same commands as for UNIX and Linux systems, but using the profile name @CLASS instead of @class.
  • [IBMi] For IBM i, issue the following command:
    
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*ALL) USER('GroupName') AUT(*ALLADM) MQMNAME('QMgrName')
    
  • [z/OS] For z/OS®, issue the following commands:
    
    RDEFINE MQADMIN QMgrName.*.** UACC(NONE)
    PERMIT QMgrName.*.** CLASS(MQADMIN) ID(GroupName) ACCESS(ALTER)
    
    The variable names have the following meanings:
    QMgrName
        The name of the queue manager. On z/OS, this value can also be the name of a queue-sharing group.
    GroupName
        The name of the group to be granted access.
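
The UNIX, Linux, and Windows command set above can be generated for review before anything is applied. The following is an added example, not part of the original page or of IBM MQ: the function name gen_full_admin_grants, its platform and tool arguments, and the name whitelist are assumptions made here. The runmqsc variant follows note 1 by replacing the MQ Explorer reply queue grant with inquire, get, and browse on SYSTEM.MQSC.REPLY.QUEUE.

```shell
#!/bin/sh
# Added example: print (never run) the setmqaut grants from the procedure.
# Usage: gen_full_admin_grants QMGR GROUP [unix|windows] [explorer|runmqsc]
gen_full_admin_grants() {
    qm=$1 grp=$2 platform=${3:-unix} tool=${4:-explorer}

    # Conservative name whitelist chosen for this example (not an MQ rule), so
    # the printed commands never contain shell metacharacters.
    for v in "$qm" "$grp"; do
        case $v in
            ''|*[!A-Za-z0-9._-]*) echo "invalid name: $v" >&2; return 2 ;;
        esac
    done

    # Windows uses the profile name @CLASS; UNIX and Linux use @class.
    case $platform in
        unix)    class='@class' ;;
        windows) class='@CLASS' ;;
        *) echo "unknown platform: $platform" >&2; return 2 ;;
    esac

    # Note 1: runmqsc administrators need inquire, get and browse on
    # SYSTEM.MQSC.REPLY.QUEUE instead of the MQ Explorer reply queue grant.
    case $tool in
        explorer) reply='SYSTEM.MQEXPLORER.REPLY.QUEUE'; rauth='+dsp +inq +get' ;;
        runmqsc)  reply='SYSTEM.MQSC.REPLY.QUEUE'; rauth='+inq +get +browse' ;;
        *) echo "unknown tool: $tool" >&2; return 2 ;;
    esac

    # Every object type gets +alladm on '**' and +crt on the class profile;
    # queues additionally get +browse.
    for t in queue topic channel clntconn authinfo listener namelist process service; do
        extra=''
        [ "$t" = queue ] && extra=' +browse'
        echo "setmqaut -m $qm -n '**' -t $t -g $grp +alladm$extra"
        echo "setmqaut -m $qm -n $class -t $t -g $grp +crt"
    done
    echo "setmqaut -m $qm -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $grp +dsp +inq +put"
    echo "setmqaut -m $qm -n $reply -t queue -g $grp $rauth"
    echo "setmqaut -m $qm -t qmgr -g $grp +alladm +conn"
}
```

The function only prints commands, so the output can be reviewed or diffed against a previous grant set before it is run on the queue manager host.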