mqsichangefileauth command

Use the mqsichangefileauth command to authorize users to complete specific tasks against an integration node and its resources.

Purpose

Use the mqsichangefileauth command to grant and revoke administration authority by setting file-based or LDAP-based permissions for specified roles. Administrators can control the access that web users have to integration node resources, by assigning each user to a predefined role. You can authorize users with a particular role to complete specific actions; for example, you might allow users with one role to view integration node resources, while allowing users with another role to modify them. For more information about roles, see Role-based security.

You can use the mqsichangefileauth command only if the file-based or LDAP mode of administration security has been specified for the integration node. If you create an integration node without specifying an associated queue manager, file-based administration security is used by default for the integration node. Use the mqsichangeauthmode command to change the administration security mode, and the mqsireportauthmode command to see which security mode is currently in effect. For information about specifying the administration security mode, see Configuring administration security to use file-based, queue-based, or LDAP authorization.

Three levels of authorization are supported for IBM® Integration Bus administration security: read, write, and execute. These permissions can be applied to each role for the following types of objects: 
  • Integration node resources
  • Integration server resources
  • Data capture objects (record-replay)

Syntax

mqsichangefileauth integrationNodeName -r role [-e integrationServerName | -o object] -p permissions

Parameters

integrationNodeName
(Required) The name of the integration node to which the security permissions will apply.

 

-r role
(Required) The role for which the permissions are to be set.

 

-e integrationServerName
(Optional) Specifies an integration server to which the security permissions will apply. If you specify this parameter, you cannot specify an object (resource) using the -o parameter.

 

-o object
(Optional) Specifies the object (resource) name for which the security settings will be set. The valid value for this command is DataCapture. If you specify this parameter, you cannot specify a server name using the -e parameter.

 

-p permissions
(Required) Specifies the permissions that are set for the specified role on one of the following resources:
  • integrationNodeName
  • integrationNodeName.integrationServerName
  • integrationNodeName.object
The following values are valid for this command:
  • read+/-
  • write+/-
  • execute+/-
  • all+/-

The permissions are specified as a comma-separated list of values. A value can be specified for each permission (read, write, and execute) only once in the list of values. For example, you cannot specify all-,read+ because it would be attempting to set the read permission twice (once explicitly, and once as part of all). If all is specified, it must be the only value. If you specify all-, all permission records in the registry are removed.

On z/OS, if you need to use JCL to run the mqsichangefileauth command, you must replace all+ with alla and replace all- with allr; the + and - characters are both reserved in JCL. If you use USS, you can continue to use all+ and all- when you run the command.

 

Responses

In addition to standard command responses, the following responses are returned by this command.
  • BIP8060 The mqsichangefileauth command changes the security permissions for a specified resource
  • BIP8061 The supplied resource is not valid as a resource specifier

Examples

Always enter the command on a single line; in some examples, line breaks have been added to enhance readability.

In the following example, the role iibAdmins is granted execute and read permission on IB10NODE.default (the default integration server on the IB10NODE integration node). If this role did not previously exist, the write permission is disabled. If this role previously existed, the write permission is unchanged from its previous setting.

    mqsichangefileauth IB10NODE -r iibAdmins -e default -p read+,execute+

In the following example, the role iibAdmins is granted read, execute, and write permission on the DataCapture object of the IB10NODE integration node:

    mqsichangefileauth IB10NODE -r iibAdmins -o DataCapture -p all+

In the following example, the role iibAdmins is granted read, execute, and write permission for all resources in the IB10NODE integration node:

    mqsichangefileauth IB10NODE -r iibAdmins -p all+

In the following example, all permissions are removed for the role iibAdmins for resources in the IB10NODE integration node, and the access control list for iibAdmins in the IB10NODE integration node is deleted:

    mqsichangefileauth IB10NODE -r iibAdmins -p all-

You can confirm that the entry has been deleted by using the mqsireportfileauth command:

    mqsireportfileauth IB10NODE -l
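
The rules for the -p list and the mutual exclusion of -e and -o can be checked before a permission change is submitted, for example in a provisioning script that is reviewed before it runs. The following is an added example, not part of the product or its documentation; the function names validate_perms and build_fileauth_cmd are hypothetical, and the script only prints the command line instead of running it.

```shell
#!/bin/sh
# Added example: pre-flight checks for mqsichangefileauth arguments.
# Function names are hypothetical; the rules are those stated for -p, -e and -o.

# validate_perms LIST -> status 0 if LIST is an acceptable -p value, 1 otherwise.
# The body runs in a subshell so the IFS and globbing changes stay local.
validate_perms() (
    list=$1
    [ -n "$list" ] || exit 1
    case $list in ,*|*,|*,,*) exit 1 ;; esac      # empty list items
    seen=" " count=0
    IFS=,; set -f
    for item in $list; do
        case $item in
            read+|read-|write+|write-|execute+|execute-|all+|all-) ;;
            *) exit 1 ;;                           # not a valid value
        esac
        name=${item%?}                             # strip the trailing + or -
        case $seen in *" $name "*) exit 1 ;; esac  # same permission set twice
        seen="$seen$name "
        count=$((count + 1))
    done
    # all already covers read, write and execute, so it must be the only value.
    case $seen in *" all "*) [ "$count" -eq 1 ] || exit 1 ;; esac
    exit 0
)

# build_fileauth_cmd NODE ROLE PERMS [SERVER] [OBJECT]
# Prints the command line for review; returns 1 if the arguments break a rule.
build_fileauth_cmd() {
    node=$1 role=$2 perms=$3 server=${4:-} object=${5:-}
    [ -n "$node" ] && [ -n "$role" ] || return 1
    validate_perms "$perms" || return 1
    # -e and -o cannot be specified together.
    [ -z "$server" ] || [ -z "$object" ] || return 1
    # DataCapture is the only valid object for this command.
    [ -z "$object" ] || [ "$object" = DataCapture ] || return 1
    cmd="mqsichangefileauth $node -r $role"
    [ -z "$server" ] || cmd="$cmd -e $server"
    [ -z "$object" ] || cmd="$cmd -o $object"
    printf '%s\n' "$cmd -p $perms"
}

# Reproduces the first example above.
build_fileauth_cmd IB10NODE iibAdmins read+,execute+ default
```

A rejected list such as all-,read+ makes build_fileauth_cmd return 1 without printing anything, so a wrapper can stop before any permission record is changed.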