Setting file-based or LDAP-based permissions
Use the mqsichangefileauth command to grant and revoke administration authority by configuring file-based or LDAP-based permissions for working with an integration node and its resources.
Before you begin
About this task
You can grant and revoke administration authority by using the mqsichangefileauth command to configure file-based or LDAP-based permissions for specified roles. You can use file-based or LDAP-based permissions for authorization only if the file-based or LDAP mode of administration security has been specified respectively for the integration node. If no queue manager has been specified on the integration node, file-based administration security is used by default. You can use the mqsichangeauthmode command to change the administration security mode, and the mqsireportauthmode command to see which security mode is currently in effect.
If a queue manager is specified on the integration node, queue-based administration security is set by default; however, you can change to file-based or LDAP-based authorization by using the mqsichangeauthmode command. For information about specifying the administration security mode, see Configuring administration security to use file-based, queue-based, or LDAP authorization.
- read+/-
- write+/-
- execute+/-
- all+/-
You specify the permissions as a comma-separated list of values. A value can be specified for each permission (read, write, and execute) only once in the list of values. For example, you cannot specify all-,read+ because it would be attempting to set the read permission twice (once explicitly, and once as part of all). If all is specified, it must be the only value. If you specify all-, all permission records in the registry are removed.
- Integration node resources
- Integration server resources
- Data capture objects (record-replay)
Procedure
Follow these steps to set permissions for a role:
What to do next
For information about authentication, see Authenticating users for administration.