IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Granting and revoking authority on Linux, UNIX, and Windows systems

Grant or revoke authority to one or more groups or users to complete specific tasks against a broker running on Linux, UNIX, or Windows.

Before you start:

Activate broker administration security for the broker before you grant and revoke authority for requests sent to that broker.

Use WebSphere® MQ commands to set up and manage your required security levels. If you prefer, you can make authorization changes to the security queues by using the WebSphere MQ Explorer.

For security reasons, it is important that authorities are set correctly. The setmqaut command grants and revokes authorities cumulatively. Therefore, to avoid retaining unwanted pre-existing authorities, it is helpful to set authorities explicitly on each setmqaut command, rather than granting and revoking individual authorities. To set authorities explicitly, specify "-all" (to remove all authorities) followed by the required authorities.

The following command grants execute authority and retains any pre-existing authorities:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 +set

The following command grants execute authority only and does not retain pre-existing authorities:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set

Multiple authorities can also be set in this manner. For example, the following command grants execute and write authorities only (and does not retain pre-existing authorities):

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set +put

It is also helpful to use the dspmqaut command after each setmqaut command, to check that authorities have been correctly set.
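
The check described above can be scripted. The following is an added example, not part of the IBM documentation: it compares dspmqaut output with the exact set of authorities you intended to grant. The function names and the sample output are constructed for illustration, and the parser assumes that dspmqaut prints an "Entity ..." header followed by one authority name per line.

```shell
#!/bin/sh
# Added example: verify that a group holds exactly the intended authorities.

# Print the authorities found in dspmqaut output (stdin), one per line, sorted.
# Assumed layout: an "Entity ..." header, then one authority name per line.
list_auths() {
    awk 'NF == 1 && $1 ~ /^[a-z]+$/ { print $1 }' | sort -u
}

# check_auths AUTH...: stdin is dspmqaut output; succeed only on an exact match.
check_auths() {
    want=$(printf '%s\n' "$@" | sort -u)
    have=$(list_auths)
    [ "$want" = "$have" ] && return 0
    echo "expected: $(echo $want)" >&2
    echo "actual:   $(echo $have)" >&2
    return 1
}

# set_exact QMGR QUEUE GROUP AUTH...: clear with -all, grant, then verify.
set_exact() {
    qmgr=$1; queue=$2; group=$3; shift 3
    grants=""
    for a in "$@"; do grants="$grants +$a"; done
    # $grants is deliberately unquoted so each +auth is a separate argument.
    setmqaut -m "$qmgr" -t queue -n "$queue" -g "$group" -all $grants || return 1
    dspmqaut -m "$qmgr" -t queue -n "$queue" -g "$group" | check_auths "$@"
}

# Constructed sample: what dspmqaut might show when +set was granted without
# -all to a group that already held get and put.
SAMPLE_RETAINED='Entity group1 has the following authorizations for object SYSTEM.BROKER.AUTH:
        get
        put
        set'

# The check reports the retained get and put instead of passing silently.
printf '%s\n' "$SAMPLE_RETAINED" | check_auths set ||
    echo "group1 holds authorities beyond +set; reissue with -all +set"
```

On a system with WebSphere MQ installed, set_exact test SYSTEM.BROKER.AUTH group1 set issues the -all +set form shown earlier and fails if dspmqaut reports anything other than set.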

For further information about the commands shown in the following examples, and for details of the parameters, see the WebSphere MQ Version 7 product documentation online.

Examples

All the examples shown here are for a broker that is associated with the queue manager test.

Grant only execute authority on the broker to the user IDs that are defined in the group group1:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1

Grant only execute and write authority on the broker to the user IDs that are defined in the group group2:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -all +set +put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2

Revoke execute authority from the user IDs that are defined in the group group2:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2

Using a generic WebSphere MQ profile on a UNIX system, grant only write authority for all integration servers for the user IDs that are defined in the group group3:

setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all +put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3

Note: You enclose generic profile names in quotes on UNIX and Linux systems. For more information see the WebSphere MQ Version 7 product documentation online and search for the "Using OAM generic profiles on UNIX systems and Windows" topic.

Using a generic WebSphere MQ profile on a UNIX system, revoke write authority for all integration servers for the user IDs that are defined in the group group3:

setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all -put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3

Grant only read authority for a specific integration server called default for group group4:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4 -all +inq
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4

Revoke execute and write authority for a specific integration server called default for group group5:

setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5 -set -put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5

Using a generic WebSphere MQ profile on a non-UNIX system, dump all WebSphere MQ authorities for all integration servers:

dmpmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.**

bp43640_.htm | Last updated Friday, 21 July 2017