Grant or revoke authority to one or more groups or users to complete specific tasks against a broker running on Linux, UNIX, or Windows.
Activate broker administration security for the broker before you grant and revoke authority for requests sent to that broker.
For security reasons, it is important that authorities are set correctly. The setmqaut command grants and revokes authorities cumulatively. Therefore, to avoid retaining unwanted pre-existing authorities, it is helpful to set authorities explicitly on each setmqaut command, rather than granting and revoking individual authorities. To set authorities explicitly, specify "-all" (to remove all authorities) followed by the required authorities.
The following command grants execute authority and retains any pre-existing authorities:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 +set
The following command grants execute authority only and does not retain pre-existing authorities:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set
Multiple authorities can also be set in this manner. For example, the following command grants execute and write authorities only (and does not retain pre-existing authorities):
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set +put
It is also helpful to use the dspmqaut command after each setmqaut command, to check that authorities have been correctly set.
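Both recommendations above (include -all on each setmqaut command, and follow each setmqaut with a dspmqaut check) can be verified mechanically before an administration script is run. The following shell function is an added example, not part of the product documentation; the names audit_setmqaut and sample_commands and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): audit setmqaut/dspmqaut command lines on stdin
# against this page's guidance and print one finding per problem.
audit_setmqaut() {
  awk '
    # Value that follows option "opt" (for example -n) on the current line.
    function optval(opt,   i) {
      for (i = 2; i < NF; i++) if ($i == opt) return $(i + 1)
      return ""
    }
    # Report the last setmqaut if no matching dspmqaut came after it.
    function flush_pending() {
      if (pending != "") print "line " pending_nr ": no dspmqaut check follows"
      pending = ""
    }
    { gsub(/"/, "") }                       # compare profiles without quotes
    $1 == "setmqaut" {
      flush_pending()
      has_all = 0
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^-[mtngps]$/) { i++; continue }   # option plus its value
        if ($i == "-all") has_all = 1
        if ($i !~ /^[-+]/) print "line " NR ": malformed authority token " $i
      }
      if (!has_all) print "line " NR ": no -all, pre-existing authorities retained"
      pending = optval("-n") "|" optval("-g"); pending_nr = NR
      next
    }
    $1 == "dspmqaut" && pending == (optval("-n") "|" optval("-g")) { pending = "" }
    END { flush_pending() }
  '
}

# Constructed sample input: four commands in the style used on this page.
sample_commands() {
  cat <<'EOF'
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 +set
setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all –put
EOF
}

sample_commands | audit_setmqaut
```

A command that deliberately revokes a single authority without -all is also reported, because it leaves the other pre-existing authorities in place; review such findings rather than treating them as errors.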
For further information about the commands shown in the following examples, and for details of the parameters, see the WebSphere MQ Version 7 product documentation online.
All the examples shown here are for a broker that is associated with the queue manager test.
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1 -all +set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group1
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -all +set +put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2
Revoke execute authority from the user IDs that are defined in the group group2:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2 -set
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH -g group2
setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all +put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3
setmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3 -all -put
dspmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**" -g group3
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4 -all +inq
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group4
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5 -set -put
dspmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5
dmpmqaut -m test -t queue -n "SYSTEM.BROKER.AUTH.**"