Using OAM generic profiles on UNIX, Linux, and Windows systems
OAM generic profiles enable you to set the authority a user has to many objects at once, rather than having to issue separate setmqaut commands against each individual object when it is created.
Using generic profiles in the setmqaut command enables you to set a generic authority for all objects that fit that profile.
This collection of topics describes the use of generic profiles in more detail.
Using wildcard characters in OAM profiles
What makes a profile generic is the use of special characters (wildcard
characters) in the profile name. For example, the question mark (?)
wildcard character matches any single character in a name. So, if
you specify ABC.?EF
, the authorization you give to
that profile applies to any objects with the names ABC.DEF
, ABC.CEF
, ABC.BEF
, and so on.
- ?
- Use the question mark (?) instead of any single character. For
example,
AB.?D
applies to the objectsAB.CD
,AB.ED
, andAB.FD
. - *
- Use the asterisk (*) as:
- A qualifier in a profile name to match any one qualifier
in an object name. A qualifier is the part of an object name delimited
by a period. For example, in
ABC.DEF.GHI
, the qualifiers areABC
,DEF
, andGHI
.For example,
ABC.*.JKL
applies to the objectsABC.DEF.JKL
, andABC.GHI.JKL
. (Note that it does not apply toABC.JKL
; * used in this context always indicates one qualifier.) - A character within a qualifier in a profile name to match zero
or more characters within the qualifier in an object name.
For example,
ABC.DE*.JKL
applies to the objectsABC.DE.JKL
,ABC.DEF.JKL
, andABC.DEGH.JKL
.
- A qualifier in a profile name to match any one qualifier
in an object name. A qualifier is the part of an object name delimited
by a period. For example, in
- **
- Use the double asterisk (**) once in a profile name as:
- The entire profile name to match all object names. For example
if you use
-t prcs
to identify processes, then use ** as the profile name, you change the authorizations for all processes. - As either the beginning, middle, or ending qualifier in a profile
name to match zero or more qualifiers in an object name. For example,
**.ABC
identifies all objects with the final qualifier ABC.
- The entire profile name to match all object names. For example
if you use
Profile priorities
setmqaut -n AB.* -t q +put -p fred
setmqaut -n AB.C* -t q +get -p fred
The first gives put authority to all queues for the principal
fred with names that match the profile AB.*; the second gives get
authority to the same types of queue that match the profile AB.C*.Suppose that you now create a queue called AB.CD. According to the rules for wildcard matching, either setmqaut could apply to that queue. So, does it have put or get authority?
To find the answer, you apply the rule that, whenever multiple profiles can apply to an object, only the most specific applies. The way that you apply this rule is by comparing the profile names from left to right. Wherever they differ, a non-generic character is more specific then a generic character. So, in the example above, the queue AB.CD has get authority (AB.C* is more specific than AB.*).
- ?
- *
- **
Dumping profile settings
For a full definition of the dmpmqaut control command and its syntax, see dmpmqaut, and for a full definition of the MQCMD_INQUIRE_AUTH_RECS PCF command and its syntax, see Inquire Authority Records .
- This example dumps all authority records with a profile that matches
queue a.b.c for principal user1.
The resulting dump looks something like this:dmpmqaut -m qm1 -n a.b.c -t q -p user1
profile: a.b.* object type: queue entity: user1 type: principal authority: get, browse, put, inq
Note: Although UNIX and Linux users can use the-p
option for the dmpmqaut command, they must use-g groupname
instead when defining authorizations. - This example dumps all authority records with a profile that matches
queue a.b.c.
The resulting dump looks something like this:dmpmqaut -m qmgr1 -n a.b.c -t q
profile: a.b.c object type: queue entity: Administrator type: principal authority: all - - - - - - - - - - - - - - - - - profile: a.b.* object type: queue entity: user1 type: principal authority: get, browse, put, inq - - - - - - - - - - - - - - - - - profile: a.** object type: queue entity: group1 type: group authority: get
- This example dumps all authority records for profile a.b.*, of
type queue.
The resulting dump looks something like this:dmpmqaut -m qmgr1 -n a.b.* -t q
profile: a.b.* object type: queue entity: user1 type: principal authority: get, browse, put, inq
- This example dumps all authority records for queue manager qmX.
The resulting dump looks something like this:dmpmqaut -m qmX
profile: q1 object type: queue entity: Administrator type: principal authority: all - - - - - - - - - - - - - - - - - profile: q* object type: queue entity: user1 type: principal authority: get, browse - - - - - - - - - - - - - - - - - profile: name.* object type: namelist entity: user2 type: principal authority: get - - - - - - - - - - - - - - - - - profile: pr1 object type: process entity: group1 type: group authority: get
- This example dumps all profile names and object types for queue
manager qmX.
The resulting dump looks something like this:dmpmqaut -m qmX -l
profile: q1, type: queue profile: q*, type: queue profile: name.*, type: namelist profile: pr1, type: process
profile: a.b.*
object type: queue
entity: user1@domain1
type: principal
authority: get, browse, put, inq