IBM MQ on the distributed platforms have commands to grant authorities to groups and users, in order to allow them access to use resources on a queue manager. There are actually three command interfaces to do this.
This was historically the first command interface. It is a control command, issued from the command line by a user who is a member of the mqm group.
- Set Authority Record
Next the PCF flavour of the command was implemented allowing the MQ Explorer (and other remotely connected tools such as MO71) to be able to issue these commands.
- SET AUTHREC
Finally, and most recently, the MQSC flavour of the command was implemented, allowing authority commands to co-exist in scripts along with object definitions.
When using a queue manager on the MQ Appliance, there is no setmqaut command. You are expected to either use a GUI with the PCF commands, or the MQSC scripting language and a SET AUTHREC command. In general the queue manager on the MQ Appliance is just like any other queue manager, and you may well be following some instructions to set up something on your appliance queue manager, but those instructions only provide examples with the setmqaut command.
This post is going to help you translate from an example setmqaut command to a SET AUTHREC command.
Here’s a couple of example commands that cover all the main switches you might see on a setmqaut command (although not all the values).
setmqaut -m QM1 -t qmgr -g mqgadm +connect setmqaut -m QM1 -t queue -n WORK.Q -p mqgusr -all +put +get
Sometimes it’s easier to see this sort of thing diagrammatically. So first I show a picture and then below is a table to step through each switch.
Here’s a table to map from setmqaut to an MQSC SET AUTHREC.
|setmqaut||→||SET AUTHREC||Instead of using the setmqaut command, you’re going to use the SET AUTHREC command.|
|-m QM1||→||runmqsc QM1||MQSC commands are directed to the queue manager your MQSC issuing tool, such as runmqsc is connected to, so it’s not part of the SET AUTHREC command, instead it’s the direction to runmqsc to tell it which queue manager to connect to.|
|-t queue||→||OBJTYPE(QUEUE)||The -t switch becomes the OBJTYPE parameter and it’s value could be exactly the same, except for cases when setmqaut uses shortened forms. For example -t q is the same as -t queue. If you know your IBM MQ object names from other MQSC commands, then you’ll have no trouble figuring out which one is which.|
|-n WORK.Q||→||PROFILE(WORK.Q)||The -n switch becomes the PROFILE parameter. It’s called a profile rather than an object name since it could have wildcards in it. The value that went with the -n goes inside the brackets. One thing to remember though, MQSC will upper case anything that you don’t put inside quotes, so if your profile name is not upper case, add quotes around it. In the case of -t qmgr, there will be no -n switch, and you can omit the PROFILE parameter.|
|-g mqgadm||→||GROUP(‘mqgadm’)||The -g switch becomes the GROUP parameter and the value goes inside the brackets. Remember to use quotes.|
|-p mqgusr||→||PRINCIPAL(‘mqgusr’)||The -p switch becomes the PRINCIPAL parameter and the value goes inside the brackets. Remember to use quotes.|
|-all||→||AUTHRMV(ALL)||Any authority switches with a ‘-‘ sign are being removed. These should go in the comma-separated list in the AUTHRMV parameter. It is often seen that -all is used because adding a few authorities, in order to remove everything before adding new ones so you know where you are. Normally you wouldn’t combine AUTHRMV and AUTHADD parameters, but the use of ALL is one of the cases where it is allowed.|
|+put +get||→||AUTHADD(PUT,GET)||Any authority switches with a ‘+’ sign are being added. These should go in the comma-separated list in the AUTHADD parameter. The authority switches are spelled the same in both setmqaut and SET AUTHREC, just remove the ‘+’ (or ‘-‘) prefix.|
If you come across a setmqaut command that you can’t translate into a SET AUTHREC with the above instructions, add it in the comments, and I’ll help you out. It’ll also improve this blog post for others.