Understanding MQ Authorization
#1
Authorization in MQ controls the privileges of a user or a group for an MQ object. The authority check happens when the queue manager or other MQ objects are accessed.

Authorizations available for MQ Objects

1. MQI authorizations
  • Altusr - Grants/revokes permission to use another user's authority (normally the userid associated with the application is used) while making MQOPEN and MQPUT calls
  • Browse - Grants/revokes permission to get a message from a queue using the BROWSE option while issuing an MQGET call
  • Connect - Grants/revokes permission to connect to the queue manager
  • Inq - Grants/revokes permission to inquire about a queue using MQI calls
  • Get - Grants/revokes permission to get a message from a queue by issuing an MQGET call
  • Put - Grants/revokes permission to put a message on the queue by issuing an MQPUT call
  • Set - Grants/revokes permission to set attributes on a queue using MQI calls
2. Context authorizations
  • Passall - Pass all context on the queue
  • Passid - Pass identity context on the queue
  • Setall - Set all context on the queue
  • Setid - Set identity context on the queue
3. Administration authorizations
  • Chg - Grants/revokes permission to change any attribute of the object
  • Clr - Grants/revokes permission to clear queues
  • Crt - Grants/revokes permission to create the object
  • Dlt - Grants/revokes permission to delete the object
  • Dsp - Grants/revokes permission to display the attributes of the object
  • Ctrl - Grants/revokes permission to start or stop channels, listeners and services
  • Ctrlx - Reset the sequence number of channels and resolve in-doubt channels
4. Generic authorizations
  • All - Grant/revoke all authorizations applicable to the object
  • Alladm - Grant/revoke all administrative operations applicable to the object
  • Allmqi - Grant/revoke all MQI calls applicable to the object
  • none

COMMAND:
setmqaut - To grant/revoke authorizations
Granting
[Image: y93cPvg.png]
Revoking
[Image: Oz8VenP.png]
dspmqaut - To display the authorizations
[Image: bhDSRXO.png]

The authority information is stored as messages in the system object "SYSTEM.AUTH.DATA.QUEUE", from which the Object Authority Manager (OAM) process (amqzfuma) reads and authorizes the connecting applications (internal MQ processes are also authorized). "amqzfuma" is the default OAM included with the QMGR. We can write custom OAMs and associate them with the QMGR by editing the "qm.ini" file.

[Image: WqH84Nc.png]
[Image: F1Vr1BD.png]
cheers,
Jessin
Reply
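An added example, not part of the original post: a least-privilege check that reads dspmqaut output for an application group, picks out any of the administration authorizations listed in post #1, and prints the setmqaut command that would revoke them. The names QM1, APP.IN and appgrp are hypothetical, and the sample output is constructed, with its layout assumed.

```shell
#!/bin/sh
# Added example, not from the thread. QM1, APP.IN and appgrp are hypothetical.

# Administration authorizations, as listed in post #1.
ADMIN_AUTHS="chg clr crt dlt dsp ctrl ctrlx"

# Constructed sample of what `dspmqaut -m QM1 -t q -n APP.IN -g appgrp`
# prints (header line, then one authorization per line); layout is assumed.
sample_dspmqaut() {
cat <<'EOF'
Entity appgrp has the following authorizations for object APP.IN:
        get
        browse
        put
        inq
        chg
        clr
        dsp
EOF
}

# Read dspmqaut output on stdin; print the administration authorities found.
find_admin_auths() {
    found=""
    while read -r auth; do
        case " $ADMIN_AUTHS " in
            *" $auth "*) found="$found $auth" ;;
        esac
    done
    echo "${found# }"
}

# Print (do not execute) the setmqaut command revoking those authorities.
# Usage: revoke_cmd QMGR OBJTYPE PROFILE GROUP < dspmqaut-output
revoke_cmd() {
    auths=$(find_admin_auths)
    [ -n "$auths" ] || return 0      # nothing to revoke: print nothing
    flags=""
    for a in $auths; do flags="$flags -$a"; done
    echo "setmqaut -m $1 -t $2 -n $3 -g $4$flags"
}

# Demo on the constructed sample; review the printed command before running it.
sample_dspmqaut | revoke_cmd QM1 q APP.IN appgrp
```

On a real queue manager, pipe the live dspmqaut output into revoke_cmd instead of the sample, and rerun dspmqaut after the revoke to confirm the result.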
#2
Good one Jessin, you should have also posted a BIG BOLD warning in the end saying "Do not mess with or alter the SYSTEM.AUTH.DATA.QUEUE object" Smile

Also I have seen depth alert warnings during audit or monitoring this queue which can very well be ignored, or if you need to reduce the depth of the SYSTEM.AUTH.DATA.QUEUE, use only the 'setmqaut' command to achieve what you need.
Reply
#3
(04-29-2014, 09:15 PM)limal.raja Wrote: Good one Jessin, you should have also posted a BIG BOLD warning in the end saying "Do not mess with or alter the SYSTEM.AUTH.DATA.QUEUE object" Smile

Also I have seen depth alert warnings during audit or monitoring this queue which can very well be ignored, or if you need to reduce the depth of the SYSTEM.AUTH.DATA.QUEUE, use only the 'setmqaut' command to achieve what you need.

Thank you Limal for adding that important point, which I missed out.
If this queue is altered by someone other than the queue manager, it will break the users' permissions on the queue manager.
[Image: d9Z0soa.png]
[Image: bxVOYMd.png]
cheers,
Jessin
Reply
#4
This is one of the issues you might encounter if you mess with SYSTEM.AUTH.DATA.QUEUE.

[Image: bpMFfPO.png]


Here the problem is that SYSTEM.AUTH.DATA.QUEUE was made put-disabled by someone. Altering the parameter to put-enabled resolves the issue, and the listener object can then be created.
cheers,
Jessin
Reply
