SET QACCESS

Use the SET QACCESS statement to specify a set of queues that have group level or manager level message access rights specified.

Follow the guidelines that are described in Changing monitoring options when changing this monitoring option.

Syntax

SET QACCESS NAME(queue-name-mask)
              MSGAUTHUSERS(user-name-mask-list)
              MSGACCOUNT(UIUSER|MQAGENT|USER=user-id)
              MSGACCESS(NONE|DESC|RETRY|DATA|DELETE)
              MGRNAME(mgr-name)|GROUP(group-name)
              [STATUS(ADD|DELETE)]
              [DEFAULT(YES|NO)]
              [MSGSITACCOUNT(MQAGENT|USER=user_id)]
              [MSGSITMON(YES|NO|STATONLY)]

Parameters

NAME(queue-name-mask)
Specifies a 1- through 48-character specific or generic queue name that is used to specify access authorization. To specify a generic name, enter a characters string followed by an asterisk (*). This parameter is required.
If the queue-name-mask is empty (set to ()), this SET QACCESS statement is ignored, and the next statement is processed. A warning message is displayed on the console (this error message is not recorded in the IBM® Tivoli® Monitoring log files).
MSGAUTHUSERS(user-name-mask-list)
Defines the Tivoli Enterprise Portal clients that are authorized to manipulate messages according to the associated MSGACCESS parameter. There can be multiple entries associated with this parameter. Separate each entry with a comma (,). An entry can be a mask, which includes the asterisk (*) and question mark (?) wildcard characters. A Tivoli Enterprise Portal user that has an ID that matches any masks in this list is authorized to issue the MSGACCESS command (Description, Retry, Data, and Delete) that is handled by the IBM MQ Monitoring Agent. Tivoli Enterprise Portal user IDs are defined within the Tivoli Enterprise Monitoring Server, and do not necessarily exist on the node on which the agent is running.
There is no default value for this parameter.
If the user name mask list is empty (set to ()), this SET QACCESS statement is ignored and the next statement is processed. A warning message is logged.
MSGACCOUNT(UIUSER|MQAGENT|USER=user-id)
Defines the user ID that IBM MQ Monitoring Agent uses to interact with IBM MQ. When there is a requirement for message manipulation, and a predefined account or the monitoring agent account is authorized to interact with IBM MQ, the user ID defined by the MSGACCOUNT parameter is used.
If the value of the MSGACCOUNT parameter is not valid, this SET QACCESS statement is ignored and the next statement is processed. A warning message is logged.
MSGACCESS(NONE|DESC|RETRY|DATA|DELETE)
Controls the level of user access to messages for specified queues.
If the MSGACCESS value is not NONE, DESC, RETRY, DATA, or DELETE, this SET QACCESS statement is ignored and the next statement is processed. A warning message is issued.
  • NONE: No access to message functions is permitted for these specified queues, including the ability to list messages on a queue or collect message statistics.
  • DESC: Message descriptor browse is permitted for message summary workspaces, message detail workspaces, or message statistics workspaces and situations. This is the default level.
  • RETRY: DLQ retry and message descriptor browse are permitted.
  • DATA: Message data (contents) browse, message descriptor browse, and DLQ retry are permitted.
  • DELETE: Deletion of messages and all other message functions are permitted.
MGRNAME(manager-name)
Associates this SET QACCESS statement with a queue manager that was defined on a previous SET MANAGER statement. You can use the name or the nickname of the manager. The name must exactly match the name that is specified on the corresponding SET MANAGER statement. This parameter is required if the GROUP parameter is not specified.
If the MGRNAME parameter is empty, the queue manager is the default queue manager.
GROUP(group-name)
Associates this SET QACCESS statement with a group of queues that were defined on a previous SET GROUP statement. The name must exactly match the name specified on the corresponding SET GROUP statement. This parameter is required if the MGRNAME name is not specified.
If both the MGRNAME and GROUP parameters are not defined, this SET QACCESS statement is ignored and the next statement is processed. A warning message is issued.
STATUS(ADD|DELETE)
Specifies what to do if this SET QACCESS statement was previously specified with the same queue name mask and user name mask list.
If this parameter is omitted, the queue access definition is added if a SET QACCESS statement was not previously specified with the same name for both the queue name mask and user name mask list, or it is modified if the same name was previously specified for both the queue name mask and user name mask list.
  • ADD: Creates a new queue access definition. If this SET QACCESS statement was previously specified with the same name for both queue name mask and user name mask list, it is not modified and an error message is issued.
  • DELETE: Deletes a queue access definition.
DEFAULT(YES|NO)
Allows the specification of default queue access behavior. This allows a more restrictive default access to be applied only if there are no other matching queue access statements. If the DEFAULT value is not specified, DEFAULT(NO) is used.
The queue access applied will be the non-default statement (DEFAULT(NO)) with the most restrictive access that matches queue and user name. If there are no non-default statements that match, the queue access applied will be the default statement (DEFAULT(YES)) with the most restrictive access that matches queue and user name.
MSGSITACCOUNT(MQAGENT|USER=user_id)
Specifies the IBM MQ Monitoring Agent uses the MSGSITACCOUNT value as an alternate user ID to interact with IBM MQ for message monitoring situations.
This parameter is applicable only to the situations that are defined against the Message Summary attribute group.
This parameter takes effect only when the MSGSITMON is set to YES.
Valid values are as follows:
  • MQAGENT: The agent uses the monitoring agent account to interact with IBM MQ.
  • USER=user-id: The agent uses the predefined account (user-id) to interact with IBM MQ.
MSGSITMON (YES|NO|STATONLY)
Specifies whether to enable situations that are defined against the Message Summary attribute group for monitoring message content and message header.
Valid values are as follows:
  • YES: Enables situations for message monitoring. This value takes effect only when the MSGSITACCOUNT parameter is specified. Otherwise, it defaults to STATONLY.
  • NO: Disables the situations for the message monitoring and disables message statistics monitoring.
  • STATONLY: This is the default value. The behavior of the IBM MQ Monitoring Agent is not changed. Situations cannot be defined against the Message Summary attribute group to monitor message content and message header. This is the value to use when the MSGSITMON parameter is not specified.

Example

  • To keep the message situations work as before on all queues that have the queue1 prefix, to enable the situation monitoring and give the DESC MSGACCESS privilege to all queues that have the queue2 prefix, and to give the DATA MSGACCESS privilege to all other queues, specify the following statements:
    SET GROUP NAME(GROUP1) DEFAULT(YES) COMMAND(YES) MSGACCESS(DATA)
SET MANAGER NAME(QM1) MSGACCESS(USEQACCESS)
SET QACCESS NAME(queue1*) -
        MSGAUTHUSERS(*) -
        MSGACCOUNT(MQAGENT) -
        MSGACCESS(DELETE) -
        DEFAULT(NO) –
        MSGSITMON(STATONLY) –
        MGRNAME(QM1)
SET QACCESS NAME(queue2*) -
        MSGAUTHUSERS(*) -
        MSGACCOUNT(MQAGENT) -
        MSGACCESS(DESC) -
        DEFAULT(NO) –
        MSGSITMON(YES) –
        MSGSITACCOUNT(MQAGENT) -
        MGRNAME(QM1) 
SET QACCESS NAME(*) -
        MSGAUTHUSERS(*) -
        MSGACCOUNT(MQAGENT) -
        MSGACCESS(DATA) -
        DEFAULT(YES) –
        MSGSITMON(YES) –
        MSGSITACCOUNT(MQAGENT) -
        MGRNAME(QM1)

    When the conditions of the message situation are met, use the initial situation values table view in the event results workspace to check the values from the data sample that triggered the situation event. With the above settings, for all queues that have the queue2 prefix, the Msg Content column in the initial situation values view will be blank. All other queues that do not have queue1 or queue2 prefix, the Msg Content column will be filled in.

  • To set message manipulation for all queues to DATA, specify the following statements: 
    SET GROUP NAME (GROUP1) -
        DEFAULT (YES) -
        COMMAND (YES) -
        MSGACCESS (USEQACCESS)
SET QACCESS NAME(*) -
        MSGAUTHUSERS(*) -
        MSGACCOUNT(MQAGENT) -
        MSGACCESS(DATA)
        GROUP(GROUP1)
  • To give the DELETE MSGACCESS privilege to all queues that have the queue1 prefix and belong to the QM1 manager, to give the NONE MSGACCESS privilege to all other queues that belong to the QM1 manager, and to give the DATA MSGACCESS privilege to all queues that belong to the QM2 manager, specify the following statements: 
    SET GROUP NAME(GROUP1) DEFAULT(YES) COMMAND(YES) MSGACCESS(DATA)
SET MANAGER NAME(QM1) MSGACCESS(USEQACCESS)
SET MANAGER NAME(QM2)
SET QACCESS NAME(queue1*) -
        MSGAUTHUSERS(*) -
        MSGACCOUNT(MQAGENT) -
        MSGACCESS(DELETE) -
        MGRNAME(QM1)
SET QACCESS NAME(q1*) -
        MSGAUTHUSERS(*) -
        MSGACCOUNT(MQAGENT) -
        MSGACCESS(DELETE) -
        MGRNAME(QM2)
  • To give the DESC privilege to all queues that have the q1 prefix, and give the DATA privilege to all queues that have the q2 prefix, specify the following statements: 
    SET GROUP NAME(GROUP1) DEFAULT(YES)
SET MANAGER NAME(QM1) MSGACCESS(USEQACCESS)
SET QACCESS NAME(q1*) -
        MSGAUTHUSERS(A*, B?C) -
        MSGACCOUNT(UIUSER) -
        MSGACCESS(DESC) -
        MGRNAME(QM1)
SET QACCESS NAME(q2*) -
        MSGAUTHUSERS(John) -
        MSGACCOUNT(USER=mqoperator) -
        MSGACCESS(DATA) -
        MGRNAME(QM1)
  • To give the DELETE MSGACCESS privilege to all queues that have the queue1 prefix and belong to the QM1 manager, to give the DATA MSGACCESS privilege to all other queues that belong to the QM1 manager, specify the following statements:
    SET GROUP NAME(GROUP1) DEFAULT(YES) COMMAND(YES) MSGACCESS(DATA)
SET MANAGER NAME(QM1) MSGACCESS(USEQACCESS)
SET QACCESS NAME(queue1*) -
        MSGAUTHUSERS(*) -
        MSGACCOUNT(MQAGENT) -
        MSGACCESS(DELETE) -
        DEFAULT(NO) -
        MGRNAME(QM1)
SET QACCESS NAME(*) -
        MSGAUTHUSERS(*) -
        MSGACCOUNT(MQAGENT) -
        MSGACCESS(DATA) -
        DEFAULT(YES) -
        MGRNAME(QM1)