dmpmqaut
Dump a list of current authorizations for a range of IBM® MQ object types and profiles.
Purpose
Use the dmpmqaut command to dump the current authorizations to a specified object.
Syntax
Optional parameters
- -m
QMgrName
- Dump authority records only for the queue manager specified. If you omit this parameter, only authority records for the default queue manager are dumped.
- -n
Profile
- The name of the profile for which to dump authorizations. The profile name can be generic, using wildcard characters to specify a range of names as explained in Using OAM generic profiles on UNIX, Linux®, and Windows systems.
- -l
- Dump only the profile name and type. Use this option to generate a terse list of all defined profile names and types.
- -a
- Generate set authority commands.
- -t
ObjectType
- The type of object for which to dump authorizations. Possible values are:
Value Description authinfo An authentication information object, for use with Secure Sockets Layer (SSL) channel security channel or chl A channel clntconn or clcn A client connection channel listener or lstr A listener namelist or nl A namelist process or prcs A process queue or q A queue or queues matching the object name parameter qmgr A queue manager rqmname or rqmn A remote queue manager name service or srvc A service topic or top A topic - -s
ServiceComponent
- If installable authorization services are supported, specifies the name of the authorization service for which to dump authorizations. This parameter is optional; if you omit it, the authorization inquiry is made to the first installable component for the service.
- -p
PrincipalName
- This parameter applies to IBM MQ for
Windows only; UNIX systems keep only group authority records.
The name of a user for whom to dump authorizations to the specified object. The name of the principal can optionally include a domain name, specified in the following format:
userid@domain
For more information about including domain names on the name of a principal, see Principals and groups.
- -g
GroupName
- The name of the user group for which to dump authorizations. You can specify only one name, which must be the name of an existing user group.
For IBM MQ for Windows only, the group name can optionally include a domain name, specified in the following formats:
GroupName@domain domain\GroupName
- -e
- Display all profiles used to calculate the cumulative authority that the entity has to the object specified in
-n Profile
. The variableProfile
must not contain any wildcard characters.The following parameters must also be specified:-m QMgrName
-n Profile
-t ObjectType
-p PrincipalName
, or-g GroupName
. - -x
- Display all profiles with the same name as specified in
-n Profile
. This option does not apply to the QMGR object, so a dump request of the formdmpmqaut -m QM -t QMGR ... -x
is not valid.
Examples
The following examples show the use of dmpmqaut to dump authority records for generic profiles:
- This example dumps all authority records with a profile that matches queue a.b.c for principal user1.
The resulting dump would look something like this:dmpmqaut -m qm1 -n a.b.c -t q -p user1
profile: a.b.* object type: queue entity: user1 type: principal authority: get, browse, put, inq
Note: UNIX users cannot use the-p
option; they must use-g groupname
instead. - This example dumps all authority records with a profile that matches queue a.b.c.
The resulting dump would look something like this:dmpmqaut -m qmgr1 -n a.b.c -t q
profile: a.b.c object type: queue entity: Administrator type: principal authority: all - - - - - - - - - - - - - - - - - profile: a.b.* object type: queue entity: user1 type: principal authority: get, browse, put, inq - - - - - - - - - - - - - - - - - profile: a.** object type: queue entity: group1 type: group authority: get
- This example dumps all authority records for profile a.b.*, of type queue.
The resulting dump would look something like this:dmpmqaut -m qmgr1 -n a.b.* -t q
profile: a.b.* object type: queue entity: user1 type: principal authority: get, browse, put, inq
- This example dumps all authority records for queue manager qmX.
The resulting dump would look something like this:dmpmqaut -m qmX
profile: q1 object type: queue entity: Administrator type: principal authority: all - - - - - - - - - - - - - - - - - profile: q* object type: queue entity: user1 type: principal authority: get, browse - - - - - - - - - - - - - - - - - profile: name.* object type: namelist entity: user2 type: principal authority: get - - - - - - - - - - - - - - - - - profile: pr1 object type: process entity: group1 type: group authority: get
- This example dumps all profile names and object types for queue manager qmX.
The resulting dump would look something like this:dmpmqaut -m qmX -l
profile: q1, type: queue profile: q*, type: queue profile: name.*, type: namelist profile: pr1, type: process
Note:
- For IBM MQ for
Windows only, all principals displayed include domain information, for example:
profile: a.b.* object type: queue entity: user1@domain1 type: principal authority: get, browse, put, inq
- Each class of object has authority records for each group or principal. These records have the
profile name
@CLASS
and track thecrt
(create) authority common to all objects of that class. If thecrt
authority for any object of that class is changed then this record is updated. For example:
This shows that members of the groupprofile: @class object type: queue entity: test entity type: principal authority: crt
test
havecrt
authority to the classqueue
.Attention: You cannot delete the@CLASS
entries (the system is working as designed) - For IBM MQ for
Windows only, members of the
Administrators
group are by default given full authority. This authority, however, is given automatically by the OAM, and is not defined by the authority records. The dmpmqaut command displays authority defined only by the authority records. Unless an authority record has been explicitly defined, therefore, running the dmpmqaut command against theAdministrators
group displays no authority record for that group.