mqsichangefileauth command
Use the mqsichangefileauth command to authorize users to complete specific tasks against an integration node and its resources.
Supported platforms
- Windows systems.
- Linux® and UNIX systems.
- z/OS®. Run this command by customizing and submitting BIPCHFA; see Contents of the integration node PDSE.
Purpose
Use the mqsichangefileauth command to grant and revoke administration authority by setting file-based or LDAP-based permissions for specified roles. Administrators can control the access that web users have to integration node resources, by assigning each user to a predefined role. You can authorize users with a particular role to complete specific actions; for example, you might allow users with one role to view integration node resources, while allowing users with another role to modify them. For more information about roles, see Role-based security.
You can use the mqsichangefileauth command only if the file-based or LDAP mode of administration security has been specified for the integration node. If you create an integration node without specifying an associated queue manager, file-based administration security is used by default for the integration node. Use the mqsichangeauthmode command to change the administration security mode, and the mqsireportauthmode command to see which security mode is currently in effect. For information about specifying the administration security mode, see Configuring administration security to use file-based, queue-based, or LDAP authorization.
- Integration node resources
- Integration server resources
- Data capture objects (record-replay)
Syntax
Parameters
- integrationNodeName
- (Required) The name of the integration node to which the security permissions will apply.
- -r role
- (Required) The role for which the permissions are to be set.
- -e integrationServerName
- (Optional) Specifies an integration server to which the security permissions will apply. If you specify this parameter, you cannot specify an object (resource) using the -o parameter.
- -o object
- (Optional) Specifies the object (resource) name for which the security settings will be set. The valid value for this command is DataCapture. If you specify this parameter, you cannot specify a server name using the -e parameter.
- -p permissions
- (Required) Specifies the permissions that are set for the specified role:
- integrationNodeName
- integrationNodeName.integrationServerName
- integrationNodeName.object
The following values are valid for this command:
- read+/-
- write+/-
- execute+/-
- all+/-
The permissions are specified as a comma-separated list of values. A value can be specified for each permission (read, write, and execute) only once in the list of values. For example, you cannot specify all-,read+ because it would be attempting to set the read permission twice (once explicitly, and once as part of all). If all is specified, it must be the only value. If you specify all-, all permission records in the registry are removed.
On z/OS, if you need to use JCL to run the mqsichangefileauth command, you must replace all+ with alla and replace all- with allr; the + and - characters are both reserved in JCL. If you use USS, you can continue to use all+ and all- when you run the command.
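The -p rules above (each of read, write, and execute at most once, all on its own) and the -e/-o exclusion can be checked before a change script calls the command. The following shell functions are an added example, not IBM code; check_perms, check_target, and jcl_perms are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pre-flight checks for mqsichangefileauth arguments.
# check_perms, check_target and jcl_perms are hypothetical helper names.

# check_perms LIST: succeed only if LIST follows the -p rules on this page.
check_perms() {
    list=$1; seen=""; count=0; has_all=0
    case $list in
        ""|,*|*,|*,,*) return 1 ;;          # empty list or empty element
    esac
    old_ifs=$IFS; IFS=,
    set -f; set -- $list; set +f            # split on commas, no globbing
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            all+|all-) has_all=1 ;;
            read+|read-|write+|write-|execute+|execute-)
                name=${item%?}              # strip the trailing + or -
                case " $seen " in *" $name "*) return 1 ;; esac
                seen="$seen $name" ;;
            *) return 1 ;;                  # unknown value or stray whitespace
        esac
        count=$((count + 1))
    done
    # "all" sets every permission, so it must be the only value in the list.
    [ "$has_all" -eq 0 ] || [ "$count" -eq 1 ]
}

# check_target SERVER OBJECT: -e and -o are mutually exclusive, and the only
# object value this page lists is DataCapture. Pass "" for an unused option.
check_target() {
    [ -z "$1" ] || [ -z "$2" ] || return 1
    [ -z "$2" ] || [ "$2" = "DataCapture" ]
}

# jcl_perms LIST: print the JCL spelling. The page documents a replacement
# only for all+ and all-, so any other list is refused rather than guessed.
jcl_perms() {
    case $1 in
        all+) echo alla ;;
        all-) echo allr ;;
        *) return 1 ;;
    esac
}
```

A wrapper can refuse to run the command when either check fails, and can require explicit sign-off when the list is all-, because that value removes all permission records for the role.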
Responses
- BIP8060 The mqsichangefileauth command changes the security permissions for a specified resource
- BIP8061 The supplied resource is not valid as a resource specifier
Authorization
- Security requirements for Linux and UNIX platforms
- Security requirements for Windows systems
- Security requirements for z/OS
Examples
Always enter the command on a single line; in some examples, line breaks have been added to enhance readability.
iibAdmins is granted execute and read permission on IB10NODE.default (the default integration server on the IB10NODE integration node). If this role did not previously exist, the write permission is disabled. If this role previously existed, the write permission is unchanged from its previous setting.
mqsichangefileauth IB10NODE -r iibAdmins -e default -p read+,execute+

iibAdmins is granted read, execute, and write permission on the DataCapture object of the IB10NODE integration node:
mqsichangefileauth IB10NODE -r iibAdmins -o DataCapture -p all+

iibAdmins is granted read, execute, and write permission for all resources in the IB10NODE integration node:
mqsichangefileauth IB10NODE -r iibAdmins -p all+

iibAdmins for resources in the IB10NODE integration node, and the access control list for iibAdmins in the IB10NODE integration node is deleted:
mqsichangefileauth IB10NODE -r iibAdmins -p all-

You can confirm that the entry has been deleted by using the mqsireportfileauth command:
mqsireportfileauth IB10NODE -l