Commands and authorizations for administration security
If you have enabled administration security, users require specific permissions to be able to run the administration commands.
The following table shows the list of commands, and the permissions that you must set up
before users can run them.
Command | MQ queue-based security | File-based or LDAP security | ||
---|---|---|---|---|
WebSphere® MQ Queue6 | MQ permission (set on setmqaut command) | Object flag (set on mqsichangefileauth command)7 | Permission (set on mqsichangefileauth command) | |
mqsichangeresourcestats |
SYSTEM.BROKER.AUTH
|
+INQ | read+ | |
SYSTEM.BROKER.AUTH.EG1
|
+SET | -e integration_server1 | execute+ | |
mqsicreateexecutiongroup |
SYSTEM.BROKER.AUTH
|
+INQ +PUT | read+,write+ | |
mqsideleteexecutiongroup |
SYSTEM.BROKER.AUTH
|
+INQ +PUT | read+,write+ | |
mqsideploy |
SYSTEM.BROKER.AUTH
|
+INQ | read+ | |
SYSTEM.BROKER.AUTH.EG
|
+PUT | -e integration_server | write+ | |
mqsilist |
SYSTEM.BROKER.AUTH
|
+INQ | read+ | |
SYSTEM.BROKER.AUTH.**2
|
+INQ | -e integration_server2 | read+ | |
mqsimode |
SYSTEM.BROKER.AUTH
|
+INQ (to display)
+INQ +PUT (to modify) |
read+ (to display)
read+,write+ (to modify) |
|
mqsipushapis |
SYSTEM.BROKER.AUTH
|
+INQ | read+ | |
SYSTEM.BROKER.AUTH.EG
|
+INQ | -e integration_server | read+ | |
mqsireloadsecurity |
SYSTEM.BROKER.AUTH
|
+INQ | read+ | |
SYSTEM.BROKER.AUTH.**3
|
+PUT | -e integration_server3 | write+ | |
mqsireportresourcestats |
SYSTEM.BROKER.AUTH
|
+INQ | read+ | |
SYSTEM.BROKER.AUTH.EG4
|
+INQ | -e integration_server4 | read+ | |
mqsistartmsgflow5 |
SYSTEM.BROKER.AUTH
|
+INQ | read+ | |
SYSTEM.BROKER.AUTH.EG
|
+SET | -e integration_server | execute+ | |
mqsistopmsgflow5 |
SYSTEM.BROKER.AUTH
|
+INQ | read+ | |
SYSTEM.BROKER.AUTH.EG
|
+SET | -e integration_server | execute+ | |
mqsiwebuseradmin |
SYSTEM.BROKER.AUTH
|
+PUT | write+ |
Notes:
- If you are changing resource statistics collection for all integration servers on the integration node, you must have execute permission for all integration servers.
- You must have read permission for every integration node and every integration server for which you are requesting information. If you request details about a resource for which you do not have the required permissions, message BIP1185S is returned to identify each resource with inappropriate permissions: The command completes the request and returns results for all the resources for which permissions are correct.
- Where SYSTEM.BROKER.AUTH.** is specified, the user ID running the command must have permissions for all integration servers. You can set up this level of authority by either creating a generic profile for all integration servers, or a specific profile for every integration server.
- If you are reporting resource statistics collection for all integration servers on the integration node, you must have read permission for all integration servers.
- Exact requirements for this command depend on the combination of parameters that you specify on the command; for details, see the authorization section in mqsistartmsgflow command and mqsistopmsgflow command.
- In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the name of your integration server.
- Where no object flag is specified, the permissions are set at the level of the integration node.
Only the commands that are listed in this table are subject to administration security.
Note: The permissions that are listed in this table are in addition to the permission required to
run the command on specific platforms. Refer to the following topics for information about
platform-specific permissions: