$ dspmqver
Name:        IBM MQ
Version:     9.3.0.2

I'm trying to query local queues using a Zabbix agent.
Basically, the agent should run this command.

echo 'DISPLAY QLOCAL(QE*) WHERE(CURDEPTH GE 0)' | runmqsc QMName

However, the Zabbix user is not authorized.

Starting MQSC for queue manager QMName.
AMQ8135E: Not authorized.

No MQSC commands read.

I tried to add the zabbix user to the mqm user group, but it didn't work.

usermod -aG mqm zabbix

When I checked the logs, I found that the user did not have sufficient privileges to access the QM.

AMQ8077W: Entity 'zabbix' has insufficient authority to access object
QMName [qmgr].
 
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect

So, I added the connect permission

SET AUTHREC OBJTYPE(QMGR) GROUP('zabbix') AUTHADD(CONNECT)

Then a new permission error showed up.

AMQ8245W: Entity 'zabbix' has insufficient authority to display object
QMName [qmgr].
 
EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp

I then added the dsp permission, but this time the query returned an error for each queue.

AMQ8245W: Entity 'zabbix' has insufficient authority to display object
QE.TEST [queue].

EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp

Since there are many queues for each QM, I could not figure out how to add permission to the Zabbix user for all queues.

Can you guys help out?

Hi Daniel,

Let me first of all say that I am impressed how you have figured out how to grant the authorities you needed for the queue manager object and that you noticed that the first one was 'connect' and the second one was 'dsp'. Well done.

To grant access to multiple objects, you can use wildcards, so something like this:-

SET AUTHREC PROFILE('QE.**') OBJTYPE(QUEUE) GROUP('zabbix') AUTHADD(DSP)

What does the '**' mean? Why not just a single '*'?

The double asterisk matches multiple dot separators in the name, where a single asterisk only matches one dot separated portion of the name.

You can match literally all queues using a profile of '**'.

Cheers,
Morag

$ dspmqver
Name:        IBM MQ
Version:     9.3.0.2

I'm trying to query local queues using a Zabbix agent.
Basically, the agent should run this command.

echo 'DISPLAY QLOCAL(QE*) WHERE(CURDEPTH GE 0)' | runmqsc QMName

However, the Zabbix user is not authorized.

Starting MQSC for queue manager QMName.
AMQ8135E: Not authorized.

No MQSC commands read.

I tried to add the zabbix user to the mqm user group, but it didn't work.

usermod -aG mqm zabbix

When I checked the logs, I found that the user did not have sufficient privileges to access the QM.

AMQ8077W: Entity 'zabbix' has insufficient authority to access object
QMName [qmgr].
 
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect

So, I added the connect permission

SET AUTHREC OBJTYPE(QMGR) GROUP('zabbix') AUTHADD(CONNECT)

Then a new permission error showed up.

AMQ8245W: Entity 'zabbix' has insufficient authority to display object
QMName [qmgr].
 
EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp

I then added the dsp permission, but this time the query returned an error for each queue.

AMQ8245W: Entity 'zabbix' has insufficient authority to display object
QE.TEST [queue].

EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp

Since there are many queues for each QM, I could not figure out how to add permission to the Zabbix user for all queues.

Can you guys help out?

$ dspmqver
Name:        IBM MQ
Version:     9.3.0.2

I'm trying to query local queues using a Zabbix agent.
Basically, the agent should run this command.

echo 'DISPLAY QLOCAL(QE*) WHERE(CURDEPTH GE 0)' | runmqsc QMName

However, the Zabbix user is not authorized.

Starting MQSC for queue manager QMName.
AMQ8135E: Not authorized.

No MQSC commands read.

I tried to add the zabbix user to the mqm user group, but it didn't work.

usermod -aG mqm zabbix

When I checked the logs, I found that the user did not have sufficient privileges to access the QM.

AMQ8077W: Entity 'zabbix' has insufficient authority to access object
QMName [qmgr].
 
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect

So, I added the connect permission

SET AUTHREC OBJTYPE(QMGR) GROUP('zabbix') AUTHADD(CONNECT)

Then a new permission error showed up.

AMQ8245W: Entity 'zabbix' has insufficient authority to display object
QMName [qmgr].
 
EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp

I then added the dsp permission, but this time the query returned an error for each queue.

AMQ8245W: Entity 'zabbix' has insufficient authority to display object
QE.TEST [queue].

EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp

Since there are many queues for each QM, I could not figure out how to add permission to the Zabbix user for all queues.

Can you guys help out?

After adding zabbix to the mqm group, did you do a refresh security on the queue manager? Remember that the queue manager caches the security and in particular the group membership. So adding zabbix to the mqm group will only be effective after a refresh security or a queue manager restart.

$ dspmqver
Name:        IBM MQ
Version:     9.3.0.2

I'm trying to query local queues using a Zabbix agent.
Basically, the agent should run this command.

echo 'DISPLAY QLOCAL(QE*) WHERE(CURDEPTH GE 0)' | runmqsc QMName

However, the Zabbix user is not authorized.

Starting MQSC for queue manager QMName.
AMQ8135E: Not authorized.

No MQSC commands read.

I tried to add the zabbix user to the mqm user group, but it didn't work.

usermod -aG mqm zabbix

When I checked the logs, I found that the user did not have sufficient privileges to access the QM.

AMQ8077W: Entity 'zabbix' has insufficient authority to access object
QMName [qmgr].
 
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: connect

So, I added the connect permission

SET AUTHREC OBJTYPE(QMGR) GROUP('zabbix') AUTHADD(CONNECT)

Then a new permission error showed up.

AMQ8245W: Entity 'zabbix' has insufficient authority to display object
QMName [qmgr].
 
EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp

I then added the dsp permission, but this time the query returned an error for each queue.

AMQ8245W: Entity 'zabbix' has insufficient authority to display object
QE.TEST [queue].

EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp

Since there are many queues for each QM, I could not figure out how to add permission to the Zabbix user for all queues.

Can you guys help out?