
IBM MQ Little Gem #52 DISPLAY ENTAUTH

By Morag Hughson posted Thu May 27, 2021 06:19 AM

  
This is part of a series of small blog posts which will cover some of the smaller, perhaps less likely to be noticed, features of IBM MQ. Read other posts in this series.

Prompted by a recent blog post by Colin Paice I realised that the IBM MQ DISPLAY ENTAUTH command is perhaps not as well known as it should be, and it is a very useful command, so it meets the criteria of a Little Gem!

When you need to know whether "this user is authorised to use this queue" you can ask the queue manager this directly. If you think about this, this is the same question the queue manager needs to answer when a user runs an application that opens a queue for a specific purpose. The command to use is as follows:-

DISPLAY ENTAUTH PRINCIPAL(user-name) OBJTYPE(QUEUE) OBJNAME(queue-name)

Remember that the user-name and queue-name in the above command are case sensitive. MQSC folds unquoted strings to upper case, so you must quote the string if it contains lower case characters.

Here's an example of the above command, showing the MQSC output it responds with:-

DISPLAY ENTAUTH PRINCIPAL('mqgusr1') OBJTYPE(QUEUE) OBJNAME(Q1)
AMQ8866I: Display entity authority details.
   OBJNAME(Q1)                             ENTITY(mqgusr1)
   ENTTYPE(PRINCIPAL)                      OBJTYPE(QUEUE)
   AUTHLIST(CHG,CLR,DSP,GET,PUT)

If your reason for asking the above question is because you expected an authority failure and didn't get one, your next question is likely, "why is this user authorised to use this queue?" To get the answer to this question you need to see the set of authority records that contributed to the above answer. That is, some authorities may have come from the group(s) you are in, and some may have been directly granted to your user (if you are running your queue manager in a mode that allows this). The command to use is as follows:-

DISPLAY AUTHREC PROFILE(queue-name) PRINCIPAL(user-name) MATCH(MEMBERSHIP) OBJTYPE(QUEUE)

Here's an example of this command, showing the MQSC output it responds with:-

DISPLAY AUTHREC PROFILE(Q1) PRINCIPAL('mqgusr1') MATCH(MEMBERSHIP) OBJTYPE(QUEUE)
AMQ8864I: Display authority records details.
   PROFILE(Q1)                              ENTITY(mqgemadm)
   ENTTYPE(GROUP)                           OBJTYPE(QUEUE)
   AUTHLIST(CHG,CLR,DSP)
AMQ8864I: Display authority records details.
   PROFILE(Q1)                              ENTITY(mqgemapp)
   ENTTYPE(GROUP)                           OBJTYPE(QUEUE)
   AUTHLIST(DSP,GET,PUT)

The above output shows that the user name mqgusr1 gets its authorities from two different groups that it is a member of: mqgemadm, which grants CHG, CLR and DSP, and mqgemapp, which grants DSP, GET and PUT.

The above example also illustrates that the same authority, for example, DSP in this case, can be granted to the user from different group memberships, and if your goal is to remove that authority from that user, you might have more than one change to make. Whether you achieve this by removing the user from the group, or removing the authority granted to the group will depend on other group members and which other authorisations you need to ensure it has.

Finally, remember that if one of the groups that is returned when you ask "why is this user authorised to use this queue?" is ENTITY(mqm), then you will see all the authorities listed, and you cannot remove any of them. In order to remove authorities granted to a user that is in the mqm group, you need to remove that user from the mqm group.

AMQ8864I: Display authority records details.
   PROFILE(Q1)                              ENTITY(mqm)
   ENTTYPE(GROUP)                           OBJTYPE(QUEUE)
   AUTHLIST(BROWSE,CHG,CLR,CLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)
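
To turn the DISPLAY AUTHREC ... MATCH(MEMBERSHIP) output into an answer to "which records do I have to change to take this authority away?", the following added example (not code from the original post or from IBM MQ) parses the records and maps each authority to the entities that grant it. The function names are hypothetical, and the sample input is the output shown earlier, embedded as constructed text as if captured from runmqsc.

```python
import re
from collections import defaultdict

# Constructed sample: the two-group DISPLAY AUTHREC output shown earlier in the post.
SAMPLE = """\
AMQ8864I: Display authority records details.
   PROFILE(Q1)                              ENTITY(mqgemadm)
   ENTTYPE(GROUP)                           OBJTYPE(QUEUE)
   AUTHLIST(CHG,CLR,DSP)
AMQ8864I: Display authority records details.
   PROFILE(Q1)                              ENTITY(mqgemapp)
   ENTTYPE(GROUP)                           OBJTYPE(QUEUE)
   AUTHLIST(DSP,GET,PUT)
"""

ATTR = re.compile(r"(\w+)\(([^)]*)\)")  # KEYWORD(value) pairs in MQSC output

def parse_authrecs(text):
    """Return one dict of KEYWORD -> value per AMQ8864I record in the output."""
    records = []
    # Anything before the first AMQ8864I line (the echoed command) is dropped.
    for chunk in re.split(r"^AMQ8864I:.*$", text, flags=re.M)[1:]:
        rec = dict(ATTR.findall(chunk))
        rec["AUTHLIST"] = [a for a in rec.get("AUTHLIST", "").split(",") if a]
        records.append(rec)
    return records

def sources(records):
    """Map each authority to the (ENTTYPE, ENTITY) pairs that grant it."""
    by_auth = defaultdict(list)
    for rec in records:
        for auth in rec["AUTHLIST"]:
            by_auth[auth].append((rec["ENTTYPE"], rec["ENTITY"]))
    return dict(by_auth)

def revocation_plan(records, authority):
    """Entities whose grant (or membership) must change to remove `authority`.
    Returns None if the user is in mqm: nothing can be removed while that holds."""
    if any(r["ENTTYPE"] == "GROUP" and r["ENTITY"] == "mqm" for r in records):
        return None
    return sorted(e for _, e in sources(records).get(authority, []))

if __name__ == "__main__":
    recs = parse_authrecs(SAMPLE)
    for auth, who in sorted(sources(recs).items()):
        print(f"{auth:8} granted via {', '.join(f'{t}:{e}' for t, e in who)}")
    print("To remove DSP, change:", revocation_plan(recs, "DSP"))
```
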

I hope these two very useful commands help you to negotiate viewing the myriad of authority records that you can be overwhelmed by, when you just use a vanilla DISPLAY AUTHREC command.


Morag Hughson is an MQ expert. She spent 18 years in the MQ Devt organisation before taking on her current job writing MQ Technical education courses with MQGem. She also blogs for MQGem. You can connect with her here on IMWUC or on Twitter and LinkedIn.
