This time, I’ll be writing about object permissions only.
Object permissions allow fine-grained access control to MQ objects (queues, topics, etc.). One can configure a user to be able to read from only one specific queue and to write to only another.
They can also be used to set up groups of people acting as MQ administrators, MQ operators, etc.
Object permissions, called authorizations in MQ parlance, are very important in MQ application security because they can prevent a user or application with bad intentions from doing harm.
With authorizations you can:
- Allow only administrators to issue commands that manage MQ resources.
- Allow an application user to “see” and use only the queues it needs access to.
- Limit the operations an application can perform on a queue; for example, an application that only needs to put messages to a queue should not be able to read them.
Prior to IBM MQ 7.1 on UNIX (at the time the product was called IBM WebSphere MQ 7.1), object permissions could only be configured based on UNIX groups.
Authorizations can be configured using the setmqaut UNIX® command or the SET AUTHREC MQSC command.
The following command grants the dsp (display) authority on the queue Q1.R in queue manager MQ01 to the user mqapp:
setmqaut -m MQ01 -t queue -n Q1.R -p mqapp +dsp
You can achieve the same with the following MQSC command (the entity is given with PRINCIPAL, and MQSC strings take straight single quotes):
SET AUTHREC OBJTYPE(QUEUE) PROFILE(Q1.R) PRINCIPAL('mqapp') AUTHADD(DSP)
The most commonly used authorizations for queues are listed in the following table (MQI stands for Message Queue Interface, i.e. the MQ API calls):
| Authorization | Description | Type |
|---|---|---|
| CONNECT | Allows MQCONN and MQCONNX calls (connect to the queue manager) | MQI |
| GET | Allows MQGET calls (read from the queue) | MQI |
| PUT | Allows MQPUT calls (write to the queue) | MQI |
| INQ | Allows MQINQ calls (read queue attributes) | MQI |
| BROWSE | Allows MQGET calls with the BROWSE option (read without removing) | MQI |
| DSP | Allows the DISPLAY MQSC command (view object definitions) | Administration |
| CLR | Allows clearing a queue or topic | Administration |
| CRT | Allows creating MQ objects | Administration |
| DLT | Allows deleting MQ objects | Administration |
| SYSTEM | Allows using the queue manager for internal system operations | Administration |
There are several other authorizations, but I’ll leave it up to you to figure them out.
In addition to individual authorizations, there are also the all, allmqi and alladm authorizations.
The all authorization, as the name implies, includes all authorizations; the allmqi includes all MQ API authorizations and, finally, the alladm includes all administration authorizations.
The SET AUTHREC MQSC command can be used to add several authorizations at the same time:
SET AUTHREC OBJTYPE(QUEUE) PROFILE(LOCALQ1) PRINCIPAL('mqapp') AUTHADD(GET,PUT,BROWSE)
To remove authorizations use the AUTHRMV directive of the SET AUTHREC MQSC command instead of AUTHADD:
SET AUTHREC OBJTYPE(QUEUE) PROFILE(LOCALQ1) PRINCIPAL('mqapp') AUTHRMV(GET,PUT,BROWSE)
The same two changes can also be made from the UNIX command line, where +auth adds and -auth removes an authorization:
setmqaut -m MQ01 -t queue -n LOCALQ1 -p mqapp +get +put +browse
and
setmqaut -m MQ01 -t queue -n LOCALQ1 -p mqapp -get -put -browse
To check which authorizations a user or group has on a specific MQ object, for example, the queue LOCALQ1, just run the following command:
dspmqaut -m MQ01 -t queue -n LOCALQ1 -p mqapp
The output could be something like:
Entity mqapp has the following authorizations for object LOCALQ1:
get
browse
put
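Because setmqaut takes both +auth and -auth flags in one invocation, the dspmqaut output above is enough to reconcile a queue with a least-privilege policy. The following script is an added example, not code from the original article: it parses the plain dspmqaut listing, diffs the current authorities against the set the application is supposed to have (the policy here is a hypothetical one for mqapp on LOCALQ1), and returns the single setmqaut command that adds what is missing and removes what is excess. The sample output is constructed to match the format shown above.

```python
"""Reconcile a queue's authorizations with a least-privilege policy (added example)."""
import re
import shlex

# Constructed sample: what `dspmqaut -m MQ01 -t queue -n LOCALQ1 -p mqapp` printed
DSPMQAUT_OUTPUT = """\
Entity mqapp has the following authorizations for object LOCALQ1:
get
browse
put
"""

# Hypothetical policy: the application may only put to LOCALQ1 and inquire on
# its attributes; it must not get or browse messages from it.
WANTED = {"put", "inq"}

HEADER = re.compile(r"^Entity (\S+) has the following authorizations for object (\S+):$")


def parse_dspmqaut(text):
    """Return (entity, object_name, set_of_authorities) from dspmqaut output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("unrecognised dspmqaut header: %r" % lines[0])
    entity, obj = m.group(1), m.group(2)
    # every remaining line is one lower-case authority name
    auths = {ln.lower() for ln in lines[1:]}
    return entity, obj, auths


def diff_authorities(current, wanted):
    """Return (to_add, to_remove), sorted, so that current becomes exactly wanted."""
    return sorted(wanted - current), sorted(current - wanted)


def reconcile_command(qmgr, objtype, current_output, wanted):
    """Build the setmqaut command that brings the entity to the policy, or None if compliant."""
    entity, obj, current = parse_dspmqaut(current_output)
    add, remove = diff_authorities(current, wanted)
    if not add and not remove:
        return None
    flags = ["+" + a for a in add] + ["-" + a for a in remove]
    argv = ["setmqaut", "-m", qmgr, "-t", objtype, "-n", obj, "-p", entity] + flags
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Review the generated command before running it against a real queue manager.
    print(reconcile_command("MQ01", "queue", DSPMQAUT_OUTPUT, WANTED) or "already compliant")
```

Run as-is it prints `setmqaut -m MQ01 -t queue -n LOCALQ1 -p mqapp +inq -browse -get`; the command is returned rather than executed so it can be reviewed, and dspmqaut can be run again afterwards to confirm the result.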
The equivalent MQSC command to the above is:
DISPLAY AUTHREC OBJTYPE(QUEUE) PRINCIPAL('mqapp') PROFILE(LOCALQ1)
4 : DISPLAY AUTHREC OBJTYPE(QUEUE) PRINCIPAL('mqapp') PROFILE(LOCALQ1)
AMQ8864I: Display authority record details.
PROFILE(LOCALQ1) ENTITY(mqm)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)
AMQ8864I: Display authority record details.
PROFILE(LOCALQ1) ENTITY(trindade)
ENTTYPE(GROUP) OBJTYPE(QUEUE)
AUTHLIST(BROWSE,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)
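The DISPLAY AUTHREC records above are also a convenient input for a periodic audit: any entity other than the MQ administrators that holds one of the administrative authorities from the table, or anything beyond what its application needs, is a least-privilege finding. The script below is an added example, not code from the original article. It parses AMQ8864I records into dictionaries and audits them against a hypothetical policy; the sample output is constructed in the format shown above, with a made-up application group appgrp. The set of administrative authorities is taken from the table above plus CHG (change), which appears in the sample AUTHLIST.

```python
"""Audit DISPLAY AUTHREC records for least-privilege violations (added example)."""
import re

# Constructed sample in the format of the article's DISPLAY AUTHREC output
AUTHREC_OUTPUT = """\
     4 : DISPLAY AUTHREC OBJTYPE(QUEUE) PRINCIPAL('mqapp') PROFILE(LOCALQ1)
AMQ8864I: Display authority record details.
   PROFILE(LOCALQ1)                        ENTITY(mqm)
   ENTTYPE(GROUP)                          OBJTYPE(QUEUE)
   AUTHLIST(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)
AMQ8864I: Display authority record details.
   PROFILE(LOCALQ1)                        ENTITY(appgrp)
   ENTTYPE(GROUP)                          OBJTYPE(QUEUE)
   AUTHLIST(BROWSE,CLR,GET,INQ,PUT)
"""

# Administrative authorities from the table above, plus CHG (change) seen in the sample.
ADMIN_AUTHS = {"CHG", "CLR", "CRT", "DLT", "DSP", "SYSTEM"}
# Entities expected to hold administrative authority (the mqm group on UNIX).
TRUSTED_ADMIN_ENTITIES = {"mqm"}
# Hypothetical policy: which authorities each application entity is allowed to hold.
POLICY = {"appgrp": {"GET", "PUT", "INQ"}}

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_authrec(text):
    """Split runmqsc output into one dict per AMQ8864I record; AUTHLIST becomes a set."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8864I"):
            current = {}
            records.append(current)
            continue
        if current is None:  # command echo before the first record
            continue
        for key, value in ATTR.findall(line):
            current[key] = value
    for rec in records:
        rec["AUTHLIST"] = set(rec.get("AUTHLIST", "").split(",")) - {""}
    return records


def audit_records(records, policy, trusted=TRUSTED_ADMIN_ENTITIES):
    """Return a list of (entity, finding) tuples for records that violate least privilege."""
    findings = []
    for rec in records:
        entity, auths = rec["ENTITY"], rec["AUTHLIST"]
        if entity in trusted:
            continue
        admin = sorted(auths & ADMIN_AUTHS)
        if admin:
            findings.append((entity, "holds administrative authorities %s on %s"
                             % (",".join(admin), rec["PROFILE"])))
        wanted = policy.get(entity)
        if wanted is not None:
            excess = sorted(auths - wanted)
            if excess:
                findings.append((entity, "has authorities beyond policy: %s" % ",".join(excess)))
    return findings


if __name__ == "__main__":
    for entity, finding in audit_records(parse_authrec(AUTHREC_OUTPUT), POLICY):
        print("%s: %s" % (entity, finding))
```

Feeding it the output of a DISPLAY AUTHREC for every queue profile (rather than one) turns it into a simple drift check between the deployed authority records and the documented policy.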
It’s also possible to dump all authorizations with the dmpmqaut command.
dmpmqaut -m MQ01
With the dmpmqaut command it is also possible to dump only the authorizations for one object type, one user or group, or one specific MQ object. For that, use the -t, -p or -g, and -n command line options, respectively.
For example, to list all authorizations for queues in the MQ01 queue manager applied to user mquser, just use the command:
dmpmqaut -m MQ01 -t queue -p mquser
There are other authorization types for other object types (for example, topics have the PUB authorization that is needed for “writing” – publishing – to a topic). Perhaps some other article…