In order to give read permission to all objects of a queue manager (queues, channels, etc.) for monitoring purposes, what command/permission is required? My monitoring client uses the Java API.
Will the MQZAO_ALL_ADMIN permission do for this purpose? Can setmqaut be used to set this permission? This command has options like +put, +get, etc., not MQZAO_ALL_ADMIN. Currently I am using setmqaut for each queue, etc., with version 8.0.0.4.
For read only you do not want to use MQZAO_ALL_ADMIN since this would give administrative authority. In terms of setmqaut that is +alladm and provides +chg +clr +dlt +dsp on queues.
In general for read only you would provide +connect +inq +dsp against the qmgr object, and +dsp for any objects that you want to monitor. +dsp allows you to see the name of the object and in some cases details of the object. For some objects (queue, process, namelist) you also need to add +inq to see details of the object. You also need to provide +put to the SYSTEM.ADMIN.COMMAND.QUEUE and +get to either a model queue if you are going to use dynamic queues, or to a normal local queue.
You can use wildcards as well if you want to provide permission to multiple queues.
The example below would provide read only permission to all objects for all types:
*Note that I always prefix permissions with a -all so that you know the permissions you are granting will be the only permissions. If you did not have -all and the group above already had other permissions, for example +put on a queue, that permission would stay and you would be adding +dsp +inq and end up with +put +dsp +inq.
If the queue manager is on Windows you can use -p and a username instead to grant the permission directly to that user. On Unix prior to v8 if you used -p it would actually grant the permission to the user's primary group; in v8 and later if you add SecurityPolicy=user to the Service: stanza of the qm.ini it will behave like Windows always had and grant permission only to the user specified with the -p. In a large organization this can be preferred since you know you have provided permission only to a single user, whereas if you provide it at a group level it is possible someone can just get a second user added to that group and the second user now has the same permission.
Note that as an alternative to the setmqaut command, in MQ v7.1 and later you can grant permissions using SET AUTHREC MQSC commands. The commands below will provide the same permissions that the above setmqaut commands provide:
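
The authorities listed in the answer above, written out as setmqaut commands in an added example (this is not the answerer's code, which is not reproduced on this page). The script only prints the commands for review; the group-based -g form, the chosen set of object types, and SYSTEM.DEFAULT.MODEL.QUEUE as the default reply queue are assumptions of the example.

```shell
#!/bin/sh
# Added example: print (not run) setmqaut commands for a read-only monitoring group.

# Types that get +dsp only (a subset picked for this example).
DSP_ONLY_TYPES="channel clntconn listener service topic authinfo"
# Types the answer names as also needing +inq to show object details.
DSP_INQ_TYPES="queue process namelist"

# mq_readonly_cmds QMGR GROUP [REPLY_QUEUE]
# REPLY_QUEUE defaults to SYSTEM.DEFAULT.MODEL.QUEUE (assumption: the client
# creates its dynamic reply queue from that model queue).
mq_readonly_cmds() {
    qmgr=$1; group=$2; reply=${3:-SYSTEM.DEFAULT.MODEL.QUEUE}
    if [ -z "$qmgr" ] || [ -z "$group" ]; then
        echo "usage: mq_readonly_cmds QMGR GROUP [REPLY_QUEUE]" >&2
        return 2
    fi
    # The output is meant to be run by a shell, so reject anything outside
    # the characters MQ object names use (plus '-' for group names).
    case "$qmgr$group$reply" in
        *[!A-Za-z0-9._%/-]*) echo "unexpected character in argument" >&2; return 2 ;;
    esac

    # Queue manager object: connect and inquire/display only.
    printf 'setmqaut -m %s -t qmgr -g %s -all +connect +inq +dsp\n' "$qmgr" "$group"

    # Generic '**' profile per type; -all first so nothing older survives.
    for t in $DSP_INQ_TYPES; do
        printf "setmqaut -m %s -n '**' -t %s -g %s -all +dsp +inq\n" "$qmgr" "$t" "$group"
    done
    for t in $DSP_ONLY_TYPES; do
        printf "setmqaut -m %s -n '**' -t %s -g %s -all +dsp\n" "$qmgr" "$t" "$group"
    done

    # These two queues get their own profiles, so each carries the full set
    # it needs: +put to send commands, +get to read replies.
    printf 'setmqaut -m %s -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g %s -all +dsp +inq +put\n' "$qmgr" "$group"
    printf 'setmqaut -m %s -n %s -t queue -g %s -all +dsp +inq +get\n' "$qmgr" "$reply" "$group"
}

# Stand-alone use: sh script.sh QM1 mqmon  (both names are placeholders)
if [ "$#" -ge 2 ]; then mq_readonly_cmds "$@"; fi
```

Review the printed commands, then run them as the MQ administrator on the queue manager host.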