IBM MQ - Permissions - Read perspective

两盒软妹~` submitted on 2019-12-01 23:20:48

For read only you do not want to use MQZAO_ALL_ADMIN since this would give administrative authority. In terms of setmqaut that is +alladm and provides +chg +clr +dlt +dsp on queues.

In general for read only you would provide +connect +inq +dsp against the qmgr object, and +dsp for any objects that you want to monitor. +dsp allows you to see the name of the object and in some cases details of the object. For some objects (queue, process, namelist) you also need to add +inq to see details of the object. You also need to provide +put to the SYSTEM.ADMIN.COMMAND.QUEUE and +get to either a model queue if you are going to use dynamic queues, or to a normal local queue.

You can use wildcards as well if you want to provide permission to multiple queues.

The example below would provide read only permission to all objects for all types:

setmqaut -m <QMGR>                               -t qmgr     -g group -all +connect +inq +dsp
setmqaut -m <QMGR> -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue    -g group -all +inq +put +dsp
setmqaut -m <QMGR> -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue    -g group -all +inq +get +dsp
setmqaut -m <QMGR> -n '**'                       -t namelist -g group -all +dsp +inq
setmqaut -m <QMGR> -n '**'                       -t process  -g group -all +dsp +inq
setmqaut -m <QMGR> -n '**'                       -t queue    -g group -all +dsp +inq
setmqaut -m <QMGR> -n '**'                       -t channel  -g group -all +dsp
setmqaut -m <QMGR> -n '**'                       -t clntconn -g group -all +dsp
setmqaut -m <QMGR> -n '**'                       -t listener -g group -all +dsp
setmqaut -m <QMGR> -n '**'                       -t service  -g group -all +dsp
setmqaut -m <QMGR> -n '**'                       -t topic    -g group -all +dsp

*Note that I always prefix permissions with a -all so that you know the permissions you are granting will be the only permissions. If you did not have -all and the group above already had other permissions, for example +put on a queue, that permission would stay and you would be adding +dsp +inq and end up with +put +dsp +inq.


If the queue manager is on Windows you can use -p and a username instead to grant the permission directly to that user. On Unix prior to v8, if you used -p it would actually grant the permission to the user's primary group; in v8 and later, if you add SecurityPolicy=user to the Service: stanza of the qm.ini it will behave like Windows always has and grant permission only to the user specified with -p. In a large organization this can be preferred since you know you have provided permission only to a single user, whereas if you provide it at a group level it is possible someone can just get a second user added to that group and the second user now has the same permission.


Note that, as an alternative to the setmqaut command, in MQ v7.1 and later you can grant permissions using SET AUTHREC MQSC commands. The commands below will provide the same permissions that the above setmqaut commands provide:

SET AUTHREC PROFILE('self')                       GROUP('group') OBJTYPE(QMGR)     AUTHRMV(ALL) AUTHADD(CONNECT,DSP,INQ)
SET AUTHREC PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') GROUP('group') OBJTYPE(QUEUE)    AUTHRMV(ALL) AUTHADD(DSP,INQ,PUT)
SET AUTHREC PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') GROUP('group') OBJTYPE(QUEUE)    AUTHRMV(ALL) AUTHADD(DSP,INQ,GET)
SET AUTHREC PROFILE('**')                         GROUP('group') OBJTYPE(NAMELIST) AUTHRMV(ALL) AUTHADD(DSP,INQ)
SET AUTHREC PROFILE('**')                         GROUP('group') OBJTYPE(PROCESS)  AUTHRMV(ALL) AUTHADD(DSP,INQ)
SET AUTHREC PROFILE('**')                         GROUP('group') OBJTYPE(QUEUE)    AUTHRMV(ALL) AUTHADD(DSP,INQ)
SET AUTHREC PROFILE('**')                         GROUP('group') OBJTYPE(CHANNEL)  AUTHRMV(ALL) AUTHADD(DSP)
SET AUTHREC PROFILE('**')                         GROUP('group') OBJTYPE(CLNTCONN) AUTHRMV(ALL) AUTHADD(DSP)
SET AUTHREC PROFILE('**')                         GROUP('group') OBJTYPE(LISTENER) AUTHRMV(ALL) AUTHADD(DSP)
SET AUTHREC PROFILE('**')                         GROUP('group') OBJTYPE(SERVICE)  AUTHRMV(ALL) AUTHADD(DSP)
SET AUTHREC PROFILE('**')                         GROUP('group') OBJTYPE(TOPIC)    AUTHRMV(ALL) AUTHADD(DSP)
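As an added check, not part of the answer above, here is a small Python audit that reads a setmqaut script like the one in the answer and flags any line that omits the -all reset or grants authorities beyond the read-only pattern (admin authorities, or +put/+get anywhere other than the command queue and the model queue). The queue manager name QM1, the group name monitor and the APP.ORDERS queue in the sample script are constructed for the example.

```python
import shlex
OPT_FLAGS = {"-m", "-n", "-t", "-g", "-p", "-s"}   # setmqaut options that take a value
# Authorities that are never part of a read-only profile (+alladm expands to the admin set).
ADMIN_AUTHS = {"all", "alladm", "chg", "clr", "crt", "dlt", "ctrl", "ctrlx", "set", "setall", "setid"}
# Read-only authorities per object type, taken from the setmqaut list in the answer above.
READ_ONLY = {
    "qmgr": {"connect", "inq", "dsp"},
    "queue": {"dsp", "inq"}, "namelist": {"dsp", "inq"}, "process": {"dsp", "inq"},
    "channel": {"dsp"}, "clntconn": {"dsp"}, "listener": {"dsp"},
    "service": {"dsp"}, "topic": {"dsp"},
}
PUT_OK = {"SYSTEM.ADMIN.COMMAND.QUEUE"}   # +put is expected only here (to send commands)
GET_OK = {"SYSTEM.DEFAULT.MODEL.QUEUE"}   # +get is expected only on the reply model queue

def parse_setmqaut(line):
    """Split one setmqaut command into (object name, object type, granted, removed)."""
    toks = shlex.split(line)
    opts = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i] in OPT_FLAGS}
    granted = {t[1:] for t in toks[1:] if t.startswith("+")}
    removed = {t[1:] for t in toks[1:] if t.startswith("-") and t not in OPT_FLAGS}
    return opts.get("-n", ""), opts.get("-t", ""), granted, removed

def audit_setmqaut(script):
    """Return [(line_no, finding)] for every grant that goes beyond the read-only pattern."""
    findings = []
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("setmqaut"):
            continue
        name, objtype, granted, removed = parse_setmqaut(line)
        if "all" not in removed:   # without -all, pre-existing authorities survive
            findings.append((no, "missing -all: existing authorities for the group are kept"))
        admin = granted & ADMIN_AUTHS
        if admin:
            findings.append((no, f"administrative authority granted: {sorted(admin)}"))
        allowed = set(READ_ONLY.get(objtype, ()))
        allowed |= {"put"} if name in PUT_OK else {"get"} if name in GET_OK else set()
        extra = granted - allowed - ADMIN_AUTHS
        if extra:
            findings.append((no, f"beyond read-only on {objtype} {name or '(qmgr)'}: {sorted(extra)}"))
    return findings

# Constructed sample: lines 1-3 follow the answer; line 4 drops -all and grants +put on an
# application queue; line 5 grants +alladm on all channels.
SAMPLE = """\
setmqaut -m QM1 -t qmgr -g monitor -all +connect +inq +dsp
setmqaut -m QM1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g monitor -all +inq +put +dsp
setmqaut -m QM1 -n '**' -t queue -g monitor -all +dsp +inq
setmqaut -m QM1 -n APP.ORDERS -t queue -g monitor +dsp +put
setmqaut -m QM1 -n '**' -t channel -g monitor -all +alladm
"""
```

Running audit_setmqaut(SAMPLE) reports two findings for line 4 (missing -all, +put beyond read-only) and one for line 5 (+alladm).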