IBM Websphere MQ v6. QM running on Solaris 9. I want to provide my staff limited permission to make changes to the WMQ network.
ANSWER: One way is to use WebSphere MQ Explorer as a read-only viewer.
The WebSphere MQ Explorer GUI provides a user-friendly way to administer your queue managers. It can also be used as a read-only 'viewer'. If you have staff who do not have authority to make changes to the WMQ network but need to be able to monitor what is happening, this will let them use WMQ Explorer to do it.
Below are the steps required to set this up for a single QM; they also highlight some problems to watch out for.
- Create a user, making sure that the user is not a member of the mqm group.
- Start a channel listener for the queue manager.
- Create a server-connection (SVRCONN) channel on the queue manager, setting the MCAUSER attribute to the user name defined in step 1.
- Use setmqaut to specify which objects you want the user to be able to see.
1) First, you need permission to connect to the queue manager:
setmqaut -m <QM> -t qmgr -p <USER_NAME> +connect +inq +dsp
2) To give permission to the queues that WMQ Explorer will need:
setmqaut -m <QM> -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p <USER_NAME> +get +browse +inq
setmqaut -m <QM> -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p <USER_NAME> +get +browse +inq +put
setmqaut -m <QM> -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p <USER_NAME> +inq +browse +get +dsp
setmqaut -m <QM> -t q -n 'AMQ.**' -p <USER_NAME> +all
setmqaut -m <QM> -t q -n 'MQAI.**' -p <USER_NAME> +all
3) You could give access to all objects of a certain type, such as being able to display all channels:
setmqaut -m <QM> -t channel -n '**' -p <USER_NAME> +dsp
4) You might want to include additional permissions, such as the ability to browse messages on queues or inquire on their attributes:
setmqaut -m <QM> -t q -n '**' -p <USER_NAME> +dsp +inq +browse
5) Review the System Administration Guide section on setmqaut for more detail on the options available.
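As an added example (not part of the original answer), the POSIX shell script below applies the read-only authority set from the steps above for one user and checks the two things those steps depend on: that the user is not in the mqm group, and that the SVRCONN channel's MCAUSER is actually pinned to a non-privileged ID rather than left blank. The queue manager QM1, user mqviewer and channel READONLY.SVRCONN are assumed placeholders, and the runmqsc output used for the MCAUSER check is constructed inline.

```shell
#!/bin/sh
# Added example; queue manager, user and channel names are placeholders.

# Return 0 if group $1 appears in the space-separated group list $2
# (for example the output of "id -Gn <user>").
in_group() {
  for g in $2; do [ "$g" = "$1" ] && return 0; done
  return 1
}

# Apply the read-only authorities from the answer to user $2 on queue manager $1.
# Refuses if the user is in the mqm group, since that would grant full admin anyway.
grant_readonly() {
  qm="$1"; user="$2"
  if in_group mqm "$(id -Gn "$user")"; then
    echo "refusing: $user is a member of mqm" >&2; return 1
  fi
  setmqaut -m "$qm" -t qmgr -p "$user" +connect +inq +dsp
  setmqaut -m "$qm" -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p "$user" +get +browse +inq
  setmqaut -m "$qm" -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p "$user" +get +browse +inq +put
  setmqaut -m "$qm" -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p "$user" +inq +browse +get +dsp
  setmqaut -m "$qm" -t q -n 'AMQ.**' -p "$user" +all
  setmqaut -m "$qm" -t q -n 'MQAI.**' -p "$user" +all
  setmqaut -m "$qm" -t channel -n '**' -p "$user" +dsp
  setmqaut -m "$qm" -t q -n '**' -p "$user" +dsp +inq +browse
}

# Extract the MCAUSER value from runmqsc "DISPLAY CHANNEL(...) MCAUSER" output
# read on stdin; prints an empty string when the attribute is blank.
mcauser_of() {
  sed -n 's/.*MCAUSER(\([^)]*\)).*/\1/p' | tr -d ' ' | head -n 1
}

# Return 0 only when the channel is pinned to a real, non-mqm identity: a blank
# MCAUSER lets the connecting client assert whatever user ID it sends, and mqm
# would hand an Explorer user full administrative authority.
mcauser_ok() {
  case "$1" in
    ''|mqm) return 1 ;;
    *) return 0 ;;
  esac
}

# Constructed sample of what runmqsc prints for the channel created in the steps above.
SAMPLE='AMQ8414: Display Channel details.
   CHANNEL(READONLY.SVRCONN)               CHLTYPE(SVRCONN)
   MCAUSER(mqviewer)'

# Live use (commented out so the script also runs without a queue manager):
# grant_readonly QM1 mqviewer
# echo "DISPLAY CHANNEL(READONLY.SVRCONN) MCAUSER" | runmqsc QM1 | mcauser_of
```

Run the live lines as the mqm user on the Solaris host after the channel has been defined; the MCAUSER check is worth repeating whenever the channel definition is altered.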
Steps to carry out on the WebSphere MQ Explorer machine:
1) Right-click on 'Queue Managers', choose "Show Queue Manager" and click on the "Add" button.
2) Enter the queue manager name and click "Next".
3) Fill in the hostname of the machine hosting the queue manager, the TCP port number for the channel listener you started and the name of the server-connection channel you created.
4) Click "Finish".
Note 1: The WebSphere MQ Explorer user will only see the objects that they have the authority to see. So it's worth being aware that in such a setup, the Explorer is no longer showing a definitive view of the objects on the queue manager.
Note 2: Attempts to view an object which the user isn't authorized to display can result in an authorization event. See the Monitoring WebSphere MQ section on "Event Monitoring" (http://publib.boulder.ibm.com/infocenter/wmqv6/v6ro/index.jsp?topic=/com.ibm.mq.csqzax.doc/monevent.htm) for more information. If a queue manager has authorization events (AUTHOREV) enabled, every attempt to access something which a user is not authorized to will cause an event message to be put to the SYSTEM.ADMIN.QMGR.EVENT queue. So, for example, if a user does not have access to display queues, then one authorization event message will be put to SYSTEM.ADMIN.QMGR.EVENT for each queue they cannot access every time the Queues view in WMQ Explorer is refreshed. This could result in a lot of messages, so you may want to disable AUTHOREV or take steps to handle these messages.
Note 3: If you want to look at queues with WebSphere MQ Explorer in this way, you will need to have Refresh Pack 6.0.2.0 or greater applied. A bug in the Explorer prior to this meant that the failure to display SYSTEM.AUTH.DATA.QUEUE (a queue which it is not possible to give a non-mqm user access to) prevented any queues from being displayed. This is documented more fully in APAR IC49051 (http://www-1.ibm.com/support/docview.wss?re=171&uid=swg1IC49051).
Note 4: In the examples above, we used the -p option for setmqaut, specifying a specific user. This was done for simplicity, but in practice using -g to specify a group is often easier to manage. See the System Administration Guide for the full syntax.