I downloaded the MQ container and am able to log in using the admin and app users. I am able to see all queues as the admin user but unable to see all the queues available using the app user. As per the documentation, I need to add the permission on the SYSTEM.ADMIN.COMMAND.QUEUE and SYSTEM.DEFAULT.MODEL.QUEUE queues. Can anyone share the exact command used after "runmqsc QM1" to add this permission for the app user? I tried adding the commands below, and then I am not able to log in with the app user.
runmqsc QM1
SET AUTHREC PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(BROWSE,DSP,GET,INQ,PUT)
SET AUTHREC PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(DSP,GET)
REFRESH SECURITY(*) TYPE(CONNAUTH)
I need help with the Linux command to add and remove the permissions on the above-mentioned system queues (specific to container deployment).
Reading between the lines, it seems that you are using the IBM MQ Advanced for Developers image with the app user and admin defined, where DEV.* queues have been created and this mqsc script has been run.
The following lines in the script authorise the app user to use DEV.* objects.
* Developer authority records
SET AUTHREC PRINCIPAL('app') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(BROWSE,GET,INQ,PUT)
SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
SET AUTHREC PROFILE('DEV.APP.MODEL.QUEUE') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(BROWSE,DSP,GET,INQ,PUT)
The app user shouldn't normally be allowed to access SYSTEM.* objects. If you do want to grant access, then remember that you are running a container. Unless you persist /mnt/mqm to an external volume using something like
--volume qm1data:/mnt/mqm
then any changes you make to the container are lost on every restart.
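An added example, not part of the original answer or of IBM's image: a shell check that reads an MQSC script, finds authority records that grant a principal access outside an allowed profile prefix, and prints the SET AUTHREC ... AUTHRMV statements that take those grants back. The sample input is constructed from the records quoted on this page; the function names and the `DEV.` prefix argument are assumptions, and MQSC keywords are assumed to be upper-case as they are here.

```shell
#!/bin/sh
# Added example: audit MQSC authority records for one principal and emit
# the matching revocations for anything outside an allowed profile prefix.

# Constructed sample: the developer records quoted in the answer plus the
# two SYSTEM.* grants from the question.
sample_mqsc() {
cat <<'EOF'
* Developer authority records
SET AUTHREC PRINCIPAL('app') OBJTYPE(QMGR) AUTHADD(CONNECT,INQ)
SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(BROWSE,GET,INQ,PUT)
SET AUTHREC PROFILE('DEV.**') PRINCIPAL('app') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
SET AUTHREC PROFILE('DEV.APP.MODEL.QUEUE') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(BROWSE,DSP,GET,INQ,PUT)
SET AUTHREC PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(BROWSE,DSP,GET,INQ,PUT)
SET AUTHREC PROFILE('SYSTEM.DEFAULT.MODEL.QUEUE') PRINCIPAL('app') OBJTYPE(QUEUE) AUTHADD(DSP,GET)
EOF
}

# revoke_outside_prefix PRINCIPAL PREFIX   (reads MQSC on stdin)
revoke_outside_prefix() {
  awk -v who="$1" -v prefix="$2" -v q="'" '
    # Return the value inside KEY(...) with single quotes stripped.
    function param(line, key,   s, e, v) {
      s = index(line, key "(")
      if (s == 0) return ""
      v = substr(line, s + length(key) + 1)
      e = index(v, ")")
      v = substr(v, 1, e - 1)
      gsub(q, "", v)
      return v
    }
    /^[ \t]*\*/ { next }                      # MQSC comment line
    /^[ \t]*SET[ \t]+AUTHREC/ {
      if (param($0, "PRINCIPAL") != who) next
      profile = param($0, "PROFILE")
      auths = param($0, "AUTHADD")
      if (profile == "" || auths == "") next  # QMGR record or nothing granted
      if (index(profile, prefix) == 1) next   # inside the allowed prefix
      printf "SET AUTHREC PROFILE(%s%s%s) PRINCIPAL(%s%s%s) OBJTYPE(%s) AUTHRMV(%s)\n", \
             q, profile, q, q, who, q, param($0, "OBJTYPE"), auths
    }'
}

# Stand-alone run: print the revocations for the constructed sample.
sample_mqsc | revoke_outside_prefix app DEV.
```

The printed statements can be fed to runmqsc QM1 on standard input inside the container. As the answer notes, they only survive a restart if /mnt/mqm is on a persistent volume.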