New AMQ message for insufficient display authority

A little publicised feature of MQ 9.0.4 (MQ 9.1 LTS) was splitting out, as a new message, the OAM insufficient display authority (AMQ8245), from the generic OAM insufficient authority message (AMQ8077):
AMQ8077W Entity <insert_3> has insufficient authority to access object <insert_4>.
When a user performs an action requiring only display authority of an MQ object on a queue manager without sufficient permissions the new AMQ8245 message will be reported for each display violation to the queue manager error logs:
AMQ8245W Entity <insert_3> has insufficient authority to display object <insert_4>.
The existing AMQ8077 message will now only be displayed in the queue manager error logs for OAM authority issues which do not exclusively relate to display access on the object.

Why did we do this and why does it matter?

Prior to 9.0.4, when an application (such as MQ Explorer) connects to a queue manager it will perform numerous display attempts on MQ objects for a given queue manager, each MQ object the application attempts to show will result in an individual AMQ8077 message being written to the queue manager error logs. Given the number of MQ objects for any given queue manager may be very large this can result in a lot of 'noise' building up in the error logs, wasting log space and making it hard to see any real issues.

The problem for an MQ administrator was that if you were to suppress the AMQ8077 message, it means you would suppress not only the reporting of display access issues but also all other cases where a user did not have sufficient authority to perform an action (such as modify/create). Cases where a user attempted to do something other than display an MQ object would likely warrant further investigation by an administrator so suppression of AMQ8077 would not be advised. It is worth noting that due to this AMQ8077 is not in the allowed list of suppressible messages.

Modifying qm.ini to suppress insufficient display authority messages

The act of suppressing messages results in suppressed messages being written to the queue manager error log once only in a configurable time interval (default 30 seconds). To suppress an error message it must be added to a SuppressMessage attribute of the QMErrorLog stanza within the queue manager's qm.ini file. This is a comma separated list of AMQ error message numbers to suppress:
QMErrorLog: SuppressMessage=8245 SuppressInterval=30
As with any qm.ini updates, this requires a queue manager restart to apply the changes, at which point the queue manager will report a message stating the message will be suppressed during the interval period.
06/08/2019 12:37:56 - Process(2548.1) User(MUSR_MQADMIN) Program(amqzxma0.exe) Host(DESKTOP-2GOQIBP) Installation(Installation1) VRMF(9.1.3.0) QMgr(QM1) Time(2019-08-06T11:37:56.830Z) ArithInsert1(30) CommentInsert1(AMQ8245) CommentInsert2(QMErrorLog) CommentInsert3(C:\ProgramData\IBM\MQ\Qmgrs\QM1\qm.ini) AMQ6257I: Message suppression enabled for message numbers (AMQ8245). EXPLANATION: The message contains a list of message numbers for service QMErrorLog from the configuration file 'C:\ProgramData\IBM\MQ\Qmgrs\QM1\qm.ini', for which entries repeated within the 30 suppression interval will be suppressed. ACTION: If you wish to see all occurrences of these messages you should alter the definition of the SuppressMessage attribute in the queue manager configuration.
From now on the queue manager will only report at most one AMQ8245 message every 30 seconds.

Exclude vs suppress

Alternatively the new AMQ8245 insufficient display authority message can be added to the ExcludeMessage list of the same QMErrorLog stanza. As the name suggests the main difference with exclude over suppress is all AMQ8245 messages will no longer be be reported in the queue manager error logs if added to the ExcludeMessage list.

For more information on the Suppress and Exclude messages see the Diagnostic message service stanzas Knowledge center page

Join The Discussion

Your email address will not be published.