Profiles for processes
If process security is active, you must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles.
- Define profiles in the MQPROC or GMQPROC classes if using uppercase profiles.
- Define profiles in the MXPROC or GMXPROC classes if using mixed case profiles.
- Permit the necessary groups or user IDs access to these profiles, so that they can issue IBM® MQ API requests that use processes.
Profiles for processes take the form:

hlq.processname

where hlq can be either qmgr-name (queue manager name) or qsg-name (queue-sharing group name), and processname is the name of the process being opened.
A profile prefixed by the queue manager name controls access to a single process definition on that queue manager. A profile prefixed by the queue-sharing group name controls access to one or more process definitions with that name on all queue managers within the queue-sharing group. This access can be overridden on an individual queue manager by defining a queue-manager level profile for that process definition on that queue manager.
If your queue manager is a member of a queue-sharing group and you are using both queue manager and queue-sharing group level security, IBM MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue-sharing group name.
The following table shows the access required for opening a process.
MQOPEN option | RACF® access level required to hlq.processname |
---|---|
MQOO_INQUIRE | READ |
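For example, the following RACF commands define a generic profile in the MQPROC class that covers processes with the high-level qualifier MQS9 whose names begin with V, and permit the ID INQVPRC READ access to it:

RDEFINE MQPROC MQS9.V* UACC(NONE)
PERMIT MQS9.V* CLASS(MQPROC) ID(INQVPRC) ACCESS(READ)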
Alternate user security might also be active, depending on the open options specified when a process definition object is opened.
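
The lookup order and queue-manager override described above can be modelled as follows. This is an added example, not IBM MQ or RACF code; it shows how a queue-manager-level profile removes access that was granted at queue-sharing group level. Assumptions: the names QSG1, MQS8, PAY.RUN, VAT.CALC, PAYAPP and the function names are constructed, generic matching is simplified to a trailing `*`, group connections are not modelled, and both security levels are active.

```python
# Added illustration: a simplified model, not IBM MQ or RACF code.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access levels, lowest first

# Constructed sample profiles for one class (MQPROC). MQS9.V* is the profile
# from the page; QSG1, PAY.RUN and the ID PAYAPP are made up for this example.
PROFILES = {
    "MQS9.V*":      {"uacc": "NONE", "permits": {"INQVPRC": "READ"}},
    "QSG1.PAY.RUN": {"uacc": "NONE", "permits": {"PAYAPP": "READ"}},
    "MQS9.PAY.RUN": {"uacc": "NONE", "permits": {}},  # queue-manager override
}

def _match(profile, resource):
    """Return a specificity score, or -1 if the profile does not cover the name.

    Simplification: only discrete names and a single trailing '*' are handled.
    """
    if profile.endswith("*"):
        stem = profile[:-1]
        return len(stem) if resource.startswith(stem) else -1
    # A discrete profile always outranks a generic one for the same name.
    return len(profile) + 1 if profile == resource else -1

def governing_profile(profiles, qmgr, qsg, process):
    """Queue manager prefix first; fall back to the queue-sharing group prefix."""
    for hlq in (qmgr, qsg):
        if hlq is None:  # queue manager is not a member of a group
            continue
        resource = f"{hlq}.{process}"
        hits = [(_match(p, resource), p) for p in profiles]
        hits = [h for h in hits if h[0] >= 0]
        if hits:
            return max(hits)[1]  # most specific covering profile
    return None

def can_inquire(profiles, user, qmgr, qsg, process):
    """MQOO_INQUIRE needs READ on the governing hlq.processname profile."""
    name = governing_profile(profiles, qmgr, qsg, process)
    if name is None:
        return False  # assumption: no covering profile means the open is refused
    prof = profiles[name]
    level = prof["permits"].get(user, prof["uacc"])
    return LEVELS.index(level) >= LEVELS.index("READ")
```

In this model PAYAPP can inquire on PAY.RUN through queue manager MQS8, where only the QSG1 profile applies, but not through MQS9, where the queue-manager-level profile is found first and carries no permit for that ID.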