Grant access for publish and subscribe

This topic is the last in a list of tasks that tells you how to grant access to publish and subscribe to topics by more than one user.

Before you begin

This topic uses the setup described in Grant access to a user to publish to a topic deeper within the tree.

About this task

In a previous task, USER1 was given access to subscribe to the topic Price/Fruit. This topic tells you how to grant that user access to publish to that topic.
Figure 1. Granting access for publishing and subscribing
A diagrammatic representation of a topic object fruit, in a topic of price/fruit. The fruit object is further divided into apples and oranges and there are further topic objects of apple and orange. There is a further topic object of vegetables in the topic of price/vegetables. Vegetables is further subdivided into potatoes and onions.
Table 1. Example publishing and subscribing access requirements

| Topic | Subscribe access required | Publish access required | Topic object |
|---|---|---|---|
| Price | No user | No user | None |
| Price/Fruit | USER1 | USER1 | FRUIT |
| Price/Fruit/Apples | USER1 and USER2 | | APPLE |
| Price/Fruit/Oranges | USER1 | | ORANGE |

Procedure

Grant access as follows:
  • z/OS®:

    In an earlier task USER1 was granted access to subscribe to topic Price/Fruit by granting the user access to the hlq.SUBSCRIBE.FRUIT profile.

    To allow USER1 to publish to the Price/Fruit topic, grant USER1 access to the hlq.PUBLISH.FRUIT profile by using the following RACF® commands:

    
    RDEFINE MXTOPIC hlq.PUBLISH.FRUIT UACC(NONE)
    PERMIT hlq.PUBLISH.FRUIT CLASS(MXTOPIC) ID(USER1) ACCESS(ALTER)
    
  • Other platforms:

    Grant access to USER1 to publish to topic Price/Fruit by granting the user publish access to the FRUIT profile. Do this by using the authorization command for the platform:

    Windows, UNIX and Linux® systems
    
    setmqaut -t topic -n FRUIT -p USER1 +pub
    
    IBM® i
    
    GRTMQAUT OBJ(FRUIT) OBJTYPE(*TOPIC) USER(USER1) AUT(*PUB)
    

Results

On z/OS, when USER1 attempts to publish to topic Price/Fruit the security check on the MQOPEN call passes.

When USER2 attempts to publish at topic Price/Fruit the result is failure with an MQRC_NOT_AUTHORIZED message, together with:
  • On z/OS, the following messages on the console, which show the full security path through the topic tree that has been attempted:
    
    ICH408I USER(USER2   ) ...
      hlq.PUBLISH.FRUIT ...
    
    ICH408I USER(USER2   ) ...
      hlq.PUBLISH.SYSTEM.BASE.TOPIC ...
    
  • On Windows, UNIX, and Linux platforms, the following authorization event:
    
    MQRC_NOT_AUTHORIZED
    ReasonQualifier	  MQRQ_OPEN_NOT_AUTHORIZED
    UserIdentifier	    USER2
    AdminTopicNames	  FRUIT, SYSTEM.BASE.TOPIC
    TopicString		   "Price/Fruit"
    
  • On IBM i, the following authorization event:
    
    MQRC_NOT_AUTHORIZED
    ReasonQualifier	  MQRQ_OPEN_NOT_AUTHORIZED
    UserIdentifier	    USER2
    AdminTopicNames	  FRUIT, SYSTEM.BASE.TOPIC
    TopicString		   "Price/Fruit"
    
Following the complete set of these tasks gives USER1 and USER2 the following access authorities for publish and subscribe to the topics listed:
Table 2. Complete list of access authorities resulting from security examples

| Topic | Subscribe access required | Publish access required | Topic object |
|---|---|---|---|
| Price | No user | No user | None |
| Price/Fruit | USER1 | USER1 | FRUIT |
| Price/Fruit/Apples | USER1 and USER2 | | APPLE |
| Price/Fruit/Oranges | USER1 | | ORANGE |
| Price/Vegetables | | USER1 | VEG |
| Price/Vegetables/Potatoes | | | |
| Price/Vegetables/Onions | | | |

Where you have different requirements for security access at different levels within the topic tree, careful planning ensures that you do not receive extraneous security warnings on the z/OS console log. Setting up security at the correct level within the tree avoids misleading security messages.
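
The following Python sketch is an added illustration, not IBM MQ code. It models the check walking from the nearest topic object up to SYSTEM.BASE.TOPIC, so you can see which objects are consulted before a request is allowed or rejected. The topic objects come from the tables above; the contents of `GRANTS` are an assumption inferred from Table 2 and the FRUIT grants in the procedure, and the function names are hypothetical.

```python
# Added illustration: a simplified model of the topic-tree authority check.
# ADMIN_NODES comes from the tables on this page; GRANTS is an assumption
# inferred from Table 2 and the FRUIT grants described in the procedure.
ADMIN_NODES = {
    "": "SYSTEM.BASE.TOPIC",           # root of the topic tree
    "Price/Fruit": "FRUIT",
    "Price/Fruit/Apples": "APPLE",
    "Price/Fruit/Oranges": "ORANGE",
    "Price/Vegetables": "VEG",
}
GRANTS = {
    ("FRUIT", "sub"): {"USER1"},
    ("FRUIT", "pub"): {"USER1"},
    ("APPLE", "sub"): {"USER2"},
    ("VEG", "pub"): {"USER1"},
}


def admin_path(topic_string):
    """Topic objects consulted for a topic string, nearest node first."""
    parts = topic_string.split("/") if topic_string else []
    path = []
    for depth in range(len(parts), -1, -1):
        name = ADMIN_NODES.get("/".join(parts[:depth]))
        if name:                       # levels with no topic object are skipped
            path.append(name)
    return path


def check(user, topic_string, authority):
    """Return (allowed, objects_checked); a grant at any level is enough."""
    checked = []
    for obj in admin_path(topic_string):
        checked.append(obj)
        if user in GRANTS.get((obj, authority), set()):
            return True, checked
    return False, checked


if __name__ == "__main__":
    for user, topic, auth in [
        ("USER1", "Price/Fruit", "pub"),
        ("USER2", "Price/Fruit", "pub"),
        ("USER1", "Price/Fruit/Apples", "sub"),
        ("USER1", "Price/Fruit/Apples", "pub"),
    ]:
        allowed, checked = check(user, topic, auth)
        print(f"{user} {auth} {topic!r}: {'ok' if allowed else 'MQRC_NOT_AUTHORIZED'} via {checked}")
```

For USER2 publishing to Price/Fruit, the objects checked are FRUIT and then SYSTEM.BASE.TOPIC, matching the AdminTopicNames in the authorization event above. The last case shows that the publish grant on FRUIT also applies to Price/Fruit/Apples, because authority granted at a node is inherited by the topics below it.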