Considerations for model queues
To open a model queue, you must be able to open both the model queue itself and the dynamic queue to which it resolves. Define generic RACF® profiles for dynamic queues, including dynamic queues used by IBM® MQ utilities.
- Are you authorized to access the model queue?
- Are you authorized to access the dynamic queue to which the model queue resolves?
If the dynamic queue name contains a trailing asterisk (*) character, this * is replaced by a character string generated by IBM MQ, to create a dynamic queue with a unique name. However, because the whole name, including this generated string, is used for checking authority, you should define generic profiles for these queues.
For example, an MQOPEN call uses a model queue name of CREDIT.CHECK.REPLY.MODEL and a dynamic queue name of CREDIT.REPLY.* on queue manager (or queue sharing group) MQSP.
RDEFINE MQQUEUE MQSP.CREDIT.CHECK.REPLY.MODEL
RDEFINE MQQUEUE MQSP.CREDIT.REPLY.**
You must also issue the corresponding RACF PERMIT commands to allow the user access to these profiles.
A typical dynamic queue name created by an MQOPEN is something like CREDIT.REPLY.A346EF00367849A0. The precise value of the last qualifier is unpredictable; this is why you should use generic profiles for such queue names.
SYSTEM.CSQUTIL.* (used by CSQUTIL)
SYSTEM.CSQOREXX.* (used by the operations and control panels)
SYSTEM.CSQXCMD.* (used by the channel initiator when processing CSQINPX)
CSQ4SAMP.* (used by the IBM MQ supplied samples)
You might also consider defining a profile to control use of the dynamic queue name used by
default in the application programming copy members. The IBM MQ-supplied copybooks contain a default
DynamicQName
, which is CSQ.*. This enables an appropriate
RACF profile to be established.