Grant another user access to subscribe to only the topic deeper within the tree
This topic is the third in a list of tasks that tell you how to grant more than one user access to subscribe to topics.
Before you begin
About this task
USER2 was refused access to topic Price/Fruit/Apples. This topic tells you how to grant access to that topic, but not to any other topics.
Topic | Subscribe access required | Topic object |
---|---|---|
Price | No user | None |
Price/Fruit | USER1 | FRUIT |
Price/Fruit/Apples | USER1 and USER2 | APPLE |
Price/Fruit/Oranges | USER1 | |
Define a new topic object as follows:
Procedure
Results
On z/OS, when USER1 attempts to subscribe to topic Price/Fruit/Apples the first security check on the hlq.SUBSCRIBE.APPLE profile fails, but on moving up the tree the hlq.SUBSCRIBE.FRUIT profile allows USER1 to subscribe, so the subscription succeeds and no return code is sent to the MQSUB call. However, a RACF ICH message is generated for the first check:
ICH408I USER(USER1 ) ...
hlq.SUBSCRIBE.APPLE ...
When USER2 attempts to subscribe to topic Price/Fruit/Apples the result is success because the security check passes on the first profile.
When USER2 attempts to subscribe to topic Price/Fruit/Oranges the result is failure with an MQRC_NOT_AUTHORIZED message, together with:
- On z/OS, the following messages seen on the console, which show the full security path through the topic tree that has been attempted:
  ICH408I USER(USER2 ) ... hlq.SUBSCRIBE.FRUIT ...
  ICH408I USER(USER2 ) ... hlq.SUBSCRIBE.SYSTEM.BASE.TOPIC ...
- On AIX, Linux, and Windows platforms, the following authorization event:
  MQRC_NOT_AUTHORIZED
  ReasonQualifier MQRQ_SUB_NOT_AUTHORIZED
  UserIdentifier USER2
  AdminTopicNames FRUIT, SYSTEM.BASE.TOPIC
  TopicString "Price/Fruit/Oranges"
- On IBM i, the following authorization event:
  MQRC_NOT_AUTHORIZED
  ReasonQualifier MQRQ_SUB_NOT_AUTHORIZED
  UserIdentifier USER2
  AdminTopicNames FRUIT, SYSTEM.BASE.TOPIC
  TopicString "Price/Fruit/Oranges"
The disadvantage of this setup is that, on z/OS, you receive additional ICH messages on the console. You can avoid this if you secure the topic tree in a different manner.
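The tree walk described in the results above can be modelled to predict, for a given layout, both the outcome of a subscribe request and which profiles record a failed check on the way up. This is an added example, not IBM MQ code: the access sets are constructed from the table and results on this page, `hlq` is the page's own placeholder, and the function names are hypothetical.

```python
# Added example: a model of the subscribe check walking up the topic tree.
# Data below is constructed from this page's table and results.
ROOT_OBJECT = "SYSTEM.BASE.TOPIC"

# Topic string -> administrative topic object defined at that node.
TOPIC_OBJECTS = {
    "Price/Fruit": "FRUIT",
    "Price/Fruit/Apples": "APPLE",
}

# Topic object -> users granted subscribe access on that object.
SUBSCRIBE_ACCESS = {
    "FRUIT": {"USER1"},
    "APPLE": {"USER2"},
    ROOT_OBJECT: set(),
}


def admin_path(topic_string):
    """Topic objects from the closest node up to the root of the tree."""
    parts = topic_string.split("/")
    path = []
    for depth in range(len(parts), 0, -1):
        obj = TOPIC_OBJECTS.get("/".join(parts[:depth]))
        if obj:
            path.append(obj)
    path.append(ROOT_OBJECT)
    return path


def check_subscribe(user, topic_string):
    """Return (allowed, refused): refused lists each object whose check failed."""
    refused = []
    for obj in admin_path(topic_string):
        if user in SUBSCRIBE_ACCESS.get(obj, set()):
            return True, refused
        refused.append(obj)
    return False, refused


def zos_profiles(refused):
    """Profile names that would appear in ICH408I messages on z/OS."""
    return [f"hlq.SUBSCRIBE.{obj}" for obj in refused]


if __name__ == "__main__":
    for user, topic in [("USER1", "Price/Fruit/Apples"),
                        ("USER2", "Price/Fruit/Apples"),
                        ("USER2", "Price/Fruit/Oranges")]:
        allowed, refused = check_subscribe(user, topic)
        print(user, topic, "allowed" if allowed else "MQRC_NOT_AUTHORIZED",
              zos_profiles(refused))
```

A non-empty `refused` list alongside an allowed result is the case that produces the extra console messages for a subscription that succeeds.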