Grant another user access to subscribe to only the topic deeper within the tree

This topic is the third in a series of tasks that describe how to grant more than one user access to subscribe to topics in a topic tree.

Before you begin

This topic uses the setup described in Grant access to a user to subscribe to a topic deeper within the tree.

About this task

In the previous task USER2 was refused access to topic Price/Fruit/Apples. This topic tells you how to grant USER2 access to that topic only, and not to any other topic in the tree.
Figure 1. Granting access to specific topics within a topic tree
Diagram of the topic tree: topic object FRUIT is defined at topic string Price/Fruit, which has the child topics Price/Fruit/Apples and Price/Fruit/Oranges. A second topic object, APPLE, is defined at Price/Fruit/Apples.
Table 1. Access requirements for example topics and topic objects

  Topic                 Subscribe access required   Topic object
  Price                 No user                     None
  Price/Fruit           USER1                       FRUIT
  Price/Fruit/Apples    USER1 and USER2             APPLE
  Price/Fruit/Oranges   USER1                       None (access is resolved through FRUIT)

Define a new topic object as follows:

Procedure

  1. Issue the MQSC command DEF TOPIC(APPLE) TOPICSTR('Price/Fruit/Apples').
  2. Grant access as follows:
    • [z/OS] z/OS:

      In the previous task USER1 was granted access to subscribe to topic Price/Fruit/Apples by granting the user access to the hlq.SUBSCRIBE.FRUIT profile.

      This single profile also granted USER1 access to subscribe to Price/Fruit/Oranges and Price/Fruit/#, and this access remains even with the addition of the new topic object and the profiles associated with it.

      Grant access to USER2 to subscribe to topic Price/Fruit/Apples by granting the user access to the hlq.SUBSCRIBE.APPLE profile. Do this, using the following RACF® commands:

      
      RDEFINE MXTOPIC hlq.SUBSCRIBE.APPLE UACC(NONE)
      PERMIT hlq.SUBSCRIBE.APPLE CLASS(MXTOPIC) ID(USER2) ACCESS(ALTER)
      
    • Other platforms:

      In the previous task USER1 was granted access to subscribe to topic Price/Fruit/Apples by granting the user subscribe access to the FRUIT profile.

      This single profile also granted USER1 access to subscribe to Price/Fruit/Oranges and Price/Fruit/#, and this access remains even with the addition of the new topic object and the profiles associated with it.

      Grant access to USER2 to subscribe to topic Price/Fruit/Apples by granting the user subscribe access to the APPLE profile. Do this, using the authorization command for the platform:

      [AIX, Linux, Windows]AIX®, Linux®, and Windows systems
      
      setmqaut -t topic -n APPLE -p USER2 +sub
      
      [IBM i]IBM® i
      
      GRTMQAUT OBJ(APPLE) OBJTYPE(*TOPIC) USER(USER2) AUT(*SUB)
      

Results

On z/OS, when USER1 attempts to subscribe to topic Price/Fruit/Apples, the first security check, on the hlq.SUBSCRIBE.APPLE profile, fails. The check then moves up the tree to the hlq.SUBSCRIBE.FRUIT profile, which allows USER1 to subscribe, so the subscription succeeds and the MQSUB call completes without an error reason code. However, RACF generates an ICH408I message for the failed first check:

ICH408I USER(USER1   ) ...
  hlq.SUBSCRIBE.APPLE ...

When USER2 attempts to subscribe to topic Price/Fruit/Apples the subscription succeeds, because the security check passes on the first profile, hlq.SUBSCRIBE.APPLE.

When USER2 attempts to subscribe to topic Price/Fruit/Oranges the subscription fails with reason code MQRC_NOT_AUTHORIZED, together with:
  • [z/OS]On z/OS, the following console messages, which show the full path through the topic tree that the security check attempted:
    
    ICH408I USER(USER2   ) ...
      hlq.SUBSCRIBE.FRUIT ...
    
    ICH408I USER(USER2   ) ...
      hlq.SUBSCRIBE.SYSTEM.BASE.TOPIC ...
    
  • [AIX, Linux, Windows]On AIX, Linux, and Windows platforms, the following authorization event:
    
    MQRC_NOT_AUTHORIZED
    ReasonQualifier    MQRQ_SUB_NOT_AUTHORIZED
    UserIdentifier     USER2
    AdminTopicNames    FRUIT, SYSTEM.BASE.TOPIC
    TopicString        "Price/Fruit/Oranges"
    
  • [IBM i]On IBM i, the following authorization event:
    
    MQRC_NOT_AUTHORIZED
    ReasonQualifier    MQRQ_SUB_NOT_AUTHORIZED
    UserIdentifier     USER2
    AdminTopicNames    FRUIT, SYSTEM.BASE.TOPIC
    TopicString        "Price/Fruit/Oranges"
    

The disadvantage of this setup is that, on z/OS, you receive an additional ICH408I message on the console every time USER1 subscribes to Price/Fruit/Apples, because the check on hlq.SUBSCRIBE.APPLE fails before the check on hlq.SUBSCRIBE.FRUIT succeeds. You can avoid this by securing the topic tree in a different manner.
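The results above follow from a single rule: the subscribe check starts at the administrative topic object nearest the requested topic string and walks towards the root, stopping at the first object that grants access; if it reaches SYSTEM.BASE.TOPIC without a grant, the subscription fails and every object consulted is reported. The following Python model is an added illustration of that walk over the page's own setup (topic objects FRUIT and APPLE, users USER1 and USER2). It is not IBM MQ code and not the OAM or RACF implementation; the data structures, the function names and the simplification that wildcard topic strings such as Price/Fruit/# are not modelled are all assumptions of this example.

```python
"""Model of how a subscribe request is authorized through a topic tree.

Constructed example, not IBM MQ code. It reproduces only the rule the
documentation describes: check the topic object closest to the topic string,
then each topic object above it, until one grants access; otherwise fail with
MQRC_NOT_AUTHORIZED and report every topic object that was consulted.
"""
from dataclasses import dataclass


@dataclass
class Result:
    authorized: bool
    admin_topic_names: list   # topic objects consulted, in the order checked
    failed_checks: list       # objects that refused (one ICH408I each on z/OS)


# Administrative topic objects from the page's setup: object name -> topic string.
# SYSTEM.BASE.TOPIC is the root object that every queue manager has.
TOPIC_OBJECTS = {
    "SYSTEM.BASE.TOPIC": "",
    "FRUIT": "Price/Fruit",
    "APPLE": "Price/Fruit/Apples",
}

# Subscribe authority granted in the procedure: object name -> user IDs
# (setmqaut +sub / GRTMQAUT AUT(*SUB) / RACF ACCESS(ALTER) on hlq.SUBSCRIBE.<obj>).
SUBSCRIBE_AUTH = {
    "FRUIT": {"USER1"},
    "APPLE": {"USER2"},
}


def objects_on_path(topic_string, topic_objects=TOPIC_OBJECTS):
    """Topic object names from the deepest node matching the topic string up to the root."""
    by_string = {s: name for name, s in topic_objects.items()}
    parts = topic_string.split("/")
    names = []
    for depth in range(len(parts), -1, -1):
        node = "/".join(parts[:depth])        # "" is the root node
        if node in by_string:
            names.append(by_string[node])
    return names


def check_subscribe(user, topic_string, auth=SUBSCRIBE_AUTH,
                    topic_objects=TOPIC_OBJECTS):
    """Walk up the tree; first grant wins, otherwise MQRC_NOT_AUTHORIZED."""
    consulted, failed = [], []
    for obj in objects_on_path(topic_string, topic_objects):
        consulted.append(obj)
        if user in auth.get(obj, set()):
            return Result(True, consulted, failed)
        failed.append(obj)
    return Result(False, consulted, failed)


def racf_failed_profiles(result, hlq="hlq"):
    """Profile names that would appear in ICH408I messages for the failed checks."""
    return [f"{hlq}.SUBSCRIBE.{obj}" for obj in result.failed_checks]


if __name__ == "__main__":
    for user, topic in [("USER1", "Price/Fruit/Apples"),
                        ("USER2", "Price/Fruit/Apples"),
                        ("USER2", "Price/Fruit/Oranges")]:
        r = check_subscribe(user, topic)
        print(user, topic, "authorized" if r.authorized else "MQRC_NOT_AUTHORIZED",
              "AdminTopicNames:", ", ".join(r.admin_topic_names),
              "ICH408I for:", racf_failed_profiles(r))
```

Running the model reproduces the three outcomes in the Results section: USER1 on Price/Fruit/Apples is refused at APPLE and then allowed at FRUIT (one ICH408I for hlq.SUBSCRIBE.APPLE, subscription succeeds), USER2 on Price/Fruit/Apples passes on the first check, and USER2 on Price/Fruit/Oranges is refused at both FRUIT and SYSTEM.BASE.TOPIC, which is exactly the AdminTopicNames list in the authorization event.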