[z/OS]

Profiles for context security

If context security is active, to control access to the message context information you must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles. The message context is contained within the message descriptor (MQMD).

Using profiles for context security

If context security is active, to permit users to access context information for messages on a particular queue, or when publishing to a particular topic, you must define a profile in one of the following classes:
  • The MQADMIN class if using uppercase profiles.
  • The MXADMIN class if using mixed-case profiles.
Profiles for context security can be specified at subsystem level or at queue sharing group level and take the following form:
hlq.CONTEXT.queuename
hlq.CONTEXT.topicname
where hlq can be either the queue manager name or the queue sharing group name, and queuename and topicname can be either the full or generic name of the queue or topic you want to define the context profile for.

A profile prefixed by the queue manager name, and with ** specified as the queue or topic name, allows control for context security on all queues and topics belonging to that queue manager. This can be overridden on an individual queue or topic by defining a specific profile for context on that queue or topic.

A profile prefixed by the queue sharing group name, and with ** specified as the queue or topic name, allows control for context on all queues and topics belonging to the queue managers within the queue sharing group. This can be overridden on an individual queue manager by defining a queue manager level profile for context on that queue manager, by specifying a profile prefixed by the queue manager name. It can also be overridden on an individual queue or topic by specifying a profile suffixed with the queue or topic name.

If your queue manager is a member of a queue sharing group and you are using both queue manager and queue sharing group level security, IBM® MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue sharing group name.

You must permit the necessary groups or user IDs access to this profile. The following table shows the access level required, depending on the specification of the context options when the queue is opened.

Table 1. Access levels for context security

| MQOPEN or MQPUT1 option | RACF® access level required to hlq.CONTEXT.queuename or hlq.CONTEXT.topicname |
|---|---|
| MQPMO_NO_CONTEXT | No context security check |
| MQPMO_DEFAULT_CONTEXT | No context security check |
| MQOO_SAVE_ALL_CONTEXT | No context security check |
| MQOO_PASS_IDENTITY_CONTEXT, MQPMO_PASS_IDENTITY_CONTEXT | READ |
| MQOO_PASS_ALL_CONTEXT, MQPMO_PASS_ALL_CONTEXT | READ |
| MQOO_SET_IDENTITY_CONTEXT, MQPMO_SET_IDENTITY_CONTEXT | UPDATE |
| MQOO_SET_ALL_CONTEXT, MQPMO_SET_ALL_CONTEXT | CONTROL |
| MQOO_OUTPUT or MQPUT1 (USAGE(XMITQ)) | CONTROL |
| MQSUB option | |
| MQSO_SET_IDENTITY_CONTEXT (Note 2) | UPDATE |
Note:
  1. The user IDs used for distributed queuing require CONTROL access to hlq.CONTEXT.queuename to put messages on the destination queue. See User IDs used by the channel initiator for information about the user IDs used.
  2. If, on an MQSUB request with the MQSO_CREATE or MQSO_ALTER options specified, you want to set any of the identity context fields in the MQSD structure, you must specify the MQSO_SET_IDENTITY_CONTEXT option. You also require the appropriate authority to the context profile for the destination queue.

If you put commands on the system-command input queue, use the default context put message option to associate the correct user ID with the command.

For example, the IBM MQ-supplied utility program CSQUTIL can be used to offload and reload messages in queues. When offloaded messages are restored to a queue, the CSQUTIL utility uses the MQOO_SET_ALL_CONTEXT option to return the messages to their original state. In addition to the queue security required by this open option, context authority is also required. For example, if this authority is required by the group BACKGRP on queue manager MQS1, this would be defined by:

RDEFINE MQADMIN MQS1.CONTEXT.** UACC(NONE)
PERMIT MQS1.CONTEXT.** CLASS(MQADMIN) ID(BACKGRP) ACCESS(CONTROL)

Depending on the options specified, and the types of security performed, other types of security checks might also occur when the queue is opened. These include queue security (see Profiles for queue security) and alternate user security (see Profiles for alternate user security). For a summary table showing the open options and the security checks required when queue, context and alternate user security are all active, see Table 1.
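The following is an added illustration, not IBM code: a small model of how the profile lookup described above (queue manager level before queue sharing group level, a specific profile overriding a `**` profile) combines with the access levels in Table 1. The profile, group and queue names are constructed, mirroring the BACKGRP example; the `**` matcher is a simplification of RACF generic rules, and treating "no profile found" as denied is an assumption of this model.

```python
# Added example (not IBM MQ or RACF code): models the context-security
# profile lookup and access check described on this page.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access hierarchy

# Access level required per option, taken from Table 1 (None = no context check).
REQUIRED_ACCESS = {
    "MQPMO_NO_CONTEXT": None, "MQPMO_DEFAULT_CONTEXT": None, "MQOO_SAVE_ALL_CONTEXT": None,
    "MQOO_PASS_IDENTITY_CONTEXT": "READ", "MQOO_PASS_ALL_CONTEXT": "READ",
    "MQOO_SET_IDENTITY_CONTEXT": "UPDATE", "MQOO_SET_ALL_CONTEXT": "CONTROL",
    "MQSO_SET_IDENTITY_CONTEXT": "UPDATE",
}

def profile_matches(profile, resource):
    """Simplified generic matching (assumption): exact name, or '**' matching any remainder."""
    if profile.endswith("**"):
        return resource.startswith(profile[:-2])
    return profile == resource

def find_profile(profiles, qmgr, qsg, name):
    """Queue manager level is searched first, then QSG level; within a level a
    specific profile overrides a generic '**' profile."""
    for hlq in (qmgr, qsg):
        if hlq is None:
            continue
        matches = [p for p in profiles if profile_matches(p, f"{hlq}.CONTEXT.{name}")]
        if matches:
            return min(matches, key=lambda p: p.endswith("**"))  # specific before generic
    return None

def context_check(profiles, permits, qmgr, qsg, name, option, groups):
    """Return (allowed, governing_profile). profiles: {profile: UACC};
    permits: {(profile, group_id): access}."""
    required = REQUIRED_ACCESS[option]
    if required is None:
        return True, None                      # option needs no context check
    profile = find_profile(profiles, qmgr, qsg, name)
    if profile is None:
        return False, None                     # assumption: no profile -> denied
    granted = profiles[profile]                # start from UACC, raise via PERMITs
    for gid in groups:
        granted = max(granted, permits.get((profile, gid), "NONE"), key=ACCESS_ORDER.index)
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(required), profile

# Constructed sample: the RDEFINE/PERMIT pair from the text, a queue-specific
# profile with no PERMIT, and a read-only grant at queue sharing group level.
SAMPLE_PROFILES = {"MQS1.CONTEXT.**": "NONE", "MQS1.CONTEXT.PAYROLL.Q": "NONE",
                   "QSG1.CONTEXT.**": "NONE"}
SAMPLE_PERMITS = {("MQS1.CONTEXT.**", "BACKGRP"): "CONTROL",
                  ("QSG1.CONTEXT.**", "BACKGRP"): "READ"}
```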

System queue context security

Many of the system queues are accessed by the ancillary parts of IBM MQ, for example the channel initiator address space, and the mqweb server used by the IBM MQ Console and REST API.

The user IDs under which these components run must be given RACF access to these queues, as shown in Table 2.

Table 2. Access required to the SYSTEM queues for context operations

| SYSTEM queue | Channel initiator for distributed queuing | mqweb server |
|---|---|---|
| SYSTEM.ADMIN.COMMAND.QUEUE | - | CONTROL |
| SYSTEM.BROKER.CONTROL.QUEUE | CONTROL | - |
| SYSTEM.BROKER.INTER.BROKER.COMMUNICATIONS | CONTROL | - |
| SYSTEM.CHANNEL.SYNCQ | CONTROL | - |
| SYSTEM.CLUSTER.COMMAND.QUEUE | CONTROL | - |
| SYSTEM.CLUSTER.TRANSMIT.QUEUE | CONTROL | - |