Profiles for context security
If context security is active, to control access to the message context information you must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles. The message context is contained within the message descriptor (MQMD).
Using profiles for context security
If context security is active, you must define profiles in one of the following classes:
- The MQADMIN class if using uppercase profiles.
- The MXADMIN class if using mixed-case profiles.
The profiles are:
hlq.CONTEXT.queuename
hlq.CONTEXT.topicname
where hlq can be either the queue manager name or the queue sharing group name, and queuename and topicname can be either the full or generic name of the queue or topic you want to define the context profile for.
A profile prefixed by the queue manager name, and with ** specified as the queue or topic name, allows control for context security on all queues and topics belonging to that queue manager. This can be overridden on an individual queue or topic by defining a specific profile for context on that queue or topic.
A profile prefixed by the queue sharing group name, and with ** specified as the queue or topic name, allows control for context on all queues and topics belonging to the queue managers within the queue sharing group. This can be overridden on an individual queue manager by defining a queue manager level profile for context on that queue manager, by specifying a profile prefixed by the queue manager name. It can also be overridden on an individual queue or topic by specifying a profile suffixed with the queue or topic name.
If your queue manager is a member of a queue sharing group and you are using both queue manager and queue sharing group level security, IBM® MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue sharing group name.
You must permit the necessary groups or user IDs access to this profile. The following table shows the access level required, depending on the specification of the context options when the queue is opened.
| MQOPEN or MQPUT1 option | RACF® access level required to hlq.CONTEXT.queuename or hlq.CONTEXT.topicname |
|---|---|
| MQPMO_NO_CONTEXT | No context security check |
| MQPMO_DEFAULT_CONTEXT | No context security check |
| MQOO_SAVE_ALL_CONTEXT | No context security check |
| MQOO_PASS_IDENTITY_CONTEXT, MQPMO_PASS_IDENTITY_CONTEXT | READ |
| MQOO_PASS_ALL_CONTEXT, MQPMO_PASS_ALL_CONTEXT | READ |
| MQOO_SET_IDENTITY_CONTEXT, MQPMO_SET_IDENTITY_CONTEXT | UPDATE |
| MQOO_SET_ALL_CONTEXT, MQPMO_SET_ALL_CONTEXT | CONTROL |
| MQOO_OUTPUT or MQPUT1 (USAGE(XMITQ)) | CONTROL |
| MQSUB option | |
| MQSO_SET_IDENTITY_CONTEXT (Note 2) | UPDATE |

Notes:
1. The user IDs used for distributed queuing require CONTROL access to hlq.CONTEXT.queuename to put messages on the destination queue. See User IDs used by the channel initiator for information about the user IDs used.
2. If, on the MQSUB request with the MQSO_CREATE or MQSO_ALTER options specified, you want to set any of the identity context fields in the MQSD structure, you must specify the MQSO_SET_IDENTITY_CONTEXT option. You also require the appropriate authority to the context profile for the destination queue.
If you put commands on the system-command input queue, use the default context put message option to associate the correct user ID with the command.
For example, the following RACF commands define a generic context profile covering all queues and topics on queue manager MQS1, and give the group BACKGRP CONTROL access to it:
```
RDEFINE MQADMIN MQS1.CONTEXT.** UACC(NONE)
PERMIT MQS1.CONTEXT.** CLASS(MQADMIN) ID(BACKGRP) ACCESS(CONTROL)
```
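To make the profile lookup order and the option-to-access-level mapping concrete, here is an added example (not IBM's code): a small Python model of the context security check. It assumes generic profiles of the hlq.CONTEXT.** form only, and the sample profiles and group names (MQS1, QSG1, BACKGRP, APPGRP, APP.REQUEST) are constructed for the example.

```python
# Added example, not IBM's code: a model of the context security check described
# above (profile resolution order and the access level each option needs). Only
# hlq.CONTEXT.** generics are modelled (assumption); RACF generics are richer.
RACF_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Access required per option, from the table above. Options with no context
# check default to NONE; the USAGE(XMITQ) row is queue-specific and not modelled.
REQUIRED_ACCESS = {
    "MQOO_PASS_IDENTITY_CONTEXT": "READ", "MQPMO_PASS_IDENTITY_CONTEXT": "READ",
    "MQOO_PASS_ALL_CONTEXT": "READ", "MQPMO_PASS_ALL_CONTEXT": "READ",
    "MQOO_SET_IDENTITY_CONTEXT": "UPDATE", "MQPMO_SET_IDENTITY_CONTEXT": "UPDATE",
    "MQSO_SET_IDENTITY_CONTEXT": "UPDATE",
    "MQOO_SET_ALL_CONTEXT": "CONTROL", "MQPMO_SET_ALL_CONTEXT": "CONTROL",
}

# Constructed sample data: what the RDEFINE/PERMIT example above creates, plus a
# queue-specific profile and a queue sharing group profile (ID -> access level).
SAMPLE_PROFILES = {
    "MQS1.CONTEXT.**": {"BACKGRP": "CONTROL"},
    "MQS1.CONTEXT.APP.REQUEST": {"APPGRP": "READ"},
    "QSG1.CONTEXT.**": {"APPGRP": "UPDATE"},
}

def resolve_profile(qmgr, qsg, name, profiles):
    """Profile governing context on `name`, or None. Queue manager prefixed
    profiles are checked before queue sharing group ones, and within a prefix
    a profile naming the queue or topic overrides the ** profile."""
    for hlq in (qmgr, qsg):
        if hlq is None:
            continue
        for candidate in (f"{hlq}.CONTEXT.{name}", f"{hlq}.CONTEXT.**"):
            if candidate in profiles:
                return candidate
    return None

def required_level(options):
    """Highest access level any of the MQOPEN/MQPUT1/MQSUB options requires."""
    levels = (REQUIRED_ACCESS.get(o, "NONE") for o in options)
    return max(levels, key=RACF_LEVELS.index, default="NONE")

def context_check(qmgr, qsg, name, options, uid, profiles=SAMPLE_PROFILES):
    """Return 'NO_CHECK', 'ALLOWED', 'DENIED' or 'NO_PROFILE' for this open."""
    need = required_level(options)
    if need == "NONE":
        return "NO_CHECK"
    profile = resolve_profile(qmgr, qsg, name, profiles)
    if profile is None:
        return "NO_PROFILE"
    have = profiles[profile].get(uid, "NONE")
    return "ALLOWED" if RACF_LEVELS.index(have) >= RACF_LEVELS.index(need) else "DENIED"
```

The 'NO_PROFILE' outcome is reported rather than decided because what RACF does when no matching profile exists depends on how the class is set up in your installation.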
System queue context security
Many of the system queues are accessed by the ancillary parts of IBM MQ, for example the channel initiator address space, and the mqweb server used by the IBM MQ Console and REST API.
The user IDs under which these run must be given RACF access to these queues, as shown in Table 2.
| SYSTEM queue | Channel initiator for distributed queuing | mqweb server |
|---|---|---|
| SYSTEM.ADMIN.COMMAND.QUEUE | - | CONTROL |
| SYSTEM.BROKER.CONTROL.QUEUE | CONTROL | - |
| SYSTEM.BROKER.INTER.BROKER.COMMUNICATIONS | CONTROL | - |
| SYSTEM.CHANNEL.SYNCQ | CONTROL | - |
| SYSTEM.CLUSTER.COMMAND.QUEUE | CONTROL | - |
| SYSTEM.CLUSTER.TRANSMIT.QUEUE | CONTROL | - |