Profiles for queue security
If queue security is active, you must define profiles in the appropriate classes and permit the necessary groups or user IDs access to these profiles. Queue security profiles are named after the queue manager or queue sharing group, and the queue to be opened.
- Define profiles in the MQQUEUE or GMQQUEUE classes if using uppercase profiles.
- Define profiles in the MXQUEUE or GMXQUEUE classes if using mixed case profiles.
- Permit the necessary groups or user IDs access to these profiles, so that they can issue IBM® MQ API requests that use queues.
hlq.queuename
where hlq can be either qmgr-name (queue manager name) or qsg-name (queue sharing group name), and queuename is the name of the queue being opened, as specified in the object descriptor on the MQOPEN or MQPUT1 call.
A profile prefixed by the queue manager name controls access to a single queue on that queue manager. A profile prefixed by the queue sharing group name controls access to one or more queues with that queue name on all queue managers within the queue sharing group, or access to a shared queue by any queue manager within the group. This access can be overridden on an individual queue manager by defining a queue manager level profile for that queue on that queue manager.
If your queue manager is a member of a queue sharing group and you are using both queue manager and queue sharing group level security, IBM MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue sharing group name.
If you are using shared queues, you are recommended to use queue sharing group level security.
For details of how queue security operates when the queue name is that of an alias or a model queue, see Considerations for alias queues and Considerations for model queues.
The RACF access required to open a queue depends on the MQOPEN or MQPUT1 options specified. If more than one of the MQOO_* and MQPMO_* options is coded, the queue security check is performed for the highest RACF authority required.
MQOPEN or MQPUT1 option | RACF access level required to hlq.queuename |
---|---|
MQOO_BROWSE | READ |
MQOO_INQUIRE | READ |
MQOO_BIND_* | UPDATE |
MQOO_INPUT_* | UPDATE |
MQOO_OUTPUT or MQPUT1 | UPDATE |
MQOO_PASS_ALL_CONTEXT MQPMO_PASS_ALL_CONTEXT | UPDATE |
MQOO_PASS_IDENTITY_CONTEXT MQPMO_PASS_IDENTITY_CONTEXT | UPDATE |
MQOO_SAVE_ALL_CONTEXT | UPDATE |
MQOO_SET_IDENTITY_CONTEXT MQPMO_SET_IDENTITY_CONTEXT | UPDATE |
MQOO_SET_ALL_CONTEXT MQPMO_SET_ALL_CONTEXT | UPDATE |
MQOO_SET | ALTER |
For example, the following RACF commands define a profile covering every queue on queue manager QM77 whose name begins with the qualifier PAY, with no universal access, and give members of the group PAYGRP UPDATE access to those queues:
RDEFINE MQQUEUE QM77.PAY.** UACC(NONE)
PERMIT QM77.PAY.** CLASS(MQQUEUE) ID(PAYGRP) ACCESS(UPDATE)
Suppose the same group also needs UPDATE access to the following queues on QM77, which the QM77.PAY.** profile does not cover:
REQUEST_QUEUE_FOR_PAYROLL
SALARY.INCREASE.SERVER
REPLIES.FROM.SALARY.MODEL
You can do this by defining profiles for these queues in the GMQQUEUE class and giving access to that class as follows:
RDEFINE GMQQUEUE PAYROLL.EXTRAS UACC(NONE)
ADDMEM(QM77.REQUEST_QUEUE_FOR_PAYROLL,
QM77.SALARY.INCREASE.SERVER,
QM77.REPLIES.FROM.SALARY.MODEL)
PERMIT PAYROLL.EXTRAS CLASS(GMQQUEUE) ID(PAYGRP) ACCESS(UPDATE)
- If the RACF access level that an application has to a queue security profile is changed, the change only takes effect for new object handles obtained (that is, new MQOPENs) for that queue. Handles already in existence at the time of the change retain their existing access to the queue. If an application must use its changed access level to the queue rather than its existing access level, it must close and reopen the queue for each object handle that requires the change.
- In the example, the queue manager name QM77 could also be the name of a queue sharing group.
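The rules above (profile lookup at queue manager level before queue sharing group level, the highest access required by any option coded on the call, and a GMQQUEUE grouping profile covering its members) are modelled in the following script. It is an added illustration for this page, not IBM MQ or RACF code; the profile matching and access-list evaluation are deliberate simplifications, and the queue manager QM78, queue sharing group QSG1, users USR1 and USR2, and the SAMPLE_PROFILES list are constructed for the example.

```python
"""Model of the queue-security check described above.

Added illustration for this page; it is not IBM MQ or RACF code.  It models
three rules from the text: the profile name is hlq.queuename, with a queue
manager level profile checked before a queue sharing group level one; the
access needed is the highest required by any MQOO_*/MQPMO_* option coded;
and a grouping-class profile (GMQQUEUE) covers the members added to it.
Simplifications, all assumptions: only a trailing '.**' generic is matched;
a user's own access-list entry wins over group entries, otherwise the highest
group entry applies, then UACC; a queue covered by no profile is denied.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# RACF access levels in increasing order of authority.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def _rank(level: str) -> int:
    return ACCESS_ORDER.index(level)


def access_for_option(option: str) -> str:
    """Access to hlq.queuename required by one MQOPEN/MQPUT1 option (table above)."""
    if option in ("MQOO_BROWSE", "MQOO_INQUIRE"):
        return "READ"
    if option == "MQOO_SET":
        return "ALTER"
    if option in ("MQOO_OUTPUT", "MQPUT1"):
        return "UPDATE"
    if option.startswith(("MQOO_BIND_", "MQOO_INPUT_")):
        return "UPDATE"
    if option.startswith(("MQOO_", "MQPMO_")) and option.endswith("_CONTEXT"):
        return "UPDATE"          # PASS/SET/SAVE *_CONTEXT options
    return "NONE"                # e.g. MQOO_FAIL_IF_QUIESCING: no queue check


def required_access(options) -> str:
    """Highest access level required across every option coded on the call."""
    return max((access_for_option(o) for o in options), key=_rank, default="NONE")


@dataclass
class Profile:
    name: str                                   # e.g. "QM77.PAY.**"
    uacc: str = "NONE"
    acl: dict[str, str] = field(default_factory=dict)   # PERMIT ID(...) ACCESS(...)
    members: tuple[str, ...] = ()               # ADDMEM(...) of a grouping profile

    def covers(self, resource: str) -> bool:
        if resource == self.name or resource in self.members:
            return True
        if self.name.endswith(".**"):           # simplified generic (assumption)
            stem = self.name[:-3]
            return resource == stem or resource.startswith(stem + ".")
        return False

    def access_for(self, user: str, groups) -> str:
        if user in self.acl:
            return self.acl[user]
        levels = [self.acl[g] for g in groups if g in self.acl]
        return max(levels, key=_rank) if levels else self.uacc


def find_profile(profiles, qmgr: str, qsg: str | None, queue: str) -> Profile | None:
    """Queue manager level profile first, then queue sharing group level."""
    for hlq in (qmgr, qsg):
        if not hlq:
            continue
        resource = f"{hlq}.{queue}"
        hits = [p for p in profiles if p.covers(resource)]
        if hits:   # exact/member match beats a generic; longer generic beats shorter
            return max(hits, key=lambda p: (not p.name.endswith(".**"), len(p.name)))
    return None


@dataclass
class Decision:
    allowed: bool
    required: str
    granted: str
    profile: str | None


def check_open(profiles, qmgr, qsg, queue, user, groups, options) -> Decision:
    required = required_access(options)
    prof = find_profile(profiles, qmgr, qsg, queue)
    if prof is None:                            # no covering profile: fail closed (assumption)
        return Decision(False, required, "NONE", None)
    granted = prof.access_for(user, groups)
    return Decision(_rank(granted) >= _rank(required), required, granted, prof.name)


# Constructed sample: the page's two profiles plus a queue sharing group level one.
SAMPLE_PROFILES = [
    Profile("QM77.PAY.**", acl={"PAYGRP": "UPDATE"}),
    Profile("QSG1.PAY.**", acl={"PAYGRP": "READ"}),
    Profile("PAYROLL.EXTRAS", acl={"PAYGRP": "UPDATE"},
            members=("QM77.REQUEST_QUEUE_FOR_PAYROLL",
                     "QM77.SALARY.INCREASE.SERVER",
                     "QM77.REPLIES.FROM.SALARY.MODEL")),
]

if __name__ == "__main__":
    for qmgr, queue, opts in [
        ("QM77", "PAY.SALARY", ["MQOO_OUTPUT"]),                    # qmgr profile: UPDATE
        ("QM78", "PAY.SALARY", ["MQOO_OUTPUT"]),                    # falls back to QSG1: READ
        ("QM77", "PAY.SALARY", ["MQOO_INPUT_SHARED", "MQOO_SET"]),  # MQOO_SET needs ALTER
        ("QM77", "REQUEST_QUEUE_FOR_PAYROLL", ["MQPUT1"]),          # grouping-profile member
    ]:
        print(qmgr, queue, opts,
              check_open(SAMPLE_PROFILES, qmgr, "QSG1", queue, "USR1", ["PAYGRP"], opts))
```

Run it to see that a queue manager level profile on QM77 wins over the queue sharing group profile, that QM78 (which has no queue manager level profile) falls back to QSG1.PAY.** and is limited to READ, and that a single MQOO_SET raises the whole call's requirement to ALTER.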
For an MQSUB call, the RACF access required to the destination queue is as follows:
MQSUB option | RACF access level required to hlq.queuename |
---|---|
MQSO_ALTER, MQSO_CREATE, and MQSO_RESUME | UPDATE |
- The hlq.queuename is the destination queue for publications. When this is a managed queue, you need access to the appropriate model queue to be used for the managed queue and to the dynamic queue that is created.
- You can use a technique like this for the destination queue you provide on an MQSUB API call if you want to distinguish between the users making the subscriptions and the users retrieving the publications from the destination queue.