[z/OS]

API-resource security access quick reference

A summary of the MQOPEN, MQPUT1, MQSUB, and MQCLOSE options and the access required by the different resource security types.

Table 1. MQOPEN, MQPUT1, MQSUB, and MQCLOSE options and the security authorization required. Callouts shown like this (1) refer to the notes following this table.
Minimum RACF® access level required:

| RACF class: | MXTOPIC | MQQUEUE or MXQUEUE (1) | MQADMIN or MXADMIN | MQADMIN or MXADMIN |
|---|---|---|---|---|
| RACF profile: | (15 or 16) | (2) | (3) | (4) |
| MQOPEN option | | | | |
| MQOO_INQUIRE | | READ (5) | No check | No check |
| MQOO_BROWSE | | READ | No check | No check |
| MQOO_INPUT_* | | UPDATE | No check | No check |
| MQOO_SAVE_ALL_CONTEXT (6) | | UPDATE | No check | No check |
| MQOO_OUTPUT (USAGE=NORMAL) (7) | | UPDATE | No check | No check |
| MQOO_PASS_IDENTITY_CONTEXT (8) | | UPDATE | READ | No check |
| MQOO_PASS_ALL_CONTEXT (8) (9) | | UPDATE | READ | No check |
| MQOO_SET_IDENTITY_CONTEXT (8) (9) | | UPDATE | UPDATE | No check |
| MQOO_SET_ALL_CONTEXT (8) (10) | | UPDATE | CONTROL | No check |
| MQOO_OUTPUT (USAGE(XMITQ)) (11) | | UPDATE | CONTROL | No check |
| MQOO_OUTPUT (topic object) | UPDATE (16) | | | |
| MQOO_OUTPUT (alias queue to topic object) | UPDATE (16) | UPDATE | | |
| MQOO_SET | | ALTER | No check | No check |
| MQOO_ALTERNATE_USER_AUTHORITY | | (12) | (12) | UPDATE |
| MQPUT1 option | | | | |
| Put on a normal queue (7) | | UPDATE | No check | No check |
| MQPMO_PASS_IDENTITY_CONTEXT | | UPDATE | READ | No check |
| MQPMO_PASS_ALL_CONTEXT | | UPDATE | READ | No check |
| MQPMO_SET_IDENTITY_CONTEXT | | UPDATE | UPDATE | No check |
| MQPMO_SET_ALL_CONTEXT | | UPDATE | CONTROL | No check |
| MQOO_OUTPUT: put on a transmission queue (11) | | UPDATE | CONTROL | No check |
| MQOO_OUTPUT (topic object) | UPDATE (16) | | | |
| MQOO_OUTPUT (alias queue to topic object) | UPDATE (16) | UPDATE | | |
| MQPMO_ALTERNATE_USER_AUTHORITY | | (13) | (13) | UPDATE |
| MQCLOSE option | | | | |
| MQCO_DELETE (14) | | ALTER | No check | No check |
| MQCO_DELETE_PURGE (14) | | ALTER | No check | No check |
| MQCO_REMOVE_SUB | ALTER (15) | | | |
| MQSUB option | | | | |
| MQSO_CREATE | ALTER (15) | (17) | (18) | |
| MQSO_ALTER | ALTER (15) | (17) | (18) | |
| MQSO_RESUME | READ (15) | (17) | No check | |
| MQSO_ALTERNATE_USER_AUTHORITY | | | | UPDATE |
| MQSO_SET_IDENTITY_CONTEXT | | | (18) | |

Note:
  1. This option is not restricted to queues. Use the MQNLIST or MXNLIST class for namelists, and the MQPROC or MXPROC class for processes.
  2. Use RACF profile: hlq.resourcename
  3. Use RACF profile: hlq.CONTEXT.queuename
  4. Use RACF profile: hlq.ALTERNATE.USER.alternateuserid

    alternateuserid is the user identifier that is specified in the AlternateUserId field of the object descriptor. Note that up to 12 characters of the AlternateUserId field are used for this check, unlike other checks where only the first 8 characters of a user identifier are used.

  5. No check is made when opening the queue manager for inquiries.
  6. MQOO_INPUT_* must be specified as well. This is valid for a local, model or alias queue.
  7. This check is done for a local or model queue that has a Usage queue attribute of MQUS_NORMAL, and also for an alias or remote queue (that is defined to the connected queue manager). If the queue is a remote queue that is opened specifying an ObjectQMgrName (not the name of the connected queue manager) explicitly, the check is carried out against the queue with the same name as ObjectQMgrName (which must be a local queue with a Usage queue attribute of MQUS_TRANSMISSION).
  8. MQOO_OUTPUT must be specified as well.
  9. MQOO_PASS_IDENTITY_CONTEXT is implied as well by this option.
  10. MQOO_PASS_IDENTITY_CONTEXT, MQOO_PASS_ALL_CONTEXT and MQOO_SET_IDENTITY_CONTEXT are implied as well by this option.
  11. This check is done for a local or model queue that has a Usage queue attribute of MQUS_TRANSMISSION, and is being opened directly for output. It does not apply if a remote queue is being opened.
  12. At least one of MQOO_INQUIRE, MQOO_BROWSE, MQOO_INPUT_*, MQOO_OUTPUT or MQOO_SET must be specified as well. The check carried out is the same as that for the other options specified.
  13. The check carried out is the same as that for the other options specified.
  14. This applies only for permanent dynamic queues that have been opened directly, that is, not opened through a model queue. No security is required to delete a temporary dynamic queue.
  15. Use RACF profile hlq.SUBSCRIBE.topicname.
  16. Use RACF profile hlq.PUBLISH.topicname.
  17. If on the MQSUB request you specified a destination queue for the publications to be sent to, then a security check is carried out against that queue to ensure that you have put authority to that queue.
  18. If on the MQSUB request, with MQSO_CREATE or MQSO_ALTER options specified, you want to set any of the identity context fields in the MQSD structure, you also need to specify the MQSO_SET_IDENTITY_CONTEXT option and you also need the appropriate authority to the context profile for the destination queue.
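The queue rows of the MQOPEN part of Table 1, combined with notes 4, 6, 8, 11 and 12, can be turned into a check that tells an administrator which RACF profiles and access levels one MQOPEN call needs. This is an added example, not IBM code; the function names, the `QM1` value used for hlq and the queue name are constructed, the uppercase class names are reported (MXQUEUE and MXADMIN are the alternatives listed in the table), and topic rows are not covered.

```python
# Added example: RACF checks implied by MQOPEN options on a queue, per Table 1.
LEVELS = ["READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access, weakest first
QUEUE_ACCESS = {  # option -> access to hlq.queuename (MQQUEUE or MXQUEUE)
    "MQOO_INQUIRE": "READ", "MQOO_BROWSE": "READ", "MQOO_INPUT_*": "UPDATE",
    "MQOO_SAVE_ALL_CONTEXT": "UPDATE", "MQOO_OUTPUT": "UPDATE",
    "MQOO_PASS_IDENTITY_CONTEXT": "UPDATE", "MQOO_PASS_ALL_CONTEXT": "UPDATE",
    "MQOO_SET_IDENTITY_CONTEXT": "UPDATE", "MQOO_SET_ALL_CONTEXT": "UPDATE",
    "MQOO_SET": "ALTER",
}
CONTEXT_ACCESS = {  # option -> access to hlq.CONTEXT.queuename (MQADMIN or MXADMIN)
    "MQOO_PASS_IDENTITY_CONTEXT": "READ", "MQOO_PASS_ALL_CONTEXT": "READ",
    "MQOO_SET_IDENTITY_CONTEXT": "UPDATE", "MQOO_SET_ALL_CONTEXT": "CONTROL",
}
ALT = "MQOO_ALTERNATE_USER_AUTHORITY"
BASE = {"MQOO_INQUIRE", "MQOO_BROWSE", "MQOO_INPUT_*", "MQOO_OUTPUT", "MQOO_SET"}

def highest(levels):
    """Strongest level in `levels`, or None when every entry was 'No check'."""
    return max(levels, key=LEVELS.index, default=None)

def required_checks(hlq, queue, options, xmitq=False, alt_user=None):
    """Return {(RACF class, profile): minimum access} for one MQOPEN of a queue."""
    opts = {"MQOO_INPUT_*" if o.startswith("MQOO_INPUT_") else o for o in options}
    unknown = opts - set(QUEUE_ACCESS) - {ALT}
    if unknown:
        raise ValueError(f"not a queue row of Table 1: {sorted(unknown)}")
    if opts & set(CONTEXT_ACCESS) and "MQOO_OUTPUT" not in opts:
        raise ValueError("note 8: MQOO_OUTPUT must be specified as well")
    if "MQOO_SAVE_ALL_CONTEXT" in opts and "MQOO_INPUT_*" not in opts:
        raise ValueError("note 6: MQOO_INPUT_* must be specified as well")
    if ALT in opts and not (opts & BASE and alt_user):
        raise ValueError("note 12: needs another open option and an AlternateUserId")
    checks = {}
    q = highest(QUEUE_ACCESS[o] for o in opts if o != ALT)
    if q:
        checks[("MQQUEUE", f"{hlq}.{queue}")] = q
    ctx = [CONTEXT_ACCESS[o] for o in opts if o in CONTEXT_ACCESS]
    if xmitq and "MQOO_OUTPUT" in opts:
        ctx.append("CONTROL")  # note 11: USAGE(XMITQ) queue opened directly for output
    if ctx:
        checks[("MQADMIN", f"{hlq}.CONTEXT.{queue}")] = highest(ctx)
    if ALT in opts:
        # note 4: up to 12 characters of AlternateUserId are used for this check
        checks[("MQADMIN", f"{hlq}.ALTERNATE.USER.{alt_user[:12]}")] = "UPDATE"
    return checks

if __name__ == "__main__":
    # Constructed names: hlq QM1, queue PAYROLL.REQUEST
    for key, level in required_checks("QM1", "PAYROLL.REQUEST",
            ["MQOO_OUTPUT", "MQOO_SET_IDENTITY_CONTEXT"]).items():
        print(*key, level)
```

Comparing the returned profiles with the access an application's user ID actually holds shows where a grant exceeds what its open options require, for example CONTROL on a context profile when the application only passes context.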