Grant access for publish and subscribe
This topic is the last in a list of tasks that tells you how to grant access to publish and subscribe to topics by more than one user.
Before you begin
About this task
USER1 was given access to subscribe to the topic Price/Fruit. This topic tells you how to grant access to that user to publish to that topic.
Topic | Subscribe access required | Publish access required | Topic object |
---|---|---|---|
Price | No user | No user | None |
Price/Fruit | USER1 | USER1 | FRUIT |
Price/Fruit/Apples | USER1 and USER2 | | APPLE |
Price/Fruit/Oranges | USER1 | | ORANGE |
Procedure
- z/OS®:
  In an earlier task, USER1 was granted access to subscribe to topic Price/Fruit by granting the user access to the hlq.SUBSCRIBE.FRUIT profile.
  In order to publish to the Price/Fruit topic, grant access to USER1 to the hlq.PUBLISH.FRUIT profile. Do this, using the following RACF® commands:
  RDEFINE MXTOPIC hlq.PUBLISH.FRUIT UACC(NONE)
  PERMIT hlq.PUBLISH.FRUIT CLASS(MXTOPIC) ID(USER1) ACCESS(ALTER)
- Other platforms:
  Grant access to USER1 to publish to topic Price/Fruit by granting the user publish access to the FRUIT profile. Do this, using the authorization command for the platform:
  - AIX®, Linux®, and Windows systems
    setmqaut -t topic -n FRUIT -p USER1 +pub
  - IBM® i
    GRTMQAUT OBJ(FRUIT) OBJTYPE(*TOPIC) USER(USER1) AUT(*PUB)
Results
On z/OS, when USER1 attempts to publish to topic Price/Fruit, the security check on the MQOPEN call passes.
When USER2 attempts to publish at topic Price/Fruit, the result is failure with an MQRC_NOT_AUTHORIZED message, together with:
- On z/OS, the following messages seen on the console that show the full security path through the topic tree that has been attempted:
  ICH408I USER(USER2 ) ... hlq.PUBLISH.FRUIT ...
  ICH408I USER(USER2 ) ... hlq.PUBLISH.SYSTEM.BASE.TOPIC ...
- On AIX, Linux, and Windows platforms, the following authorization event:
  MQRC_NOT_AUTHORIZED
  ReasonQualifier MQRQ_OPEN_NOT_AUTHORIZED
  UserIdentifier USER2
  AdminTopicNames FRUIT, SYSTEM.BASE.TOPIC
  TopicString "Price/Fruit"
- On IBM i, the following authorization event:
  MQRC_NOT_AUTHORIZED
  ReasonQualifier MQRQ_OPEN_NOT_AUTHORIZED
  UserIdentifier USER2
  AdminTopicNames FRUIT, SYSTEM.BASE.TOPIC
  TopicString "Price/Fruit"
This set of tasks gives USER1 and USER2 the following access authorities for publish and subscribe to the topics listed:
Topic | Subscribe access required | Publish access required | Topic object |
---|---|---|---|
Price | No user | No user | None |
Price/Fruit | USER1 | USER1 | FRUIT |
Price/Fruit/Apples | USER1 and USER2 | | APPLE |
Price/Fruit/Oranges | USER1 | | ORANGE |
Price/Vegetables | USER1 | | VEG |
Price/Vegetables/Potatoes | | | |
Price/Vegetables/Onions | | | |
Where you have different requirements for security access at different levels within the topic tree, careful planning ensures that you do not receive extraneous security warnings on the z/OS console log. Setting up security at the correct level within the tree avoids misleading security messages.
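The security path reported in the Results section (FRUIT, then SYSTEM.BASE.TOPIC) can be reproduced with a small model of the topic-tree walk. This is an added example, not IBM MQ code: the function names are hypothetical, the USER2 subscribe grant on APPLE is assumed from the table's subscribe column, and the walk stopping at the first grant is a modeling assumption.

```python
"""Illustrative model of the topic-tree authority walk (not IBM MQ code)."""

ROOT = "SYSTEM.BASE.TOPIC"

# Topic string -> topic object, taken from the page's table.
TOPIC_OBJECTS = {"Price/Fruit": "FRUIT", "Price/Fruit/Apples": "APPLE"}

# (topic object, user) -> granted authorities.
# USER1 on FRUIT comes from the page; USER2 "sub" on APPLE is an assumption
# derived from the table's subscribe column.
GRANTS = {
    ("FRUIT", "USER1"): {"sub", "pub"},
    ("APPLE", "USER2"): {"sub"},
}


def security_path(topic_string):
    """Topic objects consulted for a topic string, nearest node first."""
    parts = topic_string.split("/")
    path = []
    for depth in range(len(parts), 0, -1):
        obj = TOPIC_OBJECTS.get("/".join(parts[:depth]))
        if obj:
            path.append(obj)
    path.append(ROOT)  # every walk ends at the root of the topic tree
    return path


def check(user, topic_string, authority):
    """Return (allowed, objects_checked); the walk stops at the first grant."""
    checked = []
    for obj in security_path(topic_string):
        checked.append(obj)
        if authority in GRANTS.get((obj, user), set()):
            return True, checked
    return False, checked


def users_with(topic_string, authority):
    """Users whose effective access to the topic includes the authority."""
    users = {user for (_, user) in GRANTS}
    return sorted(u for u in users if check(u, topic_string, authority)[0])


if __name__ == "__main__":
    for user in ("USER1", "USER2"):
        print(user, "pub Price/Fruit ->", check(user, "Price/Fruit", "pub"))
    print("sub Price/Fruit/Apples ->", users_with("Price/Fruit/Apples", "sub"))
```

A denied request lists every object up to the root, which is why a grant placed at the wrong level produces one console message per node on z/OS.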