RACF profiles
All RACF® profiles used by IBM® MQ contain a prefix, which is either the queue manager name or the queue sharing group name. Be careful when you use the percent sign as a wildcard.
All RACF profiles used by IBM MQ contain a prefix. For queue sharing group level security, this is the queue sharing group name. For queue manager level security, the prefix is the queue manager name. If you are using a mixture of queue manager and queue sharing group level security, you will use profiles with both types of prefix. Queue sharing group and queue manager level security are described in Security controls and options in IBM MQ for z/OS®.
RDEFINE MQQUEUE QSG1.QUEUE_FOR_SUBSCRIBER_LIST
RDEFINE MQQUEUE STCD.QUEUE_FOR_LOST_CARD_LIST
This means that different queue managers and queue sharing groups can share the same RACF database and yet have different security options.
To avoid unanticipated user access, do not use generic queue manager names in profiles.
IBM MQ allows the use of the percent sign (%) in object names. However, RACF uses the % character as a single-character wildcard. This means that when you define an object name with a % character in its name, you must consider this when you define the corresponding profile.
RDEFINE MQQUEUE CRDP.CREDIT_CARD_%_RATE_INQUIRY
This queue cannot be protected by a generic profile such as CRDP.**.
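An added example, not IBM's code: a Python audit that models only the % single-character match described above, flagging queue names that contain % and listing which other queues the resulting profile would also cover. The queue inventory is constructed, and treating % as never matching a period is an assumption of this example.

```python
import re


def percent_profile_to_regex(profile):
    """Translate a profile whose only generic character is % into a regex."""
    if "*" in profile:
        raise ValueError("only the % generic character is modelled here")
    parts = []
    for ch in profile:
        # Assumption: % stands for exactly one character other than a period.
        parts.append("[^.]" if ch == "%" else re.escape(ch))
    return re.compile("".join(parts))


def audit_percent_names(prefix, queue_names):
    """For each queue name containing %, list the other queues its profile covers."""
    findings = {}
    for name in queue_names:
        if "%" not in name:
            continue
        pattern = percent_profile_to_regex(prefix + "." + name)
        findings[name] = [
            other for other in queue_names
            if other != name and pattern.fullmatch(prefix + "." + other)
        ]
    return findings


# Constructed inventory: only the first name comes from the page's example.
SAMPLE_QUEUES = [
    "CREDIT_CARD_%_RATE_INQUIRY",
    "CREDIT_CARD_A_RATE_INQUIRY",   # one character where % sits: covered
    "CREDIT_CARD_AB_RATE_INQUIRY",  # two characters: not covered
    "CREDIT_CARD_RATE_INQUIRY",     # no character: not covered
    "QUEUE_FOR_LOST_CARD_LIST",
]

if __name__ == "__main__":
    for name, covered in audit_percent_names("CRDP", SAMPLE_QUEUES).items():
        print("CRDP." + name, "also covers:", covered or "nothing else here")
```

Any queue reported under "also covers" would be governed by the access list of the profile defined for the % queue, which is the side effect to review before defining it.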
- Mixed-case profiles in the appropriate mixed-case RACF classes, or
- Generic profiles in the appropriate uppercase RACF classes.
To use mixed-case profiles and mixed-case RACF classes you must follow the steps described in Migrating a z/OS queue manager to mixed-case security.
- Switch profiles.
- All high-level qualifiers (HLQ) including subsystem and queue sharing group identifiers.
- Profiles for SYSTEM objects.
- Profiles for Default objects.
- The MQCMDS class, so all command profiles are uppercase only.
- The MQCONN class, so all connection profiles are uppercase only.
- RESLEVEL profiles.
- The 'object' qualification in command resource profiles; for example, hlq.QUEUE.queuename. The resource name only is mixed case.
- Dynamic queue profiles hlq.CSQOREXX.*, hlq.CSQUTIL.*, and CSQXCMD.*.
- The 'CONTEXT' part of hlq.CONTEXT.resourcename.
- The 'ALTERNATE.USER' part of hlq.ALTERNATE.USER.userid.
PAYROLL.Dept1 on queue manager QM01 in one of the following ways.
- If you are using mixed-case profiles, you can define a profile in the IBM MQ RACF class MXQUEUE using the following command:
  RDEFINE MXQUEUE MQ01.PAYROLL.Dept1
- If you are using uppercase profiles, you can define a profile in the IBM MQ RACF class MQQUEUE using the following command:
  RDEFINE MQQUEUE MQ01.PAYROLL.*