API-resource security access quick reference
A summary of the MQOPEN, MQPUT1, MQSUB, and MQCLOSE options and the access required by the different resource security types.
Minimum RACF® access level required | | | | |
---|---|---|---|---|
RACF class: | MXTOPIC | MQQUEUE or MXQUEUE (1) | MQADMIN or MXADMIN | MQADMIN or MXADMIN |
RACF profile: | (15 or 16) | (2) | (3) | (4) |
MQOPEN option | | | | |
MQOO_INQUIRE | | READ (5) | No check | No check |
MQOO_BROWSE | | READ | No check | No check |
MQOO_INPUT_* | | UPDATE | No check | No check |
MQOO_SAVE_ALL_CONTEXT (6) | | UPDATE | No check | No check |
MQOO_OUTPUT (USAGE=NORMAL) (7) | | UPDATE | No check | No check |
MQOO_PASS_IDENTITY_CONTEXT (8) | | UPDATE | READ | No check |
MQOO_PASS_ALL_CONTEXT (8) (9) | | UPDATE | READ | No check |
MQOO_SET_IDENTITY_CONTEXT (8) (9) | | UPDATE | UPDATE | No check |
MQOO_SET_ALL_CONTEXT (8) (10) | | UPDATE | CONTROL | No check |
MQOO_OUTPUT (USAGE=XMITQ) (11) | | UPDATE | CONTROL | No check |
MQOO_OUTPUT (topic object) | UPDATE (16) | | | |
MQOO_OUTPUT (alias queue to topic object) | UPDATE (16) | UPDATE | | |
MQOO_SET | | ALTER | No check | No check |
MQOO_ALTERNATE_USER_AUTHORITY | | (12) | (12) | UPDATE |
MQPUT1 option | | | | |
Put on a normal queue (7) | | UPDATE | No check | No check |
MQPMO_PASS_IDENTITY_CONTEXT | | UPDATE | READ | No check |
MQPMO_PASS_ALL_CONTEXT | | UPDATE | READ | No check |
MQPMO_SET_IDENTITY_CONTEXT | | UPDATE | UPDATE | No check |
MQPMO_SET_ALL_CONTEXT | | UPDATE | CONTROL | No check |
MQOO_OUTPUT Put on a transmission queue (11) | | UPDATE | CONTROL | No check |
MQOO_OUTPUT (topic object) | UPDATE (16) | | | |
MQOO_OUTPUT (alias queue to topic object) | UPDATE (16) | UPDATE | | |
MQPMO_ALTERNATE_USER_AUTHORITY | | (13) | (13) | UPDATE |
MQCLOSE option | | | | |
MQCO_DELETE (14) | | ALTER | No check | No check |
MQCO_DELETE_PURGE (14) | | ALTER | No check | No check |
MQCO_REMOVE_SUB | ALTER (15) | | | |
MQSUB option | | | | |
MQSO_CREATE | ALTER (15) | (17) | (18) | |
MQSO_ALTER | ALTER (15) | (17) | (18) | |
MQSO_RESUME | READ (15) | (17) | No check | |
MQSO_ALTERNATE_USER_AUTHORITY | | | | UPDATE |
MQSO_SET_IDENTITY_CONTEXT | | | (18) | |
Note:
1. This option is not restricted to queues. Use the MQNLIST or MXNLIST class for namelists, and the MQPROC or MXPROC class for processes.
2. Use RACF profile: hlq.resourcename
3. Use RACF profile: hlq.CONTEXT.queuename
4. Use RACF profile: hlq.ALTERNATE.USER.alternateuserid. alternateuserid is the user identifier that is specified in the AlternateUserId field of the object descriptor. Note that up to 12 characters of the AlternateUserId field are used for this check, unlike other checks where only the first 8 characters of a user identifier are used.
5. No check is made when opening the queue manager for inquiries.
6. MQOO_INPUT_* must be specified as well. This is valid for a local, model or alias queue.
7. This check is done for a local or model queue that has a Usage queue attribute of MQUS_NORMAL, and also for an alias or remote queue (that is defined to the connected queue manager). If the queue is a remote queue that is opened specifying an ObjectQMgrName (not the name of the connected queue manager) explicitly, the check is carried out against the queue with the same name as ObjectQMgrName (which must be a local queue with a Usage queue attribute of MQUS_TRANSMISSION).
8. MQOO_OUTPUT must be specified as well.
9. MQOO_PASS_IDENTITY_CONTEXT is implied as well by this option.
10. MQOO_PASS_IDENTITY_CONTEXT, MQOO_PASS_ALL_CONTEXT and MQOO_SET_IDENTITY_CONTEXT are implied as well by this option.
11. This check is done for a local or model queue that has a Usage queue attribute of MQUS_TRANSMISSION, and is being opened directly for output. It does not apply if a remote queue is being opened.
12. At least one of MQOO_INQUIRE, MQOO_BROWSE, MQOO_INPUT_*, MQOO_OUTPUT or MQOO_SET must be specified as well. The check carried out is the same as that for the other options specified.
13. The check carried out is the same as that for the other options specified.
14. This applies only for permanent dynamic queues that have been opened directly, that is, not opened through a model queue. No security is required to delete a temporary dynamic queue.
15. Use RACF profile hlq.SUBSCRIBE.topicname.
16. Use RACF profile hlq.PUBLISH.topicname.
17. If on the MQSUB request you specified a destination queue for the publications to be sent to, then a security check is carried out against that queue to ensure that you have put authority to that queue.
18. If on the MQSUB request, with MQSO_CREATE or MQSO_ALTER options specified, you want to set any of the identity context fields in the MQSD structure, you also need to specify the MQSO_SET_IDENTITY_CONTEXT option and you also need the appropriate authority to the context profile for the destination queue.
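
When reviewing an application's RACF permissions, it helps to resolve the combination of MQOPEN options it uses into the profiles and levels it needs. The sketch below is an added example, not IBM code. It covers only MQOPEN on a USAGE=NORMAL queue and assumes the uppercase classes MQQUEUE and MQADMIN, that the strongest level requested of a profile satisfies the weaker ones (RACF levels are hierarchical), and constructed names such as `QM01`.

```python
LEVELS = ["READ", "UPDATE", "CONTROL", "ALTER"]  # RACF levels, weakest first

# MQOPEN option -> (access to hlq.queuename, access to hlq.CONTEXT.queuename)
OPEN_CHECKS = {
    "MQOO_INQUIRE": ("READ", None),
    "MQOO_BROWSE": ("READ", None),
    "MQOO_INPUT_*": ("UPDATE", None),
    "MQOO_SAVE_ALL_CONTEXT": ("UPDATE", None),
    "MQOO_OUTPUT": ("UPDATE", None),
    "MQOO_PASS_IDENTITY_CONTEXT": ("UPDATE", "READ"),
    "MQOO_PASS_ALL_CONTEXT": ("UPDATE", "READ"),
    "MQOO_SET_IDENTITY_CONTEXT": ("UPDATE", "UPDATE"),
    "MQOO_SET_ALL_CONTEXT": ("UPDATE", "CONTROL"),
    "MQOO_SET": ("ALTER", None),
}
ALT = "MQOO_ALTERNATE_USER_AUTHORITY"
BASE = {"MQOO_INQUIRE", "MQOO_BROWSE", "MQOO_INPUT_*", "MQOO_OUTPUT", "MQOO_SET"}


def required_access(hlq, queue, options, alt_user=None):
    """Map MQOPEN options on a USAGE=NORMAL queue to {(class, profile): level}."""
    opts = {"MQOO_INPUT_*" if o.startswith("MQOO_INPUT_") else o for o in options}
    if ALT in opts and not opts & BASE:
        raise ValueError("note 12: another MQOO_* option must be specified")
    if "MQOO_SAVE_ALL_CONTEXT" in opts and "MQOO_INPUT_*" not in opts:
        raise ValueError("note 6: MQOO_INPUT_* must be specified as well")
    needed = {}

    def need(cls, profile, level):
        # Keep only the strongest level asked of each profile.
        current = needed.get((cls, profile))
        if current is None or LEVELS.index(level) > LEVELS.index(current):
            needed[(cls, profile)] = level

    for opt in opts - {ALT}:
        queue_level, context_level = OPEN_CHECKS[opt]
        if context_level and "MQOO_OUTPUT" not in opts:
            raise ValueError(f"note 8: {opt} needs MQOO_OUTPUT as well")
        need("MQQUEUE", f"{hlq}.{queue}", queue_level)
        if context_level:
            need("MQADMIN", f"{hlq}.CONTEXT.{queue}", context_level)
    if ALT in opts:
        # Note 4: up to 12 characters of AlternateUserId are used in this profile.
        need("MQADMIN", f"{hlq}.ALTERNATE.USER.{alt_user[:12]}", "UPDATE")
    return needed
```
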