Profiles for processes
If process security is active, you must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles.
- Define profiles in the MQPROC or GMQPROC classes if using uppercase profiles.
- Define profiles in the MXPROC or GMXPROC classes if using mixed case profiles.
- Permit the necessary groups or user IDs access to these profiles, so that they can issue IBM® MQ API requests that use processes.
hlq.processname
hlq
can be either qmgr-name
(queue manager name) or
qsg-name
(queue sharing group name), and processname
is the name
of the process being opened. A profile prefixed by the queue manager name controls access to a single process definition on that queue manager. A profile prefixed by the queue sharing group name controls access to one or more process definitions with that name on all queue managers within the queue sharing group. This access can be overridden on an individual queue manager by defining a queue manager level profile for that process definition on that queue manager.
If your queue manager is a member of a queue sharing group and you are using both queue manager and queue sharing group level security, IBM MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue sharing group name.
The following table shows the access required for opening a process.
MQOPEN option | RACF® access level required to hlq.processname |
---|---|
MQOO_INQUIRE | READ |
RDEFINE MQPROC MQS9.V* UACC(NONE)
PERMIT MQS9.V* CLASS(MQPROC) ID(INQVPRC) ACCESS(READ)
Alternate user security might also be active, depending on the open options specified when a process definition object is opened.