Authorizing connections to CQS structures
When a client issues the CQSCONN request to connect to a CQS structure, CQS issues a RACROUTE REQUEST=AUTH call to determine whether the client is authorized to access the structure. RACF® checks the user ID of the client that issued the CQSCONN request. This user ID must have at least UPDATE authority to connect to the structure through CQS.
The RACF security administrator should define profiles in the FACILITY class to control the connection to CQS structures. The profile names must be of the form CQSSTR.structure_name, where structure_name is the name of the primary CQS structure that is to be protected. Use the same structure name that you define in the CQSSGxxx and CQSSLxxx PROCLIB member data sets.
The CQSSTR.structure_name profiles only control access to the specified structures through CQS; they do not control direct access to the structures using IXL macros. You can provide control over direct structure access by defining RACF profiles of the form IXLSTR.structure_name. If you create such profiles, you must give the user IDs under which you run CQS access to the structures.
Related reading: For information on protecting direct
access to coupling facility structures, see Authorizing Coupling
Facility Requests
in z/OS® MVS Programming: Sysplex Services Guide.
For more information on defining structure names, see IMS Version 15.3 System Definition. CQS does not perform a separate check on the overflow structure name, because the primary and overflow structures are considered one unit.
Example: To define a profile for a CQS primary structure named IMSMSGQ01, and to allow only user CQSUSER to connect to it, issue the RACF commands shown in the following example.
RDEFINE FACILITY CQSSTR.IMSMSGQ01 UACC(NONE)
PERMIT CQSSTR.IMSMSGQ01 CLASS(FACILITY) ID(CQSUSER) ACCESS(UPDATE)
SETROPTS CLASSACT(FACILITY) If you do not define a profile for a particular CQS structure, the structure is not protected, and any user ID can issue a CQSCONN request to access the structure.