[z/OS]

RACF profiles

All RACF® profiles used by IBM® MQ contain a prefix, which is either the queue manager name or the queue sharing group name. Be careful when you use the percent sign as a wildcard.

All RACF profiles used by IBM MQ contain a prefix. For queue sharing group level security, this is the queue sharing group name. For queue manager level security, the prefix is the queue manager name. If you are using a mixture of queue manager and queue sharing group level security, you will use profiles with both types of prefix. (Queue sharing group and queue manager level security are described in IBM MQ for z/OS® concepts: security.)

For example, if you want to protect a queue called QUEUE_FOR_SUBSCRIBER_LIST in queue sharing group QSG1 at queue sharing group level, the appropriate profile would be defined to RACF as:

RDEFINE MQQUEUE QSG1.QUEUE_FOR_SUBSCRIBER_LIST

If you want to protect a queue called QUEUE_FOR_LOST_CARD_LIST, which belongs to queue manager STCD, at queue manager level, the appropriate profile would be defined to RACF as:

RDEFINE MQQUEUE STCD.QUEUE_FOR_LOST_CARD_LIST

This means that different queue managers and queue sharing groups can share the same RACF database and yet have different security options.

Do not use generic characters in the queue manager name (the prefix) of a profile. Because queue managers and queue sharing groups can share one RACF database, a generic prefix would also match the resources of other queue managers and give users access you did not anticipate.

IBM MQ allows the use of the percent sign (%) in object names. However, RACF uses the % character as a single-character wildcard. This means that when you define an object with a % character in its name, you must allow for this when you define the corresponding profile.

For example, for the queue CREDIT_CARD_%_RATE_INQUIRY, on queue manager CRDP, the profile would be defined to RACF as follows:

RDEFINE MQQUEUE CRDP.CREDIT_CARD_%_RATE_INQUIRY

This queue can be protected only by the discrete profile shown, which names the queue exactly; it cannot be protected by a generic profile such as CRDP.**.

IBM MQ allows the use of mixed case characters in object names. You can protect these objects by defining:
  1. Mixed case profiles in the appropriate mixed case RACF classes, or
  2. Generic profiles in the appropriate uppercase RACF classes.

To use mixed case profiles and mixed case RACF classes you must follow the steps described in z/OS Migrating a queue manager to mixed case security.

There are some profiles, or parts of profiles, that remain uppercase only because the values are supplied by IBM MQ. These are:
  • Switch profiles.
  • All high-level qualifiers (HLQ) including subsystem and queue sharing group identifiers.
  • Profiles for SYSTEM objects.
  • Profiles for Default objects.
  • The MQCMDS class, so all command profiles are uppercase only.
  • The MQCONN class, so all connection profiles are uppercase only.
  • RESLEVEL profiles.
  • The 'object' qualification in command resource profiles; for example, hlq.QUEUE.queuename. Only the resource name can be mixed case.
  • Dynamic queue profiles hlq.CSQOREXX.*, hlq.CSQUTIL.*, and CSQXCMD.*.
  • The 'CONTEXT' part of hlq.CONTEXT.resourcename.
  • The 'ALTERNATE.USER' part of hlq.ALTERNATE.USER.userid.
For example, if you have a queue called PAYROLL.Dept1 on queue manager QM01 and you are using:
  • Mixed case profiles; you can define a profile in the IBM MQ RACF class MXQUEUE
    
    RDEFINE MXQUEUE QM01.PAYROLL.Dept1
    
  • Uppercase profiles; you can define a generic profile in the IBM MQ RACF class MQQUEUE
    
    RDEFINE MQQUEUE QM01.PAYROLL.*
    
    
The first example, using mixed case profiles, gives you more granular control over granting authority to access the resource.
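The following Python script is an added example, not IBM code and not part of this page. It turns the naming rules above into checks: the prefix rule and the percent-sign rule from the first part of the page, and the mixed case rules from the second part, and it derives the RDEFINE commands from them. The function names are my own. Two things are assumptions not stated on this page: that MQADMIN/MXADMIN is the class pair holding the hlq.CONTEXT and hlq.ALTERNATE.USER profiles, and the use of a trailing .** (zero or more qualifiers) when the mixed case qualifier is not the last one, where the page only shows the PAYROLL.* form. UACC(NONE) is added to every command so that no access exists until it is explicitly granted.

```python
import re

# Classes named on this page: MQQUEUE/MXQUEUE, MQCMDS, MQCONN.  MQADMIN/MXADMIN
# is assumed here to be the class pair holding the CONTEXT and ALTERNATE.USER
# profiles; it is not named on the page.
MIXED_CASE_CLASS = {"MQQUEUE": "MXQUEUE", "MQADMIN": "MXADMIN"}
UPPERCASE_ONLY_CLASSES = {"MQCMDS", "MQCONN"}


def hlq_for(level, qmgr=None, qsg=None):
    """Prefix used by every profile: the queue sharing group name at queue
    sharing group level, the queue manager name at queue manager level.
    It is supplied by MQ, is uppercase only, and must never contain a generic
    character, or the profile would also cover other queue managers and queue
    sharing groups that share the RACF database."""
    hlq = {"qsg": qsg, "qmgr": qmgr}.get(level)
    if not hlq:
        raise ValueError("level must be 'qsg' or 'qmgr', with that name given")
    if re.search(r"[*%]", hlq):
        raise ValueError("generic characters are not allowed in the prefix: " + hlq)
    return hlq.upper()


def _is_mixed(name):
    return name != name.upper()


def _class(base, mixed_case_classes):
    # After migration to mixed case security the MX* classes are used; MQCMDS
    # and MQCONN have no mixed case equivalent.
    return MIXED_CASE_CLASS[base] if mixed_case_classes else base


def queue_profile(hlq, queue, mixed_case_classes):
    """Return (racf_class, profile) that protects `queue` under `hlq`.

    mixed_case_classes is True once the queue manager has been migrated to
    mixed case security (MX* classes), False while only MQ* classes are used.
    """
    klass = _class("MQQUEUE", mixed_case_classes)
    if "%" in queue:
        # '%' is a RACF single-character wildcard, so only the discrete profile
        # (the exact name) protects this queue; a generic such as hlq.** does not.
        if _is_mixed(queue) and not mixed_case_classes:
            raise ValueError(
                "uppercase classes protect mixed case names only with generic "
                "profiles, and a name containing % cannot be protected by a "
                "generic profile: " + queue)
        return klass, f"{hlq}.{queue}"
    if not _is_mixed(queue) or mixed_case_classes:
        # Discrete profile: exact control over this one queue.
        return klass, f"{hlq}.{queue}"
    # Uppercase class, mixed case name: keep the leading uppercase qualifiers and
    # cover the rest with a generic, as the page does with QM01.PAYROLL.* for
    # PAYROLL.Dept1.  '.*' follows that example when the mixed case qualifier is
    # the last one; '.**' (zero or more qualifiers, an assumption here) when more
    # qualifiers follow.  A mixed case first qualifier therefore ends up as
    # hlq.**, which covers every queue on the queue manager: a reason to migrate.
    quals = queue.split(".")
    first_mixed = next(i for i, q in enumerate(quals) if _is_mixed(q))
    head = ".".join([hlq] + quals[:first_mixed])
    return klass, head + (".*" if first_mixed == len(quals) - 1 else ".**")


def admin_profile(hlq, kind, resource, mixed_case_classes):
    """hlq.CONTEXT.resourcename and hlq.ALTERNATE.USER.userid: the fixed part
    is always uppercase, only the trailing resource name may be mixed case."""
    fixed = {"context": "CONTEXT", "alternate_user": "ALTERNATE.USER"}[kind]
    if _is_mixed(resource) and not mixed_case_classes:
        raise ValueError("mixed case resource name needs the MXADMIN class: " + resource)
    return _class("MQADMIN", mixed_case_classes), f"{hlq}.{fixed}.{resource}"


def uppercase_only_profile(klass, hlq, resource):
    """MQCMDS and MQCONN profiles are uppercase only; refuse anything else."""
    if klass not in UPPERCASE_ONLY_CLASSES:
        raise ValueError("not an uppercase-only class: " + klass)
    if _is_mixed(resource):
        raise ValueError(f"{klass} profiles are uppercase only: {resource}")
    return klass, f"{hlq}.{resource}"


def rdefine(klass, profile, uacc="NONE"):
    """RDEFINE command text; UACC(NONE) by default so access has to be granted."""
    return f"RDEFINE {klass} {profile} UACC({uacc})"


if __name__ == "__main__":
    # The page's own examples, reproduced through the rules above.
    for klass, profile in (
        queue_profile(hlq_for("qsg", qsg="QSG1"), "QUEUE_FOR_SUBSCRIBER_LIST", False),
        queue_profile(hlq_for("qmgr", qmgr="STCD"), "QUEUE_FOR_LOST_CARD_LIST", False),
        queue_profile("CRDP", "CREDIT_CARD_%_RATE_INQUIRY", False),
        queue_profile("QM01", "PAYROLL.Dept1", True),
        queue_profile("QM01", "PAYROLL.Dept1", False),
        admin_profile("QM01", "context", "PAYROLL.Dept1", True),
    ):
        print(rdefine(klass, profile))
```

Run the script to see the six RDEFINE commands for the page's examples. The ValueError paths are the checks worth keeping when you script profile creation: a generic character in the prefix, a mixed case name with a % in it on a queue manager that has not been migrated to mixed case security, and lowercase in an MQCMDS or MQCONN profile.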