Setting queue-based permissions on z/OS systems

Grant or revoke queue-based permissions for users to complete specific tasks on an integration node running on z/OS®.

Before you begin

Use the mqsichangeauthmode command to activate administration security and to specify the queue-based mode of administration security for the integration node.

About this task

Configure the external security manager (ESM) that you are using with WebSphere® MQ to grant the required permissions on z/OS systems. For example, if you are using RACF®, set up profiles to hold the information required for WebSphere MQ security checking. The examples in this topic assume that you are using RACF.

Complete the following steps:

Procedure

  1. Activate security on the queue manager that is associated with the integration node.
  2. Activate queue security on the same queue manager:
    • If you use uppercase profiles, you must define profiles in MQQUEUE (Member Class) or GMQQUEUE (Group Class).
    • If you use mixed case profiles, you must define profiles in MXQUEUE (Member Class) or GMXQUEUE (Group Class).
    For example:
    • Define the integration node profile for queue manager MQ01:
      RDEFINE MQQUEUE MQ01.SYSTEM.BROKER.AUTH UACC(NONE)
    • Define the profile for all integration servers on queue manager MQ01:
      RDEFINE MXQUEUE MQ01.SYSTEM.BROKER.AUTH.** UACC(NONE)
    • Define a profile for the specific integration server called default for queue manager MQ01:
      RDEFINE MXQUEUE MQ01.SYSTEM.BROKER.AUTH.default UACC(NONE)
  3. Activate the WebSphere MQ class so that security checks can be made by the integration node.
    For example, activate the class MQQUEUE:
    SETROPTS CLASSACT(MQQUEUE)
  4. Define WebSphere MQ permissions.
    The mapping between integration node permissions, associated WebSphere MQ permissions, and associated RACF access levels is shown in the following table.

    Integration node permission   WebSphere MQ permission   RACF access level
    ---------------------------   -----------------------   -----------------
    Read                          Inquire                   READ
    Write                         Put                       UPDATE
    Execute                       Set                       ALTER

Examples

All the examples shown here are for an integration node that is associated with the queue manager MQ01.

Add execute permission for group GROUP1 to the integration node:
PERMIT MQ01.SYSTEM.BROKER.AUTH CLASS(MQQUEUE) ID(GROUP1) ACCESS(ALTER)
Remove execute permission from the integration node for group GROUP2:
PERMIT MQ01.SYSTEM.BROKER.AUTH CLASS(MQQUEUE) ID(GROUP2) ACCESS(ALTER) DEL
Add write permission to all integration servers for group GROUP3:
PERMIT MQ01.SYSTEM.BROKER.AUTH.** CLASS(MXQUEUE) ID(GROUP3) ACCESS(UPDATE)
Remove write permission from all integration servers for group GROUP4:
PERMIT MQ01.SYSTEM.BROKER.AUTH.** CLASS(MXQUEUE) ID(GROUP4) DEL
Add read permission to a specific integration server called default for group GROUP5:
PERMIT MQ01.SYSTEM.BROKER.AUTH.default CLASS(MXQUEUE) ID(GROUP5) ACCESS(READ)
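The PERMIT commands above follow a fixed pattern: the profile name encodes the scope (the node, all integration servers, or one named server), the RACF class follows from whether that name can be mixed case, and the ACCESS level comes from the mapping table in step 4. The following Python script is an added example, not part of the IBM documentation; it generates the RDEFINE and PERMIT commands for a queue manager from that mapping, assuming the profile naming and class choice shown in this topic, so that the commands you submit through TSO or a batch job are built the same way every time.

```python
# Integration node permission -> (WebSphere MQ permission, RACF access level),
# taken from the mapping table in this topic.
PERMISSION_MAP = {
    "read": ("Inquire", "READ"),
    "write": ("Put", "UPDATE"),
    "execute": ("Set", "ALTER"),
}

# RACF access levels are cumulative: a group holding ALTER also passes checks
# for UPDATE and READ, so ALTER on the AUTH profile grants all three
# integration node permissions.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "ALTER"]


def profile_name(qmgr, server=None):
    """Profile naming used in this topic: QMGR.SYSTEM.BROKER.AUTH for the
    integration node, QMGR.SYSTEM.BROKER.AUTH.<server> for one integration
    server, and the generic QMGR.SYSTEM.BROKER.AUTH.** for all servers."""
    base = f"{qmgr.upper()}.SYSTEM.BROKER.AUTH"
    if server is None:
        return base
    if server == "*":
        return f"{base}.**"
    return f"{base}.{server}"


def racf_class(server=None):
    """The node profile is uppercase, so it lives in MQQUEUE; integration
    server names can be mixed case, so server profiles go in MXQUEUE."""
    return "MQQUEUE" if server is None else "MXQUEUE"


def define_command(qmgr, server=None):
    """RDEFINE with UACC(NONE) so that nobody gets access by default."""
    return f"RDEFINE {racf_class(server)} {profile_name(qmgr, server)} UACC(NONE)"


def permit_command(qmgr, group, permission, server=None, remove=False):
    """PERMIT (or PERMIT ... DEL) for one integration node permission."""
    if permission not in PERMISSION_MAP:
        raise ValueError(f"unknown integration node permission: {permission}")
    _, access = PERMISSION_MAP[permission]
    cmd = f"PERMIT {profile_name(qmgr, server)} CLASS({racf_class(server)}) ID({group})"
    return f"{cmd} DEL" if remove else f"{cmd} ACCESS({access})"


def effective_permissions(access_level):
    """Integration node permissions implied by a RACF access level,
    given that the levels are cumulative."""
    rank = ACCESS_ORDER.index(access_level.upper())
    return [p for p, (_, lvl) in PERMISSION_MAP.items()
            if ACCESS_ORDER.index(lvl) <= rank]


def setup_commands(qmgr, servers=(), grants=()):
    """Ordered command list for steps 2 to 4 of the procedure: activate the
    classes, define the profiles with UACC(NONE), then grant access.
    grants is a sequence of (group, permission, server-or-None) tuples."""
    cmds = ["SETROPTS CLASSACT(MQQUEUE)", "SETROPTS CLASSACT(MXQUEUE)",
            define_command(qmgr), define_command(qmgr, "*")]
    cmds += [define_command(qmgr, s) for s in servers]
    cmds += [permit_command(qmgr, g, p, server=s) for g, p, s in grants]
    return cmds


if __name__ == "__main__":
    for line in setup_commands("MQ01", servers=["default"],
                               grants=[("GROUP1", "execute", None),
                                       ("GROUP5", "read", "default")]):
        print(line)
```

Because RACF access levels are cumulative, granting execute (ALTER) to a group also gives it write (UPDATE) and read (READ) on that profile; `effective_permissions` makes that visible when you review an access list. The queue manager works from in-storage copies of these profiles, so changes made with RDEFINE or PERMIT take effect only after the profiles are refreshed (the MQ REFRESH SECURITY command on z/OS).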
The following JCL file shows one way in which you can check the RACF permissions that you have set for the integration node MQTEST:
//RACFDUMP JOB ,MQTEST,USER=MQTEST,TIME=1,MSGCLASS=H       
//STEP1 EXEC PGM=IKJEFT01,REGION=64M,DYNAMNBR=99           
//SYSTSPRT DD SYSOUT=*                                     
//SYSTSIN  DD *                                            
 /* LIST ALL EXISTING PROFILES IN THE MQADMIN CLASS */     
 SEARCH CLASS(MQADMIN)                                     
 /* LIST UPPERCASE PROFILES IN THE MQQUEUE MEMBER CLASS */ 
 SEARCH CLASS(MQQUEUE)                                     
 /* LIST MIXED CASE PROFILES IN THE MQQUEUE MEMBER CLASS */
 SEARCH CLASS(MXQUEUE)                                     
 /* LIST THE QMGR PROFILE */                               
 RLIST MQADMIN MI09.NO.SUBSYS.SECURITY ALL                 
/*                                                         
This JCL job might produce results like the following output:
READY                                                 
 /* LIST ALL EXISTING PROFILES IN THE MQADMIN CLASS */
READY                                                 
 SEARCH CLASS(MQADMIN)                                
EP00.NO.SUBSYS.SECURITY                               
EP01.NO.SUBSYS.SECURITY                               
EP02.NO.SUBSYS.SECURITY                               
EP03.NO.SUBSYS.SECURITY                               
EP04.NO.SUBSYS.SECURITY                               
MA00.NO.SUBSYS.SECURITY                               
MA01.NO.SUBSYS.SECURITY                               
MA02.NO.SUBSYS.SECURITY                               
MA03.NO.SUBSYS.SECURITY                               
MA04.NO.SUBSYS.SECURITY                               
MA05.NO.SUBSYS.SECURITY                               
MA06.NO.SUBSYS.SECURITY                               
MA07.NO.SUBSYS.SECURITY                               
MA08.NO.SUBSYS.SECURITY                               
MA09.NO.SUBSYS.SECURITY                               
MA10.NO.SUBSYS.SECURITY                               
MA11.ALTERNATE.USER.KMCMUL                            
MA11.ALTERNATE.USER.KMCMUL3                           
MA11.ALTERNATE.USER.MA15USR                           
MA11.CHANNEL.MA11.TO.REG1                             
MA11.CONTEXT                                          
MA11.NO.CMD.CHECKS                                    
MA11.NO.CMD.RESC.CHECKS                               
MA11.NO.CMDS.CHECKS        
MA11.NO.CMDS.RESC.CHECKS   
MA11.NO.SUBSYS.SECURITY    
MA11.RESLEVEL              
MA12.NO.SUBSYS.SECURITY    
MA13.NO.SUBSYS.SECURITY    
MA14.NO.SUBSYS.SECURITY    
MA15.NO.SUBSYS.SECURITY    
MA16.NO.SUBSYS.SECURITY    
MA17.NO.SUBSYS.SECURITY    
MA18.NO.SUBSYS.SECURITY    
MA19.NO.SUBSYS.SECURITY    
MA20.NO.SUBSYS.SECURITY    
MI00.NO.SUBSYS.SECURITY    
MI01.NO.SUBSYS.SECURITY    
MI02.NO.SUBSYS.SECURITY    
MI03.NO.SUBSYS.SECURITY    
MI04.NO.SUBSYS.SECURITY    
MI05.NO.SUBSYS.SECURITY    
MI06.NO.SUBSYS.SECURITY    
MI07.NO.SUBSYS.SECURITY    
MI08.NO.SUBSYS.SECURITY    
MI09.ALTERNATE.USER.MI09STC
MI09.ALTERNATE.USER.NHARRIS
MI09.NO.CMD.CHECKS         
MI09.NO.CONNECT.CHECKS     
MI09.NO.CONTEXT.CHECKS     
MI09.NO.SUBSYS.SECURITY                                   
MI10.NO.SUBSYS.SECURITY                                   
MI11.NO.SUBSYS.SECURITY                                   
MI12.NO.SUBSYS.SECURITY                                   
MI13.NO.SUBSYS.SECURITY                                   
MI14.NO.SUBSYS.SECURITY                                   
MI15.NO.SUBSYS.SECURITY                                   
MI16.NO.SUBSYS.SECURITY                                   
MI17.NO.SUBSYS.SECURITY                                   
MI18.NO.SUBSYS.SECURITY                                   
MI19.NO.SUBSYS.SECURITY                                   
MI20.NO.SUBSYS.SECURITY                                   
MI09.CHANNEL.** (G)                                       
MI09.QUEUE.** (G)                                         
READY                                                     
 /* LIST UPPERCASE PROFILES IN THE MQQUEUE MEMBER CLASS */
READY                                                     
 SEARCH CLASS(MQQUEUE)                                    
MA11.INPUT2.QUEUE                                         
MA11.KMBRK                                                
MA11.MA11.DEAD.QUEUE                                      
MA11.MA15                                                 
MA11.REG1                                                 
MA11.SUBSCRIBER.RESULTS.QUEUE                             
MA11.SUBSCRIBER3.RESULTS.QUEUE                            
MA11.SUBSCRIBER4.RESULTS.QUEUE                            
MA11.SUBSCRIBER5.RESULTS.QUEUE                            
MA11.SUBSCRIBER6.RESULTS.QUEUE                             
MA11.SUBSCRIBER9.RESULTS.QUEUE                             
MA11.SYSTEM.CHANNEL.EVENT                                  
MA11.SYSTEM.CHANNEL.SYNCQ                                  
MA11.SYSTEM.CLUSTER.COMMAND.QUEUE                          
MA11.SYSTEM.COMMAND.INPUT                                  
MA11.SYSTEM.COMMAND.REPLY.MODEL                            
MI09.SYSTEM.BROKER.AUTH.SECURITY_EXE                       
MA11.SYSTEM.BROKER.** (G)                                  
MA11.SYSTEM.** (G)                                         
MA11.** (G)                                                
MI09.** (G)                                                
READY                                                      
 /* LIST MIXED CASE PROFILES IN THE MQQUEUE MEMBER CLASS */
READY                                                      
 SEARCH CLASS(MXQUEUE)                                     
NO ENTRIES MEET SEARCH CRITERIA                            
READY                                                      
 /* LIST THE QMGR PROFILE */                               
READY                                                      
 RLIST MQADMIN MI09.NO.SUBSYS.SECURITY ALL                 
CLASS      NAME                                            
-----      ----                                            
MQADMIN    MI09.NO.SUBSYS.SECURITY                         
                                                           
GROUP CLASS NAME                                           
----- ----- ----                                           
GMQADMIN                                                
                                                        
RESOURCE GROUPS                                         
-------- ------                                         
NONE                                                    
                                                        
LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    MQTEST          NONE               NONE    NO    
                                                        
INSTALLATION DATA                                       
-----------------                                       
NONE                                                    
                                                        
APPLICATION DATA                                        
----------------                                        
NONE                                                    
                                                        
SECLEVEL                                                
--------                                                
NO SECLEVEL                                             
                                                        
CATEGORIES                                              
----------                                              
NO CATEGORIES                                           
                                                        
SECLABEL                                                
--------                                                                       
NO SECLABEL                                                                    
                                                                               
AUDITING                                                                       
--------                                                                       
FAILURES(READ)                                                                 
                                                                               
NOTIFY                                                                         
------                                                                         
NO USER TO BE NOTIFIED                                                         
                                                                               
CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE                           
 (DAY) (YEAR)       (DAY) (YEAR)      (DAY) (YEAR)                             
-------------  -------------------  ----------------                           
  237    09          237    09         237    09                               
                                                                               
ALTER COUNT   CONTROL COUNT   UPDATE COUNT   READ COUNT                        
-----------   -------------   ------------   ----------                        
  000000         000000         000000         000000                          
                                                                               
USER      ACCESS   ACCESS COUNT                                                
----      ------   ------ -----                                                
NO USERS IN ACCESS LIST                                                        
                                                                               
   ID     ACCESS  ACCESS COUNT  CLASS                   ENTITY  NAME           
-------- -------  ------------ -------- ---------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST                                          
READY 
END
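Reading a listing like the one above by eye does not scale across many queue managers, and the conditions worth confirming after this procedure are few and mechanical. The following Python script is an added example, not part of the IBM documentation; it parses the SEARCH and RLIST sections of a batch TSO listing (here a constructed, abridged sample in which RLIST is run against the node's AUTH profile rather than the queue manager profile) and reports whether a discrete AUTH profile exists in MQQUEUE, whether UACC is NONE, whether WARNING mode is off, and whether access failures are audited. Its generic-profile matching is a simplification of RACF's rules, adequate for spotting which profiles cover a name.

```python
import re

# Constructed sample of a batch TSO listing, abridged from the shape shown in
# this topic; the RLIST is against the node's AUTH profile instead of the
# queue manager profile, and the access list entry is invented.
SAMPLE_OUTPUT = """\
READY
 SEARCH CLASS(MQQUEUE)
MI09.SYSTEM.BROKER.AUTH
MI09.SYSTEM.BROKER.AUTH.SECURITY_EXE
MA11.SYSTEM.BROKER.** (G)
MI09.** (G)
READY
 SEARCH CLASS(MXQUEUE)
NO ENTRIES MEET SEARCH CRITERIA
READY
 RLIST MQQUEUE MI09.SYSTEM.BROKER.AUTH ALL
LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    MQTEST          NONE               NONE    NO

AUDITING
--------
FAILURES(READ)

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
GROUP1    ALTER       000000
READY
END
"""


def parse_search(text):
    """Map each SEARCH CLASS(...) in the listing to {profile: is_generic}."""
    results, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SEARCH\s+CLASS\((\w+)\)", line)
        if m:
            current = results.setdefault(m.group(1), {})
            continue
        s = line.strip()
        if current is None or s == "NO ENTRIES MEET SEARCH CRITERIA":
            continue
        if not s or s == "READY":
            current = None          # READY ends the command's output
            continue
        current[s.replace("(G)", "").strip()] = s.endswith("(G)")
    return results


def parse_rlist(text):
    """Pull the fields a reviewer cares about out of an RLIST ... ALL display."""
    lines, info = text.splitlines(), {}
    for i, line in enumerate(lines):
        m = re.match(r"\s*RLIST\s+(\w+)\s+(\S+)", line)
        if m:
            info["class"], info["profile"] = m.group(1), m.group(2)
        elif line.startswith("LEVEL") and "UNIVERSAL ACCESS" in line:
            # header, dashes, then the data row
            _level, owner, uacc, _yours, warning = lines[i + 2].split()
            info.update(owner=owner, uacc=uacc, warning=warning)
        elif line.strip() == "AUDITING":
            info["auditing"] = lines[i + 2].strip()
        elif line.startswith("USER") and "ACCESS COUNT" in line:
            acl = {}
            for entry in lines[i + 2:]:
                s = entry.strip()
                if not s or s == "READY" or s.startswith("NO USERS"):
                    break
                acl[s.split()[0]] = s.split()[1]
            info["access_list"] = acl
    return info


def generic_to_regex(profile):
    """Simplified RACF generic matching: ** spans qualifiers, * and % stay
    within one qualifier. RACF's full precedence rules are not reproduced."""
    pattern = (re.escape(profile).replace(r"\*\*", ".*")
               .replace(r"\*", "[^.]*").replace("%", "[^.]"))
    return f"^{pattern}$"


def covering_profiles(name, profiles):
    """Profiles (discrete or generic) whose pattern matches a resource name."""
    return [p for p in profiles if re.match(generic_to_regex(p), name)]


def audit_auth_profile(text, qmgr):
    """The checks to make after the procedure: the node's AUTH profile exists
    as a discrete profile, defaults to no access, is not in WARNING mode
    (where failed checks are logged but access is still granted), and logs
    failures. Returns a list of findings; empty means all checks passed."""
    profile = f"{qmgr}.SYSTEM.BROKER.AUTH"
    search, rlist, findings = parse_search(text), parse_rlist(text), []
    covering = covering_profiles(profile, search.get("MQQUEUE", {}))
    if profile not in covering:
        findings.append(f"no discrete MQQUEUE profile {profile}; "
                        f"covered by {covering or 'nothing'}")
    if rlist.get("profile") == profile:
        if rlist.get("uacc") != "NONE":
            findings.append(f"UACC is {rlist['uacc']}, expected NONE")
        if rlist.get("warning") != "NO":
            findings.append("WARNING mode is on: access is granted despite failed checks")
        if not rlist.get("auditing", "").startswith("FAILURES"):
            findings.append("auditing does not record access failures")
    return findings
```

Run against the sample, `audit_auth_profile(SAMPLE_OUTPUT, "MI09")` returns no findings. On the listing shown in this topic it would report that MI09.SYSTEM.BROKER.AUTH is covered only by the generic MI09.** profile, which is exactly the case where a broad generic silently decides who can administer the integration node.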