Setting queue-based permissions on z/OS systems
Grant or revoke queue-based permissions for users to complete specific tasks on an integration node running on z/OS®.
Before you begin
Use the mqsichangeauthmode command to activate administration security and to specify the queue-based mode of administration security for the integration node.
About this task
Configure the external security manager (ESM) that you are using with WebSphere® MQ to grant the required permissions on z/OS systems. For example, if you are using RACF®, set up profiles to hold the information required for WebSphere MQ security checking. The examples in this topic assume that you are using RACF.
Complete the following steps:
Procedure
Examples
All the examples shown here are for an integration node that is associated with the queue manager MQ01.
Add execute permission for group GROUP1 to the integration node:
PERMIT MQ01.SYSTEM.BROKER.AUTH CLASS(MQQUEUE) ID(GROUP1) ACCESS(ALTER)
Remove execute permission from the integration node for group GROUP2:
PERMIT MQ01.SYSTEM.BROKER.AUTH CLASS(MQQUEUE) ID(GROUP2) ACCESS(ALTER) DEL
Add write permission to all integration servers for group GROUP3:
PERMIT MQ01.SYSTEM.BROKER.AUTH.** CLASS(MXQUEUE) ID(GROUP3) ACCESS(UPDATE)
Remove write permission from all integration servers for group GROUP4:
PERMIT MQ01.SYSTEM.BROKER.AUTH.** CLASS(MXQUEUE) ID(GROUP4) DEL
Add read permission to a specific integration server called default for group GROUP5:
PERMIT MQ01.SYSTEM.BROKER.AUTH.default CLASS(MXQUEUE) ID(GROUP5) ACCESS(READ)
The following JCL file shows one way in which you can check the RACF permissions that you have set for the integration node MQTEST:
//RACFDUMP JOB ,MQTEST,USER=MQTEST,TIME=1,MSGCLASS=H
//STEP1 EXEC PGM=IKJEFT01,REGION=64M,DYNAMNBR=99
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
/* LIST ALL EXISTING PROFILES IN THE MQADMIN CLASS */
SEARCH CLASS(MQADMIN)
/* LIST UPPERCASE PROFILES IN THE MQQUEUE MEMBER CLASS */
SEARCH CLASS(MQQUEUE)
/* LIST MIXED CASE PROFILES IN THE MQQUEUE MEMBER CLASS */
SEARCH CLASS(MXQUEUE)
/* LIST THE QMGR PROFILE */
RLIST MQADMIN MI09.NO.SUBSYS.SECURITY ALL
/*
This JCL job might produce results like the following output:
READY
/* LIST ALL EXISTING PROFILES IN THE MQADMIN CLASS */
READY
SEARCH CLASS(MQADMIN)
EP00.NO.SUBSYS.SECURITY
EP01.NO.SUBSYS.SECURITY
EP02.NO.SUBSYS.SECURITY
EP03.NO.SUBSYS.SECURITY
EP04.NO.SUBSYS.SECURITY
MA00.NO.SUBSYS.SECURITY
MA01.NO.SUBSYS.SECURITY
MA02.NO.SUBSYS.SECURITY
MA03.NO.SUBSYS.SECURITY
MA04.NO.SUBSYS.SECURITY
MA05.NO.SUBSYS.SECURITY
MA06.NO.SUBSYS.SECURITY
MA07.NO.SUBSYS.SECURITY
MA08.NO.SUBSYS.SECURITY
MA09.NO.SUBSYS.SECURITY
MA10.NO.SUBSYS.SECURITY
MA11.ALTERNATE.USER.KMCMUL
MA11.ALTERNATE.USER.KMCMUL3
MA11.ALTERNATE.USER.MA15USR
MA11.CHANNEL.MA11.TO.REG1
MA11.CONTEXT
MA11.NO.CMD.CHECKS
MA11.NO.CMD.RESC.CHECKS
MA11.NO.CMDS.CHECKS
MA11.NO.CMDS.RESC.CHECKS
MA11.NO.SUBSYS.SECURITY
MA11.RESLEVEL
MA12.NO.SUBSYS.SECURITY
MA13.NO.SUBSYS.SECURITY
MA14.NO.SUBSYS.SECURITY
MA15.NO.SUBSYS.SECURITY
MA16.NO.SUBSYS.SECURITY
MA17.NO.SUBSYS.SECURITY
MA18.NO.SUBSYS.SECURITY
MA19.NO.SUBSYS.SECURITY
MA20.NO.SUBSYS.SECURITY
MI00.NO.SUBSYS.SECURITY
MI01.NO.SUBSYS.SECURITY
MI02.NO.SUBSYS.SECURITY
MI03.NO.SUBSYS.SECURITY
MI04.NO.SUBSYS.SECURITY
MI05.NO.SUBSYS.SECURITY
MI06.NO.SUBSYS.SECURITY
MI07.NO.SUBSYS.SECURITY
MI08.NO.SUBSYS.SECURITY
MI09.ALTERNATE.USER.MI09STC
MI09.ALTERNATE.USER.NHARRIS
MI09.NO.CMD.CHECKS
MI09.NO.CONNECT.CHECKS
MI09.NO.CONTEXT.CHECKS
MI09.NO.SUBSYS.SECURITY
MI10.NO.SUBSYS.SECURITY
MI11.NO.SUBSYS.SECURITY
MI12.NO.SUBSYS.SECURITY
MI13.NO.SUBSYS.SECURITY
MI14.NO.SUBSYS.SECURITY
MI15.NO.SUBSYS.SECURITY
MI16.NO.SUBSYS.SECURITY
MI17.NO.SUBSYS.SECURITY
MI18.NO.SUBSYS.SECURITY
MI19.NO.SUBSYS.SECURITY
MI20.NO.SUBSYS.SECURITY
MI09.CHANNEL.** (G)
MI09.QUEUE.** (G)
READY
/* LIST UPPERCASE PROFILES IN THE MQQUEUE MEMBER CLASS */
READY
SEARCH CLASS(MQQUEUE)
MA11.INPUT2.QUEUE
MA11.KMBRK
MA11.MA11.DEAD.QUEUE
MA11.MA15
MA11.REG1
MA11.SUBSCRIBER.RESULTS.QUEUE
MA11.SUBSCRIBER3.RESULTS.QUEUE
MA11.SUBSCRIBER4.RESULTS.QUEUE
MA11.SUBSCRIBER5.RESULTS.QUEUE
MA11.SUBSCRIBER6.RESULTS.QUEUE
MA11.SUBSCRIBER9.RESULTS.QUEUE
MA11.SYSTEM.CHANNEL.EVENT
MA11.SYSTEM.CHANNEL.SYNCQ
MA11.SYSTEM.CLUSTER.COMMAND.QUEUE
MA11.SYSTEM.COMMAND.INPUT
MA11.SYSTEM.COMMAND.REPLY.MODEL
MI09.SYSTEM.BROKER.AUTH.SECURITY_EXE
MA11.SYSTEM.BROKER.** (G)
MA11.SYSTEM.** (G)
MA11.** (G)
MI09.** (G)
READY
/* LIST MIXED CASE PROFILES IN THE MQQUEUE MEMBER CLASS */
READY
SEARCH CLASS(MXQUEUE)
NO ENTRIES MEET SEARCH CRITERIA
READY
/* LIST THE QMGR PROFILE */
READY
RLIST MQADMIN MI09.NO.SUBSYS.SECURITY ALL
CLASS NAME
----- ----
MQADMIN MI09.NO.SUBSYS.SECURITY
GROUP CLASS NAME
----- ----- ----
GMQADMIN
RESOURCE GROUPS
-------- ------
NONE
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 MQTEST NONE NONE NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
----------------
NONE
SECLEVEL
--------
NO SECLEVEL
CATEGORIES
----------
NO CATEGORIES
SECLABEL
--------
NO SECLABEL
AUDITING
--------
FAILURES(READ)
NOTIFY
------
NO USER TO BE NOTIFIED
CREATION DATE LAST REFERENCE DATE LAST CHANGE DATE
(DAY) (YEAR) (DAY) (YEAR) (DAY) (YEAR)
------------- ------------------- ----------------
237 09 237 09 237 09
ALTER COUNT CONTROL COUNT UPDATE COUNT READ COUNT
----------- ------------- ------------ ----------
000000 000000 000000 000000
USER ACCESS ACCESS COUNT
---- ------ ------ -----
NO USERS IN ACCESS LIST
ID ACCESS ACCESS COUNT CLASS ENTITY NAME
-------- ------- ------------ -------- ---------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
READY
END
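The PERMIT examples and the SEARCH listing above follow a fixed pattern: the permission name maps to a RACF access level (read=READ, write=UPDATE, execute=ALTER), the node-level profile QMGR.SYSTEM.BROKER.AUTH lives in the MQQUEUE class, and per-server profiles QMGR.SYSTEM.BROKER.AUTH.<server> (or .** for all servers) live in the mixed-case MXQUEUE class. The following added example, which is not part of this topic or of the product, builds those PERMIT commands from a permission request and checks a captured SEARCH listing for a profile that would cover the target; the generic-profile matching is an approximation of RACF's rules and the SEARCH excerpt is constructed.

```python
import re

# Permission names used in this topic mapped to the RACF access levels it uses.
ACCESS = {"read": "READ", "write": "UPDATE", "execute": "ALTER"}

def auth_profile(qmgr, server=None):
    """Return (RACF class, profile) for the integration node (server=None),
    every integration server ("*"), or one named integration server."""
    base = f"{qmgr}.SYSTEM.BROKER.AUTH"
    if server is None:
        return "MQQUEUE", base               # node-level profile, uppercase class
    if server == "*":
        return "MXQUEUE", base + ".**"       # all servers, mixed-case class
    return "MXQUEUE", f"{base}.{server}"     # one server, for example 'default'

def permit_command(qmgr, group, permission, server=None, revoke=False):
    """Build the PERMIT that grants access, or revokes it with DEL."""
    cls, profile = auth_profile(qmgr, server)
    cmd = f"PERMIT {profile} CLASS({cls}) ID({group})"
    return cmd + (" DEL" if revoke else f" ACCESS({ACCESS[permission]})")

def generic_to_regex(name):
    """Approximate RACF generic profile rules: '**' spans qualifiers,
    '*' stays inside one qualifier, '%' matches one character."""
    table = {"**": ".*", "*": "[^.]*", "%": "."}
    return re.sub(r"\*\*|\*|%|[^*%]+",
                  lambda m: table.get(m.group(), re.escape(m.group())), name)

def covering_profiles(listing, profile):
    """Return every profile in a SEARCH CLASS(...) listing that covers
    `profile`: an exact discrete match or a generic profile marked (G).
    RACF applies only the most specific one; all matches are listed here
    so that an overly broad generic profile is visible."""
    hits = []
    for line in listing.splitlines():
        name, _, flag = line.strip().partition(" ")
        if not name or name == "READY":
            continue
        if flag.strip() == "(G)":
            if re.fullmatch(generic_to_regex(name), profile):
                hits.append(name)
        elif name == profile:
            hits.append(name)
    return hits

# Constructed excerpt in the shape of the SEARCH CLASS(MQQUEUE) output above.
SAMPLE_SEARCH = """\
MA11.SYSTEM.COMMAND.INPUT
MI09.SYSTEM.BROKER.AUTH.SECURITY_EXE
MA11.SYSTEM.BROKER.** (G)
MA11.** (G)
MI09.** (G)
"""

if __name__ == "__main__":
    print(permit_command("MQ01", "GROUP1", "execute"))
    print(permit_command("MQ01", "GROUP5", "read", server="default"))
    # An empty result means no listed profile covers the node's AUTH profile.
    print(covering_profiles(SAMPLE_SEARCH, "MA11.SYSTEM.BROKER.AUTH"))
```

Feeding the real SEARCH output from the RACFDUMP job into covering_profiles shows whether a grant is taking effect through the intended BROKER.AUTH profile or through a broader generic such as QMGR.** that also covers every other queue.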