Profiles for alternate user security

If alternate user security is active, you must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles.

For more information about AlternateUserId, see AlternateUserID (MQCHAR12).

If alternate user security is active, you must:

  • Define profiles in the MQADMIN or GMQADMIN classes if you are using uppercase profiles.
  • Define profiles in the MXADMIN or GMXADMIN classes if you are using mixed case profiles.
Permit the necessary groups or user IDs access to these profiles, so that they can use the ALTERNATE_USER_AUTHORITY options when the object is opened. Profiles for alternate user security can be specified at subsystem level or at queue-sharing group level and take the following form: 
hlq.ALTERNATE.USER.alternateuserid

Where hlq can be either qmgr-name (queue manager name) or qsg-name (queue sharing group name), and alternateuserid is the value of the AlternateUserId field in the object descriptor.

A profile prefixed by the queue manager name controls use of an alternative user ID on that queue manager. A profile prefixed by the queue sharing group name controls use of an alternative user ID on all queue managers within the queue sharing group. This alternative user ID can be used on any queue manager within the queue sharing group by a user that has the correct access. This access can be overridden on an individual queue manager by defining a queue manager level profile for that alternative user ID on that queue manager.

If your queue manager is a member of a queue sharing group and you are using both queue manager and queue sharing group level security, IBM MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue sharing group name.

The following table shows the access when specifying an alternative user option.

Table 1. Access levels for alternate user security
MQOPEN, MQSUB, or MQPUT1 option RACF® access level required
MQOO_ALTERNATE_USER_AUTHORITY MQSO_ALTERNATE_USER_AUTHORITY MQPMO_ALTERNATE_USER_AUTHORITY UPDATE
In addition to alternate user security checks, other security checks for queue, process, namelist, and context security can also be made. The alternative user ID, if provided, is only used for security checks on queue, process definition, or namelist resources. For alternate user and context security checks, the user ID requesting that the check is used. For details about how user IDs are handled, see User IDs for security checking on z/OS. For a summary table showing the open options and the security checks required when queue, context and alternate user security are all active, see Table 1.

An alternative user profile gives the requesting user ID access to resources associated with the user ID specified in the alternative user ID. For example, the payroll server running under user ID PAYSERV on queue manager QMPY processes requests from personnel user IDs, all of which start with PS. To cause the work performed by the payroll server to be carried out under the user ID of the requesting user, alternative user authority is used. The payroll server knows which user ID to specify as the alternative user ID because the requesting programs generate messages using the MQPMO_DEFAULT_CONTEXT put message option. See User IDs for security checking on z/OS for more details about from where alternative user IDs are obtained.

The following example RACF definitions enable the server program to specify alternative user IDs starting with the characters PS: 
RDEFINE MQADMIN QMPY.ALTERNATE.USER.PS* UACC(NONE)
PERMIT QMPY.ALTERNATE.USER.PS* CLASS(MQADMIN) ID(PAYSERV) ACCESS(UPDATE)
Note:
  1. The AlternateUserId fields in the object descriptor and subscription descriptor are 12 bytes long. All 12 bytes are used in the profile checks, but only the first 8 bytes are used as the user ID by IBM MQ. If this user ID truncation is not desirable, application programs making the request must translate any alternative user ID over 8 bytes into something more appropriate.
  2. If you specify MQOO_ALTERNATE_USER_AUTHORITY, MQSO_ALTERNATE_USER_AUTHORITY, or MQPMO_ALTERNATE_USER_AUTHORITY and we do not specify an AlternateUserId field in the object descriptor, a user ID of blanks is used. For the purposes of the alternate user security check the user ID used for the AlternateUserId qualifier is -BLANK-. For example RDEF MQADMIN hlq.ALTERNATE.USER.-BLANK-.

    If the user is allowed to access this profile, all further checks are made with a user ID of blanks. For details of blank user IDs, see Blank user IDs and UACC levels.

The administration of alternative user IDs is easier if we have a naming convention for user IDs that enables you to use generic alternative user profiles. If they do not, we can use the RACF RACVARS feature. For details about using RACVARS, see the z/OS® SecureWay Security Server RACF Security Administrator's Guide.

When a message is put to a queue that has been opened with alternative user authority and the context of the message has been generated by the queue manager, the MQMD_USER_IDENTIFIER field is set to the alternative user ID.