Profiles used to control access to IBM MQ resources

We must define RACF profiles to control access to IBM MQ resources, in addition to the switch profiles that might have been defined. This collection of topics contains information about the RACF profiles for the different types of IBM MQ resource.

If no resource profile is defined for a particular security check, and a user issues a request that involves making that check, IBM MQ denies access. We do not have to define profiles for security types relating to any security switches that we have deactivated.

  • Profiles for connection security
    If connection security is active, we must define profiles in the MQCONN class and permit the necessary groups or user IDs access to those profiles, so that they can connect to IBM MQ.
  • Profiles for queue security
    If queue security is active, we must define profiles in the appropriate classes and permit the necessary groups or user IDs access to these profiles. Queue security profiles are named after the queue manager or queue sharing group, and the queue to be opened.
  • Profiles for topic security
    If topic security is active, we must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles.
  • Profiles for processes
    If process security is active, we must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles.
  • Profiles for namelists
    If namelist security is active, we must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles.
  • Profiles for alternate user security
    If alternate user security is active, we must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles.
  • Profiles for context security
    IBM MQ uses profiles for controlling access to the context information specific to a particular message. The context is contained within the message descriptor (MQMD).
  • Profiles for command security
    To enable security checking for commands, add profiles to the MQCMDS class. The profile names are based on the MQSC commands but control both MQSC and PCF commands. Profiles can apply to a queue manager or a queue sharing group.
  • Profiles for command resource security
    If we have not defined the command resource security switch profile (that is, we want security checking for resources associated with commands), we must add resource profiles for each resource to the appropriate class. The same security profiles control both MQSC and PCF commands.
