Profiles for command resource security
If we have not defined the command resource security switch profile, because we want security checking for resources associated with commands, we must add resource profiles for each resource to the appropriate class. The same security profiles control both MQSC and PCF commands.
If we have not defined the command resource security switch profile, hlq.NO.CMD.RESC.CHECKS, because we want security checking for resources associated with commands, we must:
- Add a resource profile in the MQADMIN class, if using uppercase profiles, for each resource.
- Add a resource profile in the MXADMIN class, if using mixed case profiles, for each resource.
The same security profiles control both MQSC and PCF commands. Profiles for command resource security checking take the form:
hlq.type.resourcename
where hlq can be either qmgr-name (queue manager name) or qsg-name (queue sharing group name).
A profile prefixed by the queue manager name controls access to the resources associated with commands on that queue manager. A profile prefixed by the queue sharing group name controls access to the resources associated with commands on all queue managers within the queue sharing group. This access can be overridden on an individual queue manager by defining a queue manager level profile for that command resource on that queue manager.
If your queue manager is a member of a queue sharing group and you are using both queue manager and queue sharing group level security, IBM MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue sharing group name.
For example, the RACF profile name for command resource security checking against the model queue CREDIT.WORTHY in subsystem CSQ1 is:
CSQ1.QUEUE.CREDIT.WORTHY
Because the profiles for all types of command resource are held in the MQADMIN class, the "type" part of the profile name is needed in the profile to distinguish between resources of different types that have the same name. The "type" part of the profile name can be CHANNEL, QUEUE, TOPIC, PROCESS, or NAMELIST. For example, a user might be authorized to define hlq.QUEUE.PAYROLL.ONE, but not authorized to define hlq.PROCESS.PAYROLL.ONE.
If the resource type is a queue, and the profile is a queue sharing group level profile, it controls access to one or more local queues within the queue sharing group, or access to a single shared queue from any queue manager in the queue sharing group.
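The lookup order and the role of the "type" qualifier described above can be modelled for an audit of profile names listed from the MQADMIN class. This is an added example, not IBM MQ or RACF code. It assumes command resource checking is active, both queue manager and queue sharing group level security are in use, and exact profile names only (RACF generic profiles are not modelled); the queue sharing group name SQ01 and the function names are made up for the example.

```python
"""Model of the command resource profile lookup order (exact names only)."""

RESOURCE_TYPES = {"CHANNEL", "QUEUE", "TOPIC", "PROCESS", "NAMELIST"}


def candidate_profiles(qmgr, rtype, resource, qsg=None):
    """Return (level, profile) pairs in the order IBM MQ looks for them."""
    rtype = rtype.upper()
    if rtype not in RESOURCE_TYPES:
        raise ValueError(f"unknown command resource type: {rtype}")
    hlqs = [("qmgr", qmgr)]          # queue manager level is checked first
    if qsg:                          # then the queue sharing group level
        hlqs.append(("qsg", qsg))
    return [(level, f"{hlq}.{rtype}.{resource}") for level, hlq in hlqs]


def governing_profile(defined, qmgr, rtype, resource, qsg=None):
    """Return (level, profile, shadowed) for the profile that is checked.

    `shadowed` lists lower-priority profiles that exist but are overridden
    by a queue manager level profile. Returns (None, None, []) when no
    candidate profile is defined.
    """
    hits = [(lvl, p)
            for lvl, p in candidate_profiles(qmgr, rtype, resource, qsg)
            if p in defined]
    if not hits:
        return None, None, []
    level, profile = hits[0]
    return level, profile, [p for _, p in hits[1:]]


# Constructed sample: profile names as they might be listed from MQADMIN.
DEFINED = {
    "CSQ1.QUEUE.CREDIT.WORTHY",   # queue manager level (name from the text)
    "SQ01.QUEUE.CREDIT.WORTHY",   # queue sharing group level, overridden on CSQ1
    "SQ01.QUEUE.PAYROLL.ONE",     # QUEUE profile only; no PROCESS profile
}

if __name__ == "__main__":
    for rtype, name in [("QUEUE", "CREDIT.WORTHY"),
                        ("QUEUE", "PAYROLL.ONE"),
                        ("PROCESS", "PAYROLL.ONE")]:
        print(rtype, name,
              governing_profile(DEFINED, "CSQ1", rtype, name, qsg="SQ01"))
```

A non-empty `shadowed` list marks a resource where a queue manager level profile overrides the queue sharing group level one, which is where access on one queue manager can differ from the rest of the group.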
"MQSC commands, profiles, and their access levels" shows, for each IBM MQ MQSC command, the profiles required for command security checking to be carried out, and the corresponding access level for each profile in the MQCMDS class.
"PCF commands, profiles, and their access levels" shows, for each IBM MQ PCF command, the profiles required for command security checking to be carried out, and the corresponding access level for each profile in the MQCMDS class.
- Command resource security checking for alias queues and remote queues
Alias queues and remote queues both provide indirection to another queue. Additional points apply when you consider security checking for these queues.