Grant access to a user to subscribe to a topic

This topic is the first in a list of tasks that show you how to grant more than one user access to topics.


This task assumes that no administrative topic objects exist and that no profiles have been defined for subscription or publication. The applications are creating new subscriptions, rather than resuming existing ones, and are doing so using the topic string only. An application can make a subscription by providing a topic object, a topic string, or a combination of both. Whichever way the application selects, the effect is to make a subscription at a certain point in the topic tree. If this point in the topic tree is represented by an administrative topic object, a security profile is checked based on the name of that topic object.

Figure 1. Topic object access example

Topic         Subscribe access required   Topic object
Price         No user                     None
Price/Fruit   USER1                       FRUIT

Define a new topic object as follows:


Procedure

  1. Issue the MQSC command DEF TOPIC(FRUIT) TOPICSTR('Price/Fruit').
  2. Grant access as follows:

    • z/OS:

      Grant access to USER1 to subscribe to topic Price/Fruit by granting the user access to the hlq.SUBSCRIBE.FRUIT profile. Do this using the following RACF commands:

      RDEFINE MXTOPIC hlq.SUBSCRIBE.FRUIT UACC(NONE)
      PERMIT hlq.SUBSCRIBE.FRUIT CLASS(MXTOPIC) ID(USER1) ACCESS(ALTER)
      
    • Other platforms: Grant access to USER1 to subscribe to topic Price/Fruit by granting the user access to the FRUIT object. Do this using the authorization command for the platform:

        Windows, UNIX and Linux systems
        setmqaut -t topic -n FRUIT -p USER1 +sub
        

        IBM i
        GRTMQAUT OBJ(FRUIT) OBJTYPE(*TOPIC) USER(USER1) AUT(*SUB)
        


Results

When USER1 attempts to subscribe to topic Price/Fruit the result is success.

When USER2 attempts to subscribe to topic Price/Fruit the result is failure with an MQRC_NOT_AUTHORIZED message, together with:

  • On z/OS, the following messages are seen on the console, showing the full security path through the topic tree that has been attempted:
    ICH408I USER(USER2   ) ...
      hlq.SUBSCRIBE.FRUIT ...
    
    ICH408I USER(USER2   ) ...
      hlq.SUBSCRIBE.SYSTEM.BASE.TOPIC ...
    
  • On other platforms, the following authorization event:
    MQRC_NOT_AUTHORIZED
    ReasonQualifier   MQRQ_SUB_NOT_AUTHORIZED
    UserIdentifier    USER2
    AdminTopicNames   FRUIT, SYSTEM.BASE.TOPIC
    TopicString       "Price/Fruit"
    
  • On IBM i, the following authorization event:
    MQRC_NOT_AUTHORIZED
    ReasonQualifier   MQRQ_SUB_NOT_AUTHORIZED
    UserIdentifier    USER2
    AdminTopicNames   FRUIT, SYSTEM.BASE.TOPIC
    TopicString       "Price/Fruit"
    

Note that this is an illustration of what you see; not all the fields are shown.
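The following added example (not IBM MQ code, and not part of the original page) is a simplified Python model of the check behind these results: it walks from the subscription point up the topic tree, collects the administrative topic objects it passes, and allows the subscribe if any of them grants the user access. It goes slightly beyond the page by also covering topic strings below Price/Fruit; the function names and data structures are hypothetical, and wildcards in topic strings are not modelled.

```python
# Simplified model of the topic-tree authority check described on this page.
# Not IBM MQ code; function and variable names are hypothetical.

ROOT = "SYSTEM.BASE.TOPIC"  # administrative topic object at the root of the tree


def admin_path(topic_string, topic_objects):
    """Return admin topic object names from the subscription point up to the root.

    topic_objects maps a topic string to the administrative topic object
    defined at that node, as DEF TOPIC(FRUIT) TOPICSTR('Price/Fruit') does.
    """
    levels = topic_string.split("/")
    path = []
    # Walk from the full topic string towards the root, one level at a time.
    for depth in range(len(levels), 0, -1):
        node = "/".join(levels[:depth])
        if node in topic_objects:
            path.append(topic_objects[node])
    path.append(ROOT)
    return path


def check_subscribe(user, topic_string, topic_objects, grants):
    """Return (allowed, admin_topic_names) for a subscribe attempt.

    grants maps a topic object name to the set of users holding +sub on it.
    Access is allowed if any object on the path grants it; otherwise the
    whole path is reported, like AdminTopicNames in the authorization event.
    """
    path = admin_path(topic_string, topic_objects)
    allowed = any(user in grants.get(name, set()) for name in path)
    return allowed, path


# Constructed state matching the page: one topic object, one grant.
TOPIC_OBJECTS = {"Price/Fruit": "FRUIT"}
GRANTS = {"FRUIT": {"USER1"}}  # setmqaut -t topic -n FRUIT -p USER1 +sub

if __name__ == "__main__":
    for user in ("USER1", "USER2"):
        ok, names = check_subscribe(user, "Price/Fruit", TOPIC_OBJECTS, GRANTS)
        print(user, "Price/Fruit", "OK" if ok else "MQRC_NOT_AUTHORIZED", names)
    # A subscription at Price has no topic object, so only the root is checked.
    print(check_subscribe("USER1", "Price", TOPIC_OBJECTS, GRANTS))
```

Because a grant on any object in the path is sufficient, a subscribe grant on SYSTEM.BASE.TOPIC makes every per-topic restriction below it ineffective for that user, so review root-level authorities when auditing topic access.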
