Grant another user access to subscribe to only the topic deeper within the tree
This topic is the third in a list of tasks that tells you how to grant access to subscribe to topics by more than one user.
Before starting
This topic uses the setup described in Grant access to a user to subscribe to a topic deeper within the tree.
In the previous task USER2 was refused access to topic Price/Fruit/Apples. This topic tells you how to grant access to that topic, but not to any other topics.
Topic | Subscribe access required | Topic object |
---|---|---|
Price | No user | None |
Price/Fruit | USER1 | FRUIT |
Price/Fruit/Apples | USER1 and USER2 | APPLE |
Price/Fruit/Oranges | USER1 | None |
Procedure
- Define a new topic object by issuing the MQSC command:
    DEF TOPIC(APPLE) TOPICSTR('Price/Fruit/Apples')
- Grant access as follows:
  - z/OS:
    In the previous task USER1 was granted access to subscribe to topic Price/Fruit/Apples by granting the user access to the hlq.SUBSCRIBE.FRUIT profile. This single profile also granted USER1 access to subscribe to Price/Fruit/Oranges and Price/Fruit/#, and this access remains even with the addition of the new topic object and the profiles associated with it. Grant access to USER2 to subscribe to topic Price/Fruit/Apples by granting the user access to the hlq.SUBSCRIBE.APPLE profile. Do this using the following RACF commands:
        RDEFINE MXTOPIC hlq.SUBSCRIBE.APPLE UACC(NONE)
        PERMIT hlq.SUBSCRIBE.APPLE CLASS(MXTOPIC) ID(USER2) ACCESS(ALTER)
  - Other platforms:
    In the previous task USER1 was granted access to subscribe to topic Price/Fruit/Apples by granting the user subscribe access to the FRUIT profile. This single profile also granted USER1 access to subscribe to Price/Fruit/Oranges and Price/Fruit/#, and this access remains even with the addition of the new topic object and the profiles associated with it. Grant access to USER2 to subscribe to topic Price/Fruit/Apples by granting the user subscribe access to the APPLE profile. Do this using the authorization command for the platform:
    - Windows, UNIX and Linux systems:
        setmqaut -t topic -n APPLE -p USER2 +sub
    - IBM i:
        GRTMQAUT OBJ(APPLE) OBJTYPE(*TOPIC) USER(USER2) AUT(*SUB)
Results
On z/OS, when USER1 attempts to subscribe to topic Price/Fruit/Apples, the first security check, on the hlq.SUBSCRIBE.APPLE profile, fails, but on moving up the tree the hlq.SUBSCRIBE.FRUIT profile allows USER1 to subscribe, so the subscription succeeds and no error return code is sent to the MQSUB call. However, a RACF ICH message is generated for the first check:
    ICH408I USER(USER1 ) ... hlq.SUBSCRIBE.APPLE ...
When USER2 attempts to subscribe to topic Price/Fruit/Apples, the result is success because the security check passes on the first profile.
When USER2 attempts to subscribe to topic Price/Fruit/Oranges, the result is failure with an MQRC_NOT_AUTHORIZED message, together with:
- On z/OS, the following messages on the console, which show the full security path through the topic tree that was attempted:
    ICH408I USER(USER2 ) ... hlq.SUBSCRIBE.FRUIT ...
    ICH408I USER(USER2 ) ... hlq.SUBSCRIBE.SYSTEM.BASE.TOPIC ...
- On Windows, UNIX and Linux platforms, the following authorization event:
    MQRC_NOT_AUTHORIZED
    ReasonQualifier MQRQ_SUB_NOT_AUTHORIZED
    UserIdentifier USER2
    AdminTopicNames FRUIT, SYSTEM.BASE.TOPIC
    TopicString "Price/Fruit/Oranges"
- On IBM i, the following authorization event:
    MQRC_NOT_AUTHORIZED
    ReasonQualifier MQRQ_SUB_NOT_AUTHORIZED
    UserIdentifier USER2
    AdminTopicNames FRUIT, SYSTEM.BASE.TOPIC
    TopicString "Price/Fruit/Oranges"
The disadvantage of this setup is that, on z/OS, you receive additional ICH messages on the console. You can avoid this by securing the topic tree in a different manner.
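The tree walk that the results above describe, as an added simulation (not IBM code): the queue manager checks the nearest administrative topic object first and, on a refusal, keeps moving up the tree until a profile grants access or the root SYSTEM.BASE.TOPIC is reached. The topic objects and grants are constructed from this page's table; the list of checked objects is what appears as AdminTopicNames in the authorization event.

```python
# Added example, not IBM's code: simulates the subscribe authority walk
# described on this page. Values are constructed from the page's table.

# Topic string -> administrative topic object attached to that node.
# The empty string is the root of the tree, held by SYSTEM.BASE.TOPIC.
TOPIC_OBJECTS = {
    "": "SYSTEM.BASE.TOPIC",
    "Price/Fruit": "FRUIT",
    "Price/Fruit/Apples": "APPLE",
}

# Topic object -> users holding subscribe (+sub) authority on it.
SUB_AUTH = {
    "FRUIT": {"USER1"},
    "APPLE": {"USER2"},
}


def check_subscribe(user, topic_string):
    """Return (authorized, checked_objects).

    checked_objects lists, in order, every topic object whose profile was
    tested; on failure this is the AdminTopicNames list of the event.
    """
    checked = []
    node = topic_string
    while True:
        obj = TOPIC_OBJECTS.get(node)
        if obj is not None:                 # a topic object sits at this node
            checked.append(obj)
            if user in SUB_AUTH.get(obj, set()):
                return True, checked        # nearest granting profile wins
        if node == "":
            return False, checked           # root reached with no grant
        node = node.rsplit("/", 1)[0] if "/" in node else ""   # move up


def describe(user, topic_string):
    """Render the outcome the way the page's results section does."""
    ok, checked = check_subscribe(user, topic_string)
    if ok:
        return f"{user} sub {topic_string}: OK (granted by {checked[-1]})"
    return (f"{user} sub {topic_string}: MQRC_NOT_AUTHORIZED "
            f"MQRQ_SUB_NOT_AUTHORIZED AdminTopicNames {', '.join(checked)}")


if __name__ == "__main__":
    for u, t in [("USER1", "Price/Fruit/Apples"), ("USER2", "Price/Fruit/Apples"),
                 ("USER2", "Price/Fruit/Oranges")]:
        print(describe(u, t))
```

USER1 on Price/Fruit/Apples is the case that succeeds only on the second check (APPLE refused, FRUIT granted), which is why z/OS logs an ICH408I for APPLE even though the MQSUB call succeeds.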