
Change access control to avoid additional messages

This topic is the fourth in a list of tasks that tell you how to grant more than one user access to subscribe to topics, and how to avoid additional RACF ICH408I messages on z/OS.


Before starting

This topic enhances the setup described in "Grant another user access to subscribe to only the topic deeper within the tree" so that you avoid additional error messages.


About this task

This topic tells you how to grant access to topics deeper in the tree, and how to remove access to the topic lower down the tree when no user requires it.
Figure 1. Example of granting access control to avoid additional messages.

Define a new topic object as follows:


Procedure

  1. Issue the MQSC command DEF TOPIC(ORANGE) TOPICSTR('Price/Fruit/Oranges').
  2. Grant access as follows:

    • z/OS:

      Define a new profile, then grant access to that profile and to the existing profiles, by using the following RACF commands:

      RDEFINE MXTOPIC hlq.SUBSCRIBE.ORANGE UACC(NONE)
      PERMIT hlq.SUBSCRIBE.ORANGE CLASS(MXTOPIC) ID(USER1) ACCESS(ALTER)
      PERMIT hlq.SUBSCRIBE.APPLE CLASS(MXTOPIC) ID(USER1) ACCESS(ALTER)
      
    • Other platforms:

      Set up the equivalent access by using the authorization commands for the platform:

        Windows, UNIX and Linux systems
        setmqaut -t topic -n ORANGE -p USER1 +sub
        setmqaut -t topic -n APPLE -p USER1 +sub
        

        IBM i
        GRTMQAUT OBJ(ORANGE) OBJTYPE(*TOPIC) USER(USER1) AUT(*SUB)
        GRTMQAUT OBJ(APPLE) OBJTYPE(*TOPIC) USER(USER1) AUT(*SUB)
        


Results

On z/OS, when USER1 attempts to subscribe to topic Price/Fruit/Apples, the first security check on the hlq.SUBSCRIBE.APPLE profile succeeds.

Similarly, when USER2 attempts to subscribe to topic Price/Fruit/Apples, the result is success because the security check passes on the first profile.

When USER2 attempts to subscribe to topic Price/Fruit/Oranges, the result is failure with an MQRC_NOT_AUTHORIZED message, together with:

  • On z/OS, the following messages are seen on the console, showing the full security path through the topic tree that has been attempted:
    ICH408I USER(USER2   ) ...
      hlq.SUBSCRIBE.ORANGE ...
    
    ICH408I USER(USER2   ) ...
      hlq.SUBSCRIBE.FRUIT ...
    
    ICH408I USER(USER2   ) ...
      hlq.SUBSCRIBE.SYSTEM.BASE.TOPIC ...
    
  • On other platforms, the following authorization event:
    MQRC_NOT_AUTHORIZED
    ReasonQualifier	  MQRQ_SUB_NOT_AUTHORIZED
    UserIdentifier	    USER2
    AdminTopicNames	  ORANGE, FRUIT, SYSTEM.BASE.TOPIC
    TopicString		   "Price/Fruit/Oranges"
    
  • On IBM i, the following authorization event:
    MQRC_NOT_AUTHORIZED
    ReasonQualifier	  MQRQ_SUB_NOT_AUTHORIZED
    UserIdentifier	    USER2
    AdminTopicNames	  ORANGE, FRUIT, SYSTEM.BASE.TOPIC
    TopicString		   "Price/Fruit/Oranges"
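
The results above follow from the check walking up the topic tree from the closest topic object until one grants access. The Python sketch below is an added example, not part of the original documentation or any IBM code: it is a simplified model that shows which checks fail for each subscribe request before and after this task. The topic strings for APPLE and FRUIT, and the "before" grants (USER1 on FRUIT, USER2 on APPLE), are assumptions based on the earlier tasks in this series.

```python
# Simplified model of the subscribe check walking up the topic tree.
# ORANGE is defined on this page; SYSTEM.BASE.TOPIC is the root of the tree.
TOPIC_OBJECTS = {
    "SYSTEM.BASE.TOPIC": "",
    "FRUIT": "Price/Fruit",          # assumption: defined in an earlier task
    "APPLE": "Price/Fruit/Apples",   # assumption: defined in an earlier task
    "ORANGE": "Price/Fruit/Oranges",
}

# Assumed state before this task: USER1 on FRUIT only, USER2 on APPLE only.
BEFORE = {"FRUIT": {"USER1"}, "APPLE": {"USER2"}}
# State after the commands on this page (USER1 added to APPLE and ORANGE).
AFTER = {"FRUIT": {"USER1"}, "APPLE": {"USER1", "USER2"}, "ORANGE": {"USER1"}}


def admin_path(topic_string):
    """Admin topic objects covering topic_string, closest first, root last."""
    want = topic_string.split("/") if topic_string else []
    hits = []
    for name, ts in TOPIC_OBJECTS.items():
        have = ts.split("/") if ts else []
        if want[:len(have)] == have:
            hits.append((len(have), name))
    return [name for _, name in sorted(hits, reverse=True)]


def check_subscribe(user, topic_string, grants):
    """Return (allowed, denied). denied lists each object whose check failed:
    one ICH408I per entry on z/OS, or AdminTopicNames on a final failure."""
    denied = []
    for name in admin_path(topic_string):
        if user in grants.get(name, set()):
            return True, denied
        denied.append(name)
    return False, denied


if __name__ == "__main__":
    cases = [("USER1", "Price/Fruit/Apples", BEFORE),
             ("USER1", "Price/Fruit/Apples", AFTER),
             ("USER2", "Price/Fruit/Apples", AFTER),
             ("USER2", "Price/Fruit/Oranges", AFTER)]
    for user, topic, grants in cases:
        allowed, denied = check_subscribe(user, topic, grants)
        print(user, topic, "allowed" if allowed else "MQRC_NOT_AUTHORIZED", denied)
```

An empty denied list on a successful request means no failed checks were logged on the way to the grant, which is the effect this task aims for.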
    


Last updated: 2020-10-04