Grant access for publish and subscribe
This topic is the last in a list of tasks that tell you how to grant more than one user access to publish and subscribe to topics.
Before starting
This topic uses the setup described in Grant access to a user to publish to a topic deeper within the tree.
In a previous task, USER1 was given access to subscribe to the topic Price/Fruit. This topic tells you how to grant access to that user to publish to that topic.
Topic | Subscribe access required | Publish access required | Topic object |
---|---|---|---|
Price | No user | No user | None |
Price/Fruit | USER1 | USER1 | FRUIT |
Price/Fruit/Apples | USER1 and USER2 | | APPLE |
Price/Fruit/Oranges | USER1 | | ORANGE |
Procedure
Grant access as follows:
- z/OS:
  In an earlier task, USER1 was granted access to subscribe to topic Price/Fruit by granting the user access to the hlq.SUBSCRIBE.FRUIT profile.
  In order to publish to the Price/Fruit topic, grant access to USER1 to the hlq.PUBLISH.FRUIT profile. Do this using the following RACF commands:
    RDEFINE MXTOPIC hlq.PUBLISH.FRUIT UACC(NONE)
    PERMIT hlq.PUBLISH.FRUIT CLASS(MXTOPIC) ID(USER1) ACCESS(ALTER)
- Other platforms:
  Grant access to USER1 to publish to topic Price/Fruit by granting the user publish access to the FRUIT profile. Do this using the authorization command for the platform:
  - Windows, UNIX and Linux systems
      setmqaut -t topic -n FRUIT -p USER1 +pub
  - IBM i
      GRTMQAUT OBJ(FRUIT) OBJTYPE(*TOPIC) USER(USER1) AUT(*PUB)
Results
On z/OS, when USER1 attempts to publish to topic Price/Fruit, the security check on the MQOPEN call passes.
When USER2 attempts to publish to topic Price/Fruit, the result is failure with an MQRC_NOT_AUTHORIZED message, together with:
- On z/OS, the following messages are seen on the console, showing the full security path through the topic tree that has been attempted:
    ICH408I USER(USER2 ) ... hlq.PUBLISH.FRUIT ...
    ICH408I USER(USER2 ) ... hlq.PUBLISH.SYSTEM.BASE.TOPIC ...
- On Windows, UNIX, and Linux platforms, the following authorization event:
    MQRC_NOT_AUTHORIZED
    ReasonQualifier MQRQ_OPEN_NOT_AUTHORIZED
    UserIdentifier USER2
    AdminTopicNames FRUIT, SYSTEM.BASE.TOPIC
    TopicString "Price/Fruit"
- On IBM i, the following authorization event:
    MQRC_NOT_AUTHORIZED
    ReasonQualifier MQRQ_OPEN_NOT_AUTHORIZED
    UserIdentifier USER2
    AdminTopicNames FRUIT, SYSTEM.BASE.TOPIC
    TopicString "Price/Fruit"
Completing the full set of these tasks gives USER1 and USER2 the following access authorities for publish and subscribe to the topics listed:
Topic | Subscribe access required | Publish access required | Topic object |
---|---|---|---|
Price | No user | No user | None |
Price/Fruit | USER1 | USER1 | FRUIT |
Price/Fruit/Apples | USER1 and USER2 | | APPLE |
Price/Fruit/Oranges | USER1 | | ORANGE |
Price/Vegetables | USER1 | | VEG |
Price/Vegetables/Potatoes | | | |
Price/Vegetables/Onions | | | |
Where you have different requirements for security access at different levels within the topic tree, careful planning ensures that you do not receive extraneous security warnings on the z/OS console log. Setting up security at the correct level within the tree avoids misleading security messages.
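The following Python sketch is an added example, not IBM MQ code: it models the check described in the Results section as a walk from the nearest topic object up to SYSTEM.BASE.TOPIC, granting access if any object on that path carries the authority. The function names, the GRANTS table (taken from the setmqaut command and the table above) and the dictionary form of the event are assumptions made for illustration.

```python
# Simplified model of the topic-tree authority check (illustrative, not MQ code).
BASE = "SYSTEM.BASE.TOPIC"

# Topic string -> administrative topic object, as in the table on this page.
TOPIC_OBJECTS = {
    "Price/Fruit": "FRUIT",
    "Price/Fruit/Apples": "APPLE",
    "Price/Fruit/Oranges": "ORANGE",
    "Price/Vegetables": "VEG",
}

# Assumed grants: "+pub" on FRUIT for USER1 comes from this task; the
# subscribe grants are read off the "Subscribe access required" column.
GRANTS = {
    ("FRUIT", "USER1"): {"pub", "sub"},
    ("APPLE", "USER2"): {"sub"},
    ("VEG", "USER1"): {"sub"},
}


def security_path(topic_string):
    """Topic objects consulted for topic_string: nearest node first, base last."""
    parts = topic_string.split("/")
    path = []
    for depth in range(len(parts), 0, -1):
        obj = TOPIC_OBJECTS.get("/".join(parts[:depth]))
        if obj:
            path.append(obj)
    return path + [BASE]


def check(user, topic_string, authority):
    """Return (allowed, event); event mirrors the authorization event fields."""
    path = security_path(topic_string)
    if any(authority in GRANTS.get((obj, user), set()) for obj in path):
        return True, None
    return False, {
        "Reason": "MQRC_NOT_AUTHORIZED",
        "ReasonQualifier": "MQRQ_OPEN_NOT_AUTHORIZED",
        "UserIdentifier": user,
        "AdminTopicNames": path,
        "TopicString": topic_string,
    }


if __name__ == "__main__":
    for user in ("USER1", "USER2"):
        print(user, check(user, "Price/Fruit", "pub"))
```

A denial lists every object on the path, which is why a grant placed at the wrong level shows up as several console messages or AdminTopicNames entries rather than one.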