Profiles for queue security
If queue security is active, define profiles in the MQQUEUE or GMQQUEUE classes and permit the necessary groups or user IDs access to these profiles, so they can issue WebSphere MQ API requests that use queues.
Profiles for queue security take the form:
hlq.queuename
where hlq can be either qmgr-name (queue manager name) or qsg-name (queue-sharing group name), and queuename is the name of the queue being opened, as specified in the object descriptor on the MQOPEN or MQPUT1 call.
A profile prefixed by the queue manager name controls access to a single queue on that queue manager. A profile prefixed by the queue-sharing group name controls access to one or more queues with that queue name on all queue managers within the queue-sharing group, or access to a shared queue by any queue manager within the group. This access can be overridden on an individual queue manager by defining a queue-manager level profile for that queue on that queue manager.
If your queue manager is a member of a queue-sharing group and you are using both queue manager and queue-sharing group level security, WebSphere MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue-sharing group name.
If you are using shared queues, you are recommended to use queue-sharing group level security.
For details of how queue security operates when the queue name is that of an alias or a model queue, see Considerations for alias queues and Considerations for model queues.
The RACF access required to open a queue depends on the MQOPEN or MQPUT1 options specified. If more than one of the MQOO_* and MQPMO_* options is coded, the queue security check is performed for the highest RACF authority required.
Table 39. Access levels for queue security

MQOPEN or MQPUT1 option                                      RACF access level required to access hlq.queuename
MQOO_BROWSE                                                  READ
MQOO_INQUIRE                                                 READ
MQOO_BIND_*                                                  UPDATE
MQOO_INPUT_*                                                 UPDATE
MQOO_OUTPUT or MQPUT1                                        UPDATE
MQOO_PASS_ALL_CONTEXT or MQPMO_PASS_ALL_CONTEXT              UPDATE
MQOO_PASS_IDENTITY_CONTEXT or MQPMO_PASS_IDENTITY_CONTEXT    UPDATE
MQOO_SAVE_ALL_CONTEXT                                        UPDATE
MQOO_SET_IDENTITY_CONTEXT or MQPMO_SET_IDENTITY_CONTEXT      UPDATE
MQOO_SET_ALL_CONTEXT or MQPMO_SET_ALL_CONTEXT                UPDATE
MQOO_SET                                                     ALTER

For example, on WebSphere MQ queue manager QM77, all user IDs in the RACF group PAYGRP are to be given access to get messages from or put messages to all queues with names beginning with 'PAY.'. We can do this using these RACF commands:
RDEFINE MQQUEUE QM77.PAY.** UACC(NONE)
PERMIT QM77.PAY.** CLASS(MQQUEUE) ID(PAYGRP) ACCESS(UPDATE)
Also, all user IDs in the PAYGRP group must have access to put messages on queues that do not follow the PAY naming convention. For example:
REQUEST_QUEUE_FOR_PAYROLL
SALARY.INCREASE.SERVER
REPLIES.FROM.SALARY.MODEL
We can do this by defining profiles for these queues in the GMQQUEUE class and giving access to that class as follows:
RDEFINE GMQQUEUE PAYROLL.EXTRAS UACC(NONE) ADDMEM(QM77.REQUEST_QUEUE_FOR_PAYROLL, QM77.SALARY.INCREASE.SERVER, QM77.REPLIES.FROM.SALARY.MODEL)
PERMIT PAYROLL.EXTRAS CLASS(GMQQUEUE) ID(PAYGRP) ACCESS(UPDATE)
Notes:
- If the RACF access level that an application has to a queue security profile is changed, the changes only take effect for any new object handles obtained (that is, new MQOPENs) for that queue. Those handles already in existence at the time of the change retain their existing access to the queue. If an application is required to use its changed access level to the queue rather than its existing access level, it must close and reopen the queue for each object handle that requires the change.
- In the example, the queue manager name QM77 could also be the name of a queue-sharing group.
Other types of security checks might also occur at the time the queue is opened depending on the open options specified and the types of security that are active. See also Profiles for context security and Profiles for alternate user security. For a summary table showing the open options and the security authorization needed when queue, context, and alternate user security are all active, see Table 43.
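The following Python model is an added illustration, not IBM code, of the two rules this page describes: the profile lookup order (a queue-manager-prefixed profile first, then a queue-sharing-group-prefixed one) across the MQQUEUE and GMQQUEUE classes, and the "highest RACF authority required" rule from Table 39. It replays the page's own RDEFINE/PERMIT example for QM77 and PAYGRP, and adds an assumed queue-sharing group QSG1 with a second queue manager QM78 and a QSG-level profile granting only READ, to show the override. The generic-name matching, the "most specific profile wins" tie-break and the treatment of a resource with no covering profile are simplifications labelled in the comments; they are not RACF's full rules.

```python
import re

# RACF access levels, lowest to highest.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Table 39: option (or option-name prefix ending in '_') -> access required.
REQUIRED = {
    "MQOO_BROWSE": "READ", "MQOO_INQUIRE": "READ",
    "MQOO_BIND_": "UPDATE", "MQOO_INPUT_": "UPDATE",
    "MQOO_OUTPUT": "UPDATE", "MQPUT1": "UPDATE",
    "MQOO_PASS_ALL_CONTEXT": "UPDATE", "MQPMO_PASS_ALL_CONTEXT": "UPDATE",
    "MQOO_PASS_IDENTITY_CONTEXT": "UPDATE", "MQPMO_PASS_IDENTITY_CONTEXT": "UPDATE",
    "MQOO_SAVE_ALL_CONTEXT": "UPDATE",
    "MQOO_SET_IDENTITY_CONTEXT": "UPDATE", "MQPMO_SET_IDENTITY_CONTEXT": "UPDATE",
    "MQOO_SET_ALL_CONTEXT": "UPDATE", "MQPMO_SET_ALL_CONTEXT": "UPDATE",
    "MQOO_SET": "ALTER",
}


def required_access(options):
    """Highest RACF access level required by all MQOO_*/MQPMO_* options coded."""
    needed = "NONE"
    for opt in options:
        for key, level in REQUIRED.items():
            hit = opt.startswith(key) if key.endswith("_") else opt == key
            if hit and ACCESS_ORDER.index(level) > ACCESS_ORDER.index(needed):
                needed = level
    return needed


def _generic_to_regex(profile):
    """Simplified RACF generic naming (assumption, not the complete rule set):
    '**' matches any characters including periods, '*' matches within one
    qualifier, '%' matches exactly one character."""
    out, i = "", 0
    while i < len(profile):
        if profile.startswith("**", i):
            out, i = out + ".*", i + 2
        elif profile[i] == "*":
            out, i = out + "[^.]*", i + 1
        elif profile[i] == "%":
            out, i = out + "[^.]", i + 1
        else:
            out, i = out + re.escape(profile[i]), i + 1
    return re.compile("^" + out + "$")


class RacfModel:
    """Toy RACF database holding MQQUEUE and GMQQUEUE profiles and group membership."""

    def __init__(self):
        self.mqqueue = {}    # profile -> access list {id: level}; '*' holds UACC
        self.gmqqueue = {}   # profile -> (ADDMEM members, access list)
        self.groups = {}     # user -> set of RACF groups

    def rdefine_mqqueue(self, profile, uacc="NONE"):
        self.mqqueue[profile] = {"*": uacc}

    def rdefine_gmqqueue(self, profile, members, uacc="NONE"):
        self.gmqqueue[profile] = (list(members), {"*": uacc})

    def permit(self, profile, racf_class, rid, access):
        acl = self.mqqueue[profile] if racf_class == "MQQUEUE" else self.gmqqueue[profile][1]
        acl[rid] = access

    def connect(self, user, group):
        self.groups.setdefault(user, set()).add(group)

    def _held(self, acl, user):
        ids = ["*", user] + sorted(self.groups.get(user, ()))
        return max((acl.get(i, "NONE") for i in ids), key=ACCESS_ORDER.index)

    def resource_access(self, user, resource):
        """Level user holds on 'hlq.queuename', or None if no profile covers it."""
        hits = [p for p in self.mqqueue if _generic_to_regex(p).match(resource)]
        if hits:  # assumption: fewest wildcard characters = most specific profile
            best = min(hits, key=lambda p: (p.count("*") + p.count("%"), -len(p)))
            return self._held(self.mqqueue[best], user)
        for members, acl in self.gmqqueue.values():
            if resource in members:
                return self._held(acl, user)
        return None


def check_open(racf, user, qmgr, qsg, queue, options):
    """Queue security check: queue-manager profile first, then the QSG profile.
    Returns (allowed, hlq of the profile used, required level, held level)."""
    needed = required_access(options)
    for hlq in [qmgr] + ([qsg] if qsg else []):
        held = racf.resource_access(user, f"{hlq}.{queue}")
        if held is not None:
            return ACCESS_ORDER.index(held) >= ACCESS_ORDER.index(needed), hlq, needed, held
    # Assumption in this model: no covering profile at either level fails the check.
    return False, None, needed, "NONE"


def build_example():
    """The page's QM77/PAYGRP commands, plus an assumed QSG1 profile granting READ."""
    racf = RacfModel()
    racf.connect("PAYUSR", "PAYGRP")                      # constructed sample user
    racf.rdefine_mqqueue("QM77.PAY.**")                   # RDEFINE MQQUEUE QM77.PAY.** UACC(NONE)
    racf.permit("QM77.PAY.**", "MQQUEUE", "PAYGRP", "UPDATE")
    racf.rdefine_gmqqueue("PAYROLL.EXTRAS", ["QM77.REQUEST_QUEUE_FOR_PAYROLL",
                          "QM77.SALARY.INCREASE.SERVER", "QM77.REPLIES.FROM.SALARY.MODEL"])
    racf.permit("PAYROLL.EXTRAS", "GMQQUEUE", "PAYGRP", "UPDATE")
    racf.rdefine_mqqueue("QSG1.PAY.**")                   # assumed QSG-level profile
    racf.permit("QSG1.PAY.**", "MQQUEUE", "PAYGRP", "READ")
    return racf


if __name__ == "__main__":
    r = build_example()
    print(check_open(r, "PAYUSR", "QM77", "QSG1", "PAY.INPUT", ["MQOO_INPUT_SHARED"]))
    print(check_open(r, "PAYUSR", "QM78", "QSG1", "PAY.INPUT", ["MQOO_OUTPUT"]))
```

Running it shows the two outcomes the text predicts: on QM77 the queue-manager profile QM77.PAY.** is found first and UPDATE satisfies MQOO_INPUT_SHARED, while on QM78 (no queue-manager-level profile) the lookup falls back to QSG1.PAY.**, where READ is not enough for MQOO_OUTPUT. Coding MQOO_SET alongside any other option raises the requirement to ALTER, which PAYGRP does not hold.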