Using the RESLEVEL security profile

 

You can define a special profile in the MQADMIN class to control the number of user IDs checked for API-resource security. How this RESLEVEL profile affects API-resource security depends on how you are accessing WebSphere MQ.

Important notes about using RESLEVEL:

  1. RESLEVEL is a very powerful option; it can cause the bypassing of all resource security checks for a particular connection. This means that RACF cannot audit these resource checks.

  2. You can use the RESAUDIT system parameter to switch RESLEVEL auditing off.

  3. Using the RESLEVEL profile means that normal security audit records are not taken. For example, if you put UAUDIT on a user, the access to the hlq.RESLEVEL profile in MQADMIN is not audited.

  4. If you use the RACF WARNING option on the hlq.RESLEVEL profile, no RACF warning messages are produced for profiles in the RESLEVEL class.

  5. If you do not have a RESLEVEL profile defined, be careful that no other profile in the MQADMIN class matches hlq.RESLEVEL. For example, if you have a profile in MQADMIN called hlq.** and no hlq.RESLEVEL profile, beware of the consequences of the hlq.** profile because it is used for the RESLEVEL check.

    You should define an hlq.RESLEVEL profile and set the UACC to NONE, rather than not have a RESLEVEL profile at all. You should have as few users or groups in the access list as possible. For details about how to audit RESLEVEL access, see Auditing considerations.

  6. If you make any changes to the RESLEVEL profile, users must disconnect and connect again before the change takes effect. (This includes stopping and restarting the channel initiator if the access that the distributed queuing address space user ID has to the RESLEVEL profile is changed.)
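
The check described in note 5 can be run offline against a transcribed list of MQADMIN profiles. The following is an added example, not IBM code: the profile data is constructed, CSQ1 and CSQ2 stand in for hlq, the generic matching is a simplified approximation of RACF's rules, and the max_ids threshold is an assumed local policy value.

```python
import re

# Constructed sample MQADMIN profiles: (name, UACC, access-list IDs).
# "CSQ1" and "CSQ2" stand in for hlq; none of this comes from a real system.
SAMPLE_PROFILES = [
    ("CSQ1.**", "READ", ["MQADM", "OPSGRP", "APPGRP"]),
    ("CSQ1.QUEUE.*", "NONE", ["MQADM"]),
    ("CSQ2.**", "READ", ["MQADM", "OPSGRP"]),
    ("CSQ2.RESLEVEL", "NONE", ["CICSRGN"]),
]

def _matches(profile, resource):
    """Simplified generic match: % = one character, * = rest of one
    qualifier, ** = zero or more whole qualifiers."""
    pieces = []
    for part in profile.split("."):
        if part == "**":
            pieces.append(r"(?:\.[^.]+)*")
        else:
            body = "".join("[^.]" if c == "%" else "[^.]*" if c == "*"
                           else re.escape(c) for c in part)
            pieces.append(r"\." + body)
    return re.fullmatch("".join(pieces), "." + resource) is not None

def governing_profile(resource, profiles):
    """Return the profile used for the check on `resource`: the matching
    profile with the longest literal prefix (an approximation of RACF's
    most-specific-profile rule), or None if nothing matches."""
    def literal_len(name):
        return len(re.split(r"[*%]", name, maxsplit=1)[0])
    hits = [p for p in profiles if _matches(p[0], resource)]
    return max(hits, key=lambda p: literal_len(p[0]), default=None)

def audit_reslevel(hlq, profiles, max_ids=2):
    """Return findings for the hlq.RESLEVEL check; max_ids is an assumed
    local threshold for 'as few users or groups as possible'."""
    target = f"{hlq}.RESLEVEL"
    prof = governing_profile(target, profiles)
    if prof is None:
        return [f"{target}: no profile defined; define it with UACC(NONE)"]
    name, uacc, ids = prof
    findings = []
    if name != target:
        findings.append(f"{target}: check falls through to generic {name}")
    if uacc != "NONE":
        findings.append(f"{target}: governing profile has UACC({uacc})")
    if len(ids) > max_ids:
        findings.append(f"{target}: {len(ids)} IDs in access list")
    return findings
```

With the sample data, CSQ1 produces three findings because hlq.** is used for the RESLEVEL check, while CSQ2 is clean because its own hlq.RESLEVEL profile with UACC NONE takes precedence over the generic one.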