Blank user IDs and UACC levels

Blank user IDs can exist when a user is manipulating messages using context or alternate-user security, or when WebSphere MQ is passed a blank user ID. For example, a blank user ID is used when a message is written to the system-command input queue without context.

Note:
A user ID of '"* "' (that is, an asterisk character followed by seven spaces) is treated as a blank user ID.

WebSphere MQ passes the blank user ID to RACF and a RACF undefined user is signed on. All security checks then use the universal access (UACC) for the relevant profile. Depending on how you have set your access levels, the UACC might give the undefined user a wide-ranging access.

For example, if you issue this RACF command from TSO:

RDEFINE MQQUEUE Q.AVAILABLE.TO.EVERYONE UACC(UPDATE)

you define a profile that enables both z/OS-defined user IDs (that have not been put in the access list) and the RACF undefined user ID to put messages on, and get messages from, that queue.

To protect against blank user IDs plan your access levels carefully, and limit the number of people who can use context and alternate-user security. You must prevent people using the RACF undefined user ID from getting access to resources that they should not. However, at the same time, allow access to people with defined user IDs. To do this, we can specify a user ID of asterisk (*) in a RACF command PERMIT. For example, these RACF commands prevent the RACF undefined user ID from gaining access to the queue to put or get messages:

RDEFINE MQQUEUE Q.AVAILABLE.TO.RACF.DEFINED.USERS.ONLY UACC(NONE)
PERMIT Q.AVAILABLE.TO.RACF.DEFINED.USERS.ONLY CLASS(MQQUEUE) ACCESS(UPDATE) ID(*)