Profiles for connection security

If connection security is active, define profiles in the MQCONN class and permit the necessary groups or user IDs access to those profiles, so that they can connect to WebSphere MQ.

To enable a connection to be made, grant users RACF READ access to the appropriate profile. (If no queue manager level profile exists, and your queue manager is a member of a queue-sharing group, checks might be made against queue-sharing group level profiles, if the security is set up to do this.)

A connection profile qualified with a queue manager name controls access to a specific queue manager and users given access to this profile can connect to that queue manager. A connection profile qualified with queue-sharing group name controls access to all queue managers within the queue-sharing group for that connection type. For example, a user with access to

QS01.BATCH can use a batch connection to any queue manager in queue-sharing group QS01 that has not got a queue manager level profile defined.

Notes:

1. For information about the user IDs checked for different security requests, see User IDs for security checking.

2. Resource level security (RESLEVEL) checks are also made at connection time. For details, see Using the RESLEVEL security profile.

WebSphere MQ security recognizes the following different types of connection:

• Batch (and batch-type) connections, these include:

  • z/OS batch jobs

  • TSO applications

  • USS sign-ons

  • DB2 stored procedures

• CICS connections

• IMS connections from control and application processing regions

• The WebSphere MQ channel initiator