API-resource security access quick reference

Table 43 summarizes the MQOPEN, MQPUT1, and MQCLOSE options and the access required by the different resource security types.

Table 43. MQOPEN, MQPUT1, and MQCLOSE options and the security authorization required

Callouts shown like this (1) refer to the notes following this table.

Minimum RACF access level required:

| Option | RACF class: MQQUEUE (1), RACF profile: (2) | RACF class: MQADMIN, RACF profile: (3) | RACF class: MQADMIN, RACF profile: (4) |
|---|---|---|---|
| MQOPEN option | | | |
| MQOO_INQUIRE (1) | READ (5) | No check | No check |
| MQOO_BROWSE | READ | No check | No check |
| MQOO_INPUT_* | UPDATE | No check | No check |
| MQOO_SAVE_ALL_CONTEXT (6) | UPDATE | No check | No check |
| MQOO_OUTPUT (USAGE=NORMAL) (7) | UPDATE | No check | No check |
| MQOO_PASS_IDENTITY_CONTEXT (8) | UPDATE | READ | No check |
| MQOO_PASS_ALL_CONTEXT (8) (9) | UPDATE | READ | No check |
| MQOO_SET_IDENTITY_CONTEXT (8) (9) | UPDATE | UPDATE | No check |
| MQOO_SET_ALL_CONTEXT (8) (10) | UPDATE | CONTROL | No check |
| MQOO_OUTPUT (USAGE (XMITQ)) (11) | UPDATE | CONTROL | No check |
| MQOO_SET | ALTER | No check | No check |
| MQOO_ALTERNATE_USER_AUTHORITY (1) | (12) | (12) | UPDATE |
| MQPUT1 option | | | |
| Put on a normal queue (7) | UPDATE | No check | No check |
| MQPMO_PASS_IDENTITY_CONTEXT | UPDATE | READ | No check |
| MQPMO_PASS_ALL_CONTEXT | UPDATE | READ | No check |
| MQPMO_SET_IDENTITY_CONTEXT | UPDATE | UPDATE | No check |
| MQPMO_SET_ALL_CONTEXT | UPDATE | CONTROL | No check |
| MQOO_OUTPUT Put on a transmission queue (11) | UPDATE | CONTROL | No check |
| MQPMO_ALTERNATE_USER_AUTHORITY | (13) | (13) | UPDATE |
| MQCLOSE option | | | |
| MQCO_DELETE (14) | ALTER | No check | No check |
| MQCO_DELETE_PURGE (14) | ALTER | No check | No check |

Notes:

  1. This option is not restricted to queues. Use the MQNLIST class for namelists, and the MQPROC class for processes.

  2. Use RACF profile: hlq.resourcename

  3. Use RACF profile: hlq.CONTEXT.queuename

  4. Use RACF profile: hlq.ALTERNATE.USER.alternateuserid

    alternateuserid is the user identifier that is specified in the AlternateUserId field of the object descriptor. Note that up to 12 characters of the AlternateUserId field are used for this check, unlike other checks where only the first 8 characters of a user identifier are used.

  5. No check is made when opening the queue manager for inquiries.

  6. MQOO_INPUT_* must be specified as well. This is valid for a local, model or alias queue.

  7. This check is done for a local or model queue that has a Usage queue attribute of MQUS_NORMAL, and also for an alias or remote queue (that is defined to the connected queue manager). If the queue is a remote queue that is opened specifying an ObjectQMgrName (not the name of the connected queue manager) explicitly, the check is carried out against the queue with the same name as ObjectQMgrName (which must be a local queue with a Usage queue attribute of MQUS_TRANSMISSION).

  8. MQOO_OUTPUT must be specified as well.

  9. MQOO_PASS_IDENTITY_CONTEXT is implied as well by this option.

  10. MQOO_PASS_IDENTITY_CONTEXT, MQOO_PASS_ALL_CONTEXT and MQOO_SET_IDENTITY_CONTEXT are implied as well by this option.

  11. This check is done for a local or model queue that has a Usage queue attribute of MQUS_TRANSMISSION, and is being opened directly for output. It does not apply if a remote queue is being opened.

  12. At least one of MQOO_INQUIRE, MQOO_BROWSE, MQOO_INPUT_*, MQOO_OUTPUT or MQOO_SET must be specified as well. The check carried out is the same as that for the other options specified.

  13. The check carried out is the same as that for the other options specified.

  14. This only applies for permanent dynamic queues that have been opened directly, that is, not opened through a model queue. No security is required to delete a temporary dynamic queue.
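
The following is an added example, not part of the original reference or of any IBM-supplied code. It combines the MQOPEN rows of Table 43 with notes 4, 6, 8 and 12 to work out, for one open of a local queue, the minimum access an audit should expect on each RACF profile. The function name required_access, the helper tables, and the sample values QM1, PAYROLL.IN and BATCHUSER0123456 are constructed for illustration.

```python
LEVELS = ["No check", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF levels, low to high

# MQOPEN option -> (access on hlq.resourcename, access on hlq.CONTEXT.queuename)
TABLE = {
    "MQOO_INQUIRE": ("READ", "No check"),
    "MQOO_BROWSE": ("READ", "No check"),
    "MQOO_INPUT_*": ("UPDATE", "No check"),
    "MQOO_SAVE_ALL_CONTEXT": ("UPDATE", "No check"),
    "MQOO_PASS_IDENTITY_CONTEXT": ("UPDATE", "READ"),
    "MQOO_PASS_ALL_CONTEXT": ("UPDATE", "READ"),
    "MQOO_SET_IDENTITY_CONTEXT": ("UPDATE", "UPDATE"),
    "MQOO_SET_ALL_CONTEXT": ("UPDATE", "CONTROL"),
    "MQOO_SET": ("ALTER", "No check"),
}
# MQOO_OUTPUT depends on the Usage attribute of the queue (notes 7 and 11)
OUTPUT = {"NORMAL": ("UPDATE", "No check"), "XMITQ": ("UPDATE", "CONTROL")}
CONTEXT_OPTS = {k for k, v in TABLE.items() if v[1] != "No check"}
BASE = {"MQOO_INQUIRE", "MQOO_BROWSE", "MQOO_INPUT_*", "MQOO_OUTPUT", "MQOO_SET"}

def required_access(hlq, queue, options, usage="NORMAL", alt_user=None):
    """Return {(RACF class, profile): minimum access} for one MQOPEN of a local queue."""
    opts = {"MQOO_INPUT_*" if o.startswith("MQOO_INPUT_") else o for o in options}
    if "MQOO_SAVE_ALL_CONTEXT" in opts and "MQOO_INPUT_*" not in opts:
        raise ValueError("note 6: MQOO_SAVE_ALL_CONTEXT needs MQOO_INPUT_*")
    if opts & CONTEXT_OPTS and "MQOO_OUTPUT" not in opts:
        raise ValueError("note 8: context options need MQOO_OUTPUT")
    alt = "MQOO_ALTERNATE_USER_AUTHORITY" in opts
    opts.discard("MQOO_ALTERNATE_USER_AUTHORITY")
    if alt and not (opts & BASE and alt_user):
        raise ValueError("note 12: needs another open option and an AlternateUserId")
    # The highest level across all options wins; options implied by notes 9 and 10
    # never ask for more than the option that implies them.
    q = ctx = 0
    for o in opts:
        a, b = OUTPUT[usage] if o == "MQOO_OUTPUT" else TABLE[o]
        q, ctx = max(q, LEVELS.index(a)), max(ctx, LEVELS.index(b))
    need = {("MQQUEUE", f"{hlq}.{queue}"): LEVELS[q]}
    if ctx:
        need[("MQADMIN", f"{hlq}.CONTEXT.{queue}")] = LEVELS[ctx]
    if alt:
        # Note 4: up to 12 characters of AlternateUserId are used for this check
        need[("MQADMIN", f"{hlq}.ALTERNATE.USER.{alt_user[:12]}")] = "UPDATE"
    return need

if __name__ == "__main__":
    opts = ["MQOO_OUTPUT", "MQOO_SET_ALL_CONTEXT", "MQOO_ALTERNATE_USER_AUTHORITY"]
    for key, level in required_access("QM1", "PAYROLL.IN", opts, alt_user="BATCHUSER0123456").items():
        print(key, level)
```
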