Authority checks on z/OS
WebSphere MQ uses the System Authorization Facility (SAF) to route requests for authority checks to an external security manager (ESM) such as the z/OS Security Server Resource Access Control Facility (RACF). WebSphere MQ does no authority checks of its own.
This book assumes that you are using RACF as your ESM. If you are using a different ESM, you might need to interpret the information provided for RACF in a way that is relevant to your ESM.
We can specify whether you want authority checks turned on or off for each queue manager individually or for every queue manager in a queue-sharing group. This level of control is called subsystem security. If you turn subsystem security off for a particular queue manager, no authority checks are carried out for that queue manager.
If you turn subsystem security on for a particular queue manager, authority checks can be performed at two levels:
We can use a combination of queue-sharing group and queue manager level security. For example, we can arrange for profiles specific to a queue manager to override those of the queue-sharing group to which it belongs.
- Queue-sharing group level security
- Authority checks use RACF profiles that are shared by all queue managers in the queue-sharing group. This means that there are fewer profiles to define and maintain, making security administration easier.
- Queue manager level security
- Authority checks use RACF profiles specific to the queue manager.
Subsystem security, queue-sharing group level security, and queue manager level security are turned on or off by defining switch profiles. A switch profile is a normal RACF profile that has a special meaning to WebSphere MQ.
Parent topic:
Authority to administer WebSphere MQ on z/OS
sy10780_