Grant users resource permissions for Advanced Message Security

Advanced Message Security users require relevant resource permissions.

Advanced Message Security users, that is, users who put or get Advanced Message Security protected messages, require:

  • An OMVS segment associated with their user id
  • Permissions for IRR.DIGTCERT.LISTRING or RDATALIB
  • Permissions for ICSF class CSFSERV and CSFKEYS profiles

The Advanced Message Security task temporarily assumes the identity of its clients; that is, the task acts as a surrogate of the z/OS® user ID of users of Advanced Message Security during the processing of IBM MQ messages to queues that are protected by Advanced Message Security.

In order for the task to assume the z/OS identity of a user, the client z/OS user ID must have a defined OMVS segment associated with its user profile.

As an administration aid, RACF® provides the ability to define a default OMVS segment that may be associated with RACF user and group profiles. This default is used if the z/OS user ID or group profile does not have an OMVS segment explicitly defined. If you plan to have a large number of users using Advanced Message Security, you may choose to use this default rather than explicitly defining the OMVS segment for each user.

The z/OS: Security Server RACF Security Administrator's Guide contains the detailed procedure for defining default OMVS segments. Review the procedure as outlined in this publication to determine if the definition of default OMVS segments in RACF User and Group profiles is appropriate to your installation.

To grant READ permission to the IRR.DIGTCERT.LISTRING profile in the FACILITY class to all Advanced Message Security users, issue this command:

RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(READ)

or grant READ permission on a per user basis by issuing this command:

PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACCESS(READ)

where userid is the name of the Advanced Message Security user.

Alternatively, you can use the RDATALIB class to grant access to specific key rings (RDATALIB permissions take precedence over IRR.DIGTCERT.LISTRING permissions). The RDATALIB profile name is the ring owner's user ID, followed by the ring name, followed by .LST. For example:

PERMIT user.DRQ.AMS.KEYRING.LST CLASS(RDATALIB) ID(user) ACC(READ)

where user is the name of the Advanced Message Security user and DRQ.AMS.KEYRING is the name of the key ring.

If you are using ICSF-managed certificates and private keys, Advanced Message Security users also require access to certain class CSFSERV and CSFKEYS profiles. This access is detailed in the following table:
Table 1. Required user access to class CSFSERV and CSFKEYS profiles

  Class     Profile           Permission
  CSFSERV   CSFDSG            READ
  CSFSERV   CSFPKE            READ
  CSFSERV   CSFPKD            READ
  CSFSERV   CSFDSV            READ
  CSFKEYS   ICSF PKDS label   READ
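The complete set of definitions above, issued for one user from a batch TSO job, as an added example that is not part of this page or the product documentation. The user ID AMSUSR1, its UID and home directory, the key ring name DRQ.AMS.KEYRING and the PKDS label AMS.PKDS.KEY1 are assumed placeholders; the example also assumes the FACILITY, RDATALIB, CSFSERV and CSFKEYS classes are active and RACLISTed.

```jcl
//AMSPERM  JOB (ACCT),'AMS USER PERMS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example, not from the page. Placeholder values:
//*   user id AMSUSR1, UID 1001, key ring DRQ.AMS.KEYRING owned by
//*   AMSUSR1, ICSF PKDS label AMS.PKDS.KEY1. Change these for your site.
//*
//* SYSTSIN commands, in order:
//*  1. ALTUSER  - OMVS segment so the AMS task can assume this identity
//*  2. RDEFINE/PERMIT RDATALIB - READ on this ring only (preferred to
//*     the broader IRR.DIGTCERT.LISTRING FACILITY profile, which is
//*     shown commented out in the JCL but not issued)
//*  3. PERMIT CSFSERV - CSFDSG/CSFDSV (sign/verify) and CSFPKE/CSFPKD
//*     (PKA encrypt/decrypt) from Table 1
//*  4. PERMIT CSFKEYS - READ on the PKDS label holding the private key
//*  5. SETROPTS REFRESH - make the in-storage profiles current
//*  6. RLIST/LISTUSER - verify what was actually granted
//*
//* Alternative to step 2, not issued here:
//*   PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(AMSUSR1) ACCESS(READ)
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD   SYSOUT=*
//SYSTSIN  DD   *
  ALTUSER AMSUSR1 OMVS(UID(1001) HOME('/u/amsusr1') PROGRAM('/bin/sh'))
  RDEFINE RDATALIB AMSUSR1.DRQ.AMS.KEYRING.LST UACC(NONE)
  PERMIT AMSUSR1.DRQ.AMS.KEYRING.LST CLASS(RDATALIB) ID(AMSUSR1) -
         ACCESS(READ)
  PERMIT CSFDSG CLASS(CSFSERV) ID(AMSUSR1) ACCESS(READ)
  PERMIT CSFDSV CLASS(CSFSERV) ID(AMSUSR1) ACCESS(READ)
  PERMIT CSFPKE CLASS(CSFSERV) ID(AMSUSR1) ACCESS(READ)
  PERMIT CSFPKD CLASS(CSFSERV) ID(AMSUSR1) ACCESS(READ)
  PERMIT AMS.PKDS.KEY1 CLASS(CSFKEYS) ID(AMSUSR1) ACCESS(READ)
  SETROPTS RACLIST(RDATALIB) REFRESH
  SETROPTS RACLIST(CSFSERV) REFRESH
  SETROPTS RACLIST(CSFKEYS) REFRESH
  RLIST RDATALIB AMSUSR1.DRQ.AMS.KEYRING.LST AUTHUSER
  RLIST CSFSERV CSFDSG AUTHUSER
  RLIST CSFKEYS AMS.PKDS.KEY1 AUTHUSER
  LISTUSER AMSUSR1 OMVS NORACF
/*
```

Check the SYSTSPRT output for ICH messages on each command and for AMSUSR1 in the AUTHUSER access lists before expecting protected puts or gets to succeed.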