+

Search Tips | Advanced Search

Granting security permissions

When using command resource security you must set up permissions to allow Advanced Message Security to function. This topic uses RACF® commands in the examples. If your enterprise uses a different external security manager (ESM) you must use the equivalent commands for that ESM.

There are three aspects to granting security permissions:

Notes: The example commands use the following variables.
  1. QMgrName - the name of the queue manager.

    On z/OS®, this value can also be the name of a queue-sharing group.

  2. username - this can be a group name.
  3. The examples show the MQQUEUE class. this can also be MXQUEUE, GMQQUEUE or GMXQUEUE. See Profiles for queue security for further information.
Furthermore, if the profile already exists, we do not require the RDEFINE command.


The AMSM address space

You need to issue some IBM MQ security to the user name that the Advanced Message Security address space runs under.


CSQ0UTIL

The utility that allows users to run the setmqspl and dspmqspl commands requires the following permissions, where the user name is the job user ID:


Use queues that have an Advanced Message Security policy defined

When an application does any work with queues that have a policy defined on them, that application requires additional permissions to allow Advanced Message Security to protect messages.

The application requires: