Authority checks on z/OS

IBM MQ for z/OS uses the System Authorization Facility (SAF) to route requests for authority checks to an external security manager (ESM) such as the z/OS Security Server Resource Access Control Facility (RACF). IBM MQ does no authority checks of its own.

It is assumed that you are using RACF as your ESM. If you are using a different ESM, you might need to interpret the information provided for RACF in a way that is relevant to your ESM.

You can specify whether authority checks are turned on or off for each queue manager individually or for every queue manager in a queue sharing group. This level of control is called subsystem security. If you turn subsystem security off for a particular queue manager, no authority checks are carried out for that queue manager.

If you turn subsystem security on for a particular queue manager, authority checks can be performed at two levels:

    Queue sharing group level security
    Authority checks use RACF profiles that are shared by all queue managers in the queue sharing group. This means that there are fewer profiles to define and maintain, making security administration easier.

    Queue manager level security
    Authority checks use RACF profiles specific to the queue manager.

You can use a combination of queue sharing group and queue manager level security. For example, you can arrange for profiles specific to a queue manager to override those of the queue sharing group to which it belongs.

Subsystem security, queue sharing group level security, and queue manager level security are turned on or off by defining switch profiles. A switch profile is a normal RACF profile that has a special meaning to IBM MQ.
