Authority to work with IBM MQ objects on z/OS

On z/OS, there are seven categories of authority check associated with calls to the MQI. We must define certain RACF profiles and give appropriate access to these profiles. Use the RESLEVEL profile to control how many users IDs are checked.

The seven categories of authority check associated with calls to the MQI:

    Connection security
    The authority checks that are performed when an application connects to a queue manager

    Queue security
    The authority checks that are performed when an application opens a queue or deletes a permanent dynamic queue

    Process security
    The authority checks that are performed when an application opens a process object

    Namelist security
    The authority checks that are performed when an application opens a namelist object

    Alternate user security
    The authority checks that are performed when an application requests alternate user authority when opening an object

    Context security
    The authority checks that are performed when an application opens a queue and specifies that it intends to set or pass the context information in the messages it puts on the queue

    Topic security
    The authority checks that are performed when an application opens a topic

Each category of authority check is implemented in the same way that command security and command resource security are implemented. We must define certain RACF profiles and give the necessary groups and user IDs access to these profiles at the required levels. For queue security, the level of access determines the types of operation the application can perform on a queue. For context security, the level of access determines whether the application can:

  • Pass all the context fields
  • Pass all the context fields and set the identity context fields
  • Pass and set all the context fields

Each category of authority check can be turned on or off by defining switch profiles.

All the categories, except connection security, are known collectively as API-resource security.

By default, when an API-resource security check is performed as a result of an MQI call from an application using a batch connection, only one user ID is checked. When a check is performed as a result of an MQI call from a CICS or IMS application, or from the channel initiator, two user IDs are checked.

By defining a RESLEVEL profile, however, we can control whether zero, one, or two users IDs are checked. The number of user IDs that are checked is determined by the user ID associated with the type of connection when an application connects to the queue manager and the access level that user ID has to the RESLEVEL profile. The user ID associated with each type of connection is:

  • The user ID of the connecting task for batch connections
  • The CICS address space user ID for CICS connections
  • The IMS region address space user ID for IMS connections
  • The channel initiator address space user ID for channel initiator connections

See Authority to administer IBM MQ on z/OS.

Parent topic: Authorization for applications to use IBM MQ