RACF security classes

RACF classes are used to hold the profiles required for IBM MQ security checking. Many of the member classes have equivalent group classes. We must activate the classes and enable them to accept generic profiles

Each RACF class holds one or more profiles used at some point in the checking sequence, as shown in Table 1.

Member class Group class Contents
MQADMIN GMQADMIN Profiles: Used mainly for holding profiles for administration-type functions. For example:

  • Profiles for IBM MQ security switches
  • The RESLEVEL security profile
  • Profiles for alternate user security
  • The context security profile
  • Profiles for command resource security

MXADMIN GMXADMIN Profiles: Used mainly for holding profiles for administration-type functions. For example:

  • Profiles for IBM MQ security switches
  • The RESLEVEL security profile
  • Profiles for alternate user security
  • The context security profile
  • Profiles for command resource security

This class can hold both uppercase and mixed case RACF profiles.

MQCONN Profiles used for connection security
MQCMDS Profiles used for command security
MQQUEUE GMQQUEUE Profiles used in queue resource security
MXQUEUE GMXQUEUE Mixed case and uppercase profiles used in queue resource security
MQPROC GMQPROC Profiles used in process resource security
MXPROC GMXPROC Mixed case and uppercase profiles used in process resource security
MQNLIST GMQNLIST Profiles used in namelist resource security
MXNLIST GMXNLIST Mixed case and uppercase profiles used in namelist resource security
MXTOPIC GMXTOPIC Mixed case and uppercase profiles used in topic security

Some classes have a related group class that enables you to put together groups of resources that have similar access requirements. For details about the difference between the member and group classes and when to use a member or group class, see the z/OS SecureWay Security Server RACF Security Administrator's Guide.

The classes must be activated before security checks can be made. To activate all the IBM MQ classes, we can use this RACF command:
SETROPTS CLASSACT(MQADMIN,MXADMIN,MQQUEUE,MXQUEUE,MQPROC,MXPROC,
                  MQNLIST,MXNLIST,MXTOPIC,MQCONN,MQCMDS)
We should also ensure that you set up the classes so that they can accept generic profiles. You also do this with the RACF command SETROPTS, for example:
SETROPTS GENERIC(MQADMIN,MXADMIN,MQQUEUE,MXQUEUE,MQPROC,MXPROC,
                 MQNLIST,MXNLIST,MXTOPIC,MQCONN,MQCMDS)
Parent topic: Set up security on z/OS