Resource level checks
A number of switch profiles are used to control access to resources. Some stop checks from being performed on either a queue manager or a queue sharing group. These can be overridden by profiles that enable checking for specific queue managers.
Table 1 shows the switch profiles used to control access to IBM MQ resources. If your queue manager is part of a queue sharing group and you have both queue manager and queue sharing group security active, you can use a YES.* switch profile to override queue sharing group level profiles and specifically turn on security for a particular queue manager.
Some profiles apply to both queue managers and queue sharing groups. These are prefixed by the string hlq and we should substitute the name of our queue sharing group or queue manager, as applicable. Profile names shown prefixed by qmgr-name are queue manager override profiles; we should substitute the name of our queue manager.
Table 1. Switch profiles for resource checking

| Type of resource checking that is controlled | Switch profile name | Override profile for a particular queue manager |
|---|---|---|
| Connection security | hlq.NO.CONNECT.CHECKS | qmgr-name.YES.CONNECT.CHECKS |
| Queue security | hlq.NO.QUEUE.CHECKS | qmgr-name.YES.QUEUE.CHECKS |
| Process security | hlq.NO.PROCESS.CHECKS | qmgr-name.YES.PROCESS.CHECKS |
| Namelist security | hlq.NO.NLIST.CHECKS | qmgr-name.YES.NLIST.CHECKS |
| Context security | hlq.NO.CONTEXT.CHECKS | qmgr-name.YES.CONTEXT.CHECKS |
| Alternate user security | hlq.NO.ALTERNATE.USER.CHECKS | qmgr-name.YES.ALTERNATE.USER.CHECKS |
| Command security | hlq.NO.CMD.CHECKS | qmgr-name.YES.CMD.CHECKS |
| Command resource security | hlq.NO.CMD.RESC.CHECKS | qmgr-name.YES.CMD.RESC.CHECKS |
| Topic security | hlq.NO.TOPIC.CHECKS | qmgr-name.YES.TOPIC.CHECKS |

Note: Generic switch profiles such as hlq.NO.** are ignored by IBM MQ.

For example, if we want to perform process security checks on queue manager QM01, which is a member of queue sharing group QSG3, but we do not want to perform process security checks on any of the other queue managers in the group, define the following switch profiles:

QSG3.NO.PROCESS.CHECKS
QM01.YES.PROCESS.CHECKS

To have queue security checks performed on all the queue managers in the queue sharing group, except QM02, define the following switch profile:

QM02.NO.QUEUE.CHECKS

(There is no need to define a profile for the queue sharing group because the checks are automatically enabled if there is no profile defined.)
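The following audit helper is an added example, not IBM code: it is a simplified model of only the rules stated on this page, and it reports which resource checks are switched off for each member of a queue sharing group given a list of defined switch profile names. The function names, the combined profile list, the extra member QM03, and the handling of a queue manager that has both a NO and a YES profile (treated as off) are assumptions.

```python
# Added example: simplified model of the switch-profile rules described on this page.
# Keys are the middle qualifiers of the profile names in Table 1.
CHECK_TYPES = {
    "CONNECT": "Connection security",
    "QUEUE": "Queue security",
    "PROCESS": "Process security",
    "NLIST": "Namelist security",
    "CONTEXT": "Context security",
    "ALTERNATE.USER": "Alternate user security",
    "CMD": "Command security",
    "CMD.RESC": "Command resource security",
    "TOPIC": "Topic security",
}


def check_active(profiles, qmgr, qsg, check):
    """Return True if `check` is performed on `qmgr`, a member of `qsg`."""
    # Generic switch profiles (for example hlq.NO.**) are ignored by IBM MQ.
    defined = {p.upper() for p in profiles if "*" not in p}
    if f"{qmgr}.NO.{check}.CHECKS" in defined:
        # Assumption: if a YES profile also exists for this queue manager,
        # the audit still reports the check as off so that it gets reviewed.
        return False
    if f"{qmgr}.YES.{check}.CHECKS" in defined:
        return True   # queue manager override of a group-level NO profile
    if f"{qsg}.NO.{check}.CHECKS" in defined:
        return False  # switched off for the whole queue sharing group
    return True       # no profile defined: checks are enabled


def disabled_checks(profiles, qsg, members):
    """Map each queue manager to the sorted check types that are switched off."""
    return {
        q: sorted(c for c in CHECK_TYPES if not check_active(profiles, q, qsg, c))
        for q in members
    }


if __name__ == "__main__":
    # Constructed input: both examples from this page combined, plus a generic
    # profile that must be ignored. QM03 is a constructed third member.
    defined = ["QSG3.NO.PROCESS.CHECKS", "QM01.YES.PROCESS.CHECKS",
               "QM02.NO.QUEUE.CHECKS", "QSG3.NO.**"]
    for qmgr, off in disabled_checks(defined, "QSG3", ["QM01", "QM02", "QM03"]).items():
        labels = ", ".join(CHECK_TYPES[c] for c in off) or "none"
        print(f"{qmgr}: checks switched off: {labels}")
```

Running the same report over the profile names actually defined for a queue sharing group shows at a glance which members have a check disabled without an override.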