Profiles for processes
If process security is active, we must define profiles in the appropriate classes and permit the necessary groups or user IDs access to those profiles.
If process security is active, we must:- Define profiles in the MQPROC or GMQPROC classes if using uppercase profiles.
- Define profiles in the MXPROC or GMXPROC classes if using mixed case profiles.
- Permit the necessary groups or user IDs access to these profiles, so that they can issue IBM MQ API requests that use processes.
Profiles for processes take the form:
hlq.processnamewhere hlq can be either qmgr-name (queue manager name) or qsg-name (queue sharing group name), and processname is the name of the process being opened.
A profile prefixed by the queue manager name controls access to a single process definition on that queue manager. A profile prefixed by the queue sharing group name controls access to one or more process definitions with that name on all queue managers within the queue sharing group. This access can be overridden on an individual queue manager by defining a queue manager level profile for that process definition on that queue manager.
If your queue manager is a member of a queue sharing group and we are using both queue manager and queue sharing group level security, IBM MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue sharing group name.
The following table shows the access required for opening a process.
| MQOPEN option | RACF access level required to hlq.processname |
|---|---|
| MQOO_INQUIRE | READ |
RDEFINE MQPROC MQS9.V* UACC(NONE) PERMIT MQS9.V* CLASS(MQPROC) ID(INQVPRC) ACCESS(READ)
Alternate user security might also be active, depending on the open options specified when a process definition object is opened.
Parent topic: Profiles used to control access to IBM MQ resources