IBM Support

PI26886: AUTHORITY GIVEN TO A GENERIC PROFILE SUCH AS SYSTEM.BROKER.** WILL OVERRIDE THE MORE SPECIFIC PROFILE


 

APAR status

  • Closed as program error.

Error description

  • If MQ Security is enabled, WebSphere Message Broker checks the
    permissions granted to the user on the broker
    SYSTEM.BROKER.AUTH queue before checking them on the execution
    group (EG) specific SYSTEM.BROKER.AUTH.<EG> queue. If a user has
    created a specific security profile for an EG AUTH queue, then
    this should be checked before the generic broker security profile.
    
    If the access is set at the EG level, then the initial security
    check on the SYSTEM.BROKER.AUTH will result in a RACF
    information message, e.g.,
    
    15:23:03.02 STC24856 00000090 ICH408I USER(JDOE ) GROUP(TSOUSER )
      NAME(Doe, J (John) 849
      849 00000090 MQ01.SYSTEM.BROKER.AUTH CL(MQQUEUE )
      849 00000090 INSUFFICIENT ACCESS AUTHORITY
      849 00000090 ACCESS INTENT(ALTER ) ACCESS ALLOWED(READ )
    
    This message does not represent a problem but can pollute the
    syslog with unnecessary error-like messages.
    A new environment variable will be added to swap the order in
    which the queues are checked.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of WebSphere Message Broker and IBM Integration Bus on
    z/OS using execution group specific security profiles.
    
    
    Platforms affected:
    z/OS
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The product allows you to set the administration authorities at
    the Broker or execution group (EG) level.
    For example, in order to stop/start execution groups, EXECUTE
    (ALTER) access is required on either SYSTEM.BROKER.AUTH or
    SYSTEM.BROKER.AUTH.EG. The SYSTEM.BROKER.AUTH queue is checked
    for the correct level of authority first, and only if this is
    not set is the SYSTEM.BROKER.AUTH.<EG> queue then checked.
    
    If the access is set at the EG level, then the initial security
    check on the SYSTEM.BROKER.AUTH will result in a RACF
    information message, e.g.,
    
    15:23:03.02 STC24856 00000090 ICH408I USER(JDOE ) GROUP(TSOUSER )
      NAME(Doe, J (John) 849
      849 00000090 MQ01.SYSTEM.BROKER.AUTH CL(MQQUEUE )
      849 00000090 INSUFFICIENT ACCESS AUTHORITY
      849 00000090 ACCESS INTENT(ALTER ) ACCESS ALLOWED(READ )
    
    This error message does not represent a problem but can pollute
    the syslog with unnecessary error-like messages.
    
    A new environment variable will be added that must be set in
    order to swap the order in which the queues are checked, i.e.,
    check the EG-specific SYSTEM.BROKER.AUTH.<EG> queue first and
    only if this is unsuccessful, then check the Broker
    SYSTEM.BROKER.AUTH queue.
    
    
    There are a number of resource name changes between WebSphere
    Message Broker and IBM Integration Bus Version 9.0. For details
    visit
    http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/bb23814_.htm
    

Problem conclusion

  • The MQSI_CHECK_EGPROFILE_FIRST environment variable has been
    added to the product. When set, the order of the check on the
    authority queues will change so that the SYSTEM.BROKER.AUTH.<EG>
    is checked first, and only if this does not contain the correct
    level of authority for the specified administration task, will
    the SYSTEM.BROKER.AUTH queue be checked.
    
    The environment variable can be set to any value, e.g.,
      MQSI_CHECK_EGPROFILE_FIRST=yes
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.7
    v9.0       9.0.0.6
    
    The latest available maintenance can be obtained from:
    http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041
    
    If the maintenance level is not yet available, information on
    its planned availability can be found on:
    http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
    ---------------------------------------------------------------
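
A triage sketch for the ICH408I messages described in this APAR, added here as an example and not IBM's code: it regroups each multi-line message by its connect ID (849 in the quoted sample) and labels denials on the broker-level and EG-level authority queues so they can be reviewed separately from other MQQUEUE denials. Events 850 and 851, the EG name EG1 and the queue PAYROLL.INPUT are constructed; treating the trailing number as a line-grouping ID is an assumption drawn from the quoted layout.

```python
import re

# Event 849 is the message quoted in this APAR (wrapped line rejoined); 850 and 851 are constructed.
SAMPLE = """\
15:23:03.02 STC24856 00000090 ICH408I USER(JDOE ) GROUP(TSOUSER ) NAME(Doe, J (John) 849
  849 00000090 MQ01.SYSTEM.BROKER.AUTH CL(MQQUEUE )
  849 00000090 INSUFFICIENT ACCESS AUTHORITY
  849 00000090 ACCESS INTENT(ALTER ) ACCESS ALLOWED(READ )
15:24:10.51 STC24856 00000090 ICH408I USER(JDOE ) GROUP(TSOUSER ) NAME(Doe, J (John) 850
  850 00000090 MQ01.SYSTEM.BROKER.AUTH.EG1 CL(MQQUEUE )
  850 00000090 INSUFFICIENT ACCESS AUTHORITY
  850 00000090 ACCESS INTENT(ALTER ) ACCESS ALLOWED(READ )
15:25:44.17 STC24856 00000090 ICH408I USER(JDOE ) GROUP(TSOUSER ) NAME(Doe, J (John) 851
  851 00000090 MQ01.PAYROLL.INPUT CL(MQQUEUE )
  851 00000090 INSUFFICIENT ACCESS AUTHORITY
  851 00000090 ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
"""

HEAD = re.compile(r"ICH408I USER\((\S+)\s*\).*?(\d+)\s*$")   # user, trailing connect ID
CONT = re.compile(r"^\s*(\d+)\s+\S+\s+(.*\S)\s*$")           # connect ID, message text
RES = re.compile(r"^(\S+)\s+CL\((\w+)\s*\)")                 # resource name, RACF class
ACC = re.compile(r"ACCESS INTENT\((\w+)\s*\)\s+ACCESS ALLOWED\((\w+)\s*\)")
# <qmgr>.SYSTEM.BROKER.AUTH, optionally followed by .<EG>, as named on this page
AUTHQ = re.compile(r"^[^.]+\.SYSTEM\.BROKER\.AUTH(?:\.(?P<eg>.+))?$")

def parse_ich408i(text):
    """Rebuild one dict per ICH408I event from its header and continuation lines."""
    events, by_id = [], {}
    for line in text.splitlines():
        if head := HEAD.search(line):
            ev = by_id[head.group(2)] = {"user": head.group(1)}
            events.append(ev)
        elif (cont := CONT.match(line)) and cont.group(1) in by_id:
            ev, body = by_id[cont.group(1)], cont.group(2)
            if m := RES.match(body):
                ev["resource"], ev["class"] = m.groups()
            elif m := ACC.search(body):
                ev["intent"], ev["allowed"] = m.groups()
    return events

def classify(ev):
    m = AUTHQ.match(ev.get("resource", ""))   # is this one of the authority queues?
    if ev.get("class") != "MQQUEUE" or not m:
        return "other"
    return "eg-level-check" if m.group("eg") else "broker-level-check"

if __name__ == "__main__":
    for event in parse_ich408i(SAMPLE):
        print(classify(event), event)
```

A `broker-level-check` label only marks a candidate for the behaviour described in this APAR; confirm that the user holds the required authority on the EG-level queue before treating the denial as noise.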
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI26886

  • Reported component name

    WEB MB Z/OS

  • Reported component ID

    5697P4400

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-10-03

  • Closed date

    2015-01-30

  • Last modified date

    2016-03-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEB MB Z/OS

  • Fixed component ID

    5697P4400

Applicable component levels

  • R800 PSY

       UP


Document Information

Modified date:
16 March 2016