PUT authority (PUTAUT)

This attribute specifies the type of security processing to be carried out by the MCA.

This attribute is valid for channel types of:

Receiver
Requester
Server connection ( z/OS® only)
Cluster receiver

Use this attribute to choose the type of security processing to be carried out by the MCA when executing:

An MQPUT command to the destination queue (for message channels), or
An MQI call (for MQI channels).

On z/OS, the user IDs that are checked, and how many user IDs are checked, depends on the setting of the MQADMIN RACF® class hlq.RESLEVEL profile. Depending on the level of access the user ID of the channel initiator has to hlq.RESLEVEL, zero, one or two user IDs are checked. To see how many user IDs are checked, see RESLEVEL and channel initiator connections. For more information about which user IDs are checked, see User IDs used by the channel initiator.

You can choose one of the following:

Process security, also called default authority (DEF)

The default user ID is used.

On platforms other than z/OS, the user ID used to check open authority on the queue is that of the process or user running the MCA at the receiving end of the message channel.

On z/OS, both the user ID received from the network, and the user ID derived from MCAUSER might be used, depending on the number of user IDs that are to be checked.

The queues are opened with this user ID and the open option MQOO_SET_ALL_CONTEXT.

Context security (CTX)

The user ID from the context information associated with the message is used as an alternate user ID.

The UserIdentifier in the message descriptor is moved into the AlternateUserId field in the object descriptor. The queue is opened with the open options MQOO_SET_ALL_CONTEXT and MQOO_ALTERNATE_USER_AUTHORITY.

On platforms other than z/OS, the user ID used to check open authority on the queue for MQOO_SET_ALL_CONTEXT and MQOO_ALTERNATE_USER_AUTHORITY is that of the process or user running the MCA at the receiving end of the message channel. The user ID used to check open authority on the queue for MQOO_OUTPUT is the UserIdentifier in the message descriptor.

On z/OS, the user ID received from the network or that derived from MCAUSER might be used, as well as the user ID from the context information in the message descriptor, depending on the number of user IDs that are to be checked.

Context security (CTX) is not supported on server-connection channels.

Only Message Channel Agent security (ONLYMCA)

The user ID derived from MCAUSER is used.

Queues are opened with the open option MQOO_SET_ALL_CONTEXT.

This value only applies to z/OS.

Alternate Message Channel Agent security (ALTMCA)

The user ID from the context information (the UserIdentifier field) in the message descriptor might be used, as well as the user ID derived from MCAUSER, depending on the number of user IDs that are to be checked.

This value only applies to z/OS.

Further details about context fields and open options can be found in Controlling context information.

More information about security can be found in:

Security
Setting up security on Windows, UNIX and Linux® systems for IBM MQ UNIX systems and Windows systems,
Setting up security on IBM i for IBM MQ for IBM i
Setting up security on z/OS for IBM MQ for z/OS