Summary of required access (z/OS)

The professionals in your organization require access to components and resources on z/OS®.

Authorizations required for the IBM Integration Bus started-task user ID

The following directory authorizations are required for all integration node:
  • READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where IBM® Integration Bus for z/OS is installed by SMP/E.
  • READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
  • READ and WRITE access to the home directory.
  • READ and WRITE access to the directory identified by ++HOME++.
  • In UNIX System Services, the started task user ID and the IBM Integration Bus administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these resources. The owner of these directories must give the appropriate permissions to this group.
All integration node need the following RACF® authorizations:
  • READ and WRITE access to RACF class BPX.SMF, when you need to create SMF 117 records for accounting and statistics.
  • READ access to the CSFRNG resource in the CSFSERV class.

READ access to the component PDSE is required.

WebSphere MQ authorizations

Enable WebSphere® MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles, and give the started task user ID the listed access to each profile. For each profile access listed, <MQ_QMNAME> represents the WebSphere MQ queue manager that the IBM Integration Bus component is connected to, and TASKID represents the started task user ID.

  • Connection security: READ access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the RACF commands: 
    RDEFINE MQCONN MQP1.BATCH UACC(NONE)
PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(READ)
  • Connection security when content-based filtering with publish/subscribe is used: UPDATE access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the RACF commands: 
    RDEFINE MQCONN MQP1.BATCH UACC(NONE)
PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(UPDATE)
  • Queue security: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for all queues. Consider creating profiles for the following queues:
    • All component queues, by using the generic profile SYSTEM.BROKER.**
    • All transmissions queues that you have defined between component queue managers.
    • All queues that you have specified in message flows.
    • Dead-letter queues.
    • Model queues.
    For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands to restrict access to the component queues: 
    RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(TASKID) ACCESS(UPDATE)
  • Context security: CONTROL access to profile <MQ_QMNAME>.CONTEXT of class MQADMIN. For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands: 
    RDEFINE MQADMIN MQP1.CONTEXT UACC(NONE)
PERMIT MQP1.CONTEXT.** CLASS(MQADMIN) ID(TASKID) ACCESS(CONTROL)
  • Alternate user security: Define the alternate user authority as: UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the start task ID of the integration node component. For example, for queue manager MQP1, started task ID TASKID, and configuration service ID CFGID, use the following RACF commands: 
    RDEFINE MQADMIN MQP1.ALTERNATE.USER.CFGID UACC(NONE)
PERMIT MQP1.ALTERNATE.USER.CFGID  CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)
    UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of, for example, a publish/subscribe request.
  • Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not have to define access profiles in an IBM Integration Bus default configuration.
  • Topic security:
    • Create an RACF profile to control publishing and subscribing for the administrative MQ topic SYSTEM.BROKER.MB.TOPIC:
      RDEFINE MXTOPIC <MQ_QMNAME>.PUBLISH.SYSTEM.BROKER.MB.TOPIC UACC(NONE)
RDEFINE MXTOPIC <MQ_QMNAME>.SUBSCRIBE.SYSTEM.BROKER.MB.TOPIC UACC(NONE)
    • Grant the integration node's started task ID the ability to publish on that topic:
      PERMIT <MQ_QMNAME>.PUBLISH.SYSTEM.BROKER.MB.TOPIC CLASS(MXTOPIC) ID(TASKID) ACCESS(UPDATE)
    • Allow the integration node to subscribe to its own topics:
      PERMIT <MQ_QMNAME>.SUBSCRIBE.SYSTEM.BROKER.MB.TOPIC CLASS(MXTOPIC) ID(TASKID) ACCESS(ALTER)
    • Optionally, allow additional users to subscribe to those topics (required for web users or for external consumers of events) PERMIT as above for the additional user IDs.
For users connecting remotely from the IBM Integration Toolkit or from a custom integration application to the integration node on z/OS, the following authorizations are required. Custom integration applications include the commands that use that interface; mqsichangeresourcestats, mqsicreateexecutiongroup, mqsideleteexecutiongroup, mqsideploy, mqsilist, mqsimode, mqsireloadsecurity, mqsireportresourcestats, mqsistartmsgflow, and mqsistopmsgflow.
  • Connection security: READ access to profile <MQ_QMNAME>.CHIN of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands: 
    RDEFINE MQCONN MQP1.CHIN UACC(NONE)
PERMIT MQP1.CHIN CLASS(MQCONN) ID(TASKID) ACCESS(READ)
  • Alternate user security: Define the alternate user authority as: UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of the IBM Integration Toolkit or custom integration application. For example, for queue manager MQP1, started task ID TASKID, and user ID USERID, use the following RACF commands: 
    RDEFINE MQADMIN MQP1.ALTERNATE.USER.USERID UACC(NONE)
PERMIT MQP1.ALTERNATE.USER.USERID  CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)

Authorizations required for the IBM Integration Bus administrator

The integration administrator requires the following authorizations:

  • ALTER access to the component PDSE.
  • READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
  • READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where IBM Integration Bus for z/OS is installed by SMP/E.
  • READ and WRITE access to the directory identified by ++HOME++.
  • In UNIX System Services, the started task user ID and the IBM Integration Bus administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these resources. The owner of these directories needs to give the appropriate permissions to this group. In addition, the IBM Integration Bus administrator must be a member of the group that is the primary group of the started task user ID.

Authorizations required for the WebSphere MQ administrator

If the WebSphere MQ administrator runs the WebSphere MQ pass when creating an integration node, the administrator user ID requires the following authorizations. Alternatively, you can grant authorization to the IBM Integration Bus administrator to run the WebSphere MQ pass.
  • ALTER access to the component PDSE.
  • Directory authorizations:
    • READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where IBM Integration Bus for z/OS is installed by SMP/E.
    • READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
    • READ and WRITE access to the directory identified by ++HOME++.
Enable WebSphere MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles and give the WebSphere MQ administrator the listed access to each profile in order to run the WebSphere MQ configurations jobs. For each profile access listed, MQ_QMNAME represents the WebSphere MQ queue manager that the IBM Integration Bus component is connected to, and MQADMIN represents the WebSphere MQ administrator ID:
  • Connection security: READ access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands: 
    RDEFINE MQCONN MQP1.BATCH UACC(NONE)
PERMIT MQP1.BATCH CLASS(MQCONN) ID(MQADMIN) ACCESS(READ)
  • Queue security: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for component queues created or deleted. You can create a generic profile SYSTEM.BROKER.** For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands to restrict access to the component queues: 
    RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE)
  • System command server: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for SYSTEM.COMMAND.**. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands to restrict access to the system command server: 
    RDEFINE MQQUEUE MQP1.SYSTEM.COMMAND.** UACC(NONE)
PERMIT MQP1.SYSTEM.COMMAND.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE)
    UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for some system queues used during the create/delete job. You can create a generic profile <MQ_QMNAME>.**
  • Command security:
    • To run the WebSphere MQ pass when creating a component you need:
      • ALTER access to <MQ_QMNAME>.DEFINE.QLOCAL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DEFINE.QMODEL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DEFINE.CHANNEL of class MQCMDS.
    • To run the WebSphere MQ pass when deleting a component you need:
      • ALTER access to <MQ_QMNAME>.DELETE.QLOCAL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DELETE.QMODEL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DELETE.CHANNEL of class MQCMDS.
    For queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands: 
    RDEFINE MQCMDS MQP1.DELETE.QLOCAL UACC(NONE)
PERMIT MQP1.DELETE.QLOCAL CLASS(MQCMDS) ID(MQADMIN) ACCESS(ALTER)
  • Resource command security: ALTER access to MQP1.QUEUE.queue of class MQADMIN for each queue created or deleted. You can create a generic profile SYSTEM.BROKER.**. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the RACF commands: 
    RDEFINE MQADMIN MQP1.QUEUE.SYSTEM.BROKER.** UACC(NONE)
PERMIT MQP1.QUEUE.SYSTEM.BROKER.** CLASS(MQADMIN) ID(MQADMIN) ACCESS(ALTER)
  • Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not need to define any access profiles in an IBM Integration Bus default configuration.