Summary of required access (z/OS)
The professionals in your organization require access to components and resources on z/OS®.
Authorizations required for the IBM Integration Bus started-task user ID
The following directory authorizations are required for all integration nodes:
- READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where IBM® Integration Bus for z/OS is installed by SMP/E.
- READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
- READ and WRITE access to the home directory.
- READ and WRITE access to the directory identified by ++HOME++.
- In UNIX System Services, the started task user ID and the IBM Integration Bus administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these resources. The owner of these directories must give the appropriate permissions to this group.
All integration nodes need the following RACF® authorizations:
- READ and WRITE access to RACF class BPX.SMF, when you need to create SMF 117 records for accounting and statistics.
- READ access to the CSFRNG resource in the CSFSERV class.
READ access to the component PDSE is required.
WebSphere MQ authorizations
Enable WebSphere® MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles, and give the started task user ID the listed access to each profile. For each profile access listed, <MQ_QMNAME> represents the WebSphere MQ queue manager that the IBM Integration Bus component is connected to, and TASKID represents the started task user ID.
- Connection security: READ access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the RACF commands:
    RDEFINE MQCONN MQP1.BATCH UACC(NONE)
    PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(READ)
- Connection security when content-based filtering with publish/subscribe is used: UPDATE access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the RACF commands:
    RDEFINE MQCONN MQP1.BATCH UACC(NONE)
    PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(UPDATE)
- Queue security: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for all queues. Consider creating profiles for the following queues:
  - All component queues, by using the generic profile SYSTEM.BROKER.**
  - All transmission queues that you have defined between component queue managers.
  - All queues that you have specified in message flows.
  - Dead-letter queues.
  - Model queues.
  For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands to restrict access to the component queues:
    RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
    PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(TASKID) ACCESS(UPDATE)
- Context security: CONTROL access to profile <MQ_QMNAME>.CONTEXT of class MQADMIN. For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands (the generic profile covers the context of every queue on the queue manager):
    RDEFINE MQADMIN MQP1.CONTEXT.** UACC(NONE)
    PERMIT MQP1.CONTEXT.** CLASS(MQADMIN) ID(TASKID) ACCESS(CONTROL)
- Alternate user security: Define the alternate user authority as UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the started task ID of the integration node component. For example, for queue manager MQP1, started task ID TASKID, and configuration service ID CFGID, use the following RACF commands:
    RDEFINE MQADMIN MQP1.ALTERNATE.USER.CFGID UACC(NONE)
    PERMIT MQP1.ALTERNATE.USER.CFGID CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)
  UPDATE access is also required to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of, for example, a publish/subscribe request.
- Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not have to define access profiles in an IBM Integration Bus default configuration.
- Topic security:
  - Create a RACF profile to control publishing and subscribing for the administrative MQ topic SYSTEM.BROKER.MB.TOPIC:
      RDEFINE MXTOPIC <MQ_QMNAME>.PUBLISH.SYSTEM.BROKER.MB.TOPIC UACC(NONE)
      RDEFINE MXTOPIC <MQ_QMNAME>.SUBSCRIBE.SYSTEM.BROKER.MB.TOPIC UACC(NONE)
  - Grant the integration node's started task ID the ability to publish on that topic:
      PERMIT <MQ_QMNAME>.PUBLISH.SYSTEM.BROKER.MB.TOPIC CLASS(MXTOPIC) ID(TASKID) ACCESS(UPDATE)
  - Allow the integration node to subscribe to its own topics:
      PERMIT <MQ_QMNAME>.SUBSCRIBE.SYSTEM.BROKER.MB.TOPIC CLASS(MXTOPIC) ID(TASKID) ACCESS(ALTER)
  - Optionally, allow additional users to subscribe to those topics (required for web users or for external consumers of events): issue PERMIT as above for the additional user IDs.
For users connecting remotely from the IBM Integration Toolkit or from a custom integration application to the integration node on z/OS, the following authorizations are required. Custom integration applications include the commands that use that interface: mqsichangeresourcestats, mqsicreateexecutiongroup, mqsideleteexecutiongroup, mqsideploy, mqsilist, mqsimode, mqsireloadsecurity, mqsireportresourcestats, mqsistartmsgflow, and mqsistopmsgflow.
- Connection security: READ access to profile <MQ_QMNAME>.CHIN of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands:
    RDEFINE MQCONN MQP1.CHIN UACC(NONE)
    PERMIT MQP1.CHIN CLASS(MQCONN) ID(TASKID) ACCESS(READ)
- Alternate user security: Define the alternate user authority as UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of the IBM Integration Toolkit or custom integration application. For example, for queue manager MQP1, started task ID TASKID, and user ID USERID, use the following RACF commands:
    RDEFINE MQADMIN MQP1.ALTERNATE.USER.USERID UACC(NONE)
    PERMIT MQP1.ALTERNATE.USER.USERID CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)
Authorizations required for the IBM Integration Bus administrator
The integration administrator requires the following authorizations:
- ALTER access to the component PDSE.
- READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
- READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where IBM Integration Bus for z/OS is installed by SMP/E.
- READ and WRITE access to the directory identified by ++HOME++.
- In UNIX System Services, the started task user ID and the IBM Integration Bus administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these resources. The owner of these directories needs to give the appropriate permissions to this group. In addition, the IBM Integration Bus administrator must be a member of the group that is the primary group of the started task user ID.
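The directory requirements above (READ and EXECUTE on <INSTPATH>, READ, WRITE and EXECUTE on ++COMPONENTDIRECTORY++, READ and WRITE on ++HOME++) for both the started task user ID and the administrator user ID can be checked from the POSIX mode bits of each directory. The following Python is an added example and not part of the IBM documentation: it selects the owner, group or other permission triplet for a given UID and set of group IDs, reports which required flags are missing, and shows the effect of the owner granting write access to the shared group. The UIDs, GIDs and modes are constructed sample values; access control lists and superuser overrides are not modelled.

```python
"""Check the UNIX System Services directory access the topic requires, from POSIX mode bits."""
import os
import stat

# Access the topic requires on each directory: r = READ, w = WRITE, x = EXECUTE.
REQUIRED_DIR_ACCESS = {
    "INSTPATH": "rx",
    "COMPONENTDIRECTORY": "rwx",
    "HOME": "rw",
}

def permitted(mode, owner_uid, owner_gid, uid, gids):
    """Return the subset of {'r','w','x'} that uid (a member of gids) gets from the
    owner/group/other bits, the way a POSIX permission check selects one triplet.
    ACLs and superuser overrides are not modelled (assumption for this example)."""
    if uid == owner_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif owner_gid in gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return {flag for flag, bit in zip("rwx", bits) if mode & bit}

def missing_access(mode, owner_uid, owner_gid, uid, gids, required):
    """Required flags the identity does not have; an empty set means the requirement is met."""
    return set(required) - permitted(mode, owner_uid, owner_gid, uid, gids)

def check_directory(path, uid, gids, required):
    """Same check against a real directory via os.stat (any POSIX system)."""
    st = os.stat(path)
    return missing_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, required)

def check_both_ids(dirs, admin, task):
    """dirs: {name: (mode, owner_uid, owner_gid)}; admin and task: (uid, set_of_gids).
    Returns {(directory, identity): missing flags} for every unmet requirement."""
    gaps = {}
    for name, (mode, o_uid, o_gid) in dirs.items():
        for who, (uid, gids) in (("administrator", admin), ("started task", task)):
            miss = missing_access(mode, o_uid, o_gid, uid, gids, REQUIRED_DIR_ACCESS[name])
            if miss:
                gaps[(name, who)] = miss
    return gaps

# Constructed sample: (mode, owner uid, owner gid). uid 100 is the administrator,
# uid 200 the started task user, gid 500 the shared group both are connected to.
SAMPLE_DIRS = {
    "INSTPATH": (0o755, 0, 1),                 # installed by SMP/E, owned by uid 0
    "COMPONENTDIRECTORY": (0o750, 100, 500),   # owner gave the group only r-x
    "HOME": (0o770, 200, 500),
}
ADMIN_ID = (100, {500, 501})
TASK_ID = (200, {500})

def run_sample():
    """Gaps with the sample as is: the started task cannot write the component directory."""
    return check_both_ids(SAMPLE_DIRS, ADMIN_ID, TASK_ID)

def run_sample_fixed():
    """Same check after the owner grants the group write access (chmod g+w)."""
    fixed = dict(SAMPLE_DIRS, COMPONENTDIRECTORY=(0o770, 100, 500))
    return check_both_ids(fixed, ADMIN_ID, TASK_ID)
```

check_directory runs the same evaluation against a live path, so the constructed table can be replaced by os.stat results for the real installation, component and home directories once the started task and administrator UIDs and group lists are known.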
Authorizations required for the WebSphere MQ administrator
If the WebSphere MQ administrator runs the WebSphere MQ pass when creating an integration node, the administrator user ID requires the following authorizations. Alternatively, you can grant authorization to the IBM Integration Bus administrator to run the WebSphere MQ pass.
- ALTER access to the component PDSE.
- Directory authorizations:
  - READ and EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where IBM Integration Bus for z/OS is installed by SMP/E.
  - READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
  - READ and WRITE access to the directory identified by ++HOME++.
- WebSphere MQ authorizations: Enable WebSphere MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles and give the WebSphere MQ administrator the listed access to each profile in order to run the WebSphere MQ configuration jobs. For each profile access listed, <MQ_QMNAME> represents the WebSphere MQ queue manager that the IBM Integration Bus component is connected to, and MQADMIN represents the WebSphere MQ administrator ID:
  - Connection security: READ access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands:
      RDEFINE MQCONN MQP1.BATCH UACC(NONE)
      PERMIT MQP1.BATCH CLASS(MQCONN) ID(MQADMIN) ACCESS(READ)
  - Queue security: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for component queues created or deleted. You can create a generic profile SYSTEM.BROKER.**. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands to restrict access to the component queues:
      RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
      PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE)
  - System command server: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for SYSTEM.COMMAND.**. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands to restrict access to the system command server:
      RDEFINE MQQUEUE MQP1.SYSTEM.COMMAND.** UACC(NONE)
      PERMIT MQP1.SYSTEM.COMMAND.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE)
  - UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for some system queues used during the create/delete job. You can create a generic profile <MQ_QMNAME>.**.
  - Command security:
    - To run the WebSphere MQ pass when creating a component you need:
      - ALTER access to <MQ_QMNAME>.DEFINE.QLOCAL of class MQCMDS.
      - ALTER access to <MQ_QMNAME>.DEFINE.QMODEL of class MQCMDS.
      - ALTER access to <MQ_QMNAME>.DEFINE.CHANNEL of class MQCMDS.
    - To run the WebSphere MQ pass when deleting a component you need:
      - ALTER access to <MQ_QMNAME>.DELETE.QLOCAL of class MQCMDS.
      - ALTER access to <MQ_QMNAME>.DELETE.QMODEL of class MQCMDS.
      - ALTER access to <MQ_QMNAME>.DELETE.CHANNEL of class MQCMDS.
    For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands:
      RDEFINE MQCMDS MQP1.DELETE.QLOCAL UACC(NONE)
      PERMIT MQP1.DELETE.QLOCAL CLASS(MQCMDS) ID(MQADMIN) ACCESS(ALTER)
  - Resource command security: ALTER access to <MQ_QMNAME>.QUEUE.queue of class MQADMIN for each queue created or deleted. You can create a generic profile SYSTEM.BROKER.**. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the RACF commands:
      RDEFINE MQADMIN MQP1.QUEUE.SYSTEM.BROKER.** UACC(NONE)
      PERMIT MQP1.QUEUE.SYSTEM.BROKER.** CLASS(MQADMIN) ID(MQADMIN) ACCESS(ALTER)
  - Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not need to define any access profiles in an IBM Integration Bus default configuration.
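Both the started-task profiles earlier in this topic and the WebSphere MQ administrator's profiles in this section follow one pattern: an RDEFINE with UACC(NONE) and a PERMIT granting exactly the listed level to one user ID. The following Python is an added example, not code from the IBM documentation: it parses RDEFINE/PERMIT commands in that shape, resolves which profile RACF would use for a given resource (the most specific matching profile), and reports where a user ID ends up with less, or more, access than the topic requires. The generic-profile rules implemented are ** (zero or more qualifiers), % (one character) and * within a qualifier; a bare * qualifier is treated as exactly one qualifier, and group connections, WARNING mode and the OPERATIONS attribute are not modelled. Those are simplifications to check against the RACF Security Administrator's Guide. The sample commands and the resource names containing EXAMPLE are constructed for this example.

```python
"""Audit RACF RDEFINE/PERMIT commands against the access levels this topic lists."""
import re

# RACF access levels for general resource classes, least to most privileged.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

RDEFINE_RE = re.compile(r"^RDEFINE\s+(\S+)\s+(\S+)(?:\s+UACC\((\w+)\))?", re.I)
PERMIT_RE = re.compile(r"^PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)", re.I)

def parse_commands(text):
    """Return {(class, profile): {"uacc": level, "acl": {userid: level}}} from command lines."""
    profiles = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := RDEFINE_RE.match(line):
            cls, name, uacc = m.group(1).upper(), m.group(2).upper(), (m.group(3) or "NONE").upper()
            profiles[(cls, name)] = {"uacc": uacc, "acl": {}}
        elif m := PERMIT_RE.match(line):
            name, cls, uid, acc = (g.upper() for g in m.groups())
            if (cls, name) not in profiles:
                raise ValueError(f"PERMIT names a profile that was never RDEFINEd: {cls} {name}")
            profiles[(cls, name)]["acl"][uid] = acc
        else:
            raise ValueError(f"unrecognised command: {line}")
    return profiles

def _match(pq, rq):
    """Match profile qualifiers pq against resource qualifiers rq (lists of strings)."""
    if not pq:
        return not rq
    head, rest = pq[0], pq[1:]
    if head == "**":                      # zero or more whole qualifiers
        return any(_match(rest, rq[i:]) for i in range(len(rq) + 1))
    if not rq:
        return False
    if head == "*":                       # simplification: exactly one qualifier
        return _match(rest, rq[1:])
    # inside a qualifier: '*' = zero or more characters, '%' = exactly one character
    pat = "".join("[^.]*" if c == "*" else "[^.]" if c == "%" else re.escape(c) for c in head)
    return re.fullmatch(pat, rq[0]) is not None and _match(rest, rq[1:])

def profile_matches(profile, resource):
    """True if the (possibly generic) profile name covers the resource name."""
    return _match(profile.split("."), resource.split("."))

def _specificity(name):
    """Per-character rank: literal 0 < '%' 1 < '*' 2 < '**' 3; lowest tuple = most specific."""
    ranks, i = [], 0
    while i < len(name):
        generic2 = name.startswith("**", i)
        ranks.append(3 if generic2 else {"*": 2, "%": 1}.get(name[i], 0))
        i += 2 if generic2 else 1
    return tuple(ranks)

def best_profile(profiles, cls, resource):
    """Name of the most specific profile in cls that covers resource (the one RACF uses), or None."""
    cands = [n for c, n in profiles if c == cls and profile_matches(n, resource)]
    return min(cands, key=_specificity) if cands else None

def effective_access(profiles, cls, resource, userid):
    """Access-list entry if present, else UACC; None if no profile covers the resource.
    Group connections, WARNING mode and OPERATIONS are not modelled (assumption)."""
    name = best_profile(profiles, cls, resource)
    if name is None:
        return None
    p = profiles[(cls, name)]
    return p["acl"].get(userid, p["uacc"])

def audit(profiles, requirements):
    """requirements: (class, resource, userid, required level). Returns readable findings."""
    findings = []
    for cls, resource, uid, needed in requirements:
        have = effective_access(profiles, cls, resource, uid)
        if have is None:
            findings.append(f"{cls} {resource}: no profile covers this resource")
        elif LEVELS.index(have) < LEVELS.index(needed):
            findings.append(f"{cls} {resource}: {uid} has {have}, needs {needed}")
        elif LEVELS.index(have) > LEVELS.index(needed):
            findings.append(f"{cls} {resource}: {uid} has {have}, more than the {needed} required")
    return findings

# Constructed sample in the shape this topic uses, with deliberate gaps to find.
SAMPLE_COMMANDS = """
RDEFINE MQCONN MQP1.BATCH UACC(NONE)
PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(READ)
RDEFINE MQQUEUE MQP1.** UACC(READ)
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(TASKID) ACCESS(ALTER)
RDEFINE MQCMDS MQP1.DEFINE.QLOCAL UACC(NONE)
PERMIT MQP1.DEFINE.QLOCAL CLASS(MQCMDS) ID(MQADMIN) ACCESS(ALTER)
"""

# Levels this topic requires; resource names containing EXAMPLE are constructed.
REQUIREMENTS = [
    ("MQCONN", "MQP1.BATCH", "TASKID", "READ"),
    ("MQQUEUE", "MQP1.SYSTEM.BROKER.EXAMPLE.QUEUE", "TASKID", "UPDATE"),
    ("MQQUEUE", "MQP1.EXAMPLE.FLOW.IN", "TASKID", "UPDATE"),
    ("MQADMIN", "MQP1.CONTEXT.EXAMPLE.FLOW.IN", "TASKID", "CONTROL"),
    ("MQCMDS", "MQP1.DEFINE.QLOCAL", "MQADMIN", "ALTER"),
    ("MQCMDS", "MQP1.DEFINE.QMODEL", "MQADMIN", "ALTER"),
]

def run_sample():
    """Audit the constructed commands; returns the list of findings."""
    return audit(parse_commands(SAMPLE_COMMANDS), REQUIREMENTS)
```

Run against the sample, the audit reports the component queues where TASKID holds ALTER instead of the required UPDATE, a message flow queue that only the broad MQP1.** profile covers with UACC(READ), a missing CONTEXT profile in MQADMIN, and a missing DEFINE.QMODEL profile in MQCMDS. Feeding it the output of RLIST for the real MQCONN, MQQUEUE, MQADMIN, MXTOPIC and MQCMDS profiles would require extending the parser to that listing format; the command form here is the one this topic shows.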