Grant or revoke authority to one or more groups or users to complete specific tasks against a broker running on z/OS®.
Activate broker administration security for the broker before you grant and revoke authority for requests sent to that broker.
Configure the external security manager (ESM) that you are using with WebSphere® MQ to grant the required permissions on z/OS systems. For example, if you are using RACF®, set up profiles to hold the information required for WebSphere MQ security checking. The examples in this topic assume that you are using RACF.
Complete the following steps:
All the examples shown here are for a broker that is associated with the queue manager MQ01.
PERMIT MQ01.SYSTEM.BROKER.AUTH CLASS(MQQUEUE) ID(GROUP1) ACCESS(ALTER)
PERMIT MQ01.SYSTEM.BROKER.AUTH CLASS(MQQUEUE) ID(GROUP2) ACCESS(ALTER) DEL
PERMIT MQ01.SYSTEM.BROKER.AUTH.** CLASS(MXQUEUE) ID(GROUP3) ACCESS(UPDATE)
PERMIT MQ01.SYSTEM.BROKER.AUTH.** CLASS(MXQUEUE) ID(GROUP4) DEL
PERMIT MQ01.SYSTEM.BROKER.AUTH.default CLASS(MXQUEUE) ID(GROUP5) ACCESS(READ)
//RACFDUMP JOB ,MQTEST,USER=MQTEST,TIME=1,MSGCLASS=H
//STEP1 EXEC PGM=IKJEFT01,REGION=64M,DYNAMNBR=99
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
/* LIST ALL EXISTING PROFILES IN THE MQADMIN CLASS */
SEARCH CLASS(MQADMIN)
/* LIST UPPERCASE PROFILES IN THE MQQUEUE MEMBER CLASS */
SEARCH CLASS(MQQUEUE)
/* LIST MIXED CASE PROFILES IN THE MQQUEUE MEMBER CLASS */
SEARCH CLASS(MXQUEUE)
/* LIST THE QMGR PROFILE */
RLIST MQADMIN MI09.NO.SUBSYS.SECURITY ALL
/*
READY
/* LIST ALL EXISTING PROFILES IN THE MQADMIN CLASS */
READY
SEARCH CLASS(MQADMIN)
EP00.NO.SUBSYS.SECURITY
EP01.NO.SUBSYS.SECURITY
EP02.NO.SUBSYS.SECURITY
EP03.NO.SUBSYS.SECURITY
EP04.NO.SUBSYS.SECURITY
MA00.NO.SUBSYS.SECURITY
MA01.NO.SUBSYS.SECURITY
MA02.NO.SUBSYS.SECURITY
MA03.NO.SUBSYS.SECURITY
MA04.NO.SUBSYS.SECURITY
MA05.NO.SUBSYS.SECURITY
MA06.NO.SUBSYS.SECURITY
MA07.NO.SUBSYS.SECURITY
MA08.NO.SUBSYS.SECURITY
MA09.NO.SUBSYS.SECURITY
MA10.NO.SUBSYS.SECURITY
MA11.ALTERNATE.USER.KMCMUL
MA11.ALTERNATE.USER.KMCMUL3
MA11.ALTERNATE.USER.MA15USR
MA11.CHANNEL.MA11.TO.REG1
MA11.CONTEXT
MA11.NO.CMD.CHECKS
MA11.NO.CMD.RESC.CHECKS
MA11.NO.CMDS.CHECKS
MA11.NO.CMDS.RESC.CHECKS
MA11.NO.SUBSYS.SECURITY
MA11.RESLEVEL
MA12.NO.SUBSYS.SECURITY
MA13.NO.SUBSYS.SECURITY
MA14.NO.SUBSYS.SECURITY
MA15.NO.SUBSYS.SECURITY
MA16.NO.SUBSYS.SECURITY
MA17.NO.SUBSYS.SECURITY
MA18.NO.SUBSYS.SECURITY
MA19.NO.SUBSYS.SECURITY
MA20.NO.SUBSYS.SECURITY
MI00.NO.SUBSYS.SECURITY
MI01.NO.SUBSYS.SECURITY
MI02.NO.SUBSYS.SECURITY
MI03.NO.SUBSYS.SECURITY
MI04.NO.SUBSYS.SECURITY
MI05.NO.SUBSYS.SECURITY
MI06.NO.SUBSYS.SECURITY
MI07.NO.SUBSYS.SECURITY
MI08.NO.SUBSYS.SECURITY
MI09.ALTERNATE.USER.MI09STC
MI09.ALTERNATE.USER.NHARRIS
MI09.NO.CMD.CHECKS
MI09.NO.CONNECT.CHECKS
MI09.NO.CONTEXT.CHECKS
MI09.NO.SUBSYS.SECURITY
MI10.NO.SUBSYS.SECURITY
MI11.NO.SUBSYS.SECURITY
MI12.NO.SUBSYS.SECURITY
MI13.NO.SUBSYS.SECURITY
MI14.NO.SUBSYS.SECURITY
MI15.NO.SUBSYS.SECURITY
MI16.NO.SUBSYS.SECURITY
MI17.NO.SUBSYS.SECURITY
MI18.NO.SUBSYS.SECURITY
MI19.NO.SUBSYS.SECURITY
MI20.NO.SUBSYS.SECURITY
MI09.CHANNEL.** (G)
MI09.QUEUE.** (G)
READY
/* LIST UPPERCASE PROFILES IN THE MQQUEUE MEMBER CLASS */
READY
SEARCH CLASS(MQQUEUE)
MA11.INPUT2.QUEUE
MA11.KMBRK
MA11.MA11.DEAD.QUEUE
MA11.MA15
MA11.REG1
MA11.SUBSCRIBER.RESULTS.QUEUE
MA11.SUBSCRIBER3.RESULTS.QUEUE
MA11.SUBSCRIBER4.RESULTS.QUEUE
MA11.SUBSCRIBER5.RESULTS.QUEUE
MA11.SUBSCRIBER6.RESULTS.QUEUE
MA11.SUBSCRIBER9.RESULTS.QUEUE
MA11.SYSTEM.CHANNEL.EVENT
MA11.SYSTEM.CHANNEL.SYNCQ
MA11.SYSTEM.CLUSTER.COMMAND.QUEUE
MA11.SYSTEM.COMMAND.INPUT
MA11.SYSTEM.COMMAND.REPLY.MODEL
MI09.SYSTEM.BROKER.AUTH.SECURITY_EXE
MA11.SYSTEM.BROKER.** (G)
MA11.SYSTEM.** (G)
MA11.** (G)
MI09.** (G)
READY
/* LIST MIXED CASE PROFILES IN THE MQQUEUE MEMBER CLASS */
READY
SEARCH CLASS(MXQUEUE)
NO ENTRIES MEET SEARCH CRITERIA
READY
/* LIST THE QMGR PROFILE */
READY
RLIST MQADMIN MI09.NO.SUBSYS.SECURITY ALL
CLASS      NAME
-----      ----
MQADMIN    MI09.NO.SUBSYS.SECURITY

GROUP CLASS NAME
----- ----- ----
GMQADMIN

RESOURCE GROUPS
-------- ------
NONE

LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    MQTEST         NONE            NONE      NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
NONE

SECLEVEL
--------
NO SECLEVEL

CATEGORIES
----------
NO CATEGORIES

SECLABEL
--------
NO SECLABEL

AUDITING
--------
FAILURES(READ)

NOTIFY
------
NO USER TO BE NOTIFIED

CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE
(DAY) (YEAR)      (DAY) (YEAR)       (DAY) (YEAR)
-------------  -------------------  ----------------
 237    09         237    09          237    09

ALTER COUNT  CONTROL COUNT  UPDATE COUNT  READ COUNT
-----------  -------------  ------------  ----------
   000000        000000        000000       000000

USER  ACCESS  ACCESS COUNT
----  ------  ------ -----
NO USERS IN ACCESS LIST

ID        ACCESS   ACCESS COUNT  CLASS     ENTITY NAME
--------  -------  ------------  --------  ---------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
READY
END
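
The following Python sketch is an added example, not part of the original topic or of IBM's tooling. It parses SEARCH output in the shape shown above and reports which existing profile would cover a broker authorization queue such as MA11.SYSTEM.BROKER.AUTH, so that you can confirm a profile exists in the class before you issue PERMIT against it. The sample listing is constructed from lines in the output above, the function names are hypothetical, and the generic matching (`**`, `*`, `%`, longest literal prefix preferred) is a simplified approximation of RACF's rules, not RACF's own algorithm.

```python
import re

# Constructed sample: a trimmed listing in the shape of the job output above.
SAMPLE = """\
READY
SEARCH CLASS(MQQUEUE)
MI09.SYSTEM.BROKER.AUTH.SECURITY_EXE
MA11.SYSTEM.BROKER.** (G)
MA11.SYSTEM.** (G)
MI09.** (G)
READY
SEARCH CLASS(MXQUEUE)
NO ENTRIES MEET SEARCH CRITERIA
READY
"""

def parse_search(listing):
    """Return {class: [(profile, is_generic), ...]} from SEARCH output."""
    found, current = {}, None
    for line in map(str.strip, listing.splitlines()):
        m = re.fullmatch(r"SEARCH CLASS\((\w+)\)", line)
        if line == "READY":
            current = None  # the prompt ends the previous command's output
        elif m:
            current = found.setdefault(m.group(1), [])
        elif current is not None and line and not line.startswith("NO ENTRIES"):
            name, _, flag = line.partition(" ")
            current.append((name, flag.strip() == "(G)"))
    return found

def to_regex(profile):
    """Assumed, simplified rules: ** = zero or more qualifiers,
    * = rest of one qualifier, % = exactly one character."""
    one = lambda q: r"\." + re.escape(q).replace(r"\*", "[^.]*").replace("%", "[^.]")
    return re.compile("".join(r"(?:\.[^.]+)*" if q == "**" else one(q)
                              for q in profile.split(".")))

def covering_profile(profiles, resource):
    """Discrete match first, else the generic match with the longest literal prefix."""
    best = None
    for name, generic in profiles:
        if not generic and name == resource:
            return name
        if generic and to_regex(name).fullmatch("." + resource):
            prefix = len(re.split(r"[*%]", name)[0])
            if best is None or prefix > best[0]:
                best = (prefix, name)
    return best[1] if best else None
```

A result of None for a queue manager, or an empty class such as MXQUEUE in the sample, means that no profile in that class covers the broker authorization queue yet.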