Violation messages
A return code of MQRC_NOT_AUTHORIZED can be returned to an application
program because:
- A user is not allowed to connect to the queue manager. In this case,
you get an ICH408I message in the Batch/TSO, CICS®, or IMS™ job log.
- A user sign-on to the queue manager has failed because, for example, the
job user ID is not valid or appropriate, or the task user ID or alternate
user ID is not valid. One or more of these user IDs might not be valid because
they have been revoked or deleted. In this case, you get an ICHxxxx message
and possibly an IRRxxxx message in the queue manager job log giving the reason
for the sign-on failure. For example:
ICH408I USER(NOTDFND ) GROUP( ) NAME(??? )
LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND
- An alternate user has been requested, but the job or task user ID does
not have access to the alternate user ID. For this failure, you get a violation
message in the job log of the relevant queue manager.
- A context option has been used or is implied by opening a transmission
queue for output, but the job user ID or, where applicable, the task or alternate
user ID does not have access to the context option. In this case, a violation
message is put in the job log of the relevant queue manager.
- An unauthorized user has attempted to access a secured queue manager object,
for example, a queue. In this case, an ICH408I message for the violation
is put in the job log of the relevant queue manager. This violation might
be due to the job or, when applicable, the task or alternate user ID.
Violation messages for command security and command resource security can
also be found in the job log of the queue manager.
If the ICH408I violation message shows the queue manager jobname rather
than a user ID, this is normally the result of a blank alternate user ID being
specified. For example:
ICH408I JOB(MQS1MSTR) STEP(MQS1MSTR)
MQS1.PAYROLL.REQUEST CL(MQQUEUE)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
You can find out who is allowed to use blank alternate user IDs by checking
the access list of the MQADMIN profile hlq.ALTERNATE.USER.-BLANK-.
An ICH408I violation message can also be generated by:
- A command being sent to the system-command input queue without context.
User-written programs that write to the system-command input queue should
always use a context option. For more information, see Profiles for context security.
- A job accessing the WebSphere MQ resource that does not have a user ID associated
with it, or a WebSphere MQ adapter that cannot extract the user ID from the adapter
environment.
Violation messages might also be issued if you are using both queue-sharing
group and queue manager level security. You might get messages indicating that
no profile has been found at queue manager level, but still be granted access
because of a queue-sharing group level profile. For example:
ICH408I JOB(MQS1MSTR) STEP(MQS1MSTR)
MQS1.PAYROLL.REQUEST CL(MQQUEUE)
PROFILE NOT FOUND - REQUIRED FOR AUTHORITY CHECKING
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
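
The cases above can be told apart mechanically when reviewing a job log. The following is an added example, not IBM code: it assumes each message starts at the beginning of a line as in the excerpts on this page, and the function names, cause labels and the `qmgr_jobname` parameter are this example's own.

```python
import re

# Constructed sample: the three job-log excerpts shown on this page, concatenated.
SAMPLE_LOG = """\
ICH408I USER(NOTDFND ) GROUP( ) NAME(??? )
LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED
IRR012I VERIFICATION FAILED. USER PROFILE NOT FOUND
ICH408I JOB(MQS1MSTR) STEP(MQS1MSTR)
MQS1.PAYROLL.REQUEST CL(MQQUEUE)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
ICH408I JOB(MQS1MSTR) STEP(MQS1MSTR)
MQS1.PAYROLL.REQUEST CL(MQQUEUE)
PROFILE NOT FOUND - REQUIRED FOR AUTHORITY CHECKING
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
"""

# Zero-width split point in front of every ICH/IRR message ID at a line start.
MSG_START = re.compile(r"(?m)^(?=(?:ICH|IRR)\d{3,4}[A-Z]\b)")

# Text marker -> cause label, checked in order (labels are this example's own).
CAUSES = [
    ("NOT RACF-DEFINED", "signon-failed"),  # user ID is not known to RACF
    ("PROFILE NOT FOUND", "no-profile"),    # a queue-sharing group profile may still grant access
    ("INSUFFICIENT ACCESS AUTHORITY", "denied"),
]

def split_messages(log):
    """Return each message together with its continuation lines."""
    return [m.strip() for m in MSG_START.split(log) if m.strip()]

def triage(log, qmgr_jobname):
    """Return one finding per ICH408I message in the job log text."""
    findings = []
    for msg in (m for m in split_messages(log) if m.startswith("ICH408I")):
        ident = re.search(r"\b(USER|JOB)\(\s*([^)\s]*)\s*\)", msg)
        res = re.search(r"^[ \t]*(\S+)[ \t]+CL\((\w+)", msg, re.M)
        intent = re.search(r"ACCESS INTENT\((\w+)\s*\)", msg)
        kind, name = ident.groups() if ident else (None, None)
        findings.append({
            "identity": (kind, name),
            "resource": res.group(1) if res else None,
            "class": res.group(2) if res else None,
            "intent": intent.group(1) if intent else None,
            "cause": next((c for k, c in CAUSES if k in msg), "unclassified"),
            # Queue manager jobname instead of a user ID: check the three causes above.
            "qmgr_identity": kind == "JOB" and name == qmgr_jobname,
        })
    return findings
```

A finding with `qmgr_identity` set points at the blank alternate user ID, missing context, or missing user ID cases, so the access list of hlq.ALTERNATE.USER.-BLANK- is the first thing to check.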