If alternate user security is active, you must define profiles in the MQADMIN class and permit the necessary groups or user IDs access to these profiles, so that they can use the alternate user authority options (MQOO_ALTERNATE_USER_AUTHORITY on MQOPEN, MQPMO_ALTERNATE_USER_AUTHORITY on MQPUT1) when the object is opened.
Profiles for alternate user security can be specified at subsystem level or at queue-sharing group level and take the following form:
hlq.ALTERNATE.USER.alternateuserid
where hlq can be either qmgr-name (queue manager name) or qsg-name (queue-sharing group name), and alternateuserid is the value of the AlternateUserId field in the object descriptor.
A profile prefixed by the queue manager name controls use of an alternate user ID on that queue manager only. A profile prefixed by the queue-sharing group name controls use of that alternate user ID on every queue manager in the queue-sharing group: any user with the correct access to the profile can use the alternate user ID on any queue manager in the group. You can override the queue-sharing group level access on an individual queue manager by defining a queue-manager level profile for that alternate user ID on that queue manager.
If your queue manager is a member of a queue-sharing group and you are using both queue manager and queue-sharing group level security, WebSphere MQ checks for a profile prefixed by the queue manager name first. If it does not find one, it looks for a profile prefixed by the queue-sharing group name.
The following table shows the access required when specifying an alternate user option.

MQOPEN or MQPUT1 option | RACF(R) access level required
---|---
MQOO_ALTERNATE_USER_AUTHORITY (MQOPEN) | UPDATE
MQPMO_ALTERNATE_USER_AUTHORITY (MQPUT1) | UPDATE
In addition to alternate user security checks, other security checks for queue, process, namelist, and context security can also be made. The alternate user ID, if provided, is only used for security checks on queue, process definition, or namelist resources. For alternate user and context security checks, the user ID requesting the check is used. For details about how user IDs are handled, see User IDs for security checking. For a summary table showing the open options and the security checks required when queue, context and alternate user security are all active, see Table 43.
An alternate user profile gives the requesting user ID access to resources associated with the user ID specified in the alternate user ID. For example, the payroll server running under user ID PAYSERV on queue manager QMPY processes requests from personnel user IDs, all of which start with PS. To cause the work performed by the payroll server to be carried out under the user ID of the requesting user, alternate user authority is used. The payroll server knows which user ID to specify as the alternate user ID because the requesting programs generate messages using the MQPMO_DEFAULT_CONTEXT put message option, so the queue manager sets the identity context of each request message from the requester's user ID. See User IDs for security checking for more details about where alternate user IDs are obtained.
The following example RACF definitions enable the server program to specify alternate user IDs starting with the characters PS (PS* is a generic profile, so generic profile checking must be active for the MQADMIN class):

RDEFINE MQADMIN QMPY.ALTERNATE.USER.PS* UACC(NONE)
PERMIT QMPY.ALTERNATE.USER.PS* CLASS(MQADMIN) ID(PAYSERV) ACCESS(UPDATE)
If the user is allowed to access this profile, all further checks are made with a user ID of blanks. For details of blank user IDs, see Blank user IDs and UACC levels.
The administration of alternate user IDs is easier if you have a naming convention for user IDs that enables you to use generic alternate user profiles. If your user IDs do not follow such a convention, you could use the RACF RACVARS feature instead. For details about using RACVARS, see the z/OS SecureWay(R) Security Server RACF Security Administrator's Guide.
When a message is put to a queue that has been opened with alternate user authority and the context of the message has been generated by the queue manager, the MQMD_USER_IDENTIFIER field is set to the alternate user ID.
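The following model, added here as an example and not part of the IBM documentation or of WebSphere MQ itself, simulates the profile lookup described above: the queue manager level profile is checked before the queue-sharing group level profile, a generic profile such as QMPY.ALTERNATE.USER.PS* matches any PS user ID, the requesting user ID needs at least UPDATE access, and when the check passes the generated message context carries the alternate user ID in the MQMD UserIdentifier field. The queue-sharing group name QSGP, the second queue manager QMPX, the alternate user IDs PS0123 and PSADMIN, the in-memory profile table and the simplified generic matching (only %, * and **, with the profile containing the fewest generic characters treated as most specific) are assumptions of this example; real RACF also consults group connections and RACVARS, which are not modelled.

```python
import re
from dataclasses import dataclass, field

# RACF access levels from lowest to highest. ALTERNATE.USER profiles need UPDATE.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
REQUIRED_ACCESS = "UPDATE"


@dataclass
class Profile:
    """One MQADMIN class profile. `permits` maps a user ID to its PERMIT access."""
    name: str
    uacc: str = "NONE"
    permits: dict = field(default_factory=dict)

    def matches(self, resource: str) -> bool:
        # Simplified RACF generic matching (assumption of this example):
        #   %  one character, *  any characters within one qualifier,
        #   ** any number of qualifiers.
        pattern = re.escape(self.name)
        pattern = pattern.replace(r"\*\*", ".*").replace(r"\*", "[^.]*")
        pattern = pattern.replace("%", "[^.]")
        return re.fullmatch(pattern, resource) is not None

    def generic_chars(self) -> int:
        return sum(self.name.count(c) for c in "*%")

    def access_for(self, user_id: str) -> str:
        # An explicit PERMIT entry wins over the universal access (UACC).
        return self.permits.get(user_id, self.uacc)


def find_profile(profiles, resource):
    """Return the most specific profile covering `resource`, or None."""
    candidates = [p for p in profiles if p.matches(resource)]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.generic_chars(), -len(p.name)))


def alternate_user_profile(profiles, qmgr, qsg, alt_user):
    """Look for qmgr-name.ALTERNATE.USER.id first, then qsg-name.ALTERNATE.USER.id."""
    for hlq in [qmgr] + ([qsg] if qsg else []):
        profile = find_profile(profiles, f"{hlq}.ALTERNATE.USER.{alt_user}")
        if profile is not None:
            return profile
    return None


def alternate_user_allowed(profiles, qmgr, qsg, requester, alt_user):
    """True if `requester` holds at least UPDATE on the applicable profile."""
    profile = alternate_user_profile(profiles, qmgr, qsg, alt_user)
    if profile is None:
        return False  # no profile at either level: the open is rejected
    granted = ACCESS_ORDER.index(profile.access_for(requester))
    return granted >= ACCESS_ORDER.index(REQUIRED_ACCESS)


def put_with_alternate_user(profiles, qmgr, qsg, requester, alt_user):
    """Model an MQPUT under MQPMO_ALTERNATE_USER_AUTHORITY with queue-manager
    generated context: the MQMD UserIdentifier becomes the alternate user ID."""
    if not alternate_user_allowed(profiles, qmgr, qsg, requester, alt_user):
        raise PermissionError(f"{requester} may not use alternate user {alt_user} on {qmgr}")
    return {"PutApplName": requester, "UserIdentifier": alt_user}


# Constructed profile table: the page's PAYSERV definitions on QMPY, the same
# rule at queue-sharing group level (QSGP, assumed name), and a queue-manager
# level override on QMPY that withholds PSADMIN from everyone.
PROFILES = [
    Profile("QMPY.ALTERNATE.USER.PS*", permits={"PAYSERV": "UPDATE"}),
    Profile("QSGP.ALTERNATE.USER.PS*", permits={"PAYSERV": "UPDATE"}),
    Profile("QMPY.ALTERNATE.USER.PSADMIN"),  # UACC(NONE), no PERMITs
]


if __name__ == "__main__":
    for qmgr, requester, alt in [("QMPY", "PAYSERV", "PS0123"),
                                 ("QMPY", "PAYSERV", "PSADMIN"),
                                 ("QMPX", "PAYSERV", "PSADMIN"),
                                 ("QMPY", "OTHERUSR", "PS0123"),
                                 ("QMPY", "PAYSERV", "HR0001")]:
        ok = alternate_user_allowed(PROFILES, qmgr, "QSGP", requester, alt)
        print(f"{qmgr:5} {requester:9} -> {alt:8} allowed={ok}")
```

The PSADMIN case shows the override rule in both directions: on QMPY the specific queue-manager level profile is found first and denies the request, while on QMPX, which has no queue-manager level profile, the queue-sharing group level PS* profile applies and PAYSERV is allowed.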
csq83bh