Authority to administer WebSphere MQ on z/OS

The following sections describe various aspects of the authority you need to administer WebSphere MQ for z/OS.

Authority checks on z/OS

WebSphere MQ uses the System Authorization Facility (SAF) to route requests for authority checks to an external security manager (ESM) such as the z/OS(R) Security Server Resource Access Control Facility (RACF(R)). WebSphere MQ makes no access decisions of its own: every check is passed to the ESM through SAF, and the ESM's answer is what allows or refuses the request.

This book assumes that you are using RACF as your ESM. If you are using a different ESM, you might need to interpret the information provided for RACF in a way that is relevant to your ESM.

You can specify whether you want authority checks turned on or off for each queue manager individually or for every queue manager in a queue-sharing group. This level of control is called subsystem security. If you turn subsystem security off for a particular queue manager, no authority checks are carried out for that queue manager.

If you turn subsystem security on for a particular queue manager, authority checks can be performed at two levels:

Queue-sharing group level security
Authority checks use RACF profiles that are shared by all queue managers in the queue-sharing group. This means that there are fewer profiles to define and maintain, making security administration easier.
Queue manager level security
Authority checks use RACF profiles specific to the queue manager.

You can use a combination of queue-sharing group and queue manager level security. For example, you can arrange for profiles specific to a queue manager to override those of the queue-sharing group to which it belongs.

Subsystem security, queue-sharing group level security, and queue manager level security are turned on or off by defining switch profiles. A switch profile is a normal RACF profile that has a special meaning to WebSphere MQ: it is the existence of the profile, not the access list on it, that sets the switch, so anyone with authority to define profiles in the relevant class can change how much checking a queue manager does.
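As an added example (not taken from the WebSphere MQ documentation), the following batch TSO job shows how the switch profiles are handled in RACF. The names are assumptions: queue manager MQ01 and MQ02 in queue-sharing group MQG1, and switch profiles held in the MQADMIN class under the queue manager or queue-sharing group name as high-level qualifier. MQ01 is made to use queue-sharing group level profiles only; MQ02 has no switch defined, so both levels are active and its MQ02.* profiles override the MQG1.* ones.

```jcl
//MQSWITCH JOB (ACCT),'MQ SWITCH PROFILES',CLASS=A,MSGCLASS=X
//*
//* Added example, not part of the WebSphere MQ documentation.
//* Assumed names: queue managers MQ01 and MQ02 in queue-sharing
//* group MQG1; switch profiles in the MQADMIN class.
//*
//* Subsystem security is ON unless a hlq.NO.SUBSYS.SECURITY
//* profile exists, so the RLIST commands only confirm that no
//* such profile has been defined for the group or for MQ01.
//* Defining MQ01.NO.QMGR.CHECKS turns queue manager level
//* checking OFF for MQ01 alone; MQG1.* profiles remain in force.
//* Nothing is defined for MQ02, so both levels stay active there.
//*
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RLIST MQADMIN MQG1.NO.SUBSYS.SECURITY
  RLIST MQADMIN MQ01.NO.SUBSYS.SECURITY
  RDEFINE MQADMIN MQ01.NO.QMGR.CHECKS UACC(NONE)
  SETROPTS RACLIST(MQADMIN) REFRESH
/*
```

The RLIST commands are expected to report that the profiles are not found; if either is found, subsystem security is off for that scope and no other check on this page applies. The queue manager reads its switch settings at startup; check the System Setup Guide for which switches can be picked up by the MQSC REFRESH SECURITY command without a restart.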

Command security and command resource security

Authority checks are carried out when a WebSphere MQ administrator issues an MQSC command. This is called command security.

To implement command security, you must define certain RACF profiles and give the necessary groups and user IDs access to these profiles at the required levels. The name of a profile for command security contains the name of an MQSC command.

Some MQSC commands perform an operation on a WebSphere MQ resource, such as the DEFINE QLOCAL command to create a local queue. When an administrator issues an MQSC command, authority checks are carried out to determine whether the requested operation can be performed on the resource specified in the command. This is called command resource security.

To implement command resource security, you must define certain RACF profiles and give the necessary groups and user IDs access to these profiles at the required levels. The name of a profile for command resource security contains the name of a WebSphere MQ resource and its type (QUEUE, PROCESS, NAMELIST, AUTHINFO, or CHANNEL).

Command security and command resource security are independent. For example, when an administrator issues the command:

DEFINE QLOCAL(MOON.EUROPA)

the following authority checks are performed:

a command security check, against the profile whose name contains the command DEFINE QLOCAL, to decide whether this administrator may issue that command at all

a command resource security check, against the profile whose name contains the resource type QUEUE and the queue name MOON.EUROPA, to decide whether this administrator may perform the operation on that particular queue

Both checks must succeed before the command is processed.

Command security and command resource security can be turned on or off by defining switch profiles.
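The DEFINE QLOCAL(MOON.EUROPA) case above, carried through into RACF definitions as an added example that is not from the WebSphere MQ documentation. Assumed names: queue manager MQ01 with queue manager level profiles, the MQCMDS class for command security, the MQADMIN class for command resource security, RACF group MQADMG for administrators who may define queues, and group MQOPSG for operators who may only display them. The access levels (ALTER for DEFINE, READ for DISPLAY) are the ones required for these commands; the generic profile MQ01.QUEUE.MOON.** covering the whole MOON.* family is an illustration.

```jcl
//MQCMDSEC JOB (ACCT),'MQ CMD SECURITY',CLASS=A,MSGCLASS=X
//*
//* Added example, not part of the WebSphere MQ documentation.
//* Assumed names: queue manager MQ01, RACF groups MQADMG
//* (administrators) and MQOPSG (display-only operators).
//*
//* Command security: the MQCMDS profile name carries the MQSC
//* verb and primary keyword. DEFINE needs ALTER, DISPLAY READ.
//* Command resource security: the MQADMIN profile name carries
//* the resource type and name. DEFINE on the queue needs ALTER
//* on MQ01.QUEUE.MOON.EUROPA, which the generic profile
//* MQ01.QUEUE.MOON.** covers; DISPLAY needs READ on it.
//* The two checks are independent: MQOPSG can read both
//* profiles but holds no ALTER, so its DEFINE QLOCAL fails on
//* the command check before the queue is ever considered.
//*
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE MQCMDS MQ01.DEFINE.QLOCAL UACC(NONE)
  PERMIT MQ01.DEFINE.QLOCAL CLASS(MQCMDS) ID(MQADMG) ACCESS(ALTER)
  RDEFINE MQCMDS MQ01.DISPLAY.QLOCAL UACC(NONE)
  PERMIT MQ01.DISPLAY.QLOCAL CLASS(MQCMDS) ID(MQADMG) ACCESS(READ)
  PERMIT MQ01.DISPLAY.QLOCAL CLASS(MQCMDS) ID(MQOPSG) ACCESS(READ)
  SETROPTS GENERIC(MQADMIN)
  RDEFINE MQADMIN MQ01.QUEUE.MOON.** UACC(NONE)
  PERMIT MQ01.QUEUE.MOON.** CLASS(MQADMIN) ID(MQADMG) ACCESS(ALTER)
  PERMIT MQ01.QUEUE.MOON.** CLASS(MQADMIN) ID(MQOPSG) ACCESS(READ)
  SETROPTS RACLIST(MQCMDS MQADMIN) REFRESH
/*
```

UACC(NONE) on every profile means a user ID that is in neither group fails both checks, which is the default you want for administrative commands. The RACLIST REFRESH at the end is what makes the new profiles visible to the running queue manager.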

MQSC commands and the system command input queue

Command security and command resource security are also used when the command server retrieves a message containing an MQSC command from the system command input queue. The user ID that is used for the authority checks is the one found in the UserIdentifier field in the message descriptor of the message containing the MQSC command. This user ID must have the required authorities on the queue manager where the command is processed. Because the check is made against a user ID carried in the message rather than the user ID that put the message, controlling who is allowed to set message context is part of protecting the command server. For more information about the UserIdentifier field and how it is set, see Message context.

Messages containing MQSC commands are sent to the system command input queue in the following circumstances:

Access to the queue manager data sets

WebSphere MQ administrators need authority to access the queue manager data sets. These data sets include:

You must protect the data sets so that no unauthorized user can start a queue manager or gain access to any queue manager data. To do this, use RACF data set protection.
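An added example of RACF data set protection for the queue manager data sets; it is not from the WebSphere MQ documentation. Assumptions: the queue manager's data sets (page sets, active and archive logs, and the bootstrap data sets) are allocated under high-level qualifier MQ01, the queue manager address space runs under started task user ID MQ01MSTR, and RACF group MQADMG holds the administrators. The access levels given to MQ01MSTR and MQADMG are illustrative; take the levels the queue manager actually needs from the System Setup Guide.

```jcl
//MQDSPROT JOB (ACCT),'MQ DATA SET PROTECT',CLASS=A,MSGCLASS=X
//*
//* Added example, not part of the WebSphere MQ documentation.
//* Assumed names: queue manager data sets under HLQ MQ01,
//* started task user ID MQ01MSTR, administrator group MQADMG.
//* Access levels are illustrative only.
//*
//* One generic DATASET profile covers every MQ01.* data set,
//* with no universal access, so a user ID that is not on the
//* access list can neither start a queue manager on these data
//* sets nor read the messages held in the page sets and logs.
//* AUDIT(ALL(UPDATE)) writes an SMF record for every successful
//* or failed update, which gives the SOC something to alert on.
//*
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS GENERIC(DATASET)
  ADDSD 'MQ01.**' UACC(NONE) AUDIT(ALL(UPDATE))
  PERMIT 'MQ01.**' ID(MQ01MSTR) ACCESS(ALTER)
  PERMIT 'MQ01.**' ID(MQADMG) ACCESS(READ)
  SETROPTS GENERIC(DATASET) REFRESH
/*
```

A useful check after the job runs is LISTDSD DATASET('MQ01.**') ALL, which shows the access list and confirms that UACC is NONE; any extra user ID on that list has the same reach over the queue manager's data as the queue manager itself.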

Obtaining more information

For more information about the authority you need to administer WebSphere MQ on z/OS, see the WebSphere MQ for z/OS System Setup Guide.