Using the RESLEVEL security profile
You can define a special profile in the MQADMIN class to control the number
of user IDs checked for API-resource security. How this RESLEVEL profile affects
API-resource security depends on how you are accessing WebSphere MQ.
Important notes about using RESLEVEL:
- RESLEVEL is a very powerful option; it can cause all resource security
checks for a particular connection to be bypassed. This means that RACF cannot audit these resource checks.
- You can use the RESAUDIT system parameter to switch RESLEVEL auditing
off.
- Using the RESLEVEL profile means that normal security audit records are
not taken. For example, if you put UAUDIT on a user, the access to the hlq.RESLEVEL
profile in MQADMIN is not audited.
- If you use the RACF WARNING option on the hlq.RESLEVEL profile,
no RACF warning messages are produced for profiles in the RESLEVEL class.
- If you do not have a RESLEVEL profile defined, you must be careful that
no other profile in the MQADMIN class matches hlq.RESLEVEL. For example,
if you have a profile in MQADMIN called hlq.** and no hlq.RESLEVEL
profile, beware of the consequences of the hlq.** profile
because it is used for the RESLEVEL check.
You should define an hlq.RESLEVEL profile and set the UACC to NONE, rather
than having no RESLEVEL profile at all. You should have as few users or
groups in the access list as possible.
For details about how to audit RESLEVEL access, see Auditing considerations.
- If you make any changes to the RESLEVEL profile, users must disconnect
and connect again before the change takes effect. (This includes stopping and
restarting the channel initiator if the access that the distributed queuing
address space user ID has to the RESLEVEL profile is changed.)
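
The check described in the note about generic profiles can be automated over an exported list of MQADMIN profile names. The following is an added example, not IBM-supplied code: the queue manager names, the profile list and the function names are constructed for illustration, and the generic matching is a simplified model of RACF rules (% is one character, * stays within a qualifier unless it ends the name, ** spans qualifiers).

```python
import re

def generic_to_regex(profile):
    """Translate a generic profile name to a regex (simplified RACF model)."""
    out, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            out.append(".*")                 # spans qualifiers
            i += 2
        elif profile[i] == "*":
            # A trailing * runs to the end of the name; elsewhere it stays
            # inside one qualifier.
            out.append(".*" if i == len(profile) - 1 else "[^.]*")
            i += 1
        elif profile[i] == "%":
            out.append("[^.]")               # exactly one character
            i += 1
        else:
            out.append(re.escape(profile[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def audit_reslevel(hlq, profiles):
    """profiles maps MQADMIN profile name -> UACC. Returns (status, names)."""
    resource = f"{hlq}.RESLEVEL"
    if resource in profiles:
        # A dedicated profile takes precedence over any generic one.
        status = "OK" if profiles[resource] == "NONE" else "UACC_NOT_NONE"
        return (status, [resource])
    # No dedicated profile: every generic listed here is a candidate for the
    # RESLEVEL check (RACF uses the most specific one that matches).
    covering = sorted(p for p in profiles
                      if any(c in p for c in "*%")
                      and generic_to_regex(p).match(resource))
    return ("GENERIC_USED", covering) if covering else ("NO_PROFILE", [])

# Constructed sample data: hypothetical queue managers MQP1, MQT1, MQD1, MQX2.
SAMPLE_PROFILES = {
    "MQP1.RESLEVEL": "NONE",   # dedicated profile, UACC(NONE)
    "MQP1.**": "READ",
    "MQT1.**": "READ",         # no MQT1.RESLEVEL, so this generic is used
    "MQD1.RESLEVEL": "READ",   # dedicated profile, but UACC is not NONE
    "MQ%2.QUEUE.*": "NONE",    # does not match MQX2.RESLEVEL
}

if __name__ == "__main__":
    for qmgr in ("MQP1", "MQT1", "MQD1", "MQX2"):
        print(qmgr, *audit_reslevel(qmgr, SAMPLE_PROFILES))
```

A GENERIC_USED or UACC_NOT_NONE result marks a queue manager for which an hlq.RESLEVEL profile with UACC NONE still needs to be defined or corrected.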