The following information summarizes the access that the professionals in your organization require.
The following PDSE and DB2 authorizations are required only for a broker component, that is, not a Configuration Manager or User Name Server
READ access to the component PDSE is required.
RLIST DSNR (DB2P.RRSAF)and the following command gives the required access:
PERMIT DB2P.RRSAF CLASS(DSNR) ID(WQMITASK) ACCESS(READ)
Enable WebSphere MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles and give the started task user ID the listed access to each profile. For each profile access listed, <MQ_QMNAME> represents the WebSphere MQ queue manager that the WebSphere Message Broker component is connected to, and TASKID represents the WebSphere Message Broker started-task user ID.
RDEFINE MQCONN MQP1.BATCH UACC(NONE) PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(READ)
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE) PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(TASKID) ACCESS(UPDATE)
RDEFINE MQADMIN MQP1.CONTEXT UACC(NONE) PERMIT MQP1.CONTEXT CLASS(MQADMIN) ID(TASKID) ACCESS(CONTROL)
RDEFINE MQADMIN MQP1.ALTERNATE.USER.CFGID UACC(NONE) PERMIT MQP1.ALTERNATE.USER.CFGID CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of, for example, a Publish/Subscribe request.
RDEFINE MQCONN MQP1.CHIN UACC(NONE) PERMIT MQP1.CHIN CLASS(MQCONN) ID(TASKID) ACCESS(READ)
RDEFINE MQADMIN MQP1.ALTERNATE.USER.USERID UACC(NONE) PERMIT MQP1.ALTERNATE.USER.USERID CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)
The broker administrator requires the following authorizations:
RDEFINE MQCONN MQP1.BATCH UACC(NONE) PERMIT MQP1.BATCH CLASS(MQCONN) ID(MQADMIN) ACCESS(READ)
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE) PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE)
RDEFINE MQQUEUE MQP1.SYSTEM.COMMAND.** UACC(NONE) PERMIT MQP1.SYSTEM.COMMAND.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE)UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for some system queues used during the create/delete job. You can create a generic profile <MQ_QMNAME>.**
RDEFINE MQCMDS MQP1.DELETE.QLOCAL UACC(NONE) PERMIT MQP1.DELETE.QLOCAL CLASS(MQCMDS) ID(MQADMIN) ACCESS(ALTER)
RDEFINE MQADMIN MQP1.QUEUE.SYSTEM.BROKER.** UACC(NONE) PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQADMIN) ID(MQADMIN) ACCESS(ALTER)
For a description of how to implement WebSphere MQ security using RACF, see Setting up WebSphere MQ.