WebSphere Message Brokers
File: ae14040_
Writer: Bill Oppenheimer

Reference topic

This build: July 31, 2007 21:27:42

Summary of required access (z/OS)

The following information summarizes the access that each role in your organization (started-task user ID, broker administrator, DB2 administrator, WebSphere MQ administrator, and the DB2 subsystem) requires.

Authorizations required for the WebSphere Message Broker started-task user ID

The directory authorizations required for all components are:
  • READ/EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where WebSphere Message Broker for z/OS is installed by SMP/E.
  • READ/WRITE/EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
  • READ/WRITE access to the home directory.
  • READ/WRITE access to the directory identified by ++HOME++.
  • In UNIX System Services, the started task user ID and the WebSphere Message Broker administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these. The owner of these directories needs to give the appropriate permissions to this group.

The following PDSE and DB2 authorizations are required only for a broker component (that is, not for a Configuration Manager or User Name Server):

READ access to the component PDSE is required.

DB2 authorizations for the started task user ID and the table owner ID are required:
  • If there is a profile for db2subsystem.RRSAF in the DSNR class, the started task user ID needs READ access to that profile (RRSAF is the attachment the broker uses to connect to DB2). For example, the following RACF command shows whether the profile exists for subsystem DB2P:
    RLIST  DSNR (DB2P.RRSAF) 
    and the following command gives the required access:
    PERMIT  DB2P.RRSAF  CLASS(DSNR) ID(WQMITASK)  ACCESS(READ)
  • SELECT privilege on the tables SYSIBM.SYSTABLES, SYSIBM.SYSSYNONYMS, and SYSIBM.SYSDATABASE.
  • SELECT, UPDATE, INSERT, and DELETE privileges on all broker system tables.
  • DB2_TABLE_OWNER must be a valid authorization ID (primary or secondary) of the started task user ID, because the broker accesses its tables under that owner ID.
  • EXECUTE authority on the DSNACLI plan, or equivalent for the started task user ID.

WebSphere MQ authorizations:

Enable WebSphere MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles and give the started task user ID the listed access to each profile. For each profile access listed, <MQ_QMNAME> represents the WebSphere MQ queue manager that the WebSphere Message Broker component is connected to, and TASKID represents the WebSphere Message Broker started-task user ID.

  • Connection security: READ access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the RACF commands:
    RDEFINE MQCONN MQP1.BATCH UACC(NONE)
    PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(READ)
  • Queue security: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for all queues. Consider creating profiles for the following queues:
    • All component queues using the generic profile SYSTEM.BROKER.**
    • Any transmission queues defined between component queue managers.
    • Any queues defined in message flows.
    • Dead-letter queues.
    For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands to restrict access to the component queues:
    RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
    PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(TASKID) ACCESS(UPDATE)
  • Context security: CONTROL access to profile <MQ_QMNAME>.CONTEXT of class MQADMIN. For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands:
    RDEFINE MQADMIN MQP1.CONTEXT UACC(NONE)
    PERMIT MQP1.CONTEXT CLASS(MQADMIN) ID(TASKID) ACCESS(CONTROL)
  • Alternate user security: UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents:
    • The service ID of the Windows Configuration Manager component. For example, for queue manager MQP1, started task ID TASKID, and configuration service ID CFGID, use the following RACF commands:
      RDEFINE MQADMIN MQP1.ALTERNATE.USER.CFGID UACC(NONE)
      PERMIT MQP1.ALTERNATE.USER.CFGID  CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)
    • The user ID under which a message is to be processed, for example the user ID of a Publish/Subscribe request. Define one such profile for each user ID the broker must act on behalf of.
  • Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not need to define any access profiles in a WebSphere Message Broker default configuration.
For users connecting remotely from either the Message Broker Toolkit or a Configuration Manager Proxy application to the Configuration Manager on z/OS, the following authorizations are required:
  • Connection security: READ access to profile <MQ_QMNAME>.CHIN of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands:
    RDEFINE MQCONN MQP1.CHIN UACC(NONE)
    PERMIT MQP1.CHIN CLASS(MQCONN) ID(TASKID) ACCESS(READ)
  • Alternate user security: Define the alternate user authority as: UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of the Message Broker Toolkit or Configuration Manager Proxy application. For example, for queue manager MQP1, started task ID TASKID, and user ID USERID, use the following RACF commands:
    RDEFINE MQADMIN MQP1.ALTERNATE.USER.USERID UACC(NONE)
    PERMIT MQP1.ALTERNATE.USER.USERID  CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE)

Authorizations required for the WebSphere Message Broker administrator

The broker administrator requires the following authorizations:

  • ALTER access to the component PDSE.
  • READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
  • READ/EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where WebSphere Message Broker for z/OS is installed by SMP/E.
  • READ/WRITE access to the directory identified by ++HOME++.
  • In UNIX System Services, the started task user ID and the WebSphere Message Broker administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these. The owner of these directories needs to give the appropriate permissions to this group.
  • To run the DB2 pass when creating and deleting components, DBADM authority for the broker database is required.

Authorizations required for the DB2 administrator

The DB2 administrator needs to have the following authorizations to run the DB2 configuration jobs BIPCRDB and BIPDLDB:
  • ALTER access to the component PDSE.
  • DB2 authorizations: SYSCTRL or SYSADM authority.
  • CREATE STOGROUP, CREATE DATABASE, and CREATE TABLESPACEs.
  • DROP DATABASE and DROP STOGROUP.
If the DB2 administrator runs the DB2 pass when creating and deleting a component, the administrator user ID also needs the following authorizations. Alternatively, you can grant authorization to the WebSphere Message Broker administrator to run the DB2 pass.
  • READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
  • READ/EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where WebSphere Message Broker for z/OS is installed by SMP/E.
  • READ/WRITE access to the directory identified by ++HOME++.
  • In UNIX System Services, the started task user ID and the WebSphere Message Broker administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these. The owner of these directories needs to give the appropriate permissions to this group.

Authorizations required for the WebSphere MQ administrator

If the WebSphere MQ administrator runs the WebSphere MQ pass when creating a component, the administrator user ID requires the following authorizations. Alternatively, you can grant authorization to the WebSphere Message Broker administrator to run the WebSphere MQ pass.
  • ALTER access to the component PDSE.
  • Directory authorizations:
    • READ/EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where WebSphere Message Broker for z/OS is installed by SMP/E.
    • READ, WRITE, and EXECUTE access to the component directory ++COMPONENTDIRECTORY++.
    • READ/WRITE access to the directory identified by ++HOME++.
Enable WebSphere MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles and give the WebSphere MQ administrator the listed access to each profile in order to run the WebSphere MQ configuration jobs. For each profile access listed, <MQ_QMNAME> represents the WebSphere MQ queue manager that the WebSphere Message Broker component is connected to, and MQADMIN represents the WebSphere MQ administrator ID:
  • Connection security: READ access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands:
    RDEFINE MQCONN MQP1.BATCH UACC(NONE)
    PERMIT MQP1.BATCH CLASS(MQCONN) ID(MQADMIN) ACCESS(READ)
  • Queue security: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for each component queue created or deleted. You can create a generic profile <MQ_QMNAME>.SYSTEM.BROKER.**. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands to restrict access to the component queues:
    RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
    PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE) 
  • System command server: UPDATE access to profile <MQ_QMNAME>.SYSTEM.COMMAND.** of class MQQUEUE, which covers the queues the command server uses. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands to restrict access to the system command server:
    RDEFINE MQQUEUE MQP1.SYSTEM.COMMAND.** UACC(NONE)
    PERMIT MQP1.SYSTEM.COMMAND.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE) 
  • Other system queues: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for the other system queues used during the create/delete job. You can cover these with a single generic profile <MQ_QMNAME>.**, but note that such a profile grants the administrator UPDATE on every queue on the queue manager that no more specific profile protects; prefer specific profiles where you know the queue names.
  • Command security:
    • To run the WebSphere MQ pass when creating a component you need:
      • ALTER access to <MQ_QMNAME>.DEFINE.QLOCAL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DEFINE.QMODEL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DEFINE.CHANNEL of class MQCMDS.
    • To run the WebSphere MQ pass when deleting a component you need:
      • ALTER access to <MQ_QMNAME>.DELETE.QLOCAL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DELETE.QMODEL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DELETE.CHANNEL of class MQCMDS.
    For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, the following RACF commands grant the DELETE QLOCAL command; repeat them for each of the other MQCMDS profiles listed:
    RDEFINE MQCMDS MQP1.DELETE.QLOCAL UACC(NONE)
    PERMIT MQP1.DELETE.QLOCAL CLASS(MQCMDS) ID(MQADMIN) ACCESS(ALTER)
  • Resource command security: ALTER access to <MQ_QMNAME>.QUEUE.queue of class MQADMIN for each queue created or deleted. You can create a generic profile <MQ_QMNAME>.QUEUE.SYSTEM.BROKER.**. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the RACF commands:
    RDEFINE MQADMIN MQP1.QUEUE.SYSTEM.BROKER.** UACC(NONE)
    PERMIT MQP1.QUEUE.SYSTEM.BROKER.** CLASS(MQADMIN) ID(MQADMIN) ACCESS(ALTER)
  • Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not need to define any access profiles in a WebSphere Message Broker default configuration.
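The following script is added here as a worked example; it is not part of the IBM documentation or the product. It assembles the complete RACF command stream for the two roles whose profiles this page lists individually: the broker started-task user ID (the profiles under "Authorizations required for the WebSphere Message Broker started-task user ID") and the WebSphere MQ administrator (the profiles above). The identifiers MQP1, DB2P, WQMITASK, CFGID, USERID and MQADMIN are the sample names this page uses; Grant, broker_task_grants, mq_admin_grants, racf_commands and check_consistency are the script's own names. Generating the stream from one list of grants, and checking that every PERMIT names a profile the same stream RDEFINEs, prevents the kind of RDEFINE/PERMIT name mismatch that is easy to make when the commands are typed by hand.

```python
"""Generate the RACF command stream for the WebSphere Message Broker for z/OS
profiles summarized on this page.

Added example (not IBM-supplied code).  Assumed identifiers: queue manager
MQP1, DB2 subsystem DB2P, started-task user ID WQMITASK, Configuration Manager
service ID CFGID, remote Toolkit user USERID, MQ administrator MQADMIN.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    racf_class: str  # MQCONN, MQQUEUE, MQADMIN, MQCMDS or DSNR
    profile: str     # fully qualified profile, queue manager / subsystem prefix included
    userid: str      # RACF user ID (or group) being permitted
    access: str      # READ, UPDATE, CONTROL or ALTER


def broker_task_grants(qmgr, db2ssid, taskid, cfgid, remote_ids=(), extra_queues=()):
    """Profiles the broker started-task user ID needs.  extra_queues: the
    transmission, message-flow and dead-letter queues that the generic
    SYSTEM.BROKER.** profile does not cover (names are site specific)."""
    grants = [
        Grant("DSNR", f"{db2ssid}.RRSAF", taskid, "READ"),                    # DB2 RRS attach
        Grant("MQCONN", f"{qmgr}.BATCH", taskid, "READ"),                     # connection
        Grant("MQQUEUE", f"{qmgr}.SYSTEM.BROKER.**", taskid, "UPDATE"),       # component queues
        Grant("MQADMIN", f"{qmgr}.CONTEXT", taskid, "CONTROL"),               # context
        Grant("MQADMIN", f"{qmgr}.ALTERNATE.USER.{cfgid}", taskid, "UPDATE"),  # Config Mgr ID
    ]
    for queue in extra_queues:
        grants.append(Grant("MQQUEUE", f"{qmgr}.{queue}", taskid, "UPDATE"))
    if remote_ids:
        # Toolkit / Configuration Manager Proxy users arrive through the channel
        # initiator; the page lists CHIN connection access plus one
        # alternate-user profile per remote user ID.
        grants.append(Grant("MQCONN", f"{qmgr}.CHIN", taskid, "READ"))
        for uid in remote_ids:
            grants.append(Grant("MQADMIN", f"{qmgr}.ALTERNATE.USER.{uid}", taskid, "UPDATE"))
    return grants


def mq_admin_grants(qmgr, adminid, delete=False):
    """Profiles the MQ administrator needs to run the WebSphere MQ pass of the
    create (delete=False) or delete (delete=True) component job."""
    verb = "DELETE" if delete else "DEFINE"
    grants = [
        Grant("MQCONN", f"{qmgr}.BATCH", adminid, "READ"),
        Grant("MQQUEUE", f"{qmgr}.SYSTEM.BROKER.**", adminid, "UPDATE"),
        Grant("MQQUEUE", f"{qmgr}.SYSTEM.COMMAND.**", adminid, "UPDATE"),       # command server
        Grant("MQADMIN", f"{qmgr}.QUEUE.SYSTEM.BROKER.**", adminid, "ALTER"),   # resource command
    ]
    for obj in ("QLOCAL", "QMODEL", "CHANNEL"):                                 # command security
        grants.append(Grant("MQCMDS", f"{qmgr}.{verb}.{obj}", adminid, "ALTER"))
    return grants


def racf_commands(grants):
    """Render one RDEFINE (UACC(NONE)) per distinct profile, then the PERMITs,
    then SETROPTS RACLIST REFRESH for the MQ classes, which MQ for z/OS keeps
    in storage.  DSNR is left to the site: refresh it too if it is RACLISTed."""
    lines, defined = [], set()
    for g in grants:
        if (g.racf_class, g.profile) not in defined:
            defined.add((g.racf_class, g.profile))
            lines.append(f"RDEFINE {g.racf_class} {g.profile} UACC(NONE)")
    for g in grants:
        lines.append(f"PERMIT {g.profile} CLASS({g.racf_class}) ID({g.userid}) ACCESS({g.access})")
    for cls in sorted({g.racf_class for g in grants if g.racf_class.startswith("MQ")}):
        lines.append(f"SETROPTS RACLIST({cls}) REFRESH")
    return lines


def check_consistency(lines):
    """True only if every PERMIT names a (class, profile) pair that an RDEFINE
    in the same stream created; catches RDEFINE X.QUEUE.Y / PERMIT X.Y slips."""
    defined = {tuple(l.split()[1:3]) for l in lines if l.startswith("RDEFINE")}
    for l in lines:
        if l.startswith("PERMIT"):
            parts = l.split()
            cls = parts[2][len("CLASS("):-1]
            if (cls, parts[1]) not in defined:
                return False
    return True


if __name__ == "__main__":
    stream = racf_commands(
        broker_task_grants("MQP1", "DB2P", "WQMITASK", "CFGID", remote_ids=("USERID",))
        + mq_admin_grants("MQP1", "MQADMIN")
    )
    assert check_consistency(stream)
    print("\n".join(stream))
```

The printed commands can be entered at TSO or placed in the SYSTSIN of a batch TSO (IKJEFT01) job. Two site-level prerequisites are assumed rather than generated: generic profile checking must be active for each class that receives a ** profile (SETROPTS GENERIC), and an RDEFINE for a profile that already exists fails with an "already defined" message, which is harmless as long as the following PERMIT still runs.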

For a description of how to implement WebSphere MQ security using RACF, see Setting up WebSphere MQ.

Authorizations required for the DB2 subsystem started-task user ID

The DB2 subsystem started-task user ID needs ALTER access to the DATASET profile that covers the high-level qualifier specified in DB2_STOR_GROUP_VCAT, because DB2 creates the broker's data sets with this high-level qualifier.

Copyright IBM Corporation 1999, 2007. All Rights Reserved.