If queue security is active, you must define profiles in the MQQUEUE class and permit the necessary groups or user IDs access to these profiles, so they can issue WebSphere MQ API requests that use queues.
Profiles for queue security take the form:
qmgr-name.queuename
where qmgr-name (queue manager name) and queuename is the name of the queue being opened, as specified in the object descriptor on the MQOPEN or MQPUT1 call.
A profile prefixed by the queue manager name controls access to a single queue on that queue manager.
The RACF access required to open a queue depends on the MQOPEN or MQPUT1 options specified. If more than one of the MQOO_* and MQPMO_* options are coded, the queue security check is performed for the highest RACF authority required.
| TMQOPEN or MQPUT1 option | RACF access level required to access qmgr-name.queuename |
|---|---|
| MQOO_BIND_* | UPDATE |
| MQOO_BROWSE | READ |
| MQOO_INPUT_* | UPDATE |
| MQOO_INQUIRE | READ |
| MQOO_OUTPUT or MQPUT1 | UPDATE |
| MQOO_PASS_ALL_CONTEXT | UPDATE |
| MQOO_PASS_IDENTITY_CONTEXT | UPDATE |
| MQOO_SAVE_ALL_CONTEXT | UPDATE |
| MQOO_SET | ALTER |
| MQOO_SET_ALL_CONTEXT | UPDATE |
| MQOO_SET_IDENTITY_CONTEXT | UPDATE |
| MQPMO_PASS_ALL_CONTEXT | UPDATE |
| MQPMO_PASS_IDENTITY_CONTEXT | UPDATE |
| MQPMO_SET_ALL_CONTEXT | UPDATE |
| MQPMO_SET_IDENTITY_CONTEXT | UPDATE |