Profiles for Queue Security

If queue security is active, you must define profiles in the MQQUEUE class and permit the necessary groups or user IDs access to these profiles, so they can issue WebSphere MQ API requests that use queues.

Profiles for queue security take the form:

qmgr-name.queuename

where qmgr-name (queue manager name) and queuename is the name of the queue being opened, as specified in the object descriptor on the MQOPEN or MQPUT1 call.

A profile prefixed by the queue manager name controls access to a single queue on that queue manager.

The RACF access required to open a queue depends on the MQOPEN or MQPUT1 options specified. If more than one of the MQOO_* and MQPMO_* options are coded, the queue security check is performed for the highest RACF authority required.

TMQOPEN or MQPUT1 option RACF access level required to access qmgr-name.queuename
MQOO_BIND_* UPDATE
MQOO_BROWSE READ
MQOO_INPUT_* UPDATE
MQOO_INQUIRE READ
MQOO_OUTPUT or MQPUT1 UPDATE
MQOO_PASS_ALL_CONTEXT UPDATE
MQOO_PASS_IDENTITY_CONTEXT UPDATE
MQOO_SAVE_ALL_CONTEXT UPDATE
MQOO_SET ALTER
MQOO_SET_ALL_CONTEXT UPDATE
MQOO_SET_IDENTITY_CONTEXT UPDATE
MQPMO_PASS_ALL_CONTEXT UPDATE
MQPMO_PASS_IDENTITY_CONTEXT UPDATE
MQPMO_SET_ALL_CONTEXT UPDATE
MQPMO_SET_IDENTITY_CONTEXT UPDATE