Setting up the security environment for IBM® MQ

Z Data Tools provides security features to secure access to MQ resources when using Z Data Tools functions.

These features work in conjunction with IBM® MQ security, not as a replacement. If access is not restricted by Z Data Tools, it may still be restricted by IBM® MQ security. Similarly, if access is not restricted by IBM® MQ security, it may still be restricted by Z Data Tools security. Z Data Tools security features for MQ are only applicable when accessing MQ resources using Z Data Tools.

Z Data Tools security for MQ is applicable to the user attempting to use a Z Data Tools function that accesses an MQ resource. By default, Z Data Tools does not secure access to MQ resources.

Activating security for a queue manager

To secure a queue manager, you must define a security resource indicating that security is required for a nominated queue manager on a given sysplex.

The security resource takes the form HFMMQ.SECURITY.sysplex.qmgr and must be defined to the FACILITY class. For example:
RDEFINE FACILITY HFMMQ.SECURITY.SYSPLEXD.CSQ1 UACC(READ)

Granting READ access to a user indicates that Z Data Tools security is applicable to that user for the nominated queue manager on the nominated sysplex. If no access is granted, security is not active. When security is active, users must be granted further access to resources to access the queue manager’s attributes and queues. If security is not active for a queue manager, Z Data Tools permissions related to the queue manager do not apply.

Securing queue manager resources

When security is active for a queue manager, a user cannot access any of a queue manager’s resources unless the user has at least READ access to a security resource of the form HFMMQ.sysplex.qmgr defined to the XFACILIT class.

For example:
RDEFINE XFACILIT HFMMQ.SYSPLEXD.CSQ1 UACC(NONE)
PERMIT HFMMQ.SYSPLEXD.CSQ1 CLASS(XFACILIT) ID(JOHND) ACCESS(READ)
Granting READ access to a user allows the user to list the queue manager’s attributes, its queues, and its queues’ attributes. To alter a queue manager’s attributes, a user must have ALTER authority. ALTER authority also allows a user to modify the attributes of the queue manager’s queues, delete existing queues, and create new queues. For example:
PERMIT HFMMQ.SYSPLEXD.CSQ1 CLASS(XFACILIT) ID(JOHND) ACCESS(ALTER)

Securing queue messages

When security is active for a queue manager, a user cannot access a queue’s messages unless the user has at least READ access to a security resource of the form HFMMQ.sysplex.qmgr.queue defined to the XFACILIT class.

For example:
RDEFINE XFACILIT HFMMQ.SYSPLEXD.CSQ1.* UACC(NONE)
PERMIT HFMMQ.SYSPLEXD.CSQ1.* CLASS(XFACILIT) ID(JOHND) ACCESS(READ)
Granting READ access to a user allows the user to browse messages on the queue. To edit, insert, delete, or destructively get messages on a queue, a user must have at least UPDATE authority. For example:
PERMIT HFMMQ.SYSPLEXD.CSQ1.* CLASS(XFACILIT) ID(JOHND) ACCESS(UPDATE)

UPDATE authority also allows a user to reset or clear a queue’s messages.

Securing Z Data Tools commands

When security is active for a queue manager, a user must have appropriate access to target MQ resources pertinent to the Z Data Tools command being executed.

There is a range of commands that can affect IBM® MQ resources. In each case the following security resource definitions and permissions are required:

  • When a command reads a queue manager’s attributes or its queues’ attributes, the requesting user must have READ authority to resource HFMMQ.sysplex.qmgr in the XFACILIT class for the queue manager being read.
  • When a command alters a queue manager’s attributes or defines a queue, the requesting user must have ALTER authority to resource HFMMQ.sysplex.qmgr in the XFACILIT class for the queue manager being modified.
  • When a command reads message data, the requesting user must have READ authority to resource HFMMQ.sysplex.qmgr.queue in the XFACILIT class for the queue being read.
  • When a command updates message data, the requesting user must have UPDATE authority to resource HFMMQ.sysplex.qmgr.queue in the XFACILIT class for the queue being updated.
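The activation rule and the four command rules above, as an added model that is neither part of the IBM documentation nor Z Data Tools code: a small Python simulation of the authorization decision. It uses the profile names from the examples above plus constructed user IDs and queue names, and its generic-profile matching is deliberately simplified (a trailing .* matches any remaining qualifiers, the most specific matching profile wins), not full RACF semantics.

```python
import fnmatch

# RACF access levels, lowest to highest authority.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed profile store (not a real RACF database): class -> profile -> UACC and PERMITs.
# The SYSPLEXD/CSQ1 profiles mirror the RDEFINE/PERMIT examples above; the PAYROLL profile is invented.
PROFILES = {
    "FACILITY": {
        "HFMMQ.SECURITY.SYSPLEXD.CSQ1": {"uacc": "READ", "permits": {}},
    },
    "XFACILIT": {
        "HFMMQ.SYSPLEXD.CSQ1": {"uacc": "NONE", "permits": {"JOHND": "READ"}},
        "HFMMQ.SYSPLEXD.CSQ1.*": {"uacc": "NONE", "permits": {"JOHND": "READ"}},
        "HFMMQ.SYSPLEXD.CSQ1.PAYROLL.*": {"uacc": "NONE", "permits": {"JOHND": "UPDATE"}},
    },
}

# Minimum authority each kind of Z Data Tools command needs, per the four rules above.
REQUIRED = {
    "read_qmgr_attrs": ("qmgr", "READ"),
    "alter_qmgr_attrs": ("qmgr", "ALTER"),
    "define_queue": ("qmgr", "ALTER"),
    "read_messages": ("queue", "READ"),
    "update_messages": ("queue", "UPDATE"),
}

def level_ge(have, need):
    """True if access level `have` is at least `need`."""
    return LEVELS.index(have) >= LEVELS.index(need)

def access_level(cls, resource, user):
    """Effective access: the user's PERMIT on the most specific matching profile, else its UACC.
    Simplified matching: a trailing .* matches any remaining qualifiers; no matching profile means NONE."""
    best, best_spec = None, -1
    for pattern, prof in PROFILES.get(cls, {}).items():
        if fnmatch.fnmatchcase(resource, pattern):
            spec = sum(q != "*" for q in pattern.split("."))  # count of non-wildcard qualifiers
            if spec > best_spec:
                best, best_spec = prof, spec
    return "NONE" if best is None else best["permits"].get(user, best["uacc"])

def authorized(user, sysplex, qmgr, operation, queue=None):
    """Z Data Tools decision only; IBM MQ's own security checks still apply independently."""
    if not level_ge(access_level("FACILITY", f"HFMMQ.SECURITY.{sysplex}.{qmgr}", user), "READ"):
        return True  # security not active for this queue manager: Z Data Tools permissions do not apply
    kind, need = REQUIRED[operation]
    resource = f"HFMMQ.{sysplex}.{qmgr}" + (f".{queue}" if kind == "queue" else "")
    return level_ge(access_level("XFACILIT", resource, user), need)
```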

Securing message context

Z Data Tools uses MQ security controls to edit messages and message context.

When a Z Data Tools session is started, Z Data Tools checks whether the user has CONTROL access to the qmgr.CONTEXT.queue resource in the MQADMIN class. For some External Security Managers, this check might require certain permissions. When a message is updated, the MQ message context is preserved if the user has CONTROL access to the qmgr.CONTEXT.queue resource in the MQADMIN class; otherwise, the message context is replaced with a default message context, in accordance with normal MQ operation.