mktgurutsm
Posted: Thu Mar 30, 2006 1:09 pm Post subject: z/OS MQ object security Administration ownership
Novice
Joined: 08 Jan 2004 Posts: 21 Location: New York

This is a general question to z/OS MQ System Administrators. We are a very large company running many instances of z/OS QMGRs. There is some discussion as to whether z/OS System Administrators or the RACF group should implement MQ Queue and other object security.
For MQ object security (Queue Security), who at your site is responsible for implementing MQ Queue and Object security?

jefflowrey
Posted: Thu Mar 30, 2006 1:13 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

I would think that this job was best handled by the MQ administrator.
EDIT:
Well, at least knowing what security should be granted or not granted is the job of the MQ administrator. Implementing the security rules would probably be the security administrator's job, as well as validating that the rules don't violate policy without justification.
_________________
I am *not* the model of the modern major general.
Last edited by jefflowrey on Thu Mar 30, 2006 1:33 pm; edited 1 time in total

mktgurutsm
Posted: Thu Mar 30, 2006 1:27 pm Post subject:
Novice
Joined: 08 Jan 2004 Posts: 21 Location: New York

Thanks, Jeff.
The way we do it now is we build the actual RACF PERMIT statements assigning the proper security to the queues, but the RACF security department actually runs the RACF PERMIT commands. We (the MQ SAs) do not have authority to run RACF commands, but we build what the rules are and have RACF run them for us. There is some discussion going on if we (the MQ SAs) should build the rules or it should be handled entirely by the RACF group. That is really the question.

jefflowrey
Posted: Thu Mar 30, 2006 1:33 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

The RACF group probably does not want to be involved with the application teams to the level that would be necessary for them to determine what rules need to be set.
So if that analysis remains with your group, then you need to communicate what the rules should be to the RACF group. Everything else is a discussion of what that communication actually looks like.
_________________
I am *not* the model of the modern major general.

JoePanjang
Posted: Thu Mar 30, 2006 4:47 pm Post subject:
Voyager
Joined: 10 Jul 2002 Posts: 88 Location: Dengkil MALAYSIA

In our shop, the MQ sys admin will put in a request to the RACF admin to have the MQ object security defined in place. Normally these 2 teams work together. The MQ admin does have the access to create all the objects, but only temporarily, i.e. during the project, when they requested it through the change request.
_________________
Every good deed is charity...

JT
Posted: Thu Mar 30, 2006 7:15 pm Post subject:
Padawan
Joined: 27 Mar 2003 Posts: 1564 Location: Hartford, CT.

Quote:
We are a very large company running many instances of z/OS QMGRs. There is some discussion as to whether z/OS System Administrators or the RACF group should implement MQ Queue and other object security.

Tom, it sure would have made life a little easier for us if you had that responsibility.