| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| RACF - Command Resource Security and Groups |
« View previous topic :: View next topic » |
| Author |
Message
|
| PeterPotkay |
 Posted: Tue Jan 26, 2010 10:06 am Post subject: RACF - Command Resource Security and Groups |
 |
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
The z/OS MQ Sys Admin Guide does a good job providing example RACF commands of the various profiles, but doesn't give any example for command resource security. I will be meeting with the RACF guys tomorrow and don't want to waste their time with silly little syntax commands or things that are conceptually wrong. Is the below correct?
Queue Manager = MQX1
No one has access to any commands, other than the MQ Admins (MQTEAM in the below example)
Anyone can issue the display command.
There is a batch job needs to issue ALTER commands via CSQUTIL to change some queues to turn triggering on and off, they are triggered by depth.
(Edit: removed MQSET which implies an MQ API call. They are calling CSQUTIL)
BATCHID is the ID in the below example.
I use 3 queues below, but the real # will be higher, so I want to use a group. Not sure if I am going about that correctly.
| Code: |
**************************************************************************************************
*Make sure Command and Command Resource security is on
**************************************************************************************************
RDELETE MQADMIN MQX1.NO.CMD.CHECKS
RDELETE MQADMIN MQX1.NO.CMD.RESC.CHECKS
**************************************************************************************************
*By default no one can issue any commands, but the MQ Admins can
**************************************************************************************************
RDEF MQCMDS MQX1.** UACC(NONE) AUDIT(ALL(READ))
PERMIT MQX1.** CLASS(MQCMDS) ID(MQTEAM) ACCESS(ALTER)
**************************************************************************************************
* If anyone could issue a command, by default they can't for any specific MQ object
**************************************************************************************************
RDEF MQADMIN MQX1.** UACC(NONE) AUDIT(ALL(READ))
PERMIT MQX1.** CLASS(MQADMIN) ID(MQTEAM) ACCESS(ALTER)
**************************************************************************************************
* Allow everyone to display. There is no Command Resource level check for Display
**************************************************************************************************
RDEF MQCMDS MQX1.DISPLAY.** UACC(READ) AUDIT(ALL(UPDATE))
**************************************************************************************************
* Allow BATCHID to MQSET its queues
**************************************************************************************************
PERMIT MQX1.ALTER.QLOCAL CLASS(MQCMDS) ID(BATCHID) ACCESS(ALTER)
RDEFINE GMQADMIN TRIGGER.QUEUES UACC(NONE) -
ADDMEM(THIS.QUEUE,
SOME.OTHER.QUEUE.1,
THAT.QUEUE)
PERMIT TRIGGER.QUEUES(GMQADMIN) ID(BATCHID) ACCESS(ALTER) |
_________________
Peter Potkay
Keep Calm and MQ On
Last edited by PeterPotkay on Tue Jan 26, 2010 11:59 am; edited 1 time in total |
|
| Back to top |
|
 |
| Vitor |
| Posted: Tue Jan 26, 2010 10:33 am Post subject: Re: RACF - Command Resource Security and Groups |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| PeterPotkay wrote: |
| Code: |
*************************************
* Allow BATCHID to MQSET its queues
**************************************************************************************************
PERMIT MQX1.ALTER.QLOCAL CLASS(MQCMDS) ID(BATCHID) ACCESS(ALTER)
RDEFINE GMQADMIN TRIGGER.QUEUES UACC(NONE) -
ADDMEM(THIS.QUEUE,
SOME.OTHER.QUEUE.1,
THAT.QUEUE)
PERMIT TRIGGER.QUEUES(GMQADMIN) ID(BATCHID) ACCESS(ALTER) |
|
Not entirely confident here, but in additional to the profile in MQCMDS (which I agree with) shouldn't the matching profile in MQADMIN be more
| Code: |
| MQX1.QUEUE.THIS.QUEUE UACC(NONE) |
or
| Code: |
| MQX1.QUEUE.** UACC(NONE) |
with relevent PERMIT for the id in question?
It's been a while & I'd welcome a 2nd opinion here 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Tue Jan 26, 2010 10:37 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Already there Vitor. See the 5th command in my original post.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Jan 26, 2010 11:00 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| PeterPotkay wrote: |
| Already there Vitor. See the 5th command in my original post. |
On the plus side I was right.
On the minus side, I clearly need new batteries in these glasses.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
