Posted: Wed Jan 04, 2012 3:37 am Post subject: WMQ V7 on z/OS 1.11: administrator privileges segregation.
Newbie
Joined: 04 Jan 2012 Posts: 1
Hello to everybody, I've searched in this forum but I haven't found what I was looking for, nor in the IBM documentation. In my company there are strong security rules, so I have to limit the MQ administrator privileges. The MQ administrator has the authority to "administer" WMQ objects, but he must not have UPDATE access to the production queues. UPDATE/ALTER access must be assigned to administrators only for Last Level Support on those queues or for authorized changes.
To do so it seems that I have to define specific RACF profiles for production queues:
class     profile
MQQUEUE   MQ1X.Qname.*
MQADMIN   MQ1X.CONTEXT.Qname.*
MQADMIN   MQ1X.QUEUE.Qname.*
with UPDATE access assigned only to applications, ALTER access assigned to the LLS RACF group and READ access assigned to the administrators group.
The LLS RACF group contains the administrator userid with REVOKED status, and only "on demand" will it be RESUMED.
Now the question is: are these definitions correct (and enough) to obtain the segregation of administrator privileges on production queues? Or is there a simpler way to do so?
Is it okay for the administrators group to browse messages in production queues? IMHO you allow this.
In the security section of the z/OS System Setup manual, in the "Setting up security" section (or now somewhere in the online Information Center), there are tables showing which security is required for which action, both for application and administration security. Just go through these tables, pick the proper rows / columns and assign these profiles to the proper groups, depending on what they should be able to do (or not).
_________________
Regards, Butcher
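The profile layout from the question, written out as the RACF commands that would define it (for example in a TSO CLIST). This is an added example, not code from the thread: the group names APPGRP, LLSGRP and MQADMGRP, the user id MQADM1 and the queue-name mask MQ1X.Qname.* are placeholders, and the comments on what each access level permits follow the standard WMQ for z/OS security tables Butcher refers to.

```clist
/* Added example, not from the original thread. Placeholders: APPGRP  */
/* (application group), LLSGRP (Last Level Support), MQADMGRP (MQ    */
/* administrators), MQADM1 (an administrator user id).               */

/* Queue resource profile: controls how the production queues may be */
/* opened. READ = browse/inquire, UPDATE = get/put, ALTER = set.     */
RDEFINE MQQUEUE MQ1X.Qname.* UACC(NONE)
PERMIT MQ1X.Qname.* CLASS(MQQUEUE) ID(APPGRP) ACCESS(UPDATE)
PERMIT MQ1X.Qname.* CLASS(MQQUEUE) ID(LLSGRP) ACCESS(ALTER)
PERMIT MQ1X.Qname.* CLASS(MQQUEUE) ID(MQADMGRP) ACCESS(READ)

/* Command resource profile: READ lets administrators DISPLAY the    */
/* queue; ALTER is needed for DEFINE/ALTER/DELETE of the definition. */
RDEFINE MQADMIN MQ1X.QUEUE.Qname.* UACC(NONE)
PERMIT MQ1X.QUEUE.Qname.* CLASS(MQADMIN) ID(LLSGRP) ACCESS(ALTER)
PERMIT MQ1X.QUEUE.Qname.* CLASS(MQADMIN) ID(MQADMGRP) ACCESS(READ)

/* Context profile: keeps message context (user id, origin) from     */
/* being set by anyone other than the applications.                  */
RDEFINE MQADMIN MQ1X.CONTEXT.Qname.* UACC(NONE)
PERMIT MQ1X.CONTEXT.Qname.* CLASS(MQADMIN) ID(APPGRP) ACCESS(UPDATE)
PERMIT MQ1X.CONTEXT.Qname.* CLASS(MQADMIN) ID(LLSGRP) ACCESS(ALTER)
PERMIT MQ1X.CONTEXT.Qname.* CLASS(MQADMIN) ID(MQADMGRP) ACCESS(READ)

/* LLS membership stays dormant: connect the administrator to the    */
/* group, but leave the group connection revoked.                    */
CONNECT MQADM1 GROUP(LLSGRP) REVOKE

/* For an authorized change, resume the connection; revoke it again  */
/* when the work is done.                                            */
/* CONNECT MQADM1 GROUP(LLSGRP) RESUME                               */
/* CONNECT MQADM1 GROUP(LLSGRP) REVOKE                               */

/* Make RACF pick up the new profiles; the queue manager also needs  */
/* an MQSC "REFRESH SECURITY" afterwards to drop its cached results. */
SETROPTS RACLIST(MQQUEUE MQADMIN) REFRESH
```

With these definitions the administrators group can still browse the queues, which is the point Butcher raises; if browsing must be prevented as well, the READ PERMIT on the MQQUEUE profile would have to be dropped.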