WMQ V7 on z/OS 1.11: administrator privileges segregation.
masfab64
Posted: Wed Jan 04, 2012 3:37 am    Post subject: WMQ V7 on z/OS 1.11: administrator privileges segregation.

Newbie

Joined: 04 Jan 2012
Posts: 1

Hello everybody, I've searched this forum but I haven't found what I was looking for, nor in the IBM documentation. In my company there are strong security rules, so I have to limit the MQ administrator privileges. The MQ administrator has the authority to "administer" WMQ objects, but he must not have UPDATE access to the production queues. The UPDATE/ALTER access must be assigned to administrators only for Last Level Support on those queues or for authorized changes.
To do so, it seems that I have to define specific RACF profiles for production queues:

class profile
MQQUEUE MQ1X.Qname.*
MQADMIN MQ1X.CONTEXT.Qname.*
MQADMIN MQ1X.QUEUE.Qname.*

with UPDATE access assigned only to applications, ALTER access assigned to LLS RACF group and READ access assigned to administrators group.

The LLS RACF group contains the administrator userid with REVOKED status and only "on-demand" it will be RESUMED.

Now the question is: are these definitions correct (and enough) to obtain the segregation of administrator privileges on production queues? Or is there a simpler way to do so?

Thank you for your opinions and help.
Mr Butcher
Posted: Wed Jan 04, 2012 5:05 am    Post subject:

Padawan

Joined: 23 May 2005
Posts: 1716

Is it okay for the administrators group to browse messages in production queues? IMHO you allow this.

In the security section of the z/OS System Setup manual, in the "Setting up security" section (or now somewhere in the online Information Center), there are tables showing which security is required for which action, both for application and administration security. Just go through these tables, pick the proper rows/columns, and assign these profiles to the proper groups, depending on what they should be able to do (or not).
_________________
Regards, Butcher
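
The profile layout described in the first post, written out as RACF commands for review. This is an added example, not part of the thread: the group names APPGRP, MQLLS and MQADM, the userid ADMUSR1 and the +MQ1X command prefix are hypothetical, and MQ1X and Qname are the post's own placeholders.

```tso
/* Added example. Hypothetical names: APPGRP (applications),        */
/* MQLLS (Last Level Support), MQADM (administrators), ADMUSR1.     */

/* Generic profiles need both classes active with generics enabled  */
SETROPTS CLASSACT(MQQUEUE MQADMIN) GENERIC(MQQUEUE MQADMIN)

/* Queue access, checked at MQOPEN / MQPUT1                         */
RDEFINE MQQUEUE MQ1X.Qname.* UACC(NONE)
PERMIT MQ1X.Qname.* CLASS(MQQUEUE) ID(APPGRP) ACCESS(UPDATE)
PERMIT MQ1X.Qname.* CLASS(MQQUEUE) ID(MQLLS)  ACCESS(ALTER)
/* READ here still allows browsing messages, as the reply notes;    */
/* drop this PERMIT if administrators must not see message data     */
PERMIT MQ1X.Qname.* CLASS(MQQUEUE) ID(MQADM)  ACCESS(READ)

/* Context security for the same queues                             */
RDEFINE MQADMIN MQ1X.CONTEXT.Qname.* UACC(NONE)
PERMIT MQ1X.CONTEXT.Qname.* CLASS(MQADMIN) ID(APPGRP) ACCESS(UPDATE)
PERMIT MQ1X.CONTEXT.Qname.* CLASS(MQADMIN) ID(MQLLS)  ACCESS(ALTER)
PERMIT MQ1X.CONTEXT.Qname.* CLASS(MQADMIN) ID(MQADM)  ACCESS(READ)

/* Command resource security (commands that change the queues)      */
RDEFINE MQADMIN MQ1X.QUEUE.Qname.* UACC(NONE)
PERMIT MQ1X.QUEUE.Qname.* CLASS(MQADMIN) ID(APPGRP) ACCESS(UPDATE)
PERMIT MQ1X.QUEUE.Qname.* CLASS(MQADMIN) ID(MQLLS)  ACCESS(ALTER)
PERMIT MQ1X.QUEUE.Qname.* CLASS(MQADMIN) ID(MQADM)  ACCESS(READ)

/* Administrator is connected to the LLS group but kept revoked     */
CONNECT ADMUSR1 GROUP(MQLLS) REVOKE
/* On demand, for an authorized change:                             */
/*   CONNECT ADMUSR1 GROUP(MQLLS) RESUME                            */
/* and afterwards:                                                  */
/*   CONNECT ADMUSR1 GROUP(MQLLS) REVOKE                            */

/* Make RACF and the queue manager pick up the changes.             */
/* Use SETROPTS RACLIST(...) REFRESH instead if the classes are     */
/* RACLISTed at this installation.                                  */
SETROPTS GENERIC(MQQUEUE MQADMIN) REFRESH
/* MQSC, from the console with the queue manager's command prefix:  */
/*   +MQ1X REFRESH SECURITY(MQQUEUE)                                */
/*   +MQ1X REFRESH SECURITY(MQADMIN)                                */
```

Check each ACCESS level against the tables in the "Setting up security" section mentioned in the reply before applying it, since the same level permits different actions in each profile type.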