| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| security mq RACF Mainframe |
« View previous topic :: View next topic » |
| Author |
Message
|
| Karine |
 Posted: Fri Jun 08, 2018 1:20 am Post subject: security mq RACF Mainframe |
 |
|
Newbie
Joined: 08 Jun 2018
Posts: 1
|
Hello,
I am not a RACF administrator but I have to ask the team in charge of RACF to set up rights mqseries. We are in version 8.
- On production, I need :
- Application teams can't put, get or delete messages via their website (SVRCONN channel).
- View all mqseries objects on a qmgr but not create, delete or modify objects.
- On development, I need:
- The application teams have the rights to put, get and delete messages via their website.
- View all mqseries objects on a qmgr but not create, delete or modify objects.
For each RACF class, what should I ask to RACF team ?
Thank you in advance for your help. |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Fri Jun 08, 2018 4:33 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
How do you ask your midrange admins for similar authorizations?
Have your asked your m/f security folks? What did they say?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Jun 08, 2018 5:08 am Post subject: Re: security mq RACF Mainframe |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Karine wrote: |
| For each RACF class, what should I ask to RACF team ? |
You shouldn't need new classes.
Have you read this?
If this is a new z/OS install, they will need to enable security as described. Once the RACF team have done this, you'll need to list out for them the profiles, users and access levels you need.
You mention a website; does that use a non-human id to access MQ or pass the users through? In any event you'll need to ask how (or if) distributed ids map to RACF ids at your site. If they don't, you will need to establish the correct UACC on the profile.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Jun 08, 2018 5:33 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
Top tip - when someone tries an operation that fails, impress on them the need to record the exact date and time of the failure. RACF is very good at logging requests it refuses and the information contained in the syslog is invaluable in working out which profile was invoked and what happened.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Sun Jun 10, 2018 7:41 am Post subject: Re: security mq RACF Mainframe |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Karine wrote: |
Hello,
I am not a RACF administrator ... |
Your requirements for securing MQ objects are no different on z/OS than on midrange windows/unix. That is, who (which groups/userids) can access what resources (queues) with what access (get, put, browse, ...). MQ admins do not specifically request o/s features (inodes, semaphores, RAM) for MQ-using apps.
As mentioned by my worthy associate, in order to meet your general requirements, the z/OS security folks will need to enable some RACF-specific things (user/group/resource profiles) - if they have not already done so.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Mon Jun 11, 2018 5:08 pm Post subject: Re: security mq RACF Mainframe |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
