MQ security examples

These examples illustrate techniques for controlling access to MQ resources in File Manager.

Activate security for all queue managers on a sysplex

To activate security for all users and for all queue managers and their resources on a sysplex, define the following resource:
RDEFINE FACILITY FMNMQ.SECURITY.sysplex.* UACC(READ) 
SETROPTS RACLIST(FACILITY) REFRESH
Where sysplex is the name of the sysplex hosting the queue managers. Without further permissions, this will disable all File Manager MQ function for all queue managers on the sysplex.

Activate security for a specific queue manager on a sysplex

To activate security for all users of a specific queue manager and its resources, define the following resource:
RDEFINE FACILITY FMNMQ.SECURITY.sysplex.qmgr UACC(READ) 
SETROPTS RACLIST(FACILITY) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, and qmgr is the name of the relevant queue manager on the sysplex. Without further permissions, this will disable all File Manager MQ function for the nominated queue manager.

Permit all users read access to a queue manager's resources

When security is active, to permit all users read access to all resources of a specific queue manager, define the following resources:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(READ) 
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(READ) 
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, and qmgr is the name of the relevant queue manager on the sysplex. This will allow all users to list the queue manager’s attributes, its queues, and its queues’ attributes, as well as read messages from its queues.

Permit all but a single user read access to a queue manager’s resources

To permit all but a single user read access to all resources of a specific queue manager, define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(READ)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(READ)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(NONE)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(NONE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the restricted user. This will allow all but the nominated user to list the queue manager's attributes, its queues, and its queues' attributes, as well as read messages from its queues.

Permit a single user read access to a queue manager's resources

To permit only a single user read access to all resources of a specific queue manager, define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(NONE)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(NONE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(READ)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(READ)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the permitted user. This will allow only the nominated user to list the queue manager’s attributes, its queues, and its queues’ attributes, as well as read messages from its queues.

Permit all users update access to all message data

When security is active, to permit all users update access to the message data of all queues of a specific queue manager, define the following resources:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(READ)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, and qmgr is the name of the relevant queue manager on the sysplex. This will allow all users to list the queue manager’s attributes, its queues, and its queues’ attributes, as well as create, read, update, and delete messages from its queues.

Permit all but a single user update access to all message data

To permit all but a single user update access to all message data of a specific queue manager, define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(READ)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(UPDATE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(NONE|READ)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(NONE|READ)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the restricted user. In ACCESS(NONE|READ), specify either NONE or READ. This will allow all but the nominated user to list the queue manager’s attributes, its queues, and its queues’ attributes, as well as create, read, update, and delete messages from its queues.

Permit a single user update access to all message data

To permit only a single user update access to all message data of a specific queue manager, define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(NONE)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(NONE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(READ)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the permitted user. This will allow only the nominated user to list the queue manager’s attributes, its queues, and its queues’ attributes, as well as create, read, update, and delete messages from its queues.

Permit all users alter access to a queue manager’s resources

When security is active, to permit all users alter access to all resources of a specific queue manager, define the following resources:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(ALTER)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, and qmgr is the name of the relevant queue manager on the sysplex. This will allow all users to list and update the queue manager’s attributes, its queues, and its queues’ attributes, as well as create, read, update, and delete messages from its queues.

Permit all but a single user alter access to a queue manager's resources

To permit all but a single user alter access to all resources of a specific queue manager, define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(ALTER)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(UPDATE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(NONE|READ)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(NONE|READ)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the restricted user. In ACCESS(NONE|READ), specify either NONE or READ. This will allow all but the nominated user to list and update the queue manager’s attributes, its queues, and its queues’ attributes, as well as create, read, update, and delete messages from its queues.

Permit a single user alter access to a queue manager's resources

To permit only a single user alter access to all resources of a specific queue manager, define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(NONE)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(NONE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(ALTER)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the permitted user. This will allow only the nominated user to list and update the queue manager's attributes, its queues, and its queues' attributes, as well as create, read, update, and delete messages from its queues.

Permit a single user access to a subset of queues

To permit a single user access to a subset of resources of a queue manager, define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.DEV.* UACC(NONE)
PERMIT FMNMQ.sysplex.qmgr.DEV.* CLASS(XFACILIT) id(userid) ACCESS(READ|UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the permitted user. In ACCESS(READ|UPDATE), specify either READ or UPDATE. This will allow the nominated user the specified access to queues whose names begin with "DEV.".
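
The following Python sketch is an added example, not part of the File Manager documentation. It combines the "all but a single user" and "subset of queues" definitions above and works out the access level each user ends up with. The sysplex PLEX1, queue manager QM01 and users ALICE, BOB and CAROL are constructed, and the matching is an assumed, simplified model of RACF profile selection (trailing .* generics only, no group access lists or other overrides).

```python
import re

# Constructed sample: sysplex PLEX1, queue manager QM01, users BOB/ALICE/CAROL.
# It combines the "all but a single user" and "subset of queues" examples.
COMMANDS = """
RDEFINE XFACILIT FMNMQ.PLEX1.QM01 UACC(READ)
RDEFINE XFACILIT FMNMQ.PLEX1.QM01.* UACC(READ)
PERMIT FMNMQ.PLEX1.QM01 CLASS(XFACILIT) id(BOB) ACCESS(NONE)
PERMIT FMNMQ.PLEX1.QM01.* CLASS(XFACILIT) id(BOB) ACCESS(NONE)
RDEFINE XFACILIT FMNMQ.PLEX1.QM01.DEV.* UACC(NONE)
PERMIT FMNMQ.PLEX1.QM01.DEV.* CLASS(XFACILIT) id(ALICE) ACCESS(UPDATE)
"""
RDEFINE = re.compile(r"RDEFINE\s+XFACILIT\s+(\S+)\s+UACC\((\w+)\)", re.I)
PERMIT = re.compile(
    r"PERMIT\s+(\S+)\s+CLASS\(XFACILIT\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)", re.I)

def load(text):
    """Return {profile: {"uacc": level, "acl": {user: level}}}."""
    profiles = {}
    for line in text.strip().splitlines():
        if m := RDEFINE.match(line.strip()):
            profiles[m[1].upper()] = {"uacc": m[2].upper(), "acl": {}}
        elif m := PERMIT.match(line.strip()):
            profiles[m[1].upper()]["acl"][m[2].upper()] = m[3].upper()
    return profiles

def matches(profile, resource):
    """Assumed model: a trailing .* covers one or more further qualifiers."""
    if profile.endswith(".*"):
        prefix = profile[:-1]          # keep the trailing dot
        return resource.startswith(prefix) and len(resource) > len(prefix)
    return profile == resource         # discrete profile: exact name only

def effective_access(profiles, user, resource):
    """Access-list entry on the most specific matching profile, else its UACC."""
    hits = [p for p in profiles if matches(p, resource)]
    if not hits:
        return "NONE"                  # security active, nothing permits access
    # Assumed ordering: discrete beats generic, then the longest name wins.
    best = max(hits, key=lambda p: (not p.endswith(".*"), len(p)))
    return profiles[best]["acl"].get(user.upper(), profiles[best]["uacc"])

if __name__ == "__main__":
    rules = load(COMMANDS)
    for user in ("ALICE", "BOB", "CAROL"):
        for name in ("QM01", "QM01.PAY.Q1", "QM01.DEV.Q1"):
            res = "FMNMQ.PLEX1." + name
            print(f"{user:6} {res:26} {effective_access(rules, user, res)}")
```

In this model CAROL has READ on QM01.PAY.Q1 but NONE on QM01.DEV.Q1: the narrower DEV.* profile with UACC(NONE) takes over from the broader UACC(READ) for every user not on its access list.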