MQ security examples
These examples illustrate techniques for controlling access to MQ resources in File Manager.
Activate security for all queue managers on a sysplex
To activate security for all users and for all queue managers and their resources on a sysplex, define the following resource:
RDEFINE FACILITY FMNMQ.SECURITY.sysplex.* UACC(READ)
SETROPTS RACLIST(FACILITY) REFRESH
Where sysplex is the name of the sysplex hosting the queue managers.
Without further permissions, this will disable all File Manager MQ function for all queue managers on the sysplex.
Activate security for a specific queue manager on a sysplex
To activate security for all users of a specific queue manager and its resources, define the
following resource:
RDEFINE FACILITY FMNMQ.SECURITY.sysplex.qmgr UACC(READ)
SETROPTS RACLIST(FACILITY) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, and qmgr is the name of the relevant queue manager on the sysplex.
Without further permissions, this will disable all File Manager MQ function for the nominated queue manager.
Permit all users read access to a queue manager's resources
When security is active, to permit all users read access to all resources of a specific queue
manager, define the following resources:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(READ)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(READ)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, and qmgr is the name of the relevant queue manager on the sysplex.
This will allow all users to list the queue manager's attributes, its queues, and its queues' attributes, as well as read messages from its queues.
Permit all but a single user read access to a queue manager's resources
To permit all but a single user read access to all resources of a specific queue manager, define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(READ)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(READ)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(NONE)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(NONE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the restricted user.
This will allow all but the nominated user to list the queue manager's attributes, its queues, and its queues' attributes, as well as read messages from its queues.
Permit a single user read access to a queue manager's resources
To permit only a single user read access to all resources of a specific queue manager, define the
following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(NONE)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(NONE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(READ)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(READ)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the permitted user.
This will allow only the nominated user to list the queue manager's attributes, its queues, and its queues' attributes, as well as read messages from its queues.
Permit all users update access to all message data
When security is active, to permit all users update access to the message data of all queues of a specific queue manager, define the following resources:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(READ)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, and qmgr is the name of the relevant queue manager on the sysplex.
This will allow all users to list the queue manager's attributes, its queues, and its queues' attributes, as well as create, read, update, and delete messages from its queues.
Permit all but a single user update access to all message data
To permit all but a single user update access to all message data of a specific queue manager,
define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(READ)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(UPDATE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(NONE|READ)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(NONE|READ)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the restricted user.
This will allow all but the nominated user to list the queue manager's attributes, its queues, and its queues' attributes, as well as create, read, update, and delete messages from its queues.
Permit a single user update access to all message data
To permit only a single user update access to all message data of a specific queue manager,
define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(NONE)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(NONE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(READ)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the permitted user.
This will allow only the nominated user to list the queue manager's attributes, its queues, and its queues' attributes, as well as create, read, update, and delete messages from its queues.
Permit all users alter access to a queue manager's resources
When security is active, to permit all users alter access to all resources of a specific queue
manager, define the following resources:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(ALTER)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, and qmgr is the name of the relevant queue manager on the sysplex.
This will allow all users to list and update the queue manager's attributes, its queues, and its queues' attributes, as well as create, read, update, and delete messages from its queues.
Permit all but a single user alter access to a queue manager's resources
To permit all but a single user alter access to all resources of a specific queue manager, define
the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(ALTER)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(UPDATE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(NONE|READ)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(NONE|READ)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the restricted user.
This will allow all but the nominated user to list and update the queue manager's attributes, its queues, and its queues' attributes, as well as create, read, update, and delete messages from its queues.
Permit a single user alter access to a queue manager's resources
To permit only a single user alter access to all resources of a specific queue manager, define the following resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr UACC(NONE)
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.* UACC(NONE)
PERMIT FMNMQ.sysplex.qmgr CLASS(XFACILIT) id(userid) ACCESS(ALTER)
PERMIT FMNMQ.sysplex.qmgr.* CLASS(XFACILIT) id(userid) ACCESS(UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the permitted user.
This will allow only the nominated user to list and update the queue manager's attributes, its queues, and its queues' attributes, as well as create, read, update, and delete messages from its queues.
Permit a single user access to a subset of queues
To permit a single user access to a subset of resources of a queue manager, define the following
resources and permissions:
RDEFINE XFACILIT FMNMQ.sysplex.qmgr.DEV.* UACC(NONE)
PERMIT FMNMQ.sysplex.qmgr.DEV.* CLASS(XFACILIT) id(userid) ACCESS(READ|UPDATE)
SETROPTS RACLIST(XFACILIT) REFRESH
Where sysplex is the name of the sysplex hosting the queue manager, qmgr is the name of the relevant queue manager on the sysplex, and userid represents the permitted user.
This will allow the nominated user relevant access to queues prefixed "DEV.".
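Added example (not part of the File Manager documentation): a simplified Python model of how the "all but a single user" profiles and the "subset of queues" profile interact when defined together. The sysplex PLEX1, queue manager QM01, the user IDs and the queue names are constructed, and the resource name form FMNMQ.sysplex.qmgr.queue is an assumption inferred from the profiles above.

```python
# Added illustration: a simplified model of a RACF general-resource check.
# It ignores group connections, the global access table and user attributes.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed values: sysplex PLEX1, queue manager QM01, users ALICE, BOB, CAROL.
# Each profile maps to (UACC, {userid: access granted by PERMIT}).
PROFILES = {
    "FMNMQ.PLEX1.QM01":       ("READ", {"BOB": "NONE"}),
    "FMNMQ.PLEX1.QM01.*":     ("READ", {"BOB": "NONE"}),
    "FMNMQ.PLEX1.QM01.DEV.*": ("NONE", {"CAROL": "UPDATE"}),
}


def matches(profile, resource):
    """A discrete name matches exactly; a trailing '.*' needs one or more further qualifiers."""
    if not profile.endswith(".*"):
        return profile == resource
    prefix = profile[:-1]  # keep the dot so QM01.* cannot match QM011
    return resource.startswith(prefix) and len(resource) > len(prefix)


def covering_profile(resource, profiles=PROFILES):
    """Only one profile is consulted: the match with the longest literal prefix."""
    hits = [p for p in profiles if matches(p, resource)]
    return max(hits, key=lambda p: len(p.rstrip("*")), default=None)


def effective_access(user, resource, profiles=PROFILES):
    """An access-list entry for the user overrides UACC, even when it is NONE."""
    name = covering_profile(resource, profiles)
    if name is None:
        return None  # no profile covers the resource
    uacc, permits = profiles[name]
    return permits.get(user, uacc)


def allowed(user, resource, wanted, profiles=PROFILES):
    """True when the granted level is at least the level requested."""
    granted = effective_access(user, resource, profiles)
    return granted is not None and LEVELS[granted] >= LEVELS[wanted]


if __name__ == "__main__":
    for user in ("ALICE", "BOB", "CAROL"):
        for queue in ("PAYROLL.IN", "DEV.ORDERS"):
            res = "FMNMQ.PLEX1.QM01." + queue
            print(f"{user:6} {queue:11} {effective_access(user, res)}")
```

In this model ALICE, who reads other queues through UACC(READ), gets NONE on the DEV queues: the more specific DEV.* profile with UACC(NONE) is the only one consulted for them, so adding a subset profile narrows access for everyone not on its access list.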