You can change the user ID under
which an execution group runs so that it can access resources according
to the permissions assigned to it, rather than the permissions assigned
to the main broker user ID.
Before you start
Before starting this task,
read the following topics:
Complete the following steps to
specify an alternative user ID for the execution group, to be used
instead of the broker's user ID:
- Create the new RACF® started task profile with a new user ID, which will be used to run the execution group. Consider the following points when you are creating the new started task:
  - The new started task must be created with an OMVS segment including a unique UID, home directory, and the ability to create data sets under the broker's HLQ and alias.
  - The started task procedure name to be used for the execution group address space must start with the same four characters as the main broker started task. For example, if the main broker started task is MQ01BRK, the started task name for the execution group could be MQ01EG1 but not MQ02EG2. As a result, consistency is maintained between the main broker started task, the execution group, and the queue manager, which helps to identify the relationship between them. If the first four characters are not the same, the execution group is started using the main broker started task JCL.
- Ensure that the new user ID associated with the new started
task JCL has the same RACF primary
group as the existing broker user ID, so that they can access shared
resources. Also ensure that the new user ID has the required privileges
to the existing broker filesystem and dataset (which it should have
through the primary group access).
- Ensure that the MQ and SMF authorizations are updated for
the new user ID; for more information, see Summary of required access (z/OS).
- Copy the existing broker started task JCL to the new started
task JCL in the PROCLIB.
- Ensure that the main broker user ID has been granted permission
to the SUPERUSER.PROCESS.KILL RACF profile.
This permission is required so that the main control address space
can recover any existing execution group address spaces in the event
of a failure.
- Refresh the started RACF classes
to implement the updates.
- Change the user ID by adding the appropriate environment variable to the broker’s profile.
  - The execution group name specified in the environment variable is the last 8 characters of the execution group, after any overrides have been applied. This is the same 8-character name that is displayed as the STEPNAME against the execution group address space in SDSF.
  - Ensure that the execution group name contains only characters that are valid in the environment variable. If invalid characters are used, the user ID cannot be overridden.
  - If you specify more than one environment variable, they are read in the following order (with MQSI_STARTEDTASK_FIXED_executionGroupName taking precedence):
    - MQSI_STARTEDTASK_FIXED_executionGroupName
    - MQSI_STARTEDTASK_MULTI_executionGroupName
    - MQSI_STARTEDTASK_DEFAULT

    where executionGroupName is the name of your execution group. For example:
    - export MQSI_STARTEDTASK_FIXED_DEFAULT=MQ01EG1 changes any execution group which has the last 8 characters equal to DEFAULT to started task MQ01EG1
    - export MQSI_STARTEDTASK_MULTI_TEST=MQ01EG2 changes any execution group which has the last 8 characters starting with TEST to started task MQ01EG2
    - export MQSI_STARTEDTASK_DEFAULT=MQ01EG3 changes all execution groups which are not overridden by MQSI_STARTEDTASK_FIXED_executionGroupName or MQSI_STARTEDTASK_MULTI_executionGroupName to started task MQ01EG3.
- Submit BIPGEN to the broker's ENVFILE.
- Restart the broker.
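
The precedence and naming rules in the steps above decide which started task, and therefore which user ID, each execution group actually runs under, so they are worth checking before the restart. The following Python sketch is an added example, not IBM's code: it parses the export lines of a broker profile and reports the started task each execution group would use, so that groups silently left on the broker's own started task stand out. Assumptions: the function names and the sample profile are constructed here, the longest MULTI prefix wins when several match, and a name with invalid characters gets no override at all.

```python
import re

# Constructed sample of export lines from a broker profile (not from a real system).
SAMPLE_PROFILE = """\
export MQSI_STARTEDTASK_FIXED_DEFAULT=MQ01EG1
export MQSI_STARTEDTASK_MULTI_TEST=MQ01EG2
export MQSI_STARTEDTASK_MULTI_PAY=MQ02EG9
export MQSI_STARTEDTASK_DEFAULT=MQ01EG3
"""

EXPORT_RE = re.compile(r"^\s*export\s+MQSI_STARTEDTASK_(\w+)=(\S+)\s*$", re.M)

def parse_profile(text):
    """Split the exports into FIXED and MULTI maps plus the DEFAULT value."""
    fixed, multi, default = {}, {}, None
    for key, task in EXPORT_RE.findall(text):
        if key.startswith("FIXED_"):
            fixed[key[6:]] = task
        elif key.startswith("MULTI_"):
            multi[key[6:]] = task
        elif key == "DEFAULT":
            default = task
    return fixed, multi, default

def resolve(stepname, broker_task, profile_text):
    """Return (started_task, reason) for one execution group address space."""
    fixed, multi, default = parse_profile(profile_text)
    name = stepname[-8:]                            # last 8 characters, as in SDSF
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):    # unusable in a variable name
        return broker_task, "invalid characters: no override"
    prefixes = [p for p in multi if name.startswith(p)]
    if name in fixed:
        task, rule = fixed[name], "FIXED"
    elif prefixes:
        # Assumption: longest prefix wins; the page does not define a tie-break.
        task, rule = multi[max(prefixes, key=len)], "MULTI"
    elif default:
        task, rule = default, "DEFAULT"
    else:
        return broker_task, "no variable set"
    if task[:4] != broker_task[:4]:                 # four-character prefix rule
        return broker_task, rule + " ignored: prefix mismatch"
    return task, rule

def audit(stepnames, broker_task, profile_text):
    """List execution groups that would still start under the broker's started task."""
    return [s for s in stepnames if resolve(s, broker_task, profile_text)[0] == broker_task]
```

Run `audit` with the STEPNAME values shown in SDSF and the main broker started task name; any name it returns is an execution group that would not get the separate user ID.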