Summary of required access (z/OS)

The following information summarizes the access that the professionals in your organization require.

Authorizations required for the WebSphere Business Integration Message Broker started-task user ID

No access is required to the component PDSE.

The directory authorizations required are:
  • READ/EXECUTE access to the executables in <INSTPATH>/bin, where <INSTPATH> is the directory where WebSphere Business Integration Message Broker for z/OS is installed by SMP/E.
  • READ/WRITE/EXECUTE access to the component directory.
  • READ/WRITE access to the home directory.
  • In UNIX System Services, the started task user ID and the WebSphere Business Integration Message Broker administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these. The owner of these directories needs to give the appropriate permissions to this group.
DB2 authorizations for the started task user ID and the table owner ID are required:
  • If there is a profile for db2subsystem.RRSAF in the DSNR class the started task user ID needs access to the profile. For example, the following RACF command shows whether the profile exists:
    RLIST  DSNR (DB2P.RRSAF) 
    and the following command gives the required access:
    PERMIT  DB2P.RRSAF  CLASS(DSNR) ID(WQMITASK)  ACCESS(READ)
  • SELECT privilege on the tables SYSIBM.SYSTABLES, SYSIBM.SYSSYNONYMS, and SYSIBM.SYSDATABASE.
  • SELECT, UPDATE, INSERT, and DELETE privileges on all broker system tables.
  • DB2_TABLE_OWNER must be a valid authorization ID of the started task user ID.
  • EXECUTE authority on the DSNACLI plan, or equivalent for the started task user ID.

WebSphere MQ authorizations:

Enable WebSphere MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles and give the started task user ID the listed access to each profile. For each profile access listed, <MQ_QMNAME> represents the WebSphere MQ queue manager that the WebSphere Business Integration Message Broker component is connected to, and TASKID represents the WebSphere Business Integration Message Broker started-task user ID.

  • Connection security: READ access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and started task ID TASKID, use the RACF commands:
    RDEFINE MQCONN MQP1.BATCH UACC(NONE)
    PERMIT MQP1.BATCH CLASS(MQCONN) ID(TASKID) ACCESS(READ)
  • Queue security: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for all queues. Consider creating profiles for the following queues:
    • All component queues using the generic profile SYSTEM.BROKER.**
    • Any transmissions queues defined between component queue managers.
    • Any queues defined in message flows.
    • Dead-letter queues.
    For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands to restrict access to the component queues:
    RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
    PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(TASKID) ACCESS(UPDATE)
  • Context security: CONTROL access to profile <MQ_QMNAME>.CONTEXT of class MQADMIN. For example, for queue manager MQP1 and started task ID TASKID, use the following RACF commands:
    RDEFINE MQADMIN MQP1.CONTEXT UACC(NONE)
    PERMIT MQP1.CONTEXT CLASS(MQADMIN) ID(TASKID) ACCESS(CONTROL)
  • Alternate user security: Define the alternate user authority as: UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the service ID of the Windows Configuration Manager component. For example, for queue manager MQP1, started task ID TASKID, and configuration service ID CFGID, use the following RACF commands:
    RDEFINE MQADMIN MQP1.ALTERNATE.USER.CFGID UACC(NONE)
    PERMIT MQP1.ALTERNATE.USER.CFGID  CLASS(MQADMIN) ID(TASKID) ACCESS(UPDATE) 
    UPDATE access to profile <MQ_QMNAME>.ALTERNATE.USER.id of class MQADMIN, where id represents the user ID of, for example, a Publish/Subscribe request.
  • Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not need to define any access profiles in a WebSphere Business Integration Message Broker default configuration.

Authorizations required for the WebSphere Business Integration Message Broker administrator

  • ALTER access to the component PDSE.
  • READ, WRITE, and EXECUTE access to the component directory.
  • READ/EXECUTE access to <INSTPATH>, where <INSTPATH> is the directory where WebSphere Business Integration Message Broker for z/OS is installed by SMP/E.
  • EXECUTE access to the shell scripts in <INSTPATH>/bin.
  • In UNIX System Services, the started task user ID and the WebSphere Business Integration Message Broker administrator user ID must both be members of the groups that have access to the installation and component directories, because they both need privileges over these. The owner of these directories needs to give the appropriate permissions to this group.

Authorizations required for the DB2 administrator

If you use security, the DB2 coordinator needs to have the following authorizations to run the DB2 configuration jobs (BIPxDBxx):
  • PDSE authorizations: ALTER access to the component PDSE.
  • Directory authorizations: EXECUTE access to the component directory.
  • DB2 authorizations: SYSCTRL or SYSADM authority.

Authorizations required for the WebSphere MQ administrator

To run the WebSphere MQ configuration jobs (BIPxMQxx) you require the following authorizations:
  • PDSE authorizations: READ access to the component PDSE.
  • Directory authorizations:
    • READ/EXECUTE access to the executables in <INSTPATH>/bin, where <INSTPATH> is the directory where WebSphere Business Integration Message Broker for z/OS is installed by SMP/E.
    • EXECUTE access to the component directory.
Enable WebSphere MQ security to protect your WebSphere MQ resources. If all WebSphere MQ security switches are enabled, define the following profiles and give the WebSphere MQ administrator the listed access to each profile in order to run the WebSphere MQ configurations jobs. For each profile access listed, MQ_QMNAME represents the WebSphere MQ queue manager that the WebSphere Business Integration Message Broker component is connected to, and MQADMIN represents the WebSphere MQ administrator ID:
  • Connection security: READ access to profile <MQ_QMNAME>.BATCH of class MQCONN. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands:
    RDEFINE MQCONN MQP1.BATCH UACC(NONE)
    PERMIT MQP1.BATCH CLASS(MQCONN) ID(MQADMIN) ACCESS(READ)
  • Queue security: UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for component queues created or deleted. You can create a generic profile SYSTEM.BROKER.** For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands to restrict access to the component queues:
    RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
    PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE) 
    UPDATE access to profile <MQ_QMNAME>.queue of class MQQUEUE for some system queues used during the create/delete job. You can create a generic profile <MQ_QMNAME>.**
  • Command security:
    • To run the BIP$MQ01 job you need:
      • ALTER access to <MQ_QMNAME>.DEFINE.QLOCAL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DEFINE.QMODEL of class MQCMDS.
    • To run the BIP#MQ01 job you need:
      • ALTER access to <MQ_QMNAME>.DELETE.QLOCAL of class MQCMDS.
      • ALTER access to <MQ_QMNAME>.DELETE.QMODEL of class MQCMDS.
    For queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the following RACF commands:
    RDEFINE MQADMIN MQP1.DELETE.QLOCAL UACC(NONE)
    PERMIT MQP1.DELETE.QLOCAL CLASS(MQADMIN) ID(MQADMIN) ACCESS(ALTER)
  • Resource command security: ALTER access to MQP1.QUEUE.queue of class MQADMIN for each queue created or deleted. You can create a generic profile SYSTEM.BROKER.**. For example, for queue manager MQP1 and WebSphere MQ administrator ID MQADMIN, use the RACF commands:
    RDEFINE MQADMIN MQP1.QUEUE.SYSTEM.BROKER.** UACC(NONE)
    PERMIT MQP1.QUEUE.SYSTEM.BROKER.** CLASS(MQADMIN) ID(MQADMIN) ACCESS(ALTER)
  • Process and namelist security: If you have WebSphere MQ security switches enabled in your system for process and namelist security, you do not need to define any access profiles in a WebSphere Business Integration Message Broker default configuration.

For a description of how to implement WebSphere MQ security using RACF, see z/OS: Security requirements for RACF.

Authorizations required for the DB2 subsystem started-task user ID

DB2 needs ALTER access to the catalog value specified in DB2_STOR_GROUP_VCAT because it creates data sets with this high-level qualifier.

Related tasks
Setting up z/OS security

Related reference
Customization tasks and roles (z/OS)