MQ RESLEVEL user revocation

  • 1.  MQ RESLEVEL user revocation

    Posted Thu September 16, 2021 03:48 PM
    I have this question from a client:

    I have a user id on the access list of the RESLEVEL MQ profile that has ALTER access and I want to remove it from the access list.

    However, this user id is used by many jobs.

    I have attempted to find the jobs which are using this user id and accessing the RESLEVEL profile (using SMF data) but to no avail so far.

    I have asked them to alter RESAUDIT (currently set to NO) to YES to get the required SMF reporting, but once that is achieved, is the only method of remediation on a job-by-job basis?

     



    ------------------------------
    Peter Siddell
    ------------------------------


  • 2.  RE: MQ RESLEVEL user revocation

    IBM Champion
    Posted Fri September 17, 2021 06:47 AM

    The RESLEVEL profile is very different from most other MQ RACF profiles. You may find this blog post a useful read if you are not familiar with RESLEVEL. In short, every job that this user ID runs that interacts with MQ in some way will check for access to the RESLEVEL profile.

    If this user id you mention has ALTER access, then this means it is effectively bypassing all other authority checking. If you remove it from the RESLEVEL profile ACL then the jobs that are running will not succeed at any authority check they try. You are going to need to add in alternative access to normal authority profiles in order to compensate for this.

    What kind of security do you currently have switched on for this queue manager? Try DISPLAY SECURITY to discover this. Happy to advise further as more details are provided. Unsure how much you already know.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------