Hello Prakash,
Regarding the C2POLICE (zSecure Alert) started task and access for an MQ related resource; do you mean you see violations for C2PUSER for MQQUEUE class resources ssid.SYSTEM.COMMAND.INPUT and ssid.SYSTEM.COMMAND.REPLY.MODEL?
If so, I suggest you open a case with zSecure support because the default parameters for zSecure Alert's internal CKFCOLL execution specify MQ=N, so no MQ information will be collected.
(Background: If you have extended monitoring alerts active in your alert configuration, C2POLICE will execute zSecure Collect program CKFCOLL on a regular basis to be able to trigger alerts when selected changes are detected between CKFREEZE instances. However the default parameters for that internal CKFCOLL execution specify MQ=N, so no MQ information will be collected, and therefore no MQ authorizations should be required.)
Regards, Mike
------------------------------
Mike Riches
------------------------------
Original Message:
Sent: Mon March 06, 2023 12:46 PM
From: Prakash Lalaram
Subject: Splunk and MQ Profiles
Good Day
We have Setup SPLUNK Using Z/secure Alert to extract our RACF Logs – All going good so far
We have a new alert coming up from MQ. The MQ Profile is looking for access (SYSTEM.COMMAND profile) Before we grant the required access. We would like to see why is this access required
The user ID is C2PUSER and this is related to C2POLICE Started Task . This user id is looking for this access to the MQ Profile
We just need to ascertain why before we grant the required access.
Any assistance is appreciated.
------------------------------
Prakash Lalaram
------------------------------