Discussion:
RACF rules for reply-To-Queues in z/OS qmgrs
Yagudayeva, Irina
2013-07-25 15:22:01 UTC
Hello,

We are running reply-to-q processing with some of our MQ customers. So,
when the message is being put into qmgr from CICS the queue name
provided by the customer in MQMD is being used.

Does anybody know how to define RACF rules for this kind of queue when
the name is unpredictable? We don't want to allow everybody from CICS to
access a generic MQQUEUE class QUEUE_MANAGER_NAME.** .

Any suggestions are greatly appreciated.

Thank you.



Irina Yagudayeva

Infrastructure Architect

Verisk Analytics

(201)469-3648



This email is intended for the recipient only. If you are not the intended recipient please disregard, and do not use the information for any purpose.


To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
gshubert-MaERPT+
2013-07-25 21:13:41 UTC
We had to allow the Userid of the CICS environment the ability to access
any queue in that queue manager. However, we use ACF2. For non-terminal
transactions, the userid of the CICS region is used for the GET, PUT, or
PUT1.

Thank you,

Glen Shubert
Associate Director - Operations
T|SYS| - MQSeries Technical Support
email: ***@tsys.com



Jantje .
2013-07-26 15:16:56 UTC
On Thu, 25 Jul 2013 11:22:01 -0400, Yagudayeva, Irina
Post by Yagudayeva, Irina
Does anybody know how to define RACF rules for this kind of queues when
the name is unpredictable.

I don't know how to define such a rule. But I do know that I would not accept the
queue names to be unpredictable. You have to have a naming convention (to be
agreed upon between you and your customers) that will make the names
predictable.

Cheers,

Jantje.

Bruce Lerner
2013-07-27 18:13:41 UTC
ReplyToQueue names can be somewhat unpredictable, as when the requesting
application MQOPENs a QModel definition. The naming-rule determines the
resulting queue name.

RACF (ACF, OAM) rules should be created to restrict access to queue names
based on application type, as you would for access to data sets (z/OS
terminology). Payroll applications, for example, should only be able to
create PAY.* or PAY.PAY52.* kinds of names, and not CSQ. (or AMQ. for
midrange qmgrs), or other random names.

Security rules about who (or what) can execute a specific application will
then restrict creation of queue names, again, just as with data set rules.
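
A sketch of the prefix-based profiles suggested in the replies above, added here as an illustration and not taken from any poster's configuration. The queue manager subsystem ID QM01, the group PAYGRP and the PAY. naming convention are assumptions; substitute your own values.

```tso
/* Added example. QM01, PAYGRP and the PAY. prefix are hypothetical. */

/* Activate the class and allow generic profiles in it.              */
SETROPTS CLASSACT(MQQUEUE) GENERIC(MQQUEUE)

/* Backstop: any queue name not covered by a more specific profile   */
/* is denied. Nobody from CICS is permitted to this profile, so an   */
/* arbitrary ReplyToQ name (including CSQ. system names) is refused. */
RDEFINE MQQUEUE QM01.** UACC(NONE)

/* Agreed naming convention: payroll reply queues start with PAY.    */
/* The ** suffix covers PAY.REPLY1, PAY.PAY52.REPLY1 and so on.      */
RDEFINE MQQUEUE QM01.PAY.** UACC(NONE)

/* UPDATE is the level needed to open a queue for input or output    */
/* and for MQPUT1. Only the payroll group gets it.                   */
PERMIT QM01.PAY.** CLASS(MQQUEUE) ID(PAYGRP) ACCESS(UPDATE)

/* Review what was defined and who is on the access list.            */
RLIST MQQUEUE QM01.PAY.** AUTHUSER

/* Refresh the in-storage profiles at the RACF level. Afterwards     */
/* issue the MQ command REFRESH SECURITY(MQQUEUE) on the queue       */
/* manager so it picks up the change.                                */
SETROPTS RACLIST(MQQUEUE) REFRESH
```

With this layout a reply-to queue name supplied in the MQMD only works if it falls under a prefix the putting user ID is permitted to; which user IDs are checked for CICS work depends on the queue manager's own security settings.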

Yagudayeva, Irina
2013-07-29 13:09:14 UTC
Thank you all for responses to my Reply-to-Q question.

Irina Yagudayeva
Infrastructure Architect
Verisk Analytics
     (201)469-3648

