I asked this question for midrange, and here are the answers for z/OS.
Key question are
- Is a user authorised to use this queue?
- Which profile gave what access to the queue?
- Who is authorised to this queue?
- Can I audit the list of people and their access to queues beginning with CP?
Displaying security information
The RACF commands are
RLIST to display profile information, and who has access to the profile
SEARCH This allows you to search for profiles matching a parameter.
RLIST display profile information
An example command and output
RLIST MQADMIN CSQ9.CONTEXT.CP0000 all CLASS NAME ----- ---- MQADMIN CSQ9.CONTEXT.** (G) ... LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING ----- -------- ---------------- ----------- ------- 00 IBMUSER NONE ALTER NO ... USER ACCESS ---- ------ IBMUSER ALTER
This says display the profile CSQ9.CONTEXT.CP0000. It returned
- MQADMIN CSQ9.CONTEXT.** this is the profile used by RACF to determine the permissions
- IBMUSER ALTER the only user authorised to this resource is IBMUSER, with ALTER access
- The default access for any userid not covered is NONE.
SEARCH for a profile
An example command to list all MQQueue profiles for queue manager CSQ9.
SEARCH CLASS(MQQUEUE) FILTER(CSQ9.*) CSQ9.AMSQ CSQ9.NONE CSQ9.ZZZZ CSQ9.** (G)
Is a user authorised to use this queue?
Use RLIST to tell you the profile used for checking
- Check the Universal Access
- Check to see if the userid in the list
- Check the groups in the list and see if the userid is a member of the group.
Which profile gave what access to the queue
Use the RLIST MQQUEUE qmgr.queueName.
Who is authorised to this queue
Use the rlist command as described above. You may have to write a script to post process the data, and replace the group name with the member of the group. I used the Rexx interface IRRXUTIL and wrote about 100 lines of code to do this. Please contact me if you are interested in this.
Can I audit the list of people and their access to queues beginning with CP?
SEARCH CLASS(MQQUEUE) FILTER(CSQ9.CP*)
gives ICH31005I NO ENTRIES MEET SEARCH CRITERIA
SEARCH CLASS(MQQUEUE) FILTER(CSQ9.A*)
Gives one queue (CSQ9.AMSQ). It does not list the default CSQ9.** for any other queues
You would have to issue the MQ command to get a list of queues, the parse the list, and pass the queue name to the RLIST command, and collect the set of userids and groups. Finally, change any groups to the list of members of the group.
I used the Rexx interface IRRXUTIL and wrote about 100 lines of code to do this. Please contact me if you are interested in this.