Profiles for Alternate User Security

Restriction: This topic applies only when the Enterprise Server feature is enabled.

If alternate user security is active, you must define profiles in the MQADMIN class and permit the necessary groups or user IDs access to these profiles, so that they can use the ALTERNATE_USER_AUTHORITY options when the object is opened.

Profiles for alternate user security can be specified at subsystem level and take the following form:

qmgr-name.ALTERNATE.USER.alternateuserid

where qmgr-name (queue manager name) and alternateuserid is the value of the AlternateUserId field in the object descriptor.

A profile prefixed by the queue manager name controls use of an alternate user ID on that queue manager.

The following table shows the access when specifying an alternate user option.

MQOPEN or MQPUT1 option RACF access level required
MQOO_ALTERNATE_USER_AUTHORITY MQPMO_ALTERNATE_USER_AUTHORITY UPDATE

In addition to alternate user security checks, other security checks for queue, process, and context security can also be made. The alternate user ID, if provided, is only used for security checks on queue and process definition. For alternate user and context security checks, the user ID requesting the check is used.