The following applies in general to the userid that is passed to the queue manager for security checks: the field 'Security Userid' in the queue manager's profile determines which userid is passed to MQ to be checked for security. Either 'User' or 'PAS' can be set:

PAS   The user ID that is associated with the BBI-SS PAS Started Task will be passed to the queue manager.
User  The TSO user ID that is associated with the connected TSO session will be passed to the queue manager.

The queue manager profiles defined in an environment are displayed on view QMPROF.

However, there is a special case to consider when it comes to browsing messages. Even though Userid=PAS might be specified in a queue manager's profile, the security check for browsing a message refers to the userid of the user who does the browse in the UI and not to the ID of the PAS. This is an exception to the overall rule that the PAS userid is used when 'Security Userid = PAS' is set in the profile definition. It exists for security reasons, so that it is possible to control granularly who is allowed to browse messages and who is not.

Here is how you can check which profile will be used (and checked in MQ) when browsing messages:

1. Invoke view SERDEF in our product.
2. Scroll down until you find the row named Message - Message Text.
3. Select that row. You will then see this information:

    >W1 =SERDEF===SERDEFD==MBGA=====*========(00 BROWSE )====MVMQ
    Res Key..... BBS3AE10BROW    Desc..... Message - Message Text
    Enabled.... No               Comment.. *Unchanged*
    Type..... VIEW
    ESM Info....
    Class...... MQQUEUE          Entity... &CONTEXT.#QNAME
    VolSer..... *NONE*           Intent...
    LogAuth.... Allow            LogFail.. Allow
    Substitution Values
    IntTable... SAE10            ExtTable. Message
    IntAction.. VIEWTAB          ExtAction VIEW
    IntActTab.. BBMTH0P0         Product.. MVMQS
    Parms?..... Yes              Fields?.. Yes
    ParmName 1. QNAME            Desc 1... Queue Name
             2. SMZQMCK               2... qsg or QMName
             3.                       3...
             4.                       4...
    Update Info.
    Mem Suff. 00
    UpdSystem... BMCB            UpdTime.. 07:06:00
    UpdUser..... IGRXXX          UpdDate.. 14DEC2020
    Res Version.
    Version..... 5    Release.. 6    ModLevel. 0

The essential information here is:

- In MQ security class MQQUEUE the profile &CONTEXT.#QNAME will be checked.
- &CONTEXT resolves either to the queue manager name or, when working with queue sharing groups, to the queue sharing group.
- #QNAME is the actual queue name.