Hello, i do not understand this (sorry, i am not a racf specialist).
the job has definitly granted access (alter) to the ressource profile of the queue. and it is also not a matter of "refresh security" i would like to try the hint with the MQADMIN class, but i do not know how to grant alter access to the MQADMIN Class. i can only grant access to a ressource defined in MQADMIN class, but which one? i checked application programmers guide / reference, security documentation etc. that comes with mq but no much information about context security in that case. any other hints or pointers to documentation? regards stefan -----Ursprüngliche Nachricht----- Von: Miller, Dennis [mailto:DMiller@;SNOPUD.COM] Gesendet: Montag, 28. Oktober 2002 16:53 An: [EMAIL PROTECTED] Betreff: Re: Context Security on OS/390 According to the error message you posted, that's not the case: > ICH408I,JOB(xxxxMSTR) STEP(xxxxMSTR) > xxxx.B.EXPIRY CL(MQQUEUE ) > INSUFFICIENT ACCESS AUTHORITY > FROM xxxx.B* (G) > ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE ) means that you need UPDATE access, but have NO access. I'm guessing that you have granted ALTER access in the ADMIN class. You also need to grant UPDATE in the MQQUEUE class. > -----Original Message----- > From: Raabe, Stefan [SMTP:[EMAIL PROTECTED]] > Sent: Monday, October 28, 2002 3:45 AM > To: [EMAIL PROTECTED] > Subject: AW: Context Security on OS/390 > > Dennis, > > thanks for the anser. > > the stc (the user) has ALTER to MQF1.B* profile. > > any other ideas? > > regards > stefan > > > -----Ursprungliche Nachricht----- > Von: Miller, Dennis [mailto:DMiller@;SNOPUD.COM] > Gesendet: Donnerstag, 24. Oktober 2002 21:55 > An: [EMAIL PROTECTED] > Betreff: Re: Context Security on OS/390 > > > Context security exists in both the MQADMIN and MQQUEUE classes. The > MQADMIN > class controls whether you're allowed to save/set/pass the context > information and applies across all queues. The MQQUEUE class is > queue-specific and controls what context options are allowed on the open. > > PMO-SET-ALL-CONTEXT is subject the the MQQUEUE class, therefore, I do not > believe you can turn it off with sssi.NO.CONTEXT.CHECKS. > > In your case, I believe the error occurs when the qmgr attempts to open > the > replytoq for the expiry report message. It wants to pass context to the > report message. > > I think your stc needs update authority to MQF1.B* profile in the MQQUEUE > class > > > > -----Original Message----- > > From: Raabe, Stefan [SMTP:[EMAIL PROTECTED]] > > Sent: Thursday, October 24, 2002 5:40 AM > > To: [EMAIL PROTECTED] > > Subject: Context Security on OS/390 > > > > Hello Group, > > > > I only have very little experience with context security, > > so I hope someone of you can put some light on this one. > > > > Here is the saga: > > > > There is an application that puts messages to a queue > > with these options: > > > > MQRO-EXPIRATION-WITH-FULL-DATA in MQMD-REPORT > > MQFMT-STRING in MQMD-FORMAT > > 10 in MQMD-EXPIRY > > "B.EXPIRY" in MQMD-REPLYTOQ > > "qmgrname" in MQMD-REPLYTOQMGR > > MQPMO-SET-ALL-CONTEXT > > > > Messages are put to Queue A, and if they expire and are > > removed during get/browse operation a report message with full > > data will be put to queue B.EXPIRY. Queues A and B.EXPIRY > > reside on the same Queuemanager. > > > > This works fine on a queuemanager with "NO.SUBSYS.SECURITY" > > profile defined. > > > > It does not work on a queuemanager that has queue security ON and > > context security OFF even though the queuemanager (the stc userid) > > has proper security defined to put messages on queue B.EXPIRY. > > The MSTR joblog shows this error: > > > > ICH408I,JOB(xxxxMSTR) STEP(xxxxMSTR) > > xxxx.B.EXPIRY CL(MQQUEUE ) > > INSUFFICIENT ACCESS AUTHORITY > > FROM xxxx.B* (G) > > ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE ) > > > > and messages are put to the DLQ with reason 2035. > > > > The RACF group the xxxxMSTR user is assigned to > > has ALTER access to MQF1.B* profile. > > The userid is equal to the jobname (xxxxMSTR). > > > > If I remove the PMO-SET-ALL-CONTEXT within the application program > > and try again, it works. > > > > So I think it is a matter of the context information in the message, > > but context security is OFF for this queuemanager. So I would > > expect it to work anyway. > > > > what am I missing here? > > What security definitions do I need to make it work? > > Is there a difference between the JOB(xxxxMSTR) and > > the the USER(xxxxMSTR) in this "context"? > > > > Regards > > > > Stefan > > > > Instructions for managing your mailing list subscription are provided in > > the Listserv General Users Guide available at http://www.lsoft.com > > Archive: http://vm.akh-wien.ac.at/MQSeries.archive > > Instructions for managing your mailing list subscription are provided in > the Listserv General Users Guide available at http://www.lsoft.com > Archive: http://vm.akh-wien.ac.at/MQSeries.archive > > Instructions for managing your mailing list subscription are provided in > the Listserv General Users Guide available at http://www.lsoft.com > Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
