RACF profiles
All RACF profiles used by WebSphere MQ contain a prefix. For queue-sharing group level security, this is the queue-sharing group name. For queue manager level security, the prefix is the queue manager name. If you are using a mixture of queue manager and queue-sharing group level security, you will use profiles with both types of prefix. (Queue-sharing group and queue manager level security are described in the WebSphere MQ for z/OS Concepts and Planning Guide.)
For example, if you want to protect a queue called QUEUE_FOR_SUBSCRIBER_LIST in queue-sharing group QSG1 at queue-sharing group level, the appropriate profile would be defined to RACF as:
RDEFINE MQQUEUE QSG1.QUEUE_FOR_SUBSCRIBER_LISTIf you want to protect a queue called QUEUE_FOR_LOST_CARD_LIST, that belongs to queue manager STCD at queue manager level, the appropriate profile would be defined to RACF as:
RDEFINE MQQUEUE STCD.QUEUE_FOR_LOST_CARD_LISTThis means that different queue managers and queue-sharing groups can share the same RACF database and yet have different security options.
Do not use generic queue manager names in profiles to avoid unanticipated user access.
WebSphere MQ allows the use of the percent character (%) in object names. However, RACF uses the % character as a single-character wild card. This means that when you define an object name with a % character in its name, consider this when you define the corresponding profile.
For example, for the queue CREDIT_CARD_%_RATE_INQUIRY, on queue manager CRDP, the profile would be defined to RACF as follows: