John, I think this is the only way documented. See below (taken from
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqsav.doc/csq83bt.htm):

Refreshing queue manager security
When a queue is opened for the first time (or for the first time since a
security refresh) WebSphere MQ performs a RACF(R) check to obtain the user's
access rights and places this information in the cache. The cached data
includes user IDs and resources on which security checking has been
performed. If the queue is opened again by the same user the presence of the
cached data means WebSphere MQ does not have to issue RACF checks, which
improves performance. The action of a security refresh is to discard any
cached security information and so force WebSphere MQ to make a new check
against RACF. Whenever you add, change or delete a RACF resource profile
that is held in the MQADMIN, MQPROC, MQQUEUE, or MQNLIST class, you must
tell the queue managers that use this class to refresh the security
information that they hold. To do this, issue the following commands: 

- The RACF SETROPTS RACLIST(classname) REFRESH command to refresh at the RACF
  level.
- The WebSphere MQ REFRESH SECURITY command to refresh the security
  information held by the queue manager (described in the WebSphere MQ Script
  (MQSC) Command Reference manual). This command needs to be issued by each
  queue manager that accesses the profiles that have changed. If you have a
  queue-sharing group, you can use the command scope attribute to direct the
  command to all the queue managers in the group.

If you are using generic profiles in any of the WebSphere MQ classes, you
must also issue normal RACF refresh commands if you change, add, or delete
any generic profiles. For example, SETROPTS GENERIC(classname) REFRESH.

However, because WebSphere MQ utilizes the RACF dataspace, WebSphere MQ can
use RACF profiles as soon as they become available. If a RACF resource
profile is added, changed or deleted and the resource to which it applies
has not yet been accessed (so no information is cached), WebSphere MQ will
use the new RACF information without a security refresh being carried out.



| Itschak Mugzach | Director | SecuriTeam Software |
| Email: [EMAIL PROTECTED] | Mob: +972 522 986404 | Skype: Itschak
Mugzach | Web: www.Securiteam.co.il  | 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of McKown, John
Sent: Tuesday, July 15, 2008 2:53 PM
To: [email protected]
Subject: Re: MQ security

> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger Lowe
> Sent: Monday, July 14, 2008 6:07 PM
> To: [email protected]
> Subject: Re: MQ security
> 
> >
> >I did for one user and asked her to try again. No help.
> >
> When you do a RL MQQUEUE QZP1.** ALL G, are you definitely seeing the 
> userid and/or group in the access list with UPDATE?
> 
> Roger

For whatever reason (I'm not trained in RACF), despite the fact that the
MQQUEUE class is not RACLIST'ed, I had to do a SETR RACLIST(MQQUEUE)
REFRESH, followed by the MQ REFRESH SECURITY(MQQUEUE) command. There is
nothing in the MQ book about doing this. 

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage Administrative Services Group
Information Technology


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the
archives at http://bama.ua.edu/archives/ibm-main.html
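
An added example, not part of the original thread or of IBM's documentation: a simplified Python model of the caching behaviour the quoted text describes, showing why a changed profile (a new permit or a revocation) has no effect on an already-opened queue until the cache is discarded. The class and method names, the user ID USER1 and the queue names QZP1.A and QZP1.B are constructed for illustration.

```python
# Simplified model only; names are hypothetical, not WebSphere MQ or RACF code.

class Racf:
    """Stands in for the RACF profiles of one class (e.g. MQQUEUE)."""
    def __init__(self):
        self.access = set()   # (user, resource) pairs that are permitted
        self.checks = 0       # number of checks actually issued

    def permit(self, user, resource):
        self.access.add((user, resource))

    def revoke(self, user, resource):
        self.access.discard((user, resource))

    def check(self, user, resource):
        self.checks += 1
        return (user, resource) in self.access


class QueueManager:
    def __init__(self, racf):
        self.racf = racf
        self.cache = {}       # (user, resource) -> cached decision

    def open_queue(self, user, queue):
        key = (user, queue)
        if key not in self.cache:        # first open since the last refresh
            self.cache[key] = self.racf.check(user, queue)
        return self.cache[key]           # later opens never reach RACF

    def refresh_security(self):
        """Models REFRESH SECURITY: discard every cached decision."""
        self.cache.clear()


def demo():
    racf = Racf()
    qmgr = QueueManager(racf)
    out = [qmgr.open_queue("USER1", "QZP1.A")]      # denied, decision cached
    racf.permit("USER1", "QZP1.A")                  # profile changed
    racf.permit("USER1", "QZP1.B")                  # QZP1.B never opened yet
    out.append(qmgr.open_queue("USER1", "QZP1.A"))  # stale denial from cache
    out.append(qmgr.open_queue("USER1", "QZP1.B"))  # uncached: new profile used
    qmgr.refresh_security()
    out.append(qmgr.open_queue("USER1", "QZP1.A"))  # re-checked: allowed
    racf.revoke("USER1", "QZP1.A")                  # access removed in RACF
    out.append(qmgr.open_queue("USER1", "QZP1.A"))  # stale grant still honoured
    qmgr.refresh_security()
    out.append(qmgr.open_queue("USER1", "QZP1.A"))  # revocation now enforced
    return out, racf.checks
```

In this model a revocation, like a permit, is not enforced for an already-cached user and queue until the refresh, so the refresh belongs in the same change procedure as the profile update.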

