Authorization to use the IBM MQ Explorer

Any user can use the IBM® MQ Explorer, but certain authorities are required to connect, access, and manage queue managers.

To perform local administrative tasks using the IBM MQ Explorer, a user is required to have the necessary authority to perform the administrative tasks. If the user is a member of the mqm group, the user has authority to perform all local administrative tasks.

To connect to a remote queue manager and perform remote administrative tasks using the IBM MQ Explorer, the user executing the IBM MQ Explorer is required to have the following authorities:
  • CONNECT authority on the target queue manager object
  • INQUIRE authority on the target queue manager object
  • DISPLAY authority to the target queue manager object
  • INQUIRE authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
  • DISPLAY authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
  • INPUT (get) authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
  • OUTPUT (put) authority to the queue, SYSTEM.ADMIN.COMMAND.QUEUE
  • INQUIRE authority on the queue, SYSTEM.ADMIN.COMMAND.QUEUE
  • Authority to perform the action selected
Note: INPUT authority relates to input to the user from a queue (a get operation). OUTPUT authority relates to output from the user to a queue (a put operation).

To connect to a remote queue manager on IBM MQ for z/OS® and perform remote administrative tasks using the IBM MQ Explorer, the following must be provided:
  • A RACF® profile for the system queue, SYSTEM.MQEXPLORER.REPLY.MODEL
  • A RACF profile for the queues, AMQ.MQEXPLORER.*

In addition, the user executing the IBM MQ Explorer is required to have the following authorities:
  • RACF UPDATE authority to the system queue, SYSTEM.MQEXPLORER.REPLY.MODEL
  • RACF UPDATE authority to the queues, AMQ.MQEXPLORER.*
  • CONNECT authority on the target queue manager object
  • Authority to perform the action selected
  • READ authority to all the hlq.DISPLAY.object profiles in the MQCMDS class

For information about how to grant authority to IBM MQ objects, see Giving access to an IBM MQ object on UNIX or Linux® systems and Windows.
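
As an added example (not part of the IBM documentation), the following script prints the setmqaut commands that grant a dedicated non-mqm group only the object authorities listed above for remote administration on UNIX, Linux, and Windows queue managers. The queue manager name QM1 and the group mqexplorers are hypothetical, and the "authority to perform the action selected" must still be granted separately for each task the group is meant to perform.

```shell
#!/bin/sh
# Added example: emit (do not execute) the setmqaut commands for the
# remote MQ Explorer baseline. QM1 and mqexplorers are hypothetical names.

# Accept only characters expected in queue manager and group names, so the
# emitted lines are safe to review and then run.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._%/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# explorer_grants QMGR GROUP
# Prints one setmqaut command per object; grants nothing beyond the list
# in the text (no +all, no administration authorities such as +chg or +dlt).
explorer_grants() {
    qmgr=$1
    group=$2
    valid_name "$qmgr" && valid_name "$group" || {
        echo "usage: explorer_grants QMGR GROUP" >&2
        return 2
    }
    # Queue manager object: CONNECT, INQUIRE, DISPLAY
    echo "setmqaut -m $qmgr -t qmgr -g $group +connect +inq +dsp"
    # Reply model queue: INQUIRE, DISPLAY, INPUT (get)
    echo "setmqaut -m $qmgr -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g $group +inq +dsp +get"
    # Command queue: OUTPUT (put), INQUIRE
    echo "setmqaut -m $qmgr -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $group +put +inq"
}

# Print the commands for the hypothetical defaults, or for the names given.
explorer_grants "${1:-QM1}" "${2:-mqexplorers}"
```

Review the printed commands, then run them as an MQ administrator on the target queue manager's host.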

If a user attempts to perform an operation that they are not authorized to perform, the target queue manager invokes authorization failure procedures and the operation fails.

The default filter in the IBM MQ Explorer is to display all IBM MQ objects. If there are any IBM MQ objects that a user does not have DISPLAY authority to, authorization failures are generated. If authority events are being recorded, restrict the range of objects that are displayed to those objects that the user has DISPLAY authority to.