I am sure everyone knows all of the possible options for MQ Security on z/OS, but someone asked if they can control which objects people can administer, so here is a little reminder.
The business problem: I want to allow people to define queues beginning with MYAPPL.
I had authority to DEFINE QLOCAL from
I defined a profile
rdef MQADMIN MQPA.QUEUE.MYAPPL* uacc(none)
SETROPTS RACLIST(MQADMIN) REFRESH
Once I had refreshed queue manager security I tried to define a QL and got
MQPA DEF QL(MYAPPL.REPLY)
ICH408I USER(PAICE ) GROUP(TSOUSER ) NAME(COLIN C. PAICE )
INSUFFICIENT ACCESS AUTHORITY
FROM MQPA.QUEUE.MYAPPL.** (G)
Which shows it in action.
I can then permit groups to use this definition.
The bigger picture
Of course you should start with
rdef MQADMIN MQPA.QUEUE.* uacc(none)
and then define other profiles such as MQPA.QUEUE.SYSTEM.* and MQPA.QUEUE.MYAPPL1.* and give groups access to these profiles.
You also need to do the same for other objects, such as channels, etc.
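
The steps above as one sequence, including the PERMIT that gives a group access. This is an added example, not commands from the original post. It assumes no MQADMIN queue profiles exist yet, uses the application profile name as reported in the ICH408I message, and MYAPPLAD is a hypothetical RACF group. DEFINE, ALTER and DELETE of a queue need ALTER access to the matching MQADMIN profile.

```tso
/* Catch-all: nobody administers a queue unless a more specific profile allows it */
RDEFINE MQADMIN MQPA.QUEUE.* UACC(NONE)

/* Application profile, named as in the ICH408I message */
RDEFINE MQADMIN MQPA.QUEUE.MYAPPL.** UACC(NONE)

/* MYAPPLAD is a hypothetical group of MYAPPL queue administrators */
PERMIT MQPA.QUEUE.MYAPPL.** CLASS(MQADMIN) ID(MYAPPLAD) ACCESS(ALTER)

/* Check the access list before activating the change */
RLIST MQADMIN MQPA.QUEUE.MYAPPL.** AUTHUSER

/* Rebuild the in-storage profiles for the class */
SETROPTS RACLIST(MQADMIN) REFRESH

/* MQ command, issued at the console, so the queue manager picks up the change */
MQPA REFRESH SECURITY(MQADMIN)
```

A user outside MYAPPLAD who then tries DEF QL(MYAPPL.REPLY) should still get the ICH408I message shown earlier; a member of the group should not.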