Privileged users
A privileged user is one that has full administrative authorities for IBM® MQ.
In addition to the users listed in the following table, there are certain objects and authorizations
for which extra care must be taken when granting access, to ensure integrity and security of the queue
manager. Extra scrutiny must be applied when granting any of the following authorizations:
- Any authorizations to `SYSTEM` objects
- Administration authorizations such as `+crt`, `+chg` and `+dlt`
- The `+clr` administration authorization to clear queues
- The `+ctrl` and `+ctrlx` administration authorizations allow applications to stop channels, backout or commit messages
- The `+altusr` MQI authorization allows applications to escalate privileges for authorization checks
- Context authorizations such as `+setall` and `+setid` allow applications to change the security context of messages
As a general principle, messaging applications should be granted only the basic MQI authorizations to the queues or topics that they need. MCA channels that run under a non-privileged MCAUSER, and certain other special types of applications such as dead-letter queue handlers, may require additional authorizations not normally granted to applications in order to operate correctly.
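One way to apply that scrutiny before grants reach a queue manager is to review the provisioning script itself. The following is an added example, not IBM code: it assumes grants are issued as `setmqaut` command lines, flags the authorizations listed above plus any grant on a `SYSTEM.` profile, and (going beyond the page's list) also flags the bundle keywords `+all`, `+alladm` and `+allmqi` because they include those authorizations. The queue manager, user, group and queue names in the sample are constructed.

```python
import shlex

# Authorizations the page singles out for extra scrutiny, with the reason given.
RISKY = {
    "crt": "administration", "chg": "administration", "dlt": "administration",
    "clr": "clear queues", "ctrl": "channel control", "ctrlx": "channel control",
    "altusr": "privilege escalation on authorization checks",
    "setall": "message security context", "setid": "message security context",
}
BUNDLES = {"all", "alladm", "allmqi"}  # keywords that bundle authorizations above

def review(script):
    """Return (line_no, entity, profile, reasons) for each grant needing review."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        words = shlex.split(line, comments=True)
        if not words or words[0] != "setmqaut":
            continue
        opts, grants = {}, []
        args = iter(words[1:])
        for w in args:
            if w in ("-m", "-n", "-t", "-p", "-g"):
                opts[w] = next(args, "")
            elif w.startswith("+"):  # "-auth" revokes are ignored
                grants.append(w[1:].lower())
        profile = opts.get("-n", "")
        reasons = []
        if grants and profile.upper().startswith("SYSTEM."):
            reasons.append("grant on SYSTEM object")
        for g in grants:
            if g in RISKY:
                reasons.append(f"+{g}: {RISKY[g]}")
            elif g in BUNDLES:
                reasons.append(f"+{g}: bundle including listed authorizations")
        if reasons:
            findings.append((no, opts.get("-p") or opts.get("-g") or "?", profile, reasons))
    return findings

# Constructed sample: queue manager, users, groups and queue names are made up.
SAMPLE = """\
setmqaut -m QM1 -n APP.ORDERS -t queue -p appuser +put +get +inq
setmqaut -m QM1 -n APP.ORDERS -t queue -p batchsvc +get +clr +setall
setmqaut -m QM1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g ops +put
setmqaut -m QM1 -t qmgr -p appuser +connect +altusr
setmqaut -m QM1 -n APP.REPLY -t queue -p appuser -setid +browse
"""

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

Findings are review prompts rather than violations: channels running under a non-privileged MCAUSER and dead-letter queue handlers may legitimately need some of these grants.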
Platform | Privileged users |
---|---|
Windows systems | |
UNIX and Linux systems | |
IBM i systems | |
z/OS® | The user ID that the channel initiator, queue manager and advanced message security address spaces are running under. |