RestrictedMode stanza of the qm.ini file
The RestrictedMode stanza specifies the name of the group that contains members that are allowed to run MQI applications, update all IPCC resources and change the contents of some queue manager directories. This stanza applies to UNIX and Linux® systems only.
The RestrictedMode stanza is created by the -g option on the crtmqm command, which names the application group. If you do not use the -g option, the stanza is not created in the qm.ini file.
Some directories under the IBM MQ data directory must be writable by every user who runs MQI applications against the queue manager, for example:
- /var/mqm/sockets/QMgrName/@ipcc/ssem/hostname/
- /var/mqm/sockets/QMgrName/@app/ssem/hostname/
- /var/mqm/sockets/QMgrName/zsocketapp/hostname/
On some systems it is unacceptable to grant write access to these directories to all users, for example to users who have no need to access the queue manager at all.

Restricted mode modifies the permissions of the directories that hold queue manager data so that they can be accessed only by members of the specified application group. The permissions on the System V IPC shared memory used to communicate with the queue manager are modified in the same way.
Members of the application group can:
- Run MQI applications
- Update all IPCC resources
- Change the contents of some queue manager directories

Restricted mode imposes the following group membership requirements:
- The creator of the queue manager must be in the mqm group and in the application group.
- The mqm user ID must be in the application group.
- All users who want to administer the queue manager must be in the mqm group and in the application group.
- All users who want to run IBM MQ applications must be in the application group.
Any MQCONN or MQCONNX call issued by a user who is not in the application group fails with reason code MQRC_Q_MGR_NOT_AVAILABLE.
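The membership rules and directory permissions above are easy to get wrong, and the only symptom is MQRC_Q_MGR_NOT_AVAILABLE on connect. The following POSIX shell script is an added example, not IBM code, that checks the requirements before or after running crtmqm -g. It takes the group database as a file path so it can run against a constructed /etc/group-style file; the constructed qm.ini and group file in demo are sample data, and the stanza attribute name ApplicationGroup is assumed here rather than taken from this page.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight checks for a queue manager
# created with "crtmqm -g <appgroup>". Inputs are passed as paths or
# names so the checks can be run against constructed files.

# Print the member list of GROUP from a file in /etc/group format.
group_members() {   # GROUPFILE GROUP
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Succeed if USER is listed as a member of GROUP in GROUPFILE.
in_group() {        # GROUPFILE USER GROUP
    group_members "$1" "$3" | tr ',' '\n' | grep -qx "$2"
}

# Read KEY from STANZA in a qm.ini-style file: stanza header "Name:",
# followed by indented "Key=Value" lines. Prints nothing if absent.
qmini_value() {     # FILE STANZA KEY
    awk -v s="$2:" -v k="$3" '
        /^[^ \t#;].*:[ \t]*$/ { cur = $1; next }
        cur == s && $0 ~ "^[ \t]*" k "=" {
            sub(/^[ \t]*[^=]*=/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# Check one user against the restricted-mode membership rules:
#   creator, admin : must be in mqm AND in the application group
#   mqm, app       : must be in the application group
# Prints each violation and returns 1 if any was found.
check_user() {      # GROUPFILE USER ROLE APPGROUP
    file=$1 user=$2 role=$3 appgroup=$4 rc=0
    case $role in
        creator|admin)
            in_group "$file" "$user" mqm ||
                { echo "$user ($role): not in group mqm"; rc=1; }
            ;;
    esac
    in_group "$file" "$user" "$appgroup" ||
        { echo "$user ($role): not in application group $appgroup"; rc=1; }
    return $rc
}

# A restricted-mode data directory must be group-owned by the application
# group and carry no "other" permission bits, so non-members cannot reach it.
check_dir() {       # DIR APPGROUP
    line=$(ls -ld "$1") || return 1
    mode=${line%% *}                                   # e.g. drwxrws---
    group=$(printf '%s\n' "$line" | awk '{ print $4 }')
    others=$(printf '%s\n' "$mode" | cut -c8-10)       # the "other" rwx bits
    rc=0
    [ "$group" = "$2" ] || { echo "$1: owning group is $group, not $2"; rc=1; }
    [ "$others" = "---" ] || { echo "$1: other bits are $others, expected ---"; rc=1; }
    return $rc
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed qm.ini; "ApplicationGroup" is an assumed attribute name.
    cat > "$tmp/qm.ini" <<'EOF'
ExitPath:
   ExitsDefaultPath=/var/mqm/exits
RestrictedMode:
   ApplicationGroup=mqapps
EOF
    # Constructed group file: alice created the queue manager, bob runs
    # applications, and the mqm user ID has not been added to mqapps yet.
    cat > "$tmp/group" <<'EOF'
mqm:x:1000:alice,mqm
mqapps:x:1001:alice,bob
EOF
    appgroup=$(qmini_value "$tmp/qm.ini" RestrictedMode ApplicationGroup)
    echo "application group from qm.ini: $appgroup"
    check_user "$tmp/group" alice creator "$appgroup"
    check_user "$tmp/group" mqm   mqm     "$appgroup"   # reports the gap
    check_user "$tmp/group" bob   app     "$appgroup"
    rm -rf "$tmp"
}
demo
```

On a real system point check_user at /etc/group (or the output of getent group) and check_dir at the socket directories listed above for the queue manager; a violation from check_user on the mqm user ID is the case most often missed.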
Restricted mode works alongside the IBM MQ authorization service; it does not replace it. You must still grant users the authority to connect to IBM MQ and to access the resources they require through the authorization service.
Further information about configuring the IBM MQ authorization service can be found in Setting up security on UNIX, Linux, and Windows systems.
Only use IBM MQ restricted mode when the control provided by the authorization service does not provide sufficient isolation of queue manager resources.