Privileged users
A privileged user is one that has full administrative authorities for IBM® MQ.
- Any authorizations to SYSTEM objects.
- Administration authorizations to create, alter and delete objects.
  On z/OS®, this authorization is command security and command resource security authority to issue DEFINE, ALTER and DELETE commands.
  On all other platforms, these authorizations are administration authorizations such as +crt, +chg and +dlt.
- Administration authorization to clear queues.
  On z/OS, this authorization is command security and command resource security authority to issue CLEAR commands.
  On all other platforms, this authorization is +clr.
- Administration authorizations to stop channels, backout or commit messages.
  On z/OS, this authorization is command security and command resource security authority to issue commands such as RESET CHANNEL, START CHANNEL and STOP CHANNEL.
  On all other platforms, these authorizations are +ctrl and +ctrlx.
- Alternate user MQI authorization that allows applications to escalate privileges for authorization checks.
  On z/OS, this authorization is any authority granted to the alternate user security profiles.
  On all other platforms, this authorization is +altusr.
- Context authorizations that allow applications to change the security context of messages.
  On z/OS, this authorization is any authority granted to the context security profiles.
  On all other platforms, these authorizations are +setall and +setid.
As a general principle, messaging applications should only be granted the basic MQI authorizations to the queues or topics that they need. MCA channels that execute under a non-privileged MCAUSER, and certain other special types of applications such as dead-letter queue handlers, may require additional authorizations not normally granted to applications in order to operate correctly.
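The following is an added example, not part of the IBM MQ documentation, showing how a defender can audit an authority dump for the privileged authorizations listed above and for any authority on SYSTEM objects. The sample records are constructed; their layout is modelled on the record format printed by `dmpmqaut` on distributed platforms (an assumption about that format, not a captured dump), and the names of entities, queues and the `find_privileged` / `parse_dump` helpers are invented for the illustration.

```python
"""Audit an IBM MQ authority dump for privileged grants (added example)."""

# Authorizations this page describes as privileged on non-z/OS platforms.
PRIVILEGED_AUTHS = {
    "crt": "create objects",
    "chg": "alter objects",
    "dlt": "delete objects",
    "clr": "clear queues",
    "ctrl": "control channels, backout or commit messages",
    "ctrlx": "extended control of channels",
    "altusr": "alternate user (lets an application escalate privileges)",
    "setall": "set all message context",
    "setid": "set identity context",
}

# Constructed sample, modelled on the record layout of `dmpmqaut` (assumption).
SAMPLE_DUMP = """\
profile:     APP.ORDERS.Q
object type: queue
entity:      appuser
entity type: principal
authority:   get put inq

profile:     APP.ORDERS.Q
object type: queue
entity:      dlqhandler
entity type: principal
authority:   get put inq setall

profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      appuser
entity type: principal
authority:   put

profile:     **
object type: channel
entity:      mqadmins
entity type: group
authority:   ctrl ctrlx dsp
"""


def parse_dump(text):
    """Split a dump into records; each record is a dict of 'key: value' lines."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def find_privileged(records):
    """Return (entity, profile, reason) for every grant that is privileged.

    Two rules from the page: any authority on a SYSTEM object counts, and any
    of the administrative authorizations in PRIVILEGED_AUTHS counts wherever
    it is granted.
    """
    findings = []
    for rec in records:
        auths = set(rec.get("authority", "").split())
        entity = f"{rec.get('entity type', '?')} {rec.get('entity', '?')}"
        profile = rec.get("profile", "?")
        if profile.startswith("SYSTEM.") and auths:
            findings.append((entity, profile, "authority on a SYSTEM object"))
        for auth in sorted(auths & PRIVILEGED_AUTHS.keys()):
            findings.append((entity, profile, f"+{auth} ({PRIVILEGED_AUTHS[auth]})"))
    return findings


if __name__ == "__main__":
    for entity, profile, reason in find_privileged(parse_dump(SAMPLE_DUMP)):
        print(f"{entity:24} {profile:32} {reason}")
```

Run against a real dump, the report lists every principal or group holding one of the authorizations above, which is the set a reviewer would compare against the intended administrators: an application identity such as `appuser` should appear only with basic MQI authorizations on its own queues, while a dead-letter queue handler holding +setall is expected and should be documented as an exception.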
| Platform | Privileged users |
|---|---|
| Windows systems | |
| UNIX and Linux systems | |
| IBM i systems | |
| z/OS | The user ID that the channel initiator, queue manager and advanced message security address spaces are running under. These user IDs do not automatically have full administrative authorities for IBM MQ, but are considered privileged due to the level of access that is typically granted to these user IDs. |