Authorization for applications to use IBM MQ

When applications access objects, the user IDs associated with the applications need appropriate authority.

Applications can access the following IBM® MQ objects by issuing MQI calls:
  • Queue managers
  • Queues
  • Processes
  • Namelists
  • Topics
Applications can also use PCF commands to administer IBM MQ objects. When the PCF command is processed, it uses the authority context of the user ID that put the PCF message.
Applications, in this context, include those written by users and vendors, and those supplied with IBM MQ for z/OS®. The applications supplied with IBM MQ for z/OS include:
  • The operations and control panels
  • The IBM MQ utility program, CSQUTIL
  • The dead letter queue handler utility, CSQUDLQH

Applications that use IBM MQ classes for Java, IBM MQ classes for JMS, IBM MQ classes for .NET, or the Message Service Clients for C/C++ and .NET use the MQI indirectly.

MCAs also issue MQI calls and the user IDs associated with the MCAs need authority to access these IBM MQ objects. For more information about these user IDs and the authorities they require, see Channel authorization.

On z/OS, applications can also use MQSC commands to access these IBM MQ objects but command security and command resource security provide the authority checks in these circumstances. [z/OS]For more information, see Command security and command resource security on z/OS and MQSC commands and the system command input queue on z/OS.

On IBM i, a user that issues a CL command in Group 2 might require authority to access an IBM MQ object associated with the command. For more information, see When authority checks are performed.