Blank user IDs and UACC levels
If a blank user ID occurs, a RACF® undefined user is signed on. Do not grant wide-ranging access to the undefined user.
Blank user IDs can exist when a user is manipulating messages using context or alternate-user security, or when IBM® MQ is passed a blank user ID. For example, a blank user ID is used when a message is written to the system-command input queue without context.
IBM MQ passes the blank user ID to RACF and a RACF undefined user is signed on. All security checks then use the universal access (UACC) for the relevant profile. Depending on how you have set your access levels, the UACC might give the undefined user a wide-ranging access.
RDEFINE MQQUEUE Q.AVAILABLE.TO.EVERYONE UACC(UPDATE)
you define a profile that enables both z/OS®-defined user IDs (that have not been put in the access list) and the RACF undefined user ID to put messages on, and get messages from, that queue.
RDEFINE MQQUEUE Q.AVAILABLE.TO.RACF.DEFINED.USERS.ONLY UACC(NONE)
PERMIT Q.AVAILABLE.TO.RACF.DEFINED.USERS.ONLY CLASS(MQQUEUE) ACCESS(UPDATE) ID(*)