System queue security
You must set up RACF® access to allow certain user IDs access to particular system queues.
Many of the system queues are accessed by the ancillary parts of IBM® MQ:
- The CSQUTIL utility
- The message security policy utility (CSQ0UTIL)
- The operations and control panels
- The channel initiator address space (including the Queued Pub/Sub Daemon)
- The mqweb server, used by the IBM MQ Console and REST API.
The user IDs under which these run must be given RACF access to these queues, as shown in Table 1.
SYSTEM queue | CSQUTIL | CSQ0UTIL | mqweb server | Operations and control panels | Channel initiator for distributed queuing |
---|---|---|---|---|---|
SYSTEM.ADMIN.CHANNEL.EVENT | - | - | - | - | UPDATE |
SYSTEM.ADMIN.COMMAND.QUEUE | - | - | UPDATE | - | - |
SYSTEM.BROKER.ADMIN.STREAM | - | - | - | - | ALTER |
SYSTEM.BROKER.CONTROL.QUEUE | - | - | - | - | ALTER |
SYSTEM.BROKER.DEFAULT.STREAM | - | - | - | - | ALTER |
SYSTEM.BROKER.INTER.BROKER.COMMUNICATIONS | - | - | - | - | UPDATE |
SYSTEM.CHANNEL.INITQ | - | - | - | - | UPDATE |
SYSTEM.CHANNEL.SYNCQ | - | - | - | - | UPDATE |
SYSTEM.CLUSTER.COMMAND.QUEUE | - | - | - | - | ALTER |
SYSTEM.CLUSTER.REPOSITORY.QUEUE | - | - | - | - | UPDATE |
SYSTEM.CLUSTER.TRANSMIT.QUEUE | - | - | - | - | ALTER |
SYSTEM.COMMAND.INPUT | UPDATE | - | - | UPDATE | UPDATE |
SYSTEM.COMMAND.REPLY.* | - | - | - | - | UPDATE |
SYSTEM.COMMAND.REPLY.MODEL | UPDATE | - | - | UPDATE | UPDATE |
SYSTEM.CSQOREXX.* | - | - | - | UPDATE | - |
SYSTEM.CSQUTIL.* | UPDATE | - | - | - | - |
SYSTEM.CSQXCMD.* | - | - | - | - | UPDATE |
SYSTEM.HIERARCHY.STATE | - | - | - | - | UPDATE |
SYSTEM.INTER.QMGR.CONTROL | - | - | - | - | UPDATE |
SYSTEM.INTER.QMGR.PUBS | - | - | - | - | UPDATE |
SYSTEM.INTER.QMGR.FANREQ | - | - | - | - | UPDATE |
SYSTEM.PROTECTION.ERROR.QUEUE | - | - | - | - | UPDATE |
SYSTEM.PROTECTION.POLICY.QUEUE | - | UPDATE 1 | - | - | READ |
SYSTEM.QSG.CHANNEL.SYNCQ | - | - | - | - | UPDATE |
SYSTEM.QSG.TRANSMIT.QUEUE | - | - | - | - | UPDATE |
SYSTEM.REST.REPLY.QUEUE | - | - | UPDATE | - | - |
SYSTEM.BLUEMIX.REGISTRATION.QUEUE | - | - | - | - | UPDATE |
Notes:
- The Advanced Message Security address space user also requires READ access to this queue.