The IBM® MQ data sets should be protected so
that no unauthorized user can run a queue manager instance, or gain access to any queue manager
data. To do this, use normal z/OS®
RACF® data set protection.
Table 1 summarizes the RACF access that the queue manager started task procedure
must have to the different data sets.
Table 1. RACF access
to data sets associated with a queue manager
|
RACF access |
Data sets |
| READ |
- thlqual.SCSQAUTH and thlqual.SCSQANLx (where x is the
language letter for your national language).
- The data sets referred to by CSQINP1, CSQINP2 and CSQXLIB in the queue manager's started task
procedure.
- SMDS data sets owned by other queue managers in the group.
- Log, BSDS and archive log data sets for other queue managers in the group.
|
| UPDATE |
- All page sets and log and BSDS data sets.
- SMDS data sets owned by a queue manager
- SMDS data sets owned by other queue managers in the group, for the structures that the queue
manager performs the RECOVER CFSTRUCT command.
|
| ALTER |
- All archive log data sets.
|
Table 2 summarizes the RACF access that the started task procedure for distributed
queuing must have to the different data sets.
Table 2. RACF access to data sets associated with
distributed queuing
|
RACF access |
Data sets |
| READ |
- thlqual.SCSQAUTH, thlqual.SCSQANLx (where x is the language letter for your national language),
and thlqual.SCSQMVR1.
- LE library data sets.
- The data sets referred to by CSQXLIB and CSQINPX in the channel initiator started task
procedure.
|
| UPDATE |
- Data sets CSQOUTX and CSQSNAP
|
For more information, see the
z/OS Security Server RACF Security Administrator's
Guide.
![[z/OS]](ngzos.gif)