The IBM® MQ data sets should be protected so
that no unauthorized user can run a queue manager instance, or gain access to any queue manager
data. To do this, use normal z/OS®
RACF® data set protection.
Table 1 summarizes the RACF access that the queue manager started task procedure
must have to the different data sets.
Table 1. RACF access
to data sets associated with a queue manager
RACF access |
Data sets |
READ |
- thlqual.SCSQAUTH and thlqual.SCSQANLx (where x is the
language letter for your national language).
- The data sets referred to by CSQINP1, CSQINP2 and CSQXLIB in the queue manager's started task
procedure.
- SMDS data sets owned by other queue managers in the group.
- Log, BSDS and archive log data sets for other queue managers in the group.
|
UPDATE |
- All page sets and log and BSDS data sets.
- SMDS data sets owned by a queue manager
- SMDS data sets owned by other queue managers in the group, for the structures that the queue
manager performs the RECOVER CFSTRUCT command.
|
ALTER |
- All archive log data sets.
|
Table 2 summarizes the RACF access that the started task procedure for distributed
queuing must have to the different data sets.
Table 2. RACF access to data sets associated with
distributed queuing
RACF access |
Data sets |
READ |
- thlqual.SCSQAUTH, thlqual.SCSQANLx (where x is the language letter for your national language),
and thlqual.SCSQMVR1.
- LE library data sets.
- The data sets referred to by CSQXLIB and CSQINPX in the channel initiator started task
procedure.
|
UPDATE |
- Data sets CSQOUTX and CSQSNAP
|
For more information, see the
z/OS Security Server RACF Security Administrator's
Guide.