Settings for controlling access to IBM MQ messages

Message manipulation has the potential to cause serious damage, so special security considerations apply to it. You can specify the authorization level of access to MQ messages for all user IDs or for a specific ID.

Control the level of user access to queue manager messages with the following settings:
  • The MSGACCESS parameter (at the QMGR and GROUP levels) and SET QACCESS monitoring settings in the configuration file of the IBM MQ Monitoring Agent.

    These elements set restrictions on the monitoring agent. The MSGACCESS parameter of the SET GROUP, SET MANAGER, and SET QACCESS monitoring options specifies the level of message access that a Tivoli Enterprise Portal user ID has to messages on queues in the specified queue managers. Use the SET QACCESS options to specify which user account is used for message manipulation. When the IBM MQ Monitoring Agent performs a message manipulation operation, it uses the message manipulation account as the user account to communicate with MQ.

  • Security settings made for your queue managers, such as with RACF.
    You can set restrictions on the message manipulation account that is passed to MQ when the monitoring agent manipulates messages. For this level of security, you must do the following operations:
    • Set up IBM MQ security on each system where IBM MQ is running.
    • Enable and customize the MQ API resource security feature.
Note: By default, the monitoring agent will use the user ID from the user interface to set the alternate user ID for opening the queue for any message manipulation feature. In this way, any security you have specified for your queue manager is used to determine if the specific user ID is able to access the queue involved. By default, only access to browse message descriptors will be tried for the user ID. For any other behavior, you must change from the monitoring option defaults.
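
The following added example (not IBM's code and not part of the original page) audits monitoring agent configuration statements and reports every SET GROUP, SET MANAGER, or SET QACCESS entry that departs from the defaults described in the note above. It assumes the MSGACCESS values NONE, DESC, RETRY, DATA, and DELETE, the SET QACCESS parameters NAME, MSGAUTHUSERS, MSGACCOUNT, and MGRNAME, and "-" as the line continuation character; none of these are stated on this page, so check them against the monitoring options reference for your agent version.

```python
import re

# Constructed sample statements for the agent configuration file (not from the page).
SAMPLE_CFG = """\
SET GROUP NAME(GROUP1) DEFAULT(YES) MSGACCESS(DESC)
SET MANAGER NAME(QM1) GROUP(GROUP1) MSGACCESS(DATA)
SET QACCESS NAME(PAYROLL.*) MSGAUTHUSERS(*) -
    MSGACCOUNT(MQAGENT) MSGACCESS(DELETE) MGRNAME(QM1)
SET QACCESS NAME(APP.DLQ) MSGAUTHUSERS(OPS*) -
    MSGACCOUNT(UIUSER) MSGACCESS(RETRY) MGRNAME(QM1)
"""

# Assumed MSGACCESS values, ordered from least to most access.
LEVELS = ["NONE", "DESC", "RETRY", "DATA", "DELETE"]

def statements(text):
    """Yield complete statements, joining lines that end with a '-' continuation."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("-"):
            buf += line[:-1].rstrip() + " "
        elif line:
            yield buf + line
            buf = ""

def audit(text, baseline="DESC"):
    """Return (statement, name, reason) for settings that widen the defaults."""
    findings = []
    for stmt in statements(text):
        m = re.match(r"SET\s+(GROUP|MANAGER|QACCESS)\b", stmt, re.I)
        if not m:
            continue
        kind = m.group(1).upper()
        params = {k.upper(): v.strip().upper()
                  for k, v in re.findall(r"(\w+)\s*\(([^)]*)\)", stmt)}
        name = params.get("NAME", "?")
        level = params.get("MSGACCESS")
        if level in LEVELS and LEVELS.index(level) > LEVELS.index(baseline):
            findings.append((kind, name, f"MSGACCESS({level}) is above {baseline}"))
        # Page default: the portal user's ID is what queue manager security checks.
        account = params.get("MSGACCOUNT", "UIUSER")
        if kind == "QACCESS" and account != "UIUSER":
            findings.append((kind, name, f"MSGACCOUNT({account}) is not the portal user"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(*finding, sep=" | ")
```

Each finding is an entry to review against the queue manager's own security settings, since those are what finally decide whether the message manipulation account can open the queue.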