Privileged users

A privileged user is one that has full administrative authorities for IBM® MQ.

In addition to the users listed in the following table, there are certain objects and authorizations for which extra care must be taken when granting access, to ensure integrity and security of the queue manager. Extra scrutiny must be applied when granting any of the following authorizations:
  • Any authorizations to SYSTEM objects
  • Administration authorizations such as +crt, +chg and +dlt
  • The +clr administration authorization to clear queues
  • The +ctrl and +ctrlx administration authorizations allow applications to stop channels, back out or commit messages
  • The +altusr MQI authorization allows applications to escalate privileges for authorization checks
  • Context authorizations such as +setall and +setid allow applications to change the security context of messages

As a general principle, messaging applications should be granted only the basic MQI authorizations to the queues or topics that they need. MCA channels that execute under a non-privileged MCAUSER, and certain other special types of applications such as dead-letter queue handlers, may require additional authorizations, not normally granted to applications, to operate correctly.
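The following added example, which is not IBM code, shows one way to review existing grants against the list above. It assumes authority records in a dmpmqaut-style "key: value" stanza layout, treats the mqm group as the only privileged entity (the UNIX and Linux case), and uses a constructed sample; the function names are hypothetical.

```python
import re

# Authorizations the page lists for extra scrutiny (setmqaut names without "+").
RISKY = {"crt", "chg", "dlt", "clr", "ctrl", "ctrlx", "altusr", "setall", "setid"}
AGGREGATES = {"all", "alladm", "allmqi"}  # aggregate keywords that include some or all of the above

def parse_records(text):
    """Turn 'key: value' stanzas into one dict per record (new record at 'profile')."""
    records = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key.lower() == "profile":
            records.append({})
        if sep and records:  # lines without ":" are blanks or "- - -" separators
            records[-1][key.lower()] = value
    return records

def review(text, privileged=("mqm",)):
    """Return (entity, profile, reasons) for each grant that needs a closer look."""
    findings = []
    for rec in parse_records(text):
        entity, profile = rec.get("entity", ""), rec.get("profile", "")
        if entity.lower() in privileged:
            continue  # assumption: these entities are already privileged users
        auths = set(re.split(r"[,\s]+", rec.get("authority", "").lower())) - {"", "none"}
        reasons = sorted(auths & (RISKY | AGGREGATES))
        if profile.upper().startswith("SYSTEM.") and auths:
            reasons.append("SYSTEM object")
        if reasons:
            findings.append((entity, profile, reasons))
    return findings

# Constructed sample in an assumed dmpmqaut-style layout, not real output.
SAMPLE = """\
profile:     APP.REQUEST
object type: queue
entity:      appsvc
entity type: principal
authority:   get browse put inq
- - - - - - - -
profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      appsvc
entity type: principal
authority:   put, setall
"""

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

Entities that legitimately need one of these authorizations, such as a dead-letter queue handler, still appear in the result; the output is a review list, not a list of violations.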

Table 1. Privileged users by platform
Platform Privileged users
Windows systems
  • SYSTEM
  • Members of the mqm group
  • Members of the Administrators group
UNIX and Linux systems
  • Members of the mqm group
IBM i systems
  • The profiles qmqm and qmqmadm
  • All members of the qmqmadm group
  • Any user defined with the *ALLOBJ setting
z/OS®
  • The user ID that the channel initiator, queue manager and advanced message security address spaces are running under.