Privileged users

A privileged user is one that has full administrative authorities for IBM® MQ.

In addition to the users listed in the following table, there are certain objects and authorizations for which extra care must be taken when granting access, to ensure integrity and security of the queue manager. Extra scrutiny must be applied when granting any of the following authorizations:
  • Any authorizations to SYSTEM objects
  • Administration authorizations to create, alter and delete objects.

    [z/OS]On z/OS®, this authorization is command security and command resource security authority to issue DEFINE, ALTER and DELETE commands.

    [UNIX, Linux, Windows, IBM i]On all other platforms, these authorizations are administration authorizations such as +crt, +chg and +dlt.

  • Administration authorization to clear queues.

    [z/OS]On z/OS, this authorization is command security and command resource security authority to issue CLEAR commands.

    [UNIX, Linux, Windows, IBM i]On all other platforms, this authorization is +clr.

  • Administration authorizations to stop channels, backout or commit messages.

    [z/OS]On z/OS, this authorization is command security and command resource security authority to issue commands such as RESET CHANNEL, START CHANNEL and STOP CHANNEL.

    [UNIX, Linux, Windows, IBM i]On all other platforms, these authorizations are +ctrl and +ctrlx.

  • Alternate user MQI authorization that allows applications to escalate privileges for authorization checks.

    [z/OS]On z/OS, this authorization is any authority granted to the alternate user security profiles.

    [UNIX, Linux, Windows, IBM i]On all other platforms, this authorization is +altusr.

  • Context authorizations that allow applications to change the security context of messages.

    [z/OS]On z/OS, this authorization is any authority granted to the context security profiles.

    [UNIX, Linux, Windows, IBM i]On all other platforms, these authorizations are +setall and +setid.

As a general principal, messaging applications should only be granted the basic MQI authorizations to the queues or topics that are needed. MCA channels that execute under a non-privileged MCAUSER and certain other special types of applications, such as dead-letter queue handlers may require additional authorizations not normally granted to applications to operate correctly.

Table 1. Privileged users by platform
Platform Privileged users
Windows systems
  • SYSTEM
  • Members of the mqm group
  • Members of the Administrators group
AIX and Linux systems
  • Members of the mqm group
[IBM i]IBM i systems [IBM i]
  • The profiles qmqm and qmqmadm
  • All members of the qmqmadm group
  • Any user defined with the *ALLOBJ setting
z/OS The user ID that the channel initiator, queue manager and advanced message security address spaces are running under. These user IDs do not automatically have full administrative authorities for IBM MQ, but are considered privileged due to the level of access that is typically granted to these user IDs.