Authority required by the mqweb server started task user ID
On z/OS®, the mqweb server started task user ID requires certain authorities to issue PCF commands and access system resources.
- A z/OS UNIX user identifier (UID) to be able to use z/OS UNIX System Services.
- Access to the hlq.SCSQAUTH and hlq.SCSQANL* data sets in the IBM® MQ installation.
- Read access to the IBM MQ installation files in z/OS UNIX System Services.
- Read and write access to the Liberty user directory created by the crtmqweb script.
- Authority to connect to the queue manager. Grant the mqweb server started task user ID READ access to the hlq.BATCH profile in the MQCONN class.
- Authority to issue IBM MQ commands and access certain queues. These details are described in IBM MQ Console - required command security profiles, System queue security, and Profiles for context security.
- Authority to subscribe to the
SYSTEM.FTE
topic, in order to use the REST API for MFT. Grant the mqweb server started task user ID ALTER access to the hlq.SUBSCRIBE.SYSTEM.FTE profile in the MXTOPIC class. - If you are are configuring a SAF registry, access to various security profiles. See Configuring a SAF registry for the IBM MQ Console and REST API for more information.
Connection authentication
If your queue manager has been configured to require that all batch applications provide a valid user ID and password, by setting CHKLOCL(REQUIRED), you must give the mqweb server started task user ID UPDATE access to the hlq.BATCH profile in the MQCONN class.
This authority causes connection authentication to operate in CHKLOCL(OPTIONAL) mode for the mqweb server started task user ID.
If you have not configured the queue manager to require that all batch applications provide a valid user ID and password, it is sufficient to give the user ID that starts the mqweb server task READ access to the hlq.BATCH profile in the MQCONN class.
For more information about CHCKLOCL, see Using CHCKLOCL on locally bound applications.