Authorizing access to data sets

The IBM MQ data sets should be protected so that no unauthorized user can run a queue manager instance, or gain access to any queue manager data. To do this, use normal z/OS® RACF® data set protection.

Table 1 summarizes the RACF access that the queue manager started task procedure must have to the different data sets.

Table 1. RACF access to data sets associated with a queue manager
RACF access Data sets
READ

  • thlqual.SCSQAUTH and thlqual.SCSQANLx (where x is the language letter for your national language).
  • The data sets referred to by CSQINP1, CSQINP2 and CSQXLIB in the queue manager's started task procedure.
UPDATE

  • All page sets and log and BSDS data sets.
ALTER

  • All archive log data sets.

Table 2 summarizes the RACF access that the started task procedure for distributed queuing must have to the different data sets.

Table 2. RACF access to data sets associated with distributed queuing
RACF access Data sets
READ

  • thlqual.SCSQAUTH, thlqual.SCSQANLx (where x is the language letter for your national language), and thlqual.SCSQMVR1.
  • LE library data sets.
  • The data sets referred to by CSQXLIB and CSQINPX in the distributed queuing started task procedure.
UPDATE

  • Data sets CSQOUTX and CSQSNAP.
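
One way to grant the access listed in Table 1 and Table 2 with RACF commands, shown as an added example that is not part of the original IBM text. The user IDs MQMSTC (queue manager started task) and MQCHIN (distributed queuing started task) and every data set name under MQHLQ and MQARC are assumed placeholders; the example also assumes that generic profile checking and enhanced generic naming are active for the DATASET class and that profiles for the thlqual libraries already exist.

```tso
/* Added example. MQMSTC, MQCHIN, MQHLQ.* and MQARC.* are assumed      */
/* placeholders. New profiles use UACC(NONE) so that only the IDs      */
/* named on PERMIT can open the data sets.                             */

/* Table 1, READ: product libraries (repeat for SCSQANLx and for the   */
/* data sets named on CSQINP1, CSQINP2 and CSQXLIB).                   */
PERMIT 'thlqual.SCSQAUTH' ID(MQMSTC) ACCESS(READ)

/* Table 1, UPDATE: page sets, active logs and BSDS.                   */
ADDSD  'MQHLQ.PSID00' GENERIC UACC(NONE)
PERMIT 'MQHLQ.PSID00' GENERIC ID(MQMSTC) ACCESS(UPDATE)
ADDSD  'MQHLQ.LOGCOPY1.DS01' GENERIC UACC(NONE)
PERMIT 'MQHLQ.LOGCOPY1.DS01' GENERIC ID(MQMSTC) ACCESS(UPDATE)
ADDSD  'MQHLQ.BSDS01' GENERIC UACC(NONE)
PERMIT 'MQHLQ.BSDS01' GENERIC ID(MQMSTC) ACCESS(UPDATE)

/* Table 1, ALTER: archive logs. The queue manager creates these, so   */
/* a pattern profile covers names that do not exist yet.               */
ADDSD  'MQARC.ARCHLOG1.**' UACC(NONE)
PERMIT 'MQARC.ARCHLOG1.**' ID(MQMSTC) ACCESS(ALTER)

/* Table 2, READ: libraries for distributed queuing (repeat for        */
/* SCSQANLx, the LE libraries and the CSQXLIB and CSQINPX data sets).  */
PERMIT 'thlqual.SCSQAUTH' ID(MQCHIN) ACCESS(READ)
PERMIT 'thlqual.SCSQMVR1' ID(MQCHIN) ACCESS(READ)

/* Table 2, UPDATE: data sets allocated to CSQOUTX and CSQSNAP.        */
ADDSD  'MQHLQ.CHIN.CSQSNAP' GENERIC UACC(NONE)
PERMIT 'MQHLQ.CHIN.CSQSNAP' GENERIC ID(MQCHIN) ACCESS(UPDATE)

/* Make the new generic profiles effective, then check the result:     */
/* the access list should show only the intended IDs and levels.       */
SETROPTS GENERIC(DATASET) REFRESH
LISTDSD DATASET('MQHLQ.PSID00') GENERIC AUTHUSER
LISTDSD DATASET('MQARC.ARCHLOG1.**') AUTHUSER
```

Other users and jobs that legitimately need one of these data sets, such as applications that load from thlqual.SCSQAUTH, need their own PERMIT entries at the lowest level that works for them.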

For more information, see the z/OS Security Server RACF Security Administrator's Guide.