RestrictedMode stanza of the qm.ini file

This option applies to UNIX and Linux systems only. The RestrictedMode stanza is set by the -g option on the crtmqm command. Do not change this stanza after the queue manager has been created. If we do not use the -g option, the stanza is not created in the qm.ini file.

There are some directories under which IBM MQ applications create files while they are connected to the queue manager within the queue manager data directory. In order for applications to create files in these directories, they are granted world write access:

  • /var/mqm/sockets/QMgrName/@ipcc/ssem/hostname/
  • /var/mqm/sockets/QMgrName/@app/ssem/hostname/
  • /var/mqm/sockets/QMgrName/zsocketapp/hostname/

where QMgrName is the name of the queue manager, and hostname is the host name.

On some systems, it is unacceptable to grant all users write access to these directories, for example, to users who do not need access to the queue manager. Restricted mode modifies the permissions of the directories that store queue manager data. The directories can then only be accessed by members of the specified application group. The permissions on the System V IPC shared memory used to communicate with the queue manager are also modified in the same way.

The application group is the name of the group with members that have permission to do the following things:

  • Run MQI applications
  • Update all IPCC resources
  • Change the contents of some queue manager directories

To use restricted mode for a queue manager:

  • The creator of the queue manager must be in the mqm group and in the application group.
  • The mqm user ID must be in the application group.
  • All users who want to administer the queue manager must be in the mqm group and in the application group.
  • All users who want to run IBM MQ applications must be in the application group.

Any MQCONN or MQCONNX call issued by a user who is not in the application group fails with reason code MQRC_Q_MGR_NOT_AVAILABLE.

Important: On many operating systems, in order for the addition of a user to a group to be recognized, the user in question must log off and log back on.
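The membership rules above can be checked before users report connection failures. The following is an added example, not IBM code: it reads the application group from the RestrictedMode stanza and lists each user who is missing a required group. The ApplicationGroup attribute name does not appear on this page, and the accounts and the group name mqapps are constructed sample data.

```python
# Added example: audit group membership for a queue manager in restricted mode.
def application_group(qm_ini_text):
    """Return ApplicationGroup from the RestrictedMode stanza, or None if absent."""
    in_stanza = False
    for raw in qm_ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.endswith(":"):               # stanza header such as "RestrictedMode:"
            in_stanza = line[:-1].strip() == "RestrictedMode"
        elif in_stanza and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "ApplicationGroup":
                return value.strip()
    return None

def groups_of(user, passwd_text, group_text):
    """Group names for user: primary group (passwd GID) plus supplementary groups."""
    gid = next((f[3] for f in (l.split(":") for l in passwd_text.splitlines())
                if len(f) > 3 and f[0] == user), None)
    return {f[0] for f in (l.split(":") for l in group_text.splitlines())
            if len(f) >= 4 and (f[2] == gid or user in f[3].split(","))}

def audit(app_group, admins, app_users, passwd_text, group_text):
    """Return sorted (user, missing_group) pairs that break the restricted-mode rules."""
    required = {"mqm": {app_group}}          # the mqm user ID needs the application group
    for u in admins:                         # creator and administrators need both groups
        required.setdefault(u, set()).update({"mqm", app_group})
    for u in app_users:                      # application users need the application group
        required.setdefault(u, set()).add(app_group)
    return sorted((u, g) for u, need in required.items()
                  for g in need - groups_of(u, passwd_text, group_text))

# Constructed sample inputs (user names and the group name mqapps are illustrative)
QM_INI = """\
Log:
   LogPrimaryFiles=3
RestrictedMode:
   ApplicationGroup=mqapps
"""
PASSWD = """\
mqm:x:501:501::/var/mqm:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:600::/home/bob:/bin/sh
carol:x:1003:1003::/home/carol:/bin/sh
"""
GROUP = "mqm:x:501:alice\nmqapps:x:600:mqm\nalice:x:1001:\ncarol:x:1003:\n"

if __name__ == "__main__":
    print(audit(application_group(QM_INI), ["alice"], ["bob", "carol"], PASSWD, GROUP))
```

On hosts that resolve accounts through a directory service, pass the output of `getent passwd` and `getent group` instead of the local files.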

Restricted mode operates with the IBM MQ authorization service. Therefore we must also grant users the authority to connect to IBM MQ and access the resources they require using the IBM MQ authorization service.

Further information about configuring the IBM MQ authorization service can be found in Set up security on Windows, UNIX and Linux systems.

Only use IBM MQ restricted mode when the control provided by the authorization service does not provide sufficient isolation of queue manager resources.
