IBM MQ authorities on IBM i

To access IBM MQ objects, we need authority to issue the command and to access the object referenced. Administrators have access to all IBM MQ resources.

Access to IBM MQ objects is controlled by authorities to:
  1. Issue the IBM MQ command
  2. Access the IBM MQ objects referenced by the command

All IBM MQ for IBM i CL commands are shipped with an owner of QMQM, and the administration profile (QMQMADM) has *USE rights with the *PUBLIC access set to *EXCLUDE.

Note: The QSRDUPER program is used by the IBM MQ for IBM i licensed program installer to duplicate Command (*CMD) objects in QSYS. In IBM i V5R4 and later, the QSRDUPER program was changed so that the default behavior is to create a proxy command rather than a duplicate of the original command. A proxy command redirects command execution to another command and has an attribute of PRX. If a proxy command by the same name as the command being copied exists in library QSYS, private authorities to the proxy command are not granted to the command in the product library. Attempts to prompt or run the proxy command in QSYS check the authority of the target command in the product library. Any changes in authority to *CMD objects therefore need to be done in the product library (QMQM) and those in QSYS do not need to be modified. For example:
GRTOBJAUT OBJ(QMQM/DSPMQMQ) OBJTYPE(*CMD) USER(MQUSER) AUT(*USE)

Changes to the authority structure of some of the product's CL commands allows public use of these commands, if you have the required OAM authority to the IBM MQ objects to make these changes.

To be an IBM MQ administrator on IBM i, we must be a member of the QMQMADM group. This group has properties like the properties of the mqm group on UNIX, Linux and Windows systems. In particular, the QMQMADM group is created when you install IBM MQ for IBM i, and members of the QMQMADM group have access to all IBM MQ resources on the system. You also have access to all IBM MQ resources if you have *ALLOBJ authority.

Administrators can use CL commands to administer IBM MQ. One of these commands is GRTMQMAUT, which is used to grant authorities to other users. Another command, STRMQMMQSC, enables an administrator to issue MQSC commands to a local queue manager.

Parent topic: Set up security on IBM i


Related concepts