System queue security
We must set up RACF access to allow certain user IDs access to particular system queues.
Many of the system queues are accessed by the ancillary parts of IBM MQ :- The CSQUTIL utility
- The message security policy utility (CSQ0UTIL)
- The operations and control panels
- The channel initiator address space (including the Queued Pub/Sub Daemon)
- The mqweb server, used by the MQ Console and REST API.
The user IDs under which these run must be given RACF access to these queues, as shown in Table 1.
| SYSTEM queue | CSQUTIL | CSQ0UTIL | mqweb server | Operations and control panels | Channel initiator for distributed queuing |
|---|---|---|---|---|---|
| SYSTEM.ADMIN.CHANNEL.EVENT | - | - | - | - | UPDATE |
| SYSTEM.ADMIN.COMMAND.QUEUE | - | - | UPDATE | - | - |
| SYSTEM.BROKER.ADMIN.STREAM | - | - | - | - | ALTER |
| SYSTEM.BROKER.CONTROL.QUEUE | - | - | - | - | ALTER |
| SYSTEM.BROKER.DEFAULT.STREAM | - | - | - | - | ALTER |
| SYSTEM.BROKER.INTER.BROKER.COMMUNICATIONS | - | - | - | - | UPDATE |
| SYSTEM.CHANNEL.INITQ | - | - | - | - | UPDATE |
| SYSTEM.CHANNEL.SYNCQ | - | - | - | - | UPDATE |
| SYSTEM.CLUSTER.COMMAND.QUEUE | - | - | - | - | ALTER |
| SYSTEM.CLUSTER.REPOSITORY.QUEUE | - | - | - | - | UPDATE |
| SYSTEM.CLUSTER.TRANSMIT.QUEUE | - | - | - | - | ALTER |
| SYSTEM.COMMAND.INPUT | UPDATE | - | - | UPDATE | UPDATE |
| SYSTEM.COMMAND.REPLY.* | - | - | - | - | UPDATE |
| SYSTEM.COMMAND.REPLY.MODEL | UPDATE | - | - | UPDATE | UPDATE |
| SYSTEM.CSQOREXX.* | - | - | - | UPDATE | - |
| SYSTEM.CSQUTIL.* | UPDATE | - | - | - | - |
| SYSTEM.CSQXCMD.* | - | - | - | - | UPDATE |
| SYSTEM.HIERARCHY.STATE | - | - | - | - | UPDATE |
| SYSTEM.INTER.QMGR.CONTROL | - | - | - | - | UPDATE |
| SYSTEM.INTER.QMGR.PUBS | - | - | - | - | UPDATE |
| SYSTEM.INTER.QMGR.FANREQ | - | - | - | - | UPDATE |
| SYSTEM.PROTECTION.ERROR.QUEUE | - | - | - | - | UPDATE |
| SYSTEM.PROTECTION.POLICY.QUEUE | - | UPDATE 1 | - | - | READ |
| SYSTEM.QSG.CHANNEL.SYNCQ | - | - | - | - | UPDATE |
| SYSTEM.QSG.TRANSMIT | - | - | - | - | UPDATE |
| SYSTEM.REST.REPLY.QUEUE | - | - | UPDATE | - | - |
| SYSTEM.BLUEMIX.REGISTRATION.QUEUE | - | - | - | - | UPDATE |
- The Advanced Message Security address space user also requires READ access to this queue.
Parent topic: Profiles for queue security