Set up IBM MQ for z/OS data set security

There are many types of IBM MQ user. Use RACF to control their access to system data sets.

• The queue manager itself.
• The channel initiator
• IBM MQ administrators, who need to create IBM MQ data sets, run utility programs, and similar tasks.
• Application programmers who need to use the IBM MQ-supplied copybooks, include data sets, macros, and similar resources.
• Applications involving one or more of:
  • Batch jobs
  • TSO users
  • CICS regions
  • IMS regions

• Data sets CSQOUTX and CSQSNAP
• Dynamic queues SYSTEM.CSQXCMD.*

For all these potential users, protect the IBM MQ data sets with RACF.

We must also control access to all your 'CSQINP' data sets.

• RACF authorization of started-task procedures
  Some IBM MQ data sets are for the exclusive use of the queue manager. If you protect the IBM MQ data sets using RACF, we must also authorize the queue manager started-task procedure xxxxMSTR, and the distributed queuing started-task procedure xxxxCHIN, using RACF. To do this, use the STARTED class. Alternatively, we can use the started procedures table (ICHRIN03), but then we must perform an IPL of our z/OS system before the changes take effect.
• Authorizing access to data sets
  The IBM MQ data sets should be protected so that no unauthorized user can run a queue manager instance, or gain access to any queue manager data. To do this, use normal z/OS RACF data set protection.
• Encrypting data sets
  The IBM MQ data sets can be encrypted with z/OS data set encryption, so that the data is protected, or for regulatory reasons.

Parent topic: Security installation tasks for z/OS