Authorizing access to data sets

The IBM MQ data sets should be protected so that no unauthorized user can run a queue manager instance, or gain access to any queue manager data. To do this, use normal z/OS RACF data set protection.

Table 1 summarizes the RACF access that the queue manager started task procedure must have to the different data sets.

RACF access	Data sets
READ	thlqual.SCSQAUTH and thlqual.SCSQANLx (where x is the language letter for the national language). The data sets referred to by CSQINP1 and CSQINP2 in the started task procedure of the queue manager.
UPDATE	All page sets and log and BSDS data sets.
ALTER	All archive log data sets.

RACF access

Data sets

READ

thlqual.SCSQAUTH and thlqual.SCSQANLx (where x is the language letter for the national language).
The data sets referred to by CSQINP1 and CSQINP2 in the started task procedure of the queue manager.

UPDATE

All page sets and log and BSDS data sets.

ALTER

All archive log data sets.

Table 2 summarizes the RACF access that the started task procedure for distributed queuing must have to the different data sets.

RACF access	Data sets
READ	thlqual.SCSQAUTH, thlqual.SCSQANLx (where x is the language letter for the national language), and thlqual.SCSQMVR1. LE library data sets. The data sets referred to by CSQXLIB and CSQINPX in the distributed queuing started task procedure.
UPDATE	Data sets CSQOUTX and CSQSNAP

RACF access

Data sets

READ

thlqual.SCSQAUTH, thlqual.SCSQANLx (where x is the language letter for the national language), and thlqual.SCSQMVR1.
LE library data sets.
The data sets referred to by CSQXLIB and CSQINPX in the distributed queuing started task procedure.

UPDATE

Data sets CSQOUTX and CSQSNAP

For more information, see the z/OS Security Server RACF Security Administrator's Guide.

Parent topic: Set up IBM MQ for z/OS data set security