Authority to administer WebSphere MQ
Overview
WebSphere MQ administrators need authority to:
- Issue commands to administer WebSphere MQ
- Use the WebSphere MQ Explorer and the WebSphere MQ Services snap-in on Windows systems
Authority to administer WebSphere MQ on UNIX and Windows systems
To be a WebSphere MQ administrator on UNIX and Windows systems, be a member of the mqm group. This group is created automatically when you install WebSphere MQ. To allow users to perform administration, add them to the mqm group. This applies to the root user on UNIX systems as well: root is not a WebSphere MQ administrator unless it is a member of mqm.
All members of the mqm group have access to all WebSphere MQ resources on the system, including being able to administer any queue manager running on the system. This access can be revoked only by removing a user from the mqm group. On Windows systems, members of the Administrators group also have access to all WebSphere MQ resources.
Administrators can use control commands to administer WebSphere MQ. One of these control commands is setmqaut, which grants specific authorities on individual WebSphere MQ objects to users or groups that are not members of mqm, so that their access can be limited to what they need.
Administrators can use the control command runmqsc to issue WebSphere MQ Script (MQSC) commands.
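Because mqm membership is all-or-nothing, the first thing to audit on a UNIX system is who is effectively in the group. The script below is an added example, not part of the WebSphere MQ documentation or product: it reads group(5) and passwd(5) format text and lists every user that is in mqm, whether named in the member list of the mqm entry or by having mqm as primary group (such users never appear in that member list). The sample group and passwd entries are constructed; load_admins() points the same check at /etc/group and /etc/passwd on a real host.

```python
"""Audit who can administer WebSphere MQ on a UNIX host.

Added example, not part of the WebSphere MQ documentation. Membership of
the mqm group gives full control of every queue manager on the system, so
this script reports everyone who is in it: users named in the member list
of the mqm entry in group(5) format, plus users whose primary GID in
passwd(5) format is mqm's GID (they are members without appearing in that
list). Sample data is constructed; use load_admins() against the real files.
"""

ADMIN_GROUP = "mqm"

# Constructed sample entries, not taken from any real system.
SAMPLE_GROUP = """\
root:x:0:
mqm:x:1000:alice,root
staff:x:50:bob
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:50::/home/alice:/bin/sh
bob:x:1002:50::/home/bob:/bin/sh
mqm:x:1003:1000:MQ service user:/var/mqm:/bin/sh
carol:x:1004:1000::/home/carol:/bin/sh
"""


def _records(text, min_fields):
    """Yield colon-separated records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= min_fields:
                yield fields


def mq_admins(group_text, passwd_text, group=ADMIN_GROUP):
    """Return the set of users with full WebSphere MQ administrative authority."""
    gid = None
    admins = set()
    for name, _pw, gid_field, members, *_ in _records(group_text, 4):
        if name == group:
            gid = gid_field
            admins.update(m for m in members.split(",") if m)
    if gid is None:
        raise LookupError(f"group {group!r} not found: is WebSphere MQ installed?")
    # Primary-group members do not appear in the group entry's member list.
    for name, _pw, _uid, user_gid, *_ in _records(passwd_text, 4):
        if user_gid == gid:
            admins.add(name)
    return admins


def is_mq_admin(user, group_text, passwd_text):
    """True if the user has full administrative authority through mqm."""
    return user in mq_admins(group_text, passwd_text)


def load_admins(group_path="/etc/group", passwd_path="/etc/passwd"):
    """Run the audit against real files (only sees local accounts, not NIS/LDAP)."""
    with open(group_path) as g, open(passwd_path) as p:
        return mq_admins(g.read(), p.read())


if __name__ == "__main__":
    for user in sorted(mq_admins(SAMPLE_GROUP, SAMPLE_PASSWD)):
        print(f"{user}: full WebSphere MQ administrative authority (mqm)")
```

With the sample data the report lists alice, carol, mqm and root: carol and the mqm service user are administrators purely through their primary group. On Windows the equivalent check is membership of the local mqm and Administrators groups (net localgroup mqm, net localgroup Administrators). Users who only need a few objects should instead be granted those authorities with setmqaut, for example setmqaut -m QM1 -t queue -n APP.QUEUE -p alice +get +put +inq, and verified with dspmqaut; on UNIX systems the object authority manager records authorities against groups, so a -p grant is stored for the principal's primary group, and a dedicated group with -g is clearer.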
When runmqsc is used in indirect mode to send MQSC commands to a remote queue manager, each MQSC command is encapsulated within an Escape PCF command. Administrators must have the required authorities for the MQSC commands to be processed by the remote queue manager.
The WebSphere MQ Explorer on Windows systems issues PCF commands to perform administration tasks. Administrators require no additional authorities to use the WebSphere MQ Explorer to administer a queue manager on the local system. When the WebSphere MQ Explorer is used to administer a queue manager on another system, administrators must have the required authorities for the PCF commands to be processed by the remote queue manager.
For more information about authority checks when PCF and MQSC commands are processed, see the following:
- For PCF commands that operate on queue managers, queues, processes, namelists, and authentication information objects, see Authority to work with WebSphere MQ objects. Refer to this section for the equivalent MQSC commands encapsulated within Escape PCF commands.
- For PCF commands that operate on channels, channel initiators, listeners, and clusters, see Channel security. Refer to this section for the equivalent MQSC commands encapsulated within Escape PCF commands.
Administrators can use the WebSphere MQ Services snap-in to administer local and remote queue managers running on Windows systems. An administrator must be a member of the mqm or Administrators group on each system that hosts a queue manager that is administered in this way. Other users, who are not members of the mqm or Administrators group, can be granted authority to use the WebSphere MQ Services snap-in by using the DCOMCNFG tool supplied with WebSphere MQ for Windows.
For more information about the authority you need to administer WebSphere MQ on UNIX and Windows systems, see the WebSphere MQ System Administration Guide.
Command security and command resource security
On z/OS, authority checks are carried out when a WebSphere MQ administrator issues an MQSC command. This is called command security.
To implement command security, define certain RACF profiles and give the necessary groups and user IDs access to these profiles at the required levels. The name of a profile for command security contains the name of an MQSC command.
Some MQSC commands perform an operation on a WebSphere MQ resource, such as the DEFINE QLOCAL command to create a local queue.
When an administrator issues an MQSC command, authority checks are carried out to determine whether the requested operation can be performed on the resource specified in the command. This is called command resource security.
To implement command resource security, define certain RACF profiles and give the necessary groups and user IDs access to these profiles at the required levels. The name of a profile for command resource security contains the name of a WebSphere MQ resource and its type (QUEUE, PROCESS, NAMELIST, AUTHINFO, or CHANNEL).
Command security and command resource security are independent. For example, when an administrator issues the command:
DEFINE QLOCAL(MOON.EUROPA)
the following authority checks are performed:
- Command security checks that the administrator is authorized to issue the DEFINE QLOCAL command.
- Command resource security checks that the administrator is authorized to perform an operation on the local queue called MOON.EUROPA.
Command security and command resource security can be turned on or off by defining switch profiles.
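The evaluator below is an added example, not IBM code and not RACF itself: it models the two checks above as independent steps, including the effect of the switch profiles, so that a user who passes one and fails the other can be seen concretely. It follows the WebSphere MQ for z/OS profile conventions: command security profiles in class MQCMDS named qmgr.VERB.NOUN, command resource security profiles in class MQADMIN named qmgr.TYPE.name, and the switch profiles qmgr.NO.CMD.CHECKS and qmgr.NO.CMD.RESC.CHECKS in MQADMIN. The queue manager QM1, the user IDs ADMIN1, OPER1 and APP1, and the profiles and access levels are constructed for the example, and generic profile matching is reduced to a trailing '**' with the most specific profile winning; real RACF generics are richer.

```python
"""Model of command security and command resource security on z/OS.

Added example: not IBM code and not RACF, just a small evaluator that shows
the two checks are independent. Profile names follow the WebSphere MQ for
z/OS conventions (class MQCMDS for command security, class MQADMIN for
command resource security and for the switch profiles, queue manager name
as high-level qualifier). The profiles, users and access levels below are
constructed for the example. Generic matching is simplified to a trailing
'**' covering any remaining qualifiers, most specific profile winning.
"""
from dataclasses import dataclass, field

# RACF access levels in increasing order of authority.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Access needed per MQSC command: (MQCMDS level, resource type, MQADMIN level).
# Small subset of the WebSphere MQ for z/OS authority tables; check your release.
COMMAND_AUTH = {
    "DEFINE QLOCAL": ("ALTER", "QUEUE", "ALTER"),
    "ALTER QLOCAL": ("ALTER", "QUEUE", "ALTER"),
    "DELETE QLOCAL": ("ALTER", "QUEUE", "ALTER"),
    "DEFINE PROCESS": ("ALTER", "PROCESS", "ALTER"),
}


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"                           # universal access
    access: dict = field(default_factory=dict)   # user ID -> access level


def best_profile(profiles, resource):
    """Most specific profile covering resource: exact name, else longest '**' generic."""
    best = None
    for p in profiles:
        if p.name == resource:
            return p
        if p.name.endswith(".**") and resource.startswith(p.name[:-2]):
            if best is None or len(p.name) > len(best.name):
                best = p
    return best


def has_access(profiles, resource, user, needed):
    """True if the user's access on the covering profile is at least `needed`."""
    p = best_profile(profiles, resource)
    if p is None:
        # Unprotected resource: modelled as allowed, which is why a catch-all
        # generic such as QM1.** with UACC(NONE) is defined in practice.
        return True
    return LEVELS[p.access.get(user, p.uacc)] >= LEVELS[needed]


def switch_present(mqadmin, name):
    """Switch profiles are recognised by exact name here (a simplification)."""
    return any(p.name == name for p in mqadmin)


def check_command(racf, qmgr, user, command, resource_name):
    """Evaluate both checks for `user` issuing `command` on `resource_name`.

    Returns (allowed, list of reason strings), one reason per check.
    """
    cmd_level, res_type, res_level = COMMAND_AUTH[command]
    mqcmds, mqadmin = racf.get("MQCMDS", []), racf.get("MQADMIN", [])
    results = []

    # 1. Command security: profile qmgr.VERB.NOUN in class MQCMDS.
    if switch_present(mqadmin, f"{qmgr}.NO.CMD.CHECKS"):
        results.append((True, "command security switched off"))
    else:
        profile = f"{qmgr}.{command.replace(' ', '.')}"
        ok = has_access(mqcmds, profile, user, cmd_level)
        results.append((ok, f"MQCMDS {profile} needs {cmd_level}: {'pass' if ok else 'fail'}"))

    # 2. Command resource security: profile qmgr.TYPE.name in class MQADMIN.
    if switch_present(mqadmin, f"{qmgr}.NO.CMD.RESC.CHECKS"):
        results.append((True, "command resource security switched off"))
    else:
        profile = f"{qmgr}.{res_type}.{resource_name}"
        ok = has_access(mqadmin, profile, user, res_level)
        results.append((ok, f"MQADMIN {profile} needs {res_level}: {'pass' if ok else 'fail'}"))

    return all(ok for ok, _ in results), [reason for _, reason in results]


def with_switch(racf, qmgr, switch):
    """Copy of racf with the named switch profile (e.g. 'NO.CMD.RESC.CHECKS') defined."""
    copy = dict(racf)
    copy["MQADMIN"] = list(racf.get("MQADMIN", [])) + [Profile(f"{qmgr}.{switch}")]
    return copy


# Constructed profile set for queue manager QM1 (not from any real system).
SAMPLE_RACF = {
    "MQCMDS": [
        Profile("QM1.**"),  # catch-all, UACC(NONE)
        Profile("QM1.DEFINE.**", access={"ADMIN1": "ALTER", "OPER1": "ALTER"}),
    ],
    "MQADMIN": [
        Profile("QM1.QUEUE.**", access={"ADMIN1": "ALTER", "OPER1": "READ"}),
    ],
}

if __name__ == "__main__":
    for user in ("ADMIN1", "OPER1", "APP1"):
        allowed, reasons = check_command(SAMPLE_RACF, "QM1", user, "DEFINE QLOCAL", "MOON.EUROPA")
        print(user, "allowed" if allowed else "denied", reasons)
```

Run as written it shows ADMIN1 passing both checks, OPER1 passing command security on QM1.DEFINE.QLOCAL but failing command resource security on QM1.QUEUE.MOON.EUROPA (READ where ALTER is needed), and APP1 failing both; adding the QM1.NO.CMD.RESC.CHECKS switch profile lets OPER1 through. The same two checks apply when the command server takes a command from the system command input queue, with the UserIdentifier from the message descriptor as the user ID.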
MQSC commands and the system command input queue
Command security and command resource security are also used when the command server retrieves a message containing an MQSC command from the system command input queue.
The user ID that is used for the authority checks is the one found in the UserIdentifier field in the message descriptor of the message containing the MQSC command. This user ID must have the required authorities on the queue manager where the command is processed. For more information about the UserIdentifier field and how it is set, see Message context.
Messages containing MQSC commands are sent to the system command input queue in the following circumstances:
- The operations and control panels send MQSC commands to the system command input queue of the target queue manager. The MQSC commands correspond to the actions you choose on the panels. The UserIdentifier field in each message is set to the TSO user ID of the administrator.
- The COMMAND function of the WebSphere MQ utility program, CSQUTIL, sends the MQSC commands in the input data set to the system command input queue of the target queue manager. The COPY and EMPTY functions send DISPLAY QUEUE and DISPLAY STGCLASS commands. The UserIdentifier field in each message is set to the job user ID.
- The MQSC commands in the CSQINPX data sets are sent to the system command input queue of the queue manager to which the channel initiator is connected. The UserIdentifier field in each message is set to the channel initiator address space user ID.
No authority checks are performed when MQSC commands are issued from the CSQINP1 and CSQINP2 data sets. You can control who is allowed to update these data sets using RACF data set protection.
- Within a queue-sharing group, a channel initiator might send START CHANNEL commands to the system command input queue of the queue manager to which it is connected. A command is sent when an outbound channel that uses a shared transmission queue is started by triggering. The UserIdentifier field in each message is set to the channel initiator address space user ID.
- An application can send MQSC commands to a system command input queue. By default, the UserIdentifier field in each message is set to the user ID associated with the application.
- On UNIX and Windows systems, the runmqsc control command can be used in indirect mode to send MQSC commands to the system command input queue of a queue manager on z/OS. The UserIdentifier field in each message is set to the user ID of the administrator who issued the runmqsc command.
Access to the queue manager data sets
WebSphere MQ administrators need authority to access the queue manager data sets. These data sets include:
- The data sets referred to by CSQINP1, CSQINP2, and CSQXLIB in the queue manager's started task procedure
- The queue manager's page sets, active log data sets, archive log data sets, and bootstrap data sets (BSDSs)
- The data sets referred to by CSQXLIB and CSQINPX in the channel initiator's started task procedure
You must protect the data sets so that no unauthorized user can start a queue manager or gain access to any queue manager data. To do this, use RACF data set protection.