Set up IBM MQ for z/OS® resource security
There are many types of IBM MQ user. Use RACF® to control their access to IBM MQ resources.
The possible users of IBM MQ resources, such as queues and channels, include the following entities:
- The queue manager itself.
- The channel initiator
- IBM MQ administrators, who need to create IBM MQ data sets, run utility programs, and similar tasks
- Application programmers who need to use the IBM MQ-supplied copybooks, include data sets, macros, and similar resources.
- Applications involving one or more of:
  - Batch jobs
  - TSO users
  - CICS® regions
  - IMS regions
- Data sets CSQOUTX and CSQSNAP
- Dynamic queues SYSTEM.CSQXCMD.*
For all these potential users, protect the IBM MQ resources with RACF. In particular, note that the channel initiator needs access to various resources, as described in Security considerations for the channel initiator on z/OS, and so the user ID under which it runs must be authorized to access these resources.
If you are using a queue sharing group, the queue manager might issue various commands internally, so the user ID it uses must be authorized to issue such commands. The commands are:
- DEFINE, ALTER, and DELETE for every object that has QSGDISP(GROUP)
- START and STOP CHANNEL for every channel used with CHLDISP(SHARED)
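
As an added illustration (not part of the IBM documentation), the following RACF commands show one way to give the queue manager's user ID command authority for the internally issued commands listed above. The queue sharing group name `QSG1` and the user ID `MQ1MSTR` are constructed placeholders, and the sketch assumes that the MQCMDS class is active with generic profiles enabled and that queue sharing group level profiles are in use.

```tso
 /* Added example: QSG1 and MQ1MSTR are constructed placeholder names. */
 /* Assumes MQCMDS is active and generic profiles are enabled for it.  */

 /* DEFINE, ALTER, and DELETE of objects: command profiles that        */
 /* require ALTER access in class MQCMDS.                              */
 RDEFINE MQCMDS QSG1.DEFINE.* UACC(NONE)
 RDEFINE MQCMDS QSG1.ALTER.*  UACC(NONE)
 RDEFINE MQCMDS QSG1.DELETE.* UACC(NONE)
 PERMIT QSG1.DEFINE.* CLASS(MQCMDS) ID(MQ1MSTR) ACCESS(ALTER)
 PERMIT QSG1.ALTER.*  CLASS(MQCMDS) ID(MQ1MSTR) ACCESS(ALTER)
 PERMIT QSG1.DELETE.* CLASS(MQCMDS) ID(MQ1MSTR) ACCESS(ALTER)

 /* START CHANNEL and STOP CHANNEL: command profiles that require      */
 /* CONTROL access in class MQCMDS.                                    */
 RDEFINE MQCMDS QSG1.START.CHANNEL UACC(NONE)
 RDEFINE MQCMDS QSG1.STOP.CHANNEL  UACC(NONE)
 PERMIT QSG1.START.CHANNEL CLASS(MQCMDS) ID(MQ1MSTR) ACCESS(CONTROL)
 PERMIT QSG1.STOP.CHANNEL  CLASS(MQCMDS) ID(MQ1MSTR) ACCESS(CONTROL)

 /* Review the resulting access lists before relying on them.          */
 RLIST MQCMDS QSG1.START.CHANNEL AUTHUSER
```

Because these profiles are defined with UACC(NONE), every other user ID that legitimately issues the same commands needs its own PERMIT entry.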