Authority to administer IBM MQ on UNIX and Windows systems
An IBM MQ administrator is a member of the mqm group. This group has access to all IBM MQ resources and can issue IBM MQ control commands. An administrator can grant specific authorities to other users.
To be an IBM MQ administrator on UNIX and Windows systems, a user must be a member of the mqm group. This group is created automatically when you install IBM MQ. To allow users to issue control commands, we must add them to the mqm group. This includes the root user on UNIX.
Users who are not member of the mqm group can be granted administrative privileges, but they are not able to issue IBM MQ control commands, and they are authorized to execute only the commands for which they have been granted access.
Additionally, on Windows systems, the SYSTEM and Administrator accounts have full access to IBM MQ resources.
All members of the mqm group have access to all IBM MQ resources on the system, including being able to administer any queue manager running on the system. This access can be revoked only by removing a user from the mqm group. On Windows systems, members of the Administrators group also have access to all IBM MQ resources.
Administrators can use the control command runmqsc to issue IBM MQ Script (MQSC) commands. When runmqsc is used in indirect mode to send MQSC commands to a remote queue manager, each MQSC command is encapsulated within an Escape PCF command. Administrators must have the required authorities for the MQSC commands to be processed by the remote queue manager.
The IBM MQ Explorer issues PCF commands to perform administration tasks. Administrators require no additional authorities to use the IBM MQ Explorer to administer a queue manager on the local system. When the IBM MQ Explorer is used to administer a queue manager on another system, administrators must have the required authorities for the PCF commands to be processed by the remote queue manager.
For more information about the authority checks carried out when PCF and MQSC commands are processed, see the following topics:- For commands that operate on queue managers, queues, channels, processes, namelists, and authentication information objects, see Authorization for applications to use IBM MQ.
- For commands that operate on channels, channel initiators, listeners, and clusters, see Channel security.
- For MQSC commands that are processed by the command server on IBM MQ for z/OS, see Command security and command resource security on z/OS.
For more information about the authority we need to administer IBM MQ on UNIX and Windows systems, see the related information.
Parent topic: Authority to administer IBM MQ