Profiles for command security
To enable security checking for commands, add profiles to the MQCMDS class. The profile names are based on the MQSC commands but control both MQSC and PCF commands. Profiles can apply to a queue manager or a queue sharing group.
If you want security checking for commands (that is, you have not defined the command security switch profile hlq.NO.CMD.CHECKS), you must add profiles to the MQCMDS class.
The same security profiles control both MQSC and PCF commands. The names of the RACF profiles for command security checking are based on the MQSC command names themselves. These profiles take the form:
hlq.verb.pkw
where hlq can be either qmgr-name (queue manager name) or qsg-name (queue sharing group name), verb is the verb part of the command name, for example ALTER, and pkw is the object type, for example QLOCAL for a local queue.
Thus, the profile name for the ALTER QLOCAL command in subsystem CSQ1 is:
CSQ1.ALTER.QLOCAL
You can use generic profiles to protect sets of commands so that you have fewer profiles to maintain and, therefore, fewer access lists. Consider creating a generic profile that applies to all commands not protected by a more specific profile. Define this profile with UACC(NONE) and grant ALTER access only to the RACF groups containing administrators. You might then create a generic profile applicable to all DISPLAY commands and grant widespread access to it. Between these extremes, you might identify groups of users needing access to certain sets of commands, in which case you can create profiles for those sets and grant access to RACF groups representing those classes of user. Avoid giving users access to commands they do not require: apply the principle of least privilege, so that users only have access to the commands that are required for their jobs.
A profile prefixed by the queue manager name controls the use of the command on that queue manager. A profile prefixed by the queue sharing group name controls the use of the command on all queue managers within the queue sharing group. This access can be overridden on an individual queue manager by defining a queue manager level profile for that command on that queue manager.
If your queue manager is a member of a queue sharing group and you are using both queue manager and queue sharing group level security, IBM MQ checks for a profile prefixed by the queue manager name. If it does not find one, it looks for a profile prefixed by the queue sharing group name.
By setting up command profiles at queue manager level, a user can be restricted from issuing commands on a particular queue manager. Alternatively, we can define one profile for a queue sharing group for each command verb, and all security checks take place against that profile instead of individual queue managers.
If both subsystem security and queue sharing group security are active and a local profile is not found, a command security check is performed to see if the user has access to a queue sharing group profile.
If we use the CMDSCOPE attribute to route a command to other queue managers in a queue sharing group, security is checked on each queue manager where the command is run, but not necessarily on the queue manager where the command is entered.
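The following added example (not IBM code) models the lookup order and the generic-profile strategy described above, so a planned set of MQCMDS profiles can be checked before it is defined in RACF. QSG1, CSQ2 and the group names are hypothetical; generic matching, access-list resolution and the deny-when-no-profile result are simplified assumptions, not RACF's full rules.

```python
import re

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access, low to high
# MQCMDS access required per verb, taken from the page's command table (subset).
REQUIRED = {"ALTER": "ALTER", "DEFINE": "ALTER", "DELETE": "ALTER", "CLEAR": "ALTER",
            "DISPLAY": "READ", "START": "CONTROL", "STOP": "CONTROL", "RESET": "CONTROL"}

# Constructed MQCMDS profiles. QSG1, CSQ2 and the group names are hypothetical.
PROFILES = {
    "QSG1.**":         {"uacc": "NONE", "acl": {"MQADMIN": "ALTER"}},   # catch-all
    "QSG1.DISPLAY.**": {"uacc": "READ", "acl": {}},                     # widespread
    "QSG1.STOP.**":    {"uacc": "NONE", "acl": {"MQADMIN": "ALTER", "MQOPS": "CONTROL"}},
    "CSQ1.STOP.**":    {"uacc": "NONE", "acl": {"MQADMIN": "ALTER"}},   # qmgr override
}

def _matches(profile, resource):
    # Simplified generic matching: '**' = zero or more qualifiers, '*' = rest of one.
    rx = re.escape(profile).replace(r"\.\*\*", r"(\..+)?").replace(r"\*", r"[^.]*")
    return re.fullmatch(rx, resource) is not None

def find_profile(profiles, hlq, verb, pkw):
    """Most specific profile covering hlq.verb.pkw, or None."""
    resource = f"{hlq}.{verb}.{pkw}"
    hits = [p for p in profiles if _matches(p, resource)]
    # Assumption: 'most specific' = longest literal text before the first wildcard.
    return max(hits, key=lambda p: len(p.split("*")[0]), default=None)

def check_command(profiles, groups, qmgr, qsg, verb, pkw):
    """Return (allowed, profile_used) for one command on one queue manager."""
    for hlq in (qmgr, qsg):          # queue manager level first, then QSG level
        name = find_profile(profiles, hlq, verb, pkw) if hlq else None
        if name is None:
            continue
        prof = profiles[name]
        held = [lvl for grp, lvl in prof["acl"].items() if grp in groups]
        granted = max(held, key=LEVELS.index) if held else prof["uacc"]
        return LEVELS.index(granted) >= LEVELS.index(REQUIRED[verb]), name
    return False, None               # no profile at either level: denied here (assumption)

if __name__ == "__main__":
    cases = [({"MQOPS"}, "CSQ2", "STOP", "CHANNEL"),    # falls back to QSG1.STOP.**
             ({"MQOPS"}, "CSQ1", "STOP", "CHANNEL"),    # CSQ1.STOP.** found first: denied
             (set(), "CSQ1", "DISPLAY", "QLOCAL"),      # QSG1.DISPLAY.** grants READ
             ({"MQOPS"}, "CSQ2", "ALTER", "QLOCAL")]    # only the catch-all applies
    for groups, qmgr, verb, pkw in cases:
        result = check_command(PROFILES, groups, qmgr, "QSG1", verb, pkw)
        print(sorted(groups), qmgr, verb, pkw, "->", result)
```

Because the queue sharing group profile is consulted only when no queue manager level profile matches, a queue manager level profile with a narrower access list removes access that the group-wide profile would have granted on that queue manager.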
Table 1 shows, for each IBM MQ MQSC command, the profiles required for command security checking to be carried out, and the corresponding access level for each profile in the MQCMDS class.
Table 2 shows, for each IBM MQ PCF command, the profiles required for command security checking to be carried out, and the corresponding access level for each profile in the MQCMDS class.
Table 1 (MQSC commands):

| Command | Command profile for MQCMDS | Access level for MQCMDS | Command resource profile for MQADMIN or MXADMIN | Access level for MQADMIN or MXADMIN |
|---|---|---|---|---|
| ALTER AUTHINFO | hlq.ALTER.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
| ALTER BUFFPOOL | hlq.ALTER.BUFFPOOL | ALTER | No check | - |
| ALTER CFSTRUCT | hlq.ALTER.CFSTRUCT | ALTER | No check | - |
| ALTER CHANNEL | hlq.ALTER.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
| ALTER NAMELIST | hlq.ALTER.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
| ALTER PROCESS | hlq.ALTER.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
| ALTER PSID | hlq.ALTER.PSID | ALTER | No check | - |
| ALTER QALIAS | hlq.ALTER.QALIAS | ALTER | hlq.QUEUE.queue | ALTER |
| ALTER QLOCAL | hlq.ALTER.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
| ALTER QMGR | hlq.ALTER.QMGR | ALTER | No check | - |
| ALTER QMODEL | hlq.ALTER.QMODEL | ALTER | hlq.QUEUE.queue | ALTER |
| ALTER QREMOTE | hlq.ALTER.QREMOTE | ALTER | hlq.QUEUE.queue | ALTER |
| ALTER SECURITY | hlq.ALTER.SECURITY | ALTER | No check | - |
| ALTER SMDS | hlq.ALTER.SMDS | ALTER | No check | - |
| ALTER STGCLASS | hlq.ALTER.STGCLASS | ALTER | No check | - |
| ALTER SUB | hlq.ALTER.SUB | ALTER | No check | - |
| ALTER TOPIC | hlq.ALTER.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
| ALTER TRACE | hlq.ALTER.TRACE | ALTER | No check | - |
| ARCHIVE LOG | hlq.ARCHIVE.LOG | CONTROL | No check | - |
| BACKUP CFSTRUCT | hlq.BACKUP.CFSTRUCT | CONTROL | No check | - |
| CLEAR QLOCAL | hlq.CLEAR.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
| CLEAR TOPICSTR (note 3) | hlq.CLEAR.TOPICSTR | ALTER | hlq.TOPIC.topic | ALTER |
| DEFINE AUTHINFO | hlq.DEFINE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
| DEFINE BUFFPOOL | hlq.DEFINE.BUFFPOOL | ALTER | No check | - |
| DEFINE CFSTRUCT | hlq.DEFINE.CFSTRUCT | ALTER | No check | - |
| DEFINE CHANNEL | hlq.DEFINE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
| DEFINE LOG | hlq.DEFINE.LOG | ALTER | No check | - |
| DEFINE MAXSMSGS | hlq.DEFINE.MAXSMSGS | ALTER | No check | - |
| DEFINE NAMELIST | hlq.DEFINE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
| DEFINE PROCESS | hlq.DEFINE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
| DEFINE PSID | hlq.DEFINE.PSID | ALTER | No check | - |
| DEFINE QALIAS | hlq.DEFINE.QALIAS | ALTER | hlq.QUEUE.queue | ALTER |
| DEFINE QLOCAL | hlq.DEFINE.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
| DEFINE QMODEL | hlq.DEFINE.QMODEL | ALTER | hlq.QUEUE.queue | ALTER |
| DEFINE QREMOTE | hlq.DEFINE.QREMOTE | ALTER | hlq.QUEUE.queue | ALTER |
| DEFINE STGCLASS | hlq.DEFINE.STGCLASS | ALTER | No check | - |
| DEFINE SUB | hlq.DEFINE.SUB | ALTER | No check | - |
| DEFINE TOPIC | hlq.DEFINE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
| DELETE AUTHINFO | hlq.DELETE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
| DELETE BUFFPOOL | hlq.DELETE.BUFFPOOL | ALTER | No check | - |
| DELETE CFSTRUCT | hlq.DELETE.CFSTRUCT | ALTER | No check | - |
| DELETE CHANNEL | hlq.DELETE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
| DELETE NAMELIST | hlq.DELETE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
| DELETE PROCESS | hlq.DELETE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
| DELETE PSID | hlq.DELETE.PSID | ALTER | No check | - |
| DELETE QALIAS | hlq.DELETE.QALIAS | ALTER | hlq.QUEUE.queue | ALTER |
| DELETE QLOCAL | hlq.DELETE.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
| DELETE QMODEL | hlq.DELETE.QMODEL | ALTER | hlq.QUEUE.queue | ALTER |
| DELETE QREMOTE | hlq.DELETE.QREMOTE | ALTER | hlq.QUEUE.queue | ALTER |
| DELETE STGCLASS | hlq.DELETE.STGCLASS | ALTER | No check | - |
| DELETE SUB | hlq.DELETE.SUB | ALTER | No check | - |
| DELETE TOPIC | hlq.DELETE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
| DISPLAY ARCHIVE (note 1) | hlq.DISPLAY.ARCHIVE | READ | No check | - |
| DISPLAY AUTHINFO | hlq.DISPLAY.AUTHINFO | READ | No check | - |
| DISPLAY CFSTATUS | hlq.DISPLAY.CFSTATUS | READ | No check | - |
| DISPLAY CFSTRUCT | hlq.DISPLAY.CFSTRUCT | READ | No check | - |
| DISPLAY CHANNEL | hlq.DISPLAY.CHANNEL | READ | No check | - |
| DISPLAY CHINIT | hlq.DISPLAY.CHINIT | READ | No check | - |
| DISPLAY CHLAUTH | hlq.DISPLAY.CHLAUTH | READ | No check | - |
| DISPLAY CHSTATUS | hlq.DISPLAY.CHSTATUS | READ | No check | - |
| DISPLAY CLUSQMGR | hlq.DISPLAY.CLUSQMGR | READ | No check | - |
| DISPLAY CMDSERV | hlq.DISPLAY.CMDSERV | READ | No check | - |
| DISPLAY CONN (note 1) | hlq.DISPLAY.CONN | READ | No check | - |
| DISPLAY GROUP | hlq.DISPLAY.GROUP | READ | No check | - |
| DISPLAY LOG (note 1) | hlq.DISPLAY.LOG | READ | No check | - |
| DISPLAY MAXSMSGS | hlq.DISPLAY.MAXSMSGS | READ | No check | - |
| DISPLAY NAMELIST | hlq.DISPLAY.NAMELIST | READ | No check | - |
| DISPLAY PROCESS | hlq.DISPLAY.PROCESS | READ | No check | - |
| DISPLAY PUBSUB | hlq.DISPLAY.PUBSUB | READ | No check | - |
| DISPLAY QALIAS | hlq.DISPLAY.QALIAS | READ | No check | - |
| DISPLAY QCLUSTER | hlq.DISPLAY.QCLUSTER | READ | No check | - |
| DISPLAY QLOCAL | hlq.DISPLAY.QLOCAL | READ | No check | - |
| DISPLAY QMGR | hlq.DISPLAY.QMGR | READ | No check | - |
| DISPLAY QMODEL | hlq.DISPLAY.QMODEL | READ | No check | - |
| DISPLAY QREMOTE | hlq.DISPLAY.QREMOTE | READ | No check | - |
| DISPLAY QSTATUS | hlq.DISPLAY.QSTATUS | READ | No check | - |
| DISPLAY QUEUE | hlq.DISPLAY.QUEUE | READ | No check | - |
| DISPLAY SBSTATUS | hlq.DISPLAY.SBSTATUS | READ | No check | - |
| DISPLAY SMDS | hlq.DISPLAY.SMDS | READ | No check | - |
| DISPLAY SMDSCONN | hlq.DISPLAY.SMDSCONN | READ | No check | - |
| DISPLAY SUB | hlq.DISPLAY.SUB | READ | No check | - |
| DISPLAY SECURITY | hlq.DISPLAY.SECURITY | READ | No check | - |
| DISPLAY STGCLASS | hlq.DISPLAY.STGCLASS | READ | No check | - |
| DISPLAY SYSTEM (note 1) | hlq.DISPLAY.SYSTEM | READ | No check | - |
| DISPLAY THREAD | hlq.DISPLAY.THREAD | READ | No check | - |
| DISPLAY TPSTATUS | hlq.DISPLAY.TPSTATUS | READ | No check | - |
| DISPLAY TOPIC | hlq.DISPLAY.TOPIC | READ | No check | - |
| DISPLAY TPSTATUS | hlq.DISPLAY.TPSTATUS | READ | No check | - |
| DISPLAY TRACE | hlq.DISPLAY.TRACE | READ | No check | - |
| DISPLAY USAGE (note 1) | hlq.DISPLAY.USAGE | READ | No check | - |
| MOVE QLOCAL | hlq.MOVE.QLOCAL | ALTER | hlq.QUEUE.from-queue hlq.QUEUE.to-queue | ALTER |
| PING CHANNEL | hlq.PING.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| RECOVER BSDS | hlq.RECOVER.BSDS | CONTROL | No check | - |
| RECOVER CFSTRUCT | hlq.RECOVER.CFSTRUCT | CONTROL | No check | - |
| REFRESH CLUSTER | hlq.REFRESH.CLUSTER | ALTER | No check | - |
| REFRESH QMGR | hlq.REFRESH.QMGR | ALTER | No check | - |
| REFRESH SECURITY | hlq.REFRESH.SECURITY | ALTER | No check | - |
| RESET CFSTRUCT | hlq.RESET.CFSTRUCT | CONTROL | No check | - |
| RESET CHANNEL | hlq.RESET.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| RESET CLUSTER | hlq.RESET.CLUSTER | CONTROL | No check | - |
| RESET QMGR | hlq.RESET.QMGR | CONTROL | No check | - |
| RESET QSTATS | hlq.RESET.QSTATS | CONTROL | hlq.QUEUE.queue | CONTROL |
| RESET SMDS | hlq.RESET.SMDS | CONTROL | No check | - |
| RESET TPIPE | hlq.RESET.TPIPE | CONTROL | No check | - |
| RESOLVE CHANNEL | hlq.RESOLVE.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| RESOLVE INDOUBT | hlq.RESOLVE.INDOUBT | CONTROL | No check | - |
| RESUME QMGR | hlq.RESUME.QMGR | CONTROL | No check | - |
| RVERIFY SECURITY | hlq.RVERIFY.SECURITY | ALTER | No check | - |
| SET ARCHIVE | hlq.SET.ARCHIVE | CONTROL | No check | - |
| SET CHLAUTH | hlq.SET.CHLAUTH | CONTROL | No check | - |
| SET LOG | hlq.SET.LOG | CONTROL | No check | - |
| SET SYSTEM | hlq.SET.SYSTEM | CONTROL | No check | - |
| START CHANNEL | hlq.START.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| START CHINIT (note 4) | hlq.START.CHINIT | CONTROL | No check | - |
| START CMDSERV | hlq.START.CMDSERV | CONTROL | No check | - |
| START LISTENER | hlq.START.LISTENER | CONTROL | No check | - |
| START QMGR | None (note 2) | - | - | - |
| START SMDSCONN | hlq.START.SMDSCONN | CONTROL | No check | - |
| START TRACE | hlq.START.TRACE | CONTROL | No check | - |
| STOP CHANNEL | hlq.STOP.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| STOP CHINIT | hlq.STOP.CHINIT | CONTROL | No check | - |
| STOP CMDSERV | hlq.STOP.CMDSERV | CONTROL | No check | - |
| STOP LISTENER | hlq.STOP.LISTENER | CONTROL | No check | - |
| STOP QMGR | hlq.STOP.QMGR | CONTROL | No check | - |
| STOP SMDSCONN | hlq.STOP.SMDSCONN | CONTROL | No check | - |
| STOP TRACE | hlq.STOP.TRACE | CONTROL | No check | - |
| SUSPEND QMGR | hlq.SUSPEND.QMGR | CONTROL | No check | - |

Notes:
1. These commands might be issued internally by the queue manager; no authority is checked in these cases.
2. IBM MQ does not check the authority of the user who issues the START QMGR command. However, you can use RACF, or your alternative security facilities, to control access to the START xxxxMSTR command that is issued as a result of the START QMGR command. This is done by controlling access to the MVS.START.STC.xxxxMSTR profile in the RACF operator commands (OPERCMDS) class. For details of this procedure, see the z/OS SecureWay Security Server RACF Security Administrator's Guide. If you use this technique, and an unauthorized user tries to start the queue manager, it terminates with a reason code of 00F30216.
3. The hlq.TOPIC.topic resource refers to the Topic object derived from the TOPICSTR. For more details, see Publish/subscribe security.
4. At releases prior to IBM MQ for z/OS V6, the security check was for MVS.START.STC.CSQ1CHIN. At IBM MQ for z/OS V6 and later, the resource name has an additional JOBNAME qualifier appended to it. This can cause problems when starting the channel initiator.
   To resolve the problem, replace MVS.START.STC.ssidCHIN with a profile for a resource named MVS.START.STC.ssidCHIN.* or MVS.START.STC.ssidCHIN.ssidCHIN, where ssid is the subsystem ID for the queue manager. This requires RACF UPDATE authority. For more details, see the z/OS product documentation for Operation planning, MVS Commands, RACF Access Authorities, and Resource Names.
   The START for ssidMSTR does not include the JOBNAME= parameter. For consistency, you might want to update the profile for MVS.START.STC.ssidMSTR to MVS.START.STC.ssidMSTR.*.
Table 2 (PCF commands):

| Command | Command profile for MQCMDS | Access level for MQCMDS | Command resource profile for MQADMIN or MXADMIN | Access level for MQADMIN or MXADMIN |
|---|---|---|---|---|
| Backup CF Structure | hlq.BACKUP.CFSTRUCT | CONTROL | No check | - |
| Change Authentication Information Object | hlq.ALTER.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
| Change CF Structure | hlq.ALTER.CFSTRUCT | ALTER | No check | - |
| Change Channel | hlq.ALTER.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
| Change Namelist | hlq.ALTER.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
| Change Process | hlq.ALTER.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
| Change Queue | hlq.ALTER.QUEUE | ALTER | hlq.QUEUE.queue | ALTER |
| Change Queue Manager | hlq.ALTER.QMGR | ALTER | No check | - |
| Change Security | hlq.ALTER.SECURITY | ALTER | No check | - |
| Change SMDS | hlq.ALTER.SMDS | ALTER | No check | - |
| Change Storage Class | hlq.ALTER.STGCLASS | ALTER | No check | - |
| Change Subscription | hlq.ALTER.SUB | ALTER | No check | - |
| Change Topic | hlq.ALTER.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
| Clear Queue | hlq.CLEAR.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
| Clear Topic String (note 1) | hlq.CLEAR.TOPICSTR | ALTER | hlq.TOPIC.topic | ALTER |
| Copy Authentication Information Object | hlq.DEFINE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
| Copy CF Structure | hlq.DEFINE.CFSTRUCT | ALTER | No check | - |
| Copy Channel | hlq.DEFINE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
| Copy Namelist | hlq.DEFINE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
| Copy Process | hlq.DEFINE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
| Copy Queue | hlq.DEFINE.QUEUE | ALTER | hlq.QUEUE.queue | ALTER |
| Copy Subscription | hlq.DEFINE.SUB | ALTER | No check | - |
| Copy Storage Class | hlq.DEFINE.STGCLASS | ALTER | No check | - |
| Copy Topic | hlq.DEFINE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
| Create Authentication Information Object | hlq.DEFINE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
| Create CF Structure | hlq.DEFINE.CFSTRUCT | ALTER | No check | - |
| Create Channel | hlq.DEFINE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
| Create Namelist | hlq.DEFINE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
| Create Process | hlq.DEFINE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
| Create Queue | hlq.DEFINE.QUEUE | ALTER | hlq.QUEUE.queue | ALTER |
| Create Storage Class | hlq.DEFINE.STGCLASS | ALTER | No check | - |
| Create Subscription | hlq.DEFINE.SUB | ALTER | No check | - |
| Create Topic | hlq.DEFINE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
| Delete Authentication Information Object | hlq.DELETE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
| Delete CF Structure | hlq.DELETE.CFSTRUCT | ALTER | No check | - |
| Delete Channel | hlq.DELETE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
| Delete Namelist | hlq.DELETE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
| Delete Process | hlq.DELETE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
| Delete Queue | hlq.DELETE.QUEUE | ALTER | hlq.QUEUE.queue | ALTER |
| Delete Storage Class | hlq.DELETE.STGCLASS | ALTER | No check | - |
| Delete Subscription | hlq.DELETE.SUB | ALTER | No check | - |
| Delete Topic | hlq.DELETE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
| Inquire Archive | hlq.DISPLAY.ARCHIVE | READ | No check | - |
| Inquire Authentication Information Object | hlq.DISPLAY.AUTHINFO | READ | No check | - |
| Inquire Authentication Information Object Names | hlq.DISPLAY.AUTHINFO | READ | No check | - |
| Inquire CF Structure | hlq.DISPLAY.CFSTRUCT | READ | No check | - |
| Inquire CF Structure Names | hlq.DISPLAY.CFSTRUCT | READ | No check | - |
| Inquire CF Structure Status | hlq.DISPLAY.CFSTATUS | READ | No check | - |
| Inquire Channel | hlq.DISPLAY.CHANNEL | READ | No check | - |
| Inquire Channel Authentication Records | hlq.DISPLAY.CHLAUTH | READ | No check | - |
| Inquire Channel Initiator | hlq.DISPLAY.CHINIT | READ | No check | - |
| Inquire Channel Names | hlq.DISPLAY.CHANNEL | READ | No check | - |
| Inquire Channel Status | hlq.DISPLAY.CHSTATUS | READ | No check | - |
| Inquire Cluster Queue Manager | hlq.DISPLAY.CLUSQMGR | READ | No check | - |
| Inquire Connection | hlq.DISPLAY.CONNPCF | READ | No check | - |
| Inquire Group | hlq.DISPLAY.GROUP | READ | No check | - |
| Inquire Log | hlq.DISPLAY.LOG | READ | No check | - |
| Inquire Namelist | hlq.DISPLAY.NAMELIST | READ | No check | - |
| Inquire Namelist Names | hlq.DISPLAY.NAMELIST | READ | No check | - |
| Inquire Process | hlq.DISPLAY.PROCESS | READ | No check | - |
| Inquire Process Names | hlq.DISPLAY.PROCESS | READ | No check | - |
| Inquire Pub/Sub Status | hlq.DISPLAY.PUBSUB | READ | No check | - |
| Inquire Queue | hlq.DISPLAY.QUEUE | READ | No check | - |
| Inquire Queue Manager | hlq.DISPLAY.QMGR | READ | No check | - |
| Inquire Queue Names | hlq.DISPLAY.QUEUE | READ | No check | - |
| Inquire Queue Status | hlq.DISPLAY.QSTATUS | READ | No check | - |
| Inquire Security | hlq.DISPLAY.SECURITY | READ | No check | - |
| Inquire SMDS | hlq.DISPLAY.SMDS | READ | No check | - |
| Inquire SMDSCONN | hlq.DISPLAY.SMDSCONN | READ | No check | - |
| Inquire Storage Class | hlq.DISPLAY.STGCLASS | READ | No check | - |
| Inquire Storage Class Names | hlq.DISPLAY.STGCLASS | READ | No check | - |
| Inquire Subscription | hlq.INQUIRE.SUB | READ | No check | - |
| Inquire Subscription Status | hlq.INQUIRE.SBSTATUS | READ | No check | - |
| Inquire System | hlq.DISPLAY.SYSTEM | READ | No check | - |
| Inquire Topic | hlq.DISPLAY.TOPIC | READ | No check | - |
| Inquire Topic Names | hlq.DISPLAY.TOPIC | READ | No check | - |
| Inquire Topic Status | hlq.DISPLAY.TPSTATUS | READ | No check | - |
| Inquire Usage | hlq.DISPLAY.USAGE | READ | No check | - |
| Move Queue | hlq.MOVE.QLOCAL | ALTER | hlq.QUEUE.from-queue hlq.QUEUE.to-queue | ALTER |
| Ping Channel | hlq.PING.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| Recover CF Structure | hlq.RECOVER.CFSTRUCT | CONTROL | No check | - |
| Refresh Cluster | hlq.REFRESH.CLUSTER | ALTER | No check | - |
| Refresh Queue Manager | hlq.REFRESH.QMGR | ALTER | No check | - |
| Refresh Security | hlq.REFRESH.SECURITY | ALTER | No check | - |
| Reset CF Structure | hlq.RESET.CFSTRUCT | CONTROL | No check | - |
| Reset Channel | hlq.RESET.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| Reset Cluster | hlq.RESET.CLUSTER | CONTROL | No check | - |
| Reset Queue Manager | hlq.RESET.QMGR | CONTROL | No check | - |
| Reset Queue Statistics | hlq.RESET.QSTATS | CONTROL | hlq.QUEUE.queue | CONTROL |
| Reset SMDS | hlq.RESET.SMDS | CONTROL | No check | - |
| Resolve Channel | hlq.RESOLVE.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| Resume Queue Manager | hlq.RESUME.QMGR | CONTROL | No check | - |
| Resume Queue Manager Cluster | hlq.RESUME.QMGR | CONTROL | No check | - |
| Reverify Security | hlq.RVERIFY.SECURITY | ALTER | No check | - |
| Set Archive | hlq.SET.ARCHIVE | CONTROL | No check | - |
| Set Channel Authentication Record | hlq.SET.CHLAUTH | CONTROL | No check | - |
| Set Log | hlq.SET.LOG | CONTROL | No check | - |
| Set System | hlq.SET.SYSTEM | CONTROL | No check | - |
| Start Channel | hlq.START.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| Start Channel Initiator | hlq.START.CHINIT | CONTROL | No check | - |
| Start Channel Listener | hlq.START.LISTENER | CONTROL | No check | - |
| Start SMDS Connection | hlq.START.SMDSCONN | CONTROL | No check | - |
| Stop Channel | hlq.STOP.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
| Stop Channel Initiator | hlq.STOP.CHINIT | CONTROL | No check | - |
| Stop Channel Listener | hlq.STOP.LISTENER | CONTROL | No check | - |
| Stop SMDS Connection | hlq.STOP.SMDSCONN | CONTROL | No check | - |
| Suspend Queue Manager | hlq.SUSPEND.QMGR | CONTROL | No check | - |
| Suspend Queue Manager Cluster | hlq.SUSPEND.QMGR | CONTROL | No check | - |

Notes:
1. The hlq.TOPIC.topic resource refers to the Topic object derived from the TOPICSTR. For more details, see Publish/subscribe security.
See IBM MQ Console - required command security profiles for details of the IBM MQ PCF profiles required when using the IBM MQ Console.
- IBM MQ Console - required command security profiles
Operations performed in the IBM MQ Console by a user in the MQWebAdmin, or MQWebAdminRO, role take place under the security context of the mqweb server started task user ID. To use the IBM MQ Console, the mqweb server started task user ID needs authorization to issue certain PCF commands.