Profiles for command security
To enable security checking for commands, add profiles to the MQCMDS class. The profile names are based on the MQSC commands but control both MQSC and PCF commands. Profiles can apply to a queue manager or a queue sharing group.
If you want security checking for commands (so you have not defined the command security switch profile hlq.NO.CMD.CHECKS) you must add profiles to the MQCMDS class.
hlq.verb.pkw
Where hlq
can be either qmgr-name
(queue manager name) or
qsg-name
(queue sharing group name), verb
is the verb part of the
command name, for example ALTER, and pkw
is the object type, for example QLOCAL for
a local queue.
CSQ1.ALTER.QLOCAL
You can use generic profiles to protect sets of commands so that you have fewer profiles to maintain and, therefore, fewer access lists. Consider creating a generic profile that applies to all commands not protected by a more specific profile. Define this profile with UACC(NONE) and grant ALTER access only to the RACF groups containing administrators. You might then create a generic profile applicable to all DISPLAY commands and grant widespread access to it. Between these extremes, you might identify groups of users needing access to certain sets of commands, in which case you can create profiles for those sets and grant access to RACF groups representing those classes of user. Avoid giving users access to commands they do not require: Apply the principle of least privilege, so that users only have access to the commands that are required for their jobs.
A profile prefixed by the queue manager name controls the use of the command on that queue manager. A profile prefixed by the queue sharing group name controls the use of the command on all queue managers within the queue sharing group. This access can be overridden on an individual queue manager by defining a queue manager level profile for that command on that queue manager.
If your queue manager is a member of a queue sharing group and you are using both queue manager and queue sharing group level security, IBM® MQ checks for a profile prefixed by the queue manager name. If it does not find one, it looks for a profile prefixed by the queue sharing group name.
By setting up command profiles at queue manager level, a user can be restricted from issuing commands on a particular queue manager. Alternatively, you can define one profile for a queue sharing group for each command verb, and all security checks take place against that profile instead of individual queue managers.
If both subsystem security and queue sharing group security are active and a local profile is not found, a command security check is performed to see if the user has access to a queue sharing group profile.
If you use the CMDSCOPE attribute to route a command to other queue managers in a queue sharing group, security is checked on each queue manager where the command is run, but not necessarily on the queue manager where the command is entered.
Table 1 shows, for each IBM MQ MQSC command, the profiles required for command security checking to be carried out, and the corresponding access level for each profile in the MQCMDS class.
Table 2 shows, for each IBM MQ PCF command, the profiles required for command security checking to be carried out, and the corresponding access level for each profile in the MQCMDS class.
Command | Command profile for MQCMDS | Access level for MQCMDS | Command resource profile for MQADMIN or MXADMIN | Access level for MQADMIN or MXADMIN |
---|---|---|---|---|
ALTER AUTHINFO | hlq.ALTER.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
ALTER BUFFPOOL | hlq.ALTER.BUFFPOOL | ALTER | No check | - |
ALTER CFSTRUCT | hlq.ALTER.CFSTRUCT | ALTER | No check | - |
ALTER CHANNEL | hlq.ALTER.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
ALTER NAMELIST | hlq.ALTER.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
ALTER PROCESS | hlq.ALTER.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
ALTER PSID | hlq.ALTER.PSID | ALTER | No check | - |
ALTER QALIAS | hlq.ALTER.QALIAS | ALTER | hlq.QUEUE.queue | ALTER |
ALTER QLOCAL | hlq.ALTER.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
ALTER QMGR | hlq.ALTER.QMGR | ALTER | No check | - |
ALTER QMODEL | hlq.ALTER.QMODEL | ALTER | hlq.QUEUE.queue | ALTER |
ALTER QREMOTE | hlq.ALTER.QREMOTE | ALTER | hlq.QUEUE.queue | ALTER |
ALTER SECURITY | hlq.ALTER.SECURITY | ALTER | No check | - |
ALTER SMDS | hlq.ALTER.SMDS | ALTER | No check | - |
ALTER STGCLASS | hlq.ALTER.STGCLASS | ALTER | No check | - |
ALTER SUB | hlq.ALTER.SUB | ALTER | No check | - |
ALTER TOPIC | hlq.ALTER.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
ALTER TRACE | hlq.ALTER.TRACE | ALTER | No check | - |
ARCHIVE LOG | hlq.ARCHIVE.LOG | CONTROL | No check | - |
BACKUP CFSTRUCT | hlq.BACKUP.CFSTRUCT | CONTROL | No check | - |
CLEAR QLOCAL | hlq.CLEAR.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
CLEAR TOPICSTR 3 | hlq.CLEAR.TOPICSTR | ALTER | hlq.TOPIC.topic | ALTER |
DEFINE AUTHINFO | hlq.DEFINE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
DEFINE BUFFPOOL | hlq.DEFINE.BUFFPOOL | ALTER | No check | - |
DEFINE CFSTRUCT | hlq.DEFINE.CFSTRUCT | ALTER | No check | - |
DEFINE CHANNEL | hlq.DEFINE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
DEFINE LOG | hlq.DEFINE.LOG | ALTER | No check | - |
DEFINE MAXSMSGS | hlq.DEFINE.MAXSMSGS | ALTER | No check | - |
DEFINE NAMELIST | hlq.DEFINE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
DEFINE PROCESS | hlq.DEFINE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
DEFINE PSID | hlq.DEFINE.PSID | ALTER | No check | - |
DEFINE QALIAS | hlq.DEFINE.QALIAS | ALTER | hlq.QUEUE.queue | ALTER |
DEFINE QLOCAL | hlq.DEFINE.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
DEFINE QMODEL | hlq.DEFINE.QMODEL | ALTER | hlq.QUEUE.queue | ALTER |
DEFINE QREMOTE | hlq.DEFINE.QREMOTE | ALTER | hlq.QUEUE.queue | ALTER |
DEFINE STGCLASS | hlq.DEFINE.STGCLASS | ALTER | No check | - |
DEFINE SUB | hlq.DEFINE.SUB | ALTER | No check | - |
DEFINE TOPIC | hlq.DEFINE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
DELETE AUTHINFO | hlq.DELETE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
DELETE BUFFPOOL | hlq.DELETE.BUFFPOOL | ALTER | No check | - |
DELETE CFSTRUCT | hlq.DELETE.CFSTRUCT | ALTER | No check | - |
DELETE CHANNEL | hlq.DELETE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
DELETE NAMELIST | hlq.DELETE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
DELETE PROCESS | hlq.DELETE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
DELETE PSID | hlq.DELETE.PSID | ALTER | No check | - |
DELETE QALIAS | hlq.DELETE.QALIAS | ALTER | hlq.QUEUE.queue | ALTER |
DELETE QLOCAL | hlq.DELETE.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
DELETE QMODEL | hlq.DELETE.QMODEL | ALTER | hlq.QUEUE.queue | ALTER |
DELETE QREMOTE | hlq.DELETE.QREMOTE | ALTER | hlq.QUEUE.queue | ALTER |
DELETE STGCLASS | hlq.DELETE.STGCLASS | ALTER | No check | - |
DELETE SUB | hlq.DELETE.SUB | ALTER | No check | - |
DELETE TOPIC | hlq.DELETE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
DISPLAY ARCHIVE 1 | hlq.DISPLAY.ARCHIVE | READ | No check | - |
DISPLAY AUTHINFO | hlq.DISPLAY.AUTHINFO | READ | No check | - |
DISPLAY CFSTATUS | hlq.DISPLAY.CFSTATUS | READ | No check | - |
DISPLAY CFSTRUCT | hlq.DISPLAY.CFSTRUCT | READ | No check | - |
DISPLAY CHANNEL | hlq.DISPLAY.CHANNEL | READ | No check | - |
DISPLAY CHINIT | hlq.DISPLAY.CHINIT | READ | No check | - |
DISPLAY CHLAUTH | hlq.DISPLAY.CHLAUTH | READ | No check | - |
DISPLAY CHSTATUS | hlq.DISPLAY.CHSTATUS | READ | No check | - |
DISPLAY CLUSQMGR | hlq.DISPLAY.CLUSQMGR | READ | No check | - |
DISPLAY CMDSERV | hlq.DISPLAY.CMDSERV | READ | No check | - |
DISPLAY CONN 1 | hlq.DISPLAY.CONN | READ | No check | - |
DISPLAY GROUP | hlq.DISPLAY.GROUP | READ | No check | - |
DISPLAY LOG 1 | hlq.DISPLAY.LOG | READ | No check | - |
DISPLAY MAXSMSGS | hlq.DISPLAY.MAXSMSGS | READ | No check | - |
DISPLAY NAMELIST | hlq.DISPLAY.NAMELIST | READ | No check | - |
DISPLAY PROCESS | hlq.DISPLAY.PROCESS | READ | No check | - |
DISPLAY PUBSUB | hlq.DISPLAY.PUBSUB | READ | No check | - |
DISPLAY QALIAS | hlq.DISPLAY.QALIAS | READ | No check | - |
DISPLAY QCLUSTER | hlq.DISPLAY.QCLUSTER | READ | No check | - |
DISPLAY QLOCAL | hlq.DISPLAY.QLOCAL | READ | No check | - |
DISPLAY QMGR | hlq.DISPLAY.QMGR | READ | No check | - |
DISPLAY QMODEL | hlq.DISPLAY.QMODEL | READ | No check | - |
DISPLAY QREMOTE | hlq.DISPLAY.QREMOTE | READ | No check | - |
DISPLAY QSTATUS | hlq.DISPLAY.QSTATUS | READ | No check | - |
DISPLAY QUEUE | hlq.DISPLAY.QUEUE | READ | No check | - |
DISPLAY SBSTATUS | hlq.DISPLAY.SBSTATUS | READ | No check | - |
DISPLAY SMDS | hlq.DISPLAY.SMDS | READ | No check | - |
DISPLAY SMDSCONN | hlq.DISPLAY.SMDSCONN | READ | No check | - |
DISPLAY SUB | hlq.DISPLAY.SUB | READ | No check | - |
DISPLAY SECURITY | hlq.DISPLAY.SECURITY | READ | No check | - |
DISPLAY STGCLASS | hlq.DISPLAY.STGCLASS | READ | No check | - |
DISPLAY SYSTEM 1 | hlq.DISPLAY.SYSTEM | READ | No check | - |
DISPLAY THREAD | hlq.DISPLAY.THREAD | READ | No check | - |
DISPLAY TPSTATUS | hlq.DISPLAY.TPSTATUS | READ | No check | - |
DISPLAY TOPIC | hlq.DISPLAY.TOPIC | READ | No check | - |
DISPLAY TPSTATUS | hlq.DISPLAY.TPSTATUS | READ | No check | - |
DISPLAY TRACE | hlq.DISPLAY.TRACE | READ | No check | - |
DISPLAY USAGE 1 | hlq.DISPLAY.USAGE | READ | No check | - |
MOVE QLOCAL | hlq.MOVE.QLOCAL | ALTER | hlq.QUEUE.from-queue hlq.QUEUE.to-queue | ALTER |
PING CHANNEL | hlq.PING.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
RECOVER BSDS | hlq.RECOVER.BSDS | CONTROL | No check | - |
RECOVER CFSTRUCT | hlq.RECOVER.CFSTRUCT | CONTROL | No check | - |
REFRESH CLUSTER | hlq.REFRESH.CLUSTER | ALTER | No check | - |
REFRESH QMGR | hlq.REFRESH.QMGR | ALTER | No check | - |
REFRESH SECURITY | hlq.REFRESH.SECURITY | ALTER | No check | - |
RESET CFSTRUCT | hlq.RESET.CFSTRUCT | CONTROL | No check | - |
RESET CHANNEL | hlq.RESET.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
RESET CLUSTER | hlq.RESET.CLUSTER | CONTROL | No check | - |
RESET QMGR | hlq.RESET.QMGR | CONTROL | No check | - |
RESET QSTATS | hlq.RESET.QSTATS | CONTROL | hlq.QUEUE.queue | CONTROL |
RESET SMDS | hlq.RESET.SMDS | CONTROL | No check | - |
RESET TPIPE | hlq.RESET.TPIPE | CONTROL | No check | - |
RESOLVE CHANNEL | hlq.RESOLVE.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
RESOLVE INDOUBT | hlq.RESOLVE.INDOUBT | CONTROL | No check | - |
RESUME QMGR | hlq.RESUME.QMGR | CONTROL | No check | - |
RVERIFY SECURITY | hlq.RVERIFY.SECURITY | ALTER | No check | - |
SET ARCHIVE | hlq.SET.ARCHIVE | CONTROL | No check | - |
SET CHLAUTH | hlq.SET.CHLAUTH | CONTROL | No check | - |
SET LOG | hlq.SET.LOG | CONTROL | No check | - |
SET SYSTEM | hlq.SET.SYSTEM | CONTROL | No check | - |
START CHANNEL | hlq.START.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
START CHINIT 4 | hlq.START.CHINIT | CONTROL | No check | - |
START CMDSERV | hlq.START.CMDSERV | CONTROL | No check | - |
START LISTENER | hlq.START.LISTENER | CONTROL | No check | - |
START QMGR | None 2 | - | - | - |
START SMDSCONN | hlq.START.SMDSCONN | CONTROL | No check | - |
START TRACE | hlq.START.TRACE | CONTROL | No check | - |
STOP CHANNEL | hlq.STOP.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
STOP CHINIT | hlq.STOP.CHINIT | CONTROL | No check | - |
STOP CMDSERV | hlq.STOP.CMDSERV | CONTROL | No check | - |
STOP LISTENER | hlq.STOP.LISTENER | CONTROL | No check | - |
STOP QMGR | hlq.STOP.QMGR | CONTROL | No check | - |
STOP SMDSCONN | hlq.STOP.SMDSCONN | CONTROL | No check | - |
STOP TRACE | hlq.STOP.TRACE | CONTROL | No check | - |
SUSPEND QMGR | hlq.SUSPEND.QMGR | CONTROL | No check | - |
- These commands might be issued internally by the queue manager; no authority is checked in these cases.
- IBM MQ does not check the authority of the user who issues the START QMGR command. However, you can use RACF, or your alternative security facilities to control access to the START xxxxMSTR command that is issued as a result of the START QMGR command. This is done by controlling access to the MVS.START.STC.xxxxMSTR profile in the RACF operator commands (OPERCMDS) class. For details of this procedure, see the z/OS SecureWay Security Server RACF Security Administrator's Guide. If you use this technique, and an unauthorized user tries to start the queue manager, it terminates with a reason code of 00F30216.
- The hlq.TOPIC.topic resource refers to the Topic object derived from the TOPICSTR. For more details, see Publish/subscribe security
- At releases prior to IBM MQ for z/OS® V6, the
security check was for MVS.START.STC.CSQ1CHIN. At IBM MQ for z/OS V6 and later, the resource name has an additional
JOBNAME qualifier appended to it. This can cause problems when starting the channel initiator.
To resolve the problem replace MVS.START.STC. ssid CHIN with a profile for a resource named MVS.START.STC. ssid CHIN .* or MVS.START.STC. ssid CHIN. ssid CHIN where ssid is the subsystem ID for the queue manager. This requires RACF UPDATE authority. For more details, see the z/OS product documentation for Operation planning, MVS Commands, RACF Access Authorities, and Resource Names.
The START for ssid MSTR does not include the JOBNAME= parameter. For consistency, you might want to update the profile for MVS.START.STC.ssidMSTR to MVS.START.STC.ssidMSTR.*.
Command | Command profile for MQCMDS | Access level for MQCMDS | Command resource profile for MQADMIN or MXADMIN | Access level for MQADMIN or MXADMIN |
---|---|---|---|---|
Backup CF Structure | hlq.BACKUP.CFSTRUCT | CONTROL | No check | - |
Change Authentication Information Object | hlq.ALTER.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
Change CF Structure | hlq.ALTER.CFSTRUCT | ALTER | No check | - |
Change Channel | hlq.ALTER.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
Change Namelist | hlq.ALTER.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
Change Process | hlq.ALTER.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
Change Queue | hlq.ALTER.QUEUE | ALTER | hlq.QUEUE.queue | ALTER |
Change Queue Manager | hlq.ALTER.QMGR | ALTER | No check | - |
Change Security | hlq.ALTER.SECURITY | ALTER | No check | - |
Change SMDS | hlq.ALTER.SMDS | ALTER | No check | - |
Change Storage Class | hlq.ALTER.STGCLASS | ALTER | No check | - |
Change Subscription | hlq.ALTER.SUB | ALTER | No check | - |
Change Topic | hlq.ALTER.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
Clear Queue | hlq.CLEAR.QLOCAL | ALTER | hlq.QUEUE.queue | ALTER |
Clear Topic String 1 | hlq.CLEAR.TOPICSTR | ALTER | hlq.TOPIC.topic | ALTER |
Copy Authentication Information Object | hlq.DEFINE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
Copy CF Structure | hlq.DEFINE.CFSTRUCT | ALTER | No check | - |
Copy Channel | hlq.DEFINE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
Copy Namelist | hlq.DEFINE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
Copy Process | hlq.DEFINE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
Copy Queue | hlq.DEFINE.QUEUE | ALTER | hlq.QUEUE.queue | ALTER |
Copy Subscription | hlq.DEFINE.SUB | ALTER | No check | - |
Copy Storage Class | hlq.DEFINE.STGCLASS | ALTER | No check | - |
Copy Topic | hlq.DEFINE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
Create Authentication Information Object | hlq.DEFINE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
Create CF Structure | hlq.DEFINE.CFSTRUCT | ALTER | No check | - |
Create Channel | hlq.DEFINE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
Create Namelist | hlq.DEFINE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
Create Process | hlq.DEFINE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
Create Queue | hlq.DEFINE.QUEUE | ALTER | hlq.QUEUE.queue | ALTER |
Create Storage Class | hlq.DEFINE.STGCLASS | ALTER | No check | - |
Create Subscription | hlq.DEFINE.SUB | ALTER | No check | - |
Create Topic | hlq.DEFINE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
Delete Authentication Information Object | hlq.DELETE.AUTHINFO | ALTER | hlq.AUTHINFO.resourcename | ALTER |
Delete CF Structure | hlq.DELETE.CFSTRUCT | ALTER | No check | - |
Delete Channel | hlq.DELETE.CHANNEL | ALTER | hlq.CHANNEL.channel | ALTER |
Delete Namelist | hlq.DELETE.NAMELIST | ALTER | hlq.NAMELIST.namelist | ALTER |
Delete Process | hlq.DELETE.PROCESS | ALTER | hlq.PROCESS.process | ALTER |
Delete Queue | hlq.DELETE.QUEUE | ALTER | hlq.QUEUE.queue | ALTER |
Delete Storage Class | hlq.DELETE.STGCLASS | ALTER | No check | - |
Delete Subscription | hlq.DELETE.SUB | ALTER | No check | - |
Delete Topic | hlq.DELETE.TOPIC | ALTER | hlq.TOPIC.topic | ALTER |
Inquire Archive | hlq.DISPLAY.ARCHIVE | READ | No check | - |
Inquire Authentication Information Object | hlq.DISPLAY.AUTHINFO | READ | No check | - |
Inquire Authentication Information Object Names | hlq.DISPLAY.AUTHINFO | READ | No check | - |
Inquire CF Structure | hlq.DISPLAY.CFSTRUCT | READ | No check | - |
Inquire CF Structure Names | hlq.DISPLAY.CFSTRUCT | READ | No check | - |
Inquire CF Structure Status | hlq.DISPLAY.CFSTATUS | READ | No check | - |
Inquire Channel | hlq.DISPLAY.CHANNEL | READ | No check | - |
Inquire Channel Authentication Records | hlq.DISPLAY.CHLAUTH | READ | No check | - |
Inquire Channel Initiator | hlq.DISPLAY.CHINIT | READ | No check | - |
Inquire Channel Names | hlq.DISPLAY.CHANNEL | READ | No check | - |
Inquire Channel Status | hlq.DISPLAY.CHSTATUS | READ | No check | - |
Inquire Cluster Queue Manager | hlq.DISPLAY.CLUSQMGR | READ | No check | - |
Inquire Connection | hlq.DISPLAY.CONNPCF | READ | No check | - |
Inquire Group | hlq.DISPLAY.GROUP | READ | No check | - |
Inquire Log | hlq.DISPLAY.LOG | READ | No check | - |
Inquire Namelist | hlq.DISPLAY.NAMELIST | READ | No check | - |
Inquire Namelist Names | hlq.DISPLAY.NAMELIST | READ | No check | - |
Inquire Process | hlq.DISPLAY.PROCESS | READ | No check | - |
Inquire Process Names | hlq.DISPLAY.PROCESS | READ | No check | - |
Inquire Pub/Sub Status | hlq.DISPLAY.PUBSUB | READ | No check | - |
Inquire Queue | hlq.DISPLAY.QUEUE | READ | No check | - |
Inquire Queue Manager | hlq.DISPLAY.QMGR | READ | No check | - |
Inquire Queue Names | hlq.DISPLAY.QUEUE | READ | No check | - |
Inquire Queue Status | hlq.DISPLAY.QSTATUS | READ | No check | - |
Inquire Security | hlq.DISPLAY.SECURITY | READ | No check | - |
Inquire SMDS | hlq.DISPLAY.SMDS | READ | No check | - |
Inquire SMDSCONN | hlq.DISPLAY.SMDSCONN | READ | No check | - |
Inquire Storage Class | hlq.DISPLAY.STGCLASS | READ | No check | - |
Inquire Storage Class Names | hlq.DISPLAY.STGCLASS | READ | No check | - |
Inquire Subscription | hlq.INQUIRE.SUB | READ | No check | - |
Inquire Subscription Status | hlq.INQUIRE.SBSTATUS | READ | No check | - |
Inquire System | hlq.DISPLAY.SYSTEM | READ | No check | - |
Inquire Topic | hlq.DISPLAY.TOPIC | READ | No check | - |
Inquire Topic Names | hlq.DISPLAY.TOPIC | READ | No check | - |
Inquire Topic Status | hlq.DISPLAY.TPSTATUS | READ | No check | - |
Inquire Usage | hlq.DISPLAY.USAGE | READ | No check | - |
Move Queue | hlq.MOVE.QLOCAL | ALTER | hlq.QUEUE.from-queue hlq.QUEUE.to-queue | ALTER |
Ping Channel | hlq.PING.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
Recover CF Structure | hlq.RECOVER.CFSTRUCT | CONTROL | No check | - |
Refresh Cluster | hlq.REFRESH.CLUSTER | ALTER | No check | - |
Refresh Queue Manager | hlq.REFRESH.QMGR | ALTER | No check | - |
Refresh Security | hlq.REFRESH.SECURITY | ALTER | No check | - |
Reset CF Structure | hlq.RESET.CFSTRUCT | CONTROL | No check | - |
Reset Channel | hlq.RESET.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
Reset Cluster | hlq.RESET.CLUSTER | CONTROL | No check | - |
Reset Queue Manager | hlq.RESET.QMGR | CONTROL | No check | - |
Reset Queue Statistics | hlq.RESET.QSTATS | CONTROL | hlq.QUEUE.queue | CONTROL |
Reset SMDS | hlq.RESET.SMDS | CONTROL | No check | - |
Resolve Channel | hlq.RESOLVE.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
Resume Queue Manager | hlq.RESUME.QMGR | CONTROL | No check | - |
Resume Queue Manager Cluster | hlq.RESUME.QMGR | CONTROL | No check | - |
Reverify Security | hlq.RVERIFY.SECURITY | ALTER | No check | - |
Set Archive | hlq.SET.ARCHIVE | CONTROL | No check | - |
Set Channel Authentication Record | hlq.SET.CHLAUTH | CONTROL | No check | - |
Set Log | hlq.SET.LOG | CONTROL | No check | - |
Set System | hlq.SET.SYSTEM | CONTROL | No check | - |
Start Channel | hlq.START.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
Start Channel Initiator | hlq.START.CHINIT | CONTROL | No check | - |
Start Channel Listener | hlq.START.LISTENER | CONTROL | No check | - |
Start SMDS Connection | hlq.START.SMDSCONN | CONTROL | No check | - |
Stop Channel | hlq.STOP.CHANNEL | CONTROL | hlq.CHANNEL.channel | CONTROL |
Stop Channel Initiator | hlq.STOP.CHINIT | CONTROL | No check | - |
Stop Channel Listener | hlq.STOP.LISTENER | CONTROL | No check | - |
Stop SMDS Connection | hlq.STOP.SMDSCONN | CONTROL | No check | - |
Suspend Queue Manager | hlq.SUSPEND.QMGR | CONTROL | No check | - |
Suspend Queue Manager Cluster | hlq.SUSPEND.QMGR | CONTROL | No check | - |
- The hlq.TOPIC.topic resource refers to the Topic object derived from the TOPICSTR. For more details, see Publish/subscribe security
See IBM MQ Console - required command security profiles for details of the IBM MQ PCF profiles required, when using the IBM MQ Console.