IBM Support

On z/OS there is no concept of a "privileged user"

Technote (troubleshooting)


On z/OS there is no concept of a "privileged user".


You are on z/OS WebSphere MQ V7.1 and trying to activate CHLAUTH. You run into a problem with the *MQADMIN test which does not appear to work the same on z/OS as it does on AIX.


On z/OS there is no concept of a "privileged user". In the WebSphere MQ product documentation z/OS isn't listed in the platforms for privileged users.

Resolving the problem

You might consider using the USERLIST attribute in the SET CHLAUTH command and *MQADMIN on the different platforms.

Channel authentication

Inquire Channel Authentication Records (Response)


    A list of up to 100 user IDs which are banned from use of this channel or set of channels. Use the special value *MQADMIN to mean privileged or administrative users. The definition of this value depends on the operating system, as follows:
    • On Windows, all members of the mqm group, the Administrators group and SYSTEM.
    • On UNIX and Linux, all members of the mqm group.
    • On IBM i, the profiles (users) qmqm and qmqmadm and all members of the qmqmadm group, and any user defined with the *ALLOBJ special setting.
    • On z/OS, the user ID that the channel initiator and queue manager address spaces are running under.
    For more information about privileged users, see Privileged users

    This parameter is only valid with TYPE(BLOCKUSER).

Essentially, on z/OS the *MQADMIN value will ONLY block the user ids that the MSTR and CHIN address spaces are started under.

When securing channels, you might consider using a "back-stop" rule to control access as described in the following developerWorks article: CHLAUTH - the back-stop rule.

Product Alias/Synonym


Document information

More support for: WebSphere MQ

Software version: 7.1

Operating system(s): Platform Independent, z/OS

Reference #: 1643861

Modified date: 02 July 2015

Translate this page: