Restricted mode

This option applies to UNIX and Linux® systems only. The RestrictedMode stanza is set by the -g option on the crtmqm command. Do not change this stanza after the queue manager has been created. If you do not use the -g option, the stanza is not created in the qm.ini file.

Within the queue manager data directory there are some directories in which IBM® WebSphere® MQ applications create files while they are connected to the queue manager. So that applications can create files in these directories, the directories are granted world write access:
  • /var/mqm/sockets/QMgrName/@ipcc/ssem/hostname/
  • /var/mqm/sockets/QMgrName/@app/ssem/hostname/
  • /var/mqm/sockets/QMgrName/zsocketapp/hostname/
where QMgrName is the name of the queue manager, and hostname is the host name.

On some systems, it is unacceptable to grant all users write access to these directories, for example users who do not need to access the queue manager. Restricted mode modifies the permissions of the directories that store queue manager data so that they can be accessed only by members of the specified application group. The permissions on the System V IPC shared memory used to communicate with the queue manager are modified in the same way.

The application group is the name of the group with members that have permission to do the following things:
  • run MQI applications
  • update all IPCC resources
  • change the contents of some queue manager directories
To use restricted mode for a queue manager:
  • The creator of the queue manager must be in the mqm group and in the application group.
  • The mqm user ID must be in the application group.
  • All users who want to administer the queue manager must be in the mqm group and in the application group.
  • All users who want to run IBM WebSphere MQ applications must be in the application group.

Any MQCONN or MQCONNX call issued by a user who is not in the application group fails with reason code MQRC_Q_MGR_NOT_AVAILABLE.
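The membership rules above are easy to get wrong on a multi-user host, so the following added example (not IBM's code, and not part of the original page) checks them from configuration data before anyone hits MQRC_Q_MGR_NOT_AVAILABLE. It assumes the RestrictedMode stanza in qm.ini is written as `RestrictedMode:` followed by an indented `ApplicationGroup=<group>` line (an assumption; the page only names the stanza), reads group membership in /etc/group format, and also flags which of the application directories listed above are still world-writable. The qm.ini fragment, group file and directory modes are all constructed sample data.

```python
"""Check restricted-mode prerequisites for a WebSphere MQ queue manager.

Added example, not IBM's code. Assumptions: the qm.ini stanza is
'RestrictedMode:' with an indented 'ApplicationGroup=<grp>' line; group
membership is supplied in /etc/group format (users whose *primary* group
is mqm or the application group are not visible there and are ignored).
"""
import stat
from typing import Dict, Iterable, List, Optional, Set

# Constructed qm.ini fragment (only the stanzas needed for the example).
SAMPLE_QM_INI = """\
ExitPath:
   ExitsDefaultPath=/var/mqm/exits
RestrictedMode:
   ApplicationGroup=mqapp
Log:
   LogPrimaryFiles=3
"""

# Constructed /etc/group lines: name:password:gid:member1,member2
SAMPLE_ETC_GROUP = """\
mqm:x:1000:mqm,alice,bob
mqapp:x:1001:mqm,alice,carol
staff:x:50:dave
"""

# Constructed modes for the three application directories, as they look
# with world write access (before restricted mode is applied).
SAMPLE_DIR_MODES = {
    "/var/mqm/sockets/QM1/@ipcc/ssem/host1/": 0o777,
    "/var/mqm/sockets/QM1/@app/ssem/host1/": 0o777,
    "/var/mqm/sockets/QM1/zsocketapp/host1/": 0o777,
}


def parse_qm_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse qm.ini stanzas: an unindented line ending in ':' opens a
    stanza; indented Key=Value lines belong to it; '#' starts a comment."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def application_group(qm_ini_text: str) -> Optional[str]:
    """Return the ApplicationGroup name, or None when the queue manager was
    created without crtmqm -g (the stanza is then absent from qm.ini)."""
    return parse_qm_ini(qm_ini_text).get("RestrictedMode", {}).get("ApplicationGroup")


def parse_etc_group(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of supplementary members from /etc/group text."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def check_membership(groups: Dict[str, Set[str]], app_group: str,
                     admins: Iterable[str], app_users: Iterable[str]) -> List[str]:
    """Apply the restricted-mode membership rules and return the violations
    found (an empty list means every rule holds):
      - the mqm user ID must be in the application group
      - administrators must be in mqm AND in the application group
      - application users must be in the application group
    """
    if app_group not in groups:
        return [f"application group '{app_group}' does not exist"]
    mqm, app = groups.get("mqm", set()), groups[app_group]
    problems: List[str] = []
    if "mqm" not in app:
        problems.append(f"user mqm is not in group {app_group}")
    for user in admins:
        if user not in mqm:
            problems.append(f"administrator {user} is not in group mqm")
        if user not in app:
            problems.append(f"administrator {user} is not in group {app_group}")
    for user in app_users:
        if user not in app:
            problems.append(f"application user {user} is not in group {app_group}; "
                            "MQCONN would fail with MQRC_Q_MGR_NOT_AVAILABLE")
    return problems


def world_writable_dirs(modes: Dict[str, int]) -> List[str]:
    """Return the directories whose mode still carries the 'other' write bit,
    i.e. those restricted mode is meant to lock down to the application group."""
    return [path for path, mode in modes.items() if mode & stat.S_IWOTH]


if __name__ == "__main__":
    grp = application_group(SAMPLE_QM_INI)
    groups = parse_etc_group(SAMPLE_ETC_GROUP)
    print("application group:", grp)
    print("violations:", check_membership(groups, grp, ["alice", "bob"], ["carol", "dave"]))
    print("world-writable:", world_writable_dirs(SAMPLE_DIR_MODES))
```

On a real host you would feed `application_group` the contents of the queue manager's qm.ini and `parse_etc_group` the real /etc/group, then pass the administrators and application users you expect; any line in the returned list is a user whose connect will fail or who cannot administer the queue manager.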

Restricted mode operates with the IBM WebSphere MQ authorization service. Therefore you must also grant users the authority to connect to IBM WebSphere MQ and access the resources they require using the IBM WebSphere MQ authorization service.

Further information about configuring the IBM WebSphere MQ authorization service can be found in Setting up security on Windows, UNIX and Linux systems.

Only use IBM WebSphere MQ restricted mode when the control provided by the authorization service does not provide sufficient isolation of queue manager resources.