It’s been a while, and I forgot how it worked…
step 1) edit the object authority on QSYSOPR so that only the profiles that need to control the queue have authority > *USE
step 2) the *ALLOBJ special authority will override the *USE authority for public. Any login with *ALLOBJ will be able to maintain the message queue. Remove *ALLOBJ authority from any account that doesn’t need it.
step 3) Set QSECURITY to 30 or greater if it isn’t already. At 10, or 20, *ALLOBJ is granted to *SECOFR, *SECADM, *PGMR, *SYSOPR, and *USER by default. at 30 and higher, *ALLOBJ is only granted to *SECOFR by default.
step 4) turn on object auditing for Library QSYS (where the qsysopr msgq is located). Set the auditing value to *CHANGE and you’ll be able to review the audit journal to see who removed messages