Securing SYSOP message queue

We recently had a system analyst accidentally delete all the QSYSOPR messages. Is there a way to secure the system operator message queue so that analysts/admins can view and answer messages but cannot delete them? Thanks

Answer Wiki

Thanks. We'll let you know when a new response is added.

It’s been a while, and I forgot how it worked…

step 1) edit the object authority on QSYSOPR so that only the profiles that need to control the queue have authority > *USE

step 2) the *ALLOBJ special authority will override the *USE authority for public. Any login with *ALLOBJ will be able to maintain the message queue. Remove *ALLOBJ authority from any account that doesn’t need it.

step 3) Set QSECURITY to 30 or greater if it isn’t already. At 10, or 20, *ALLOBJ is granted to *SECOFR, *SECADM, *PGMR, *SYSOPR, and *USER by default. at 30 and higher, *ALLOBJ is only granted to *SECOFR by default.

step 4) turn on object auditing for Library QSYS (where the qsysopr msgq is located). Set the auditing value to *CHANGE and you’ll be able to review the audit journal to see who removed messages

Discuss This Question: 2  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Jadima
    There is a simple way to achive this. Create a small CLP program like this : PGM DCL VAR(&MSGQ) TYPE(*CHAR) LEN(10) VALUE(QSYSOPR) DCL VAR(&LIB) TYPE(*CHAR) LEN(10) VALUE(QSYS) DCL VAR(&KEYVAR) TYPE(*CHAR) LEN(4) DCL VAR(&MSGID) TYPE(*CHAR) LEN(7) ... CHGMSGQ MSGQ(&LIB/MSGQ)DLVRY(*NOTIFY)PGM(*N *ALWRPY) RCVLOOP: RCVMSG MSGQ(&LIB/&MSGQ) MSGKEY(*NONE) + WAIT(*MAX) RMV(*NO) KEYVAR(&KEYVAR) + MSGDTA(&MSGDTA) MSGID(&MSGID) SENDER(&SENDER) MONMSG MSGID(CPF2451) EXEC(GOTO EINDE) .... (you can handle specific messages if wanted) GOTO RCVLOOP EINDE: RETURN You can of course let the program end at your convenience and do other things, but I know it works. This program must be submitted to batch and run all the time because it now allocates the messagequeue but allow others to answer the messages. You can test on specific messages and send a reply to it like CPA3138 (file full)and send a reply with SNDRPY MSGKEY(&KEYVAR) MSGQ&LIB/&MSGQ) RPY(I) You can try it out on a different msgq to fullfill your specific needs. Good luck - need more info , just give me an email.
    0 pointsBadges:
  • Wannabinoz
    THank you both for your replies. Good ideas!
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: