provide additional security to the cluster queues when using shared Qmgrs to send msgs to downstream qmgrs

Whats missing??

With existing MQ product version 7 to 9.3 - when comes to Cluster design there is no control over shared applications using the same qmgr(shared qmgr) and sending msgs to downstream applications.

With the MQ Cluster by design we see some limitations as below : 

1) All the MCA USER ID used in SVRCONN CHANNEL requires access to put permission to SYSTEM.CLUSTER.XMITQ when sending msgs to Downstream banckend qmgr 
2)  above step is minimum requirement – with this - this is also enabling the permissions to rest of the applications which are not supposed to have access to other than their own specific queues.  For example : App1 should have access to only App1 REQ queue . not to 2/3/4, in this situation it’s enabling the access.

Why it is useful ?? 

if the MQ allows  Permission to be enabled   on the source qmgr or some validation on the destination qmgr - this will isolate the applications and related  txns separately when sharing the qmgrs, In this way  multiple applications can share the single qmgr and perform the MQ txns securely without impacting each other. 
Currently MQ supports this functionality only for the local queues on the qmgr. we need this to be applied on CLUSTER QUEUES as well . 

Who would it benefit from it ?? 

This functionality  majorly  benefits every organisation who wants or planning to multiple applications sharing the same qmgr and sending msgs to cluster queues via cluster channels  with more secured way , not exposing the queues to other parties though they are part of same cluster. 

How Should it Work?? 

As part of the MQ Cluster design , as a product it should allow Enable additional OAM security for the cluster queues defined in Target qmgr.  This will enable lots of additional security and more safety when using shared qmgrs. 

Please let me know if more details required. Happy to have a call. 

Thanks,
CHinna