This is part of the larger task of setting up security on z/OS.
The user ID of the person running the create component (BIPCBRK, BIPCRCM, and BIPCRUN) jobs needs UPDATE access to the component PDSE, READ/EXECUTE access to the installation directory, and READ/WRITE/EXECUTE access to the component directory. If you do not use queue manager security, you do not need to read the rest of this topic. The topic "Creating the broker component" provides detailed statements on how to protect your queues.
The broker, Configuration Manager, and the User Name Server need to be able to connect to the queue manager.
The SYSTEM.BROKER.* queues should be protected. These names cannot be changed. Restrict access to the broker, Configuration Manager, and User Name Server started task user IDs, and to WebSphere Message Broker administrators.
If you are running a Configuration Manager on z/OS, remote users connecting from either the Message Broker Toolkit or from a Configuration Manager Proxy application need to be authorized to connect to the queue manager through the channel initiator. They also require PUT and GET access to SYSTEM.BROKER.CONFIG.QUEUE and SYSTEM.BROKER.CONFIG.REPLY.
If you are using Publish/Subscribe, subscribers need to PUT to SYSTEM.BROKER.CONTROL.QUEUE.
You can control which applications can use queues used by message flows. Applications need to be able to PUT and GET to queues defined in any nodes.
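The queue and connection rules above could be expressed as RACF profiles along the following lines. This is an added example, not taken from the product documentation. The queue manager name MQP1 and the group names MBSTC (started task user IDs), MBADMIN (administrators), MBTOOLS (remote Toolkit and Configuration Manager Proxy users) and MBSUBS (subscribers) are placeholders, and it assumes the WebSphere MQ security classes MQCONN and MQQUEUE are active with generic profiles enabled.

```racf
/* Constructed example: MQP1, MBSTC, MBADMIN, MBTOOLS, MBSUBS are    */
/* placeholders for your queue manager name and RACF groups.         */

/* Connection: the components connect to the queue manager as batch  */
/* applications, so they need READ on the ssid.BATCH profile.        */
RDEFINE MQCONN MQP1.BATCH UACC(NONE)
PERMIT MQP1.BATCH CLASS(MQCONN) ID(MBSTC MBADMIN) ACCESS(READ)

/* Default-deny on every SYSTEM.BROKER.* queue, then grant the       */
/* started task user IDs and administrators. PUT and GET both map    */
/* to UPDATE on an MQQUEUE profile.                                  */
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.** UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.** CLASS(MQQUEUE) ID(MBSTC MBADMIN) ACCESS(UPDATE)

/* Configuration Manager queues used by remote users. A more         */
/* specific profile replaces the generic one for that queue, so the  */
/* started task and administrator groups must be permitted again.    */
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.CONFIG.QUEUE UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.CONFIG.QUEUE CLASS(MQQUEUE) +
  ID(MBSTC MBADMIN MBTOOLS) ACCESS(UPDATE)
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.CONFIG.REPLY UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.CONFIG.REPLY CLASS(MQQUEUE) +
  ID(MBSTC MBADMIN MBTOOLS) ACCESS(UPDATE)

/* Publish/Subscribe control queue: subscribers need PUT. UPDATE is  */
/* the lowest level that allows PUT, and it also allows GET, so keep */
/* this group limited to real subscribers.                           */
RDEFINE MQQUEUE MQP1.SYSTEM.BROKER.CONTROL.QUEUE UACC(NONE)
PERMIT MQP1.SYSTEM.BROKER.CONTROL.QUEUE CLASS(MQQUEUE) +
  ID(MBSTC MBADMIN MBSUBS) ACCESS(UPDATE)

/* Activate the changes and review the resulting access lists.       */
SETROPTS RACLIST(MQCONN MQQUEUE) REFRESH
RLIST MQQUEUE MQP1.SYSTEM.BROKER.** AUTHUSER
RLIST MQQUEUE MQP1.SYSTEM.BROKER.CONTROL.QUEUE AUTHUSER
```

Queues used by message flow nodes can be covered the same way, with one profile per application queue prefix and UPDATE granted only to the applications that PUT to or GET from those queues.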