Authorization in IBM MQ is the gatekeeper on every queue handle: even when TLS, CONNAUTH, and CHLAUTH all succeed, the queue manager asks whether this effective user ID may perform this operation on this object right now. Denial surfaces as MQRC_NOT_AUTHORIZED reason code 2035 on MQOPEN, MQPUT, MQGET, MQSUB, or administrative commands. Grants are stored per object and principal—user or group—and interpreted by the Object Authority Manager on distributed platforms or RACF on z/OS. Legacy estates sometimes relied on default-allow; current best practice is default-deny with explicit least-privilege grants. This tutorial explains authorization versus authentication, common authority bits and what each allows, how principals are resolved from clients and channels, setmqaut and dspmqaut at overview level, pub/sub and cluster nuances, inhibit attributes that resemble 2035, audit practices, and troubleshooting order when applications report “access denied” after go-live.
When an application MQOPENs PAYMENT.IN for output, OAM verifies +connect if required and +put on that queue. MQGET needs +get; depth browse needs +browse. Altering definitions needs +alt or +chg depending on operation. Administrative DELETE or CLEAR need higher privileges. Missing any required bit fails the call with 2035. The check uses the effective principal at that moment—if CHLAUTH mapped the connection to mqpay, OAM checks mqpay, not the developer’s laptop ID.
| Authority | Allows | Risk if over-granted |
|---|---|---|
| +connect | Attach to queue manager (clients) | Broader attack surface |
| +put | MQPUT to queue | Inject fraudulent messages |
| +get | MQGET and destructive read | Steal or consume confidential data |
| +browse | Browse without removing | Read sensitive payloads |
| +inq +dsp | Display attributes | Reconnaissance for attackers |
| +alt +chg +clr +dlt | Administrative change | Denial of service or backdoors |
| +all | Full control on object | Never for application IDs |
* Application read queue: `setmqaut -m QM1 -n ORDERS.OUT -t q -p orderapp +get +browse`
* Application write queue: `setmqaut -m QM1 -n ORDERS.IN -t q -p orderapp +put`
* Channel service ID: `setmqaut -m QM1 -n ORDERS.IN -t q -p mqbridge +put +get`
* Verify: `dspmqaut -m QM1 -n ORDERS.IN -t q -p orderapp`
Object type -t includes q for queue, topic, channel, and others listed in the command reference. Principal -p is case-sensitive on some platforms. Group grants use the group name, with membership taken from the platform's group database. Revoke individual bits with the minus form of the same flags (for example -put), or remove the entity's entry entirely with -remove; check your release documentation for exact syntax. Changes take effect for new opens only: long-lived connection pools may need recycling if handles were opened before the grant.
SVRCONN clients often present a user ID at connect; adoption may keep or replace it. Inbound RCVR puts usually run under MCAUSER unless message context specifies otherwise—grant that ID on every target queue and reply queue in request/reply designs. Cluster channels do not bypass OAM. Test with the same identity production uses: administrators who test with their admin ID while production uses mqsvc see false “works for me” results.
Publishing requires authority on the topic object—+pub in OAM terms on many platforms. Subscribing needs +sub and destination queue access. Cluster topics add repository visibility but not exemption from checks. See topic permissions and pub authority tutorials when 2035 occurs on MQSUB or MQPUT with topic object.
PUT(INHIBITED) or GET(INHIBITED) on a queue blocks operations even when +put or +get exists on paper—DISPLAY QLOCAL shows inhibit flags. Distinguish inhibit from 2035 in runbooks. Queue manager level inhibited modes during maintenance block categories of access globally. Authorization and inhibit together explain most application “suddenly stopped” incidents after change windows.
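To make the runbook distinction concrete, here is an added model of the check described in the command and inhibit paragraphs above; it is example code written for this tutorial, not IBM MQ or OAM source. It assumes a simplified principal-resolution order (CHLAUTH map, then MCAUSER, then the client-presented ID), unions user and group grants the way OAM does on distributed platforms, and checks authority before inhibit flags; the reason codes are the real MQRC values, the queue and ID names are constructed.

```python
from dataclasses import dataclass, field

# Authority bits each MQI call needs, taken from the tutorial's table.
REQUIRED = {
    "MQCONN": {"+connect"},
    "MQPUT": {"+put"},
    "MQGET": {"+get"},
    "MQBROWSE": {"+browse"},   # MQGET with a browse option
    "MQINQ": {"+inq"},
}
# Reason codes the runbook must keep apart.
MQRC_NOT_AUTHORIZED, MQRC_GET_INHIBITED, MQRC_PUT_INHIBITED = 2035, 2016, 2051

@dataclass
class Queue:
    name: str
    put_inhibited: bool = False
    get_inhibited: bool = False
    # What setmqaut recorded: entity (user or group) -> set of authority bits
    grants: dict = field(default_factory=dict)

def effective_user(channel_user: str, mcauser: str = "", chlauth_map: str = "") -> str:
    """Principal OAM will check. Assumed order: CHLAUTH mapping wins, then
    MCAUSER on the channel, else the ID the client presented."""
    return chlauth_map or mcauser or channel_user

def check(q: Queue, principal: str, groups: set, op: str):
    """Return (reason_code, detail); reason 0 means the call would succeed."""
    # Effective authority is the union of the user's and its groups' grants.
    held = set(q.grants.get(principal, set()))
    for g in groups:
        held |= q.grants.get(g, set())
    missing = REQUIRED[op] - held
    if "+all" not in held and missing:
        return MQRC_NOT_AUTHORIZED, f"{principal} lacks {sorted(missing)} on {q.name}"
    # Authority on paper is not enough: inhibit attributes still block the call.
    if op == "MQPUT" and q.put_inhibited:
        return MQRC_PUT_INHIBITED, f"{q.name} is PUT(INHIBITED)"
    if op in ("MQGET", "MQBROWSE") and q.get_inhibited:
        return MQRC_GET_INHIBITED, f"{q.name} is GET(INHIBITED)"
    return 0, "ok"

def minimum_grants(qmgr: str, queue: str, roles: dict) -> list:
    """setmqaut lines for least-privilege producer/consumer/monitor roles."""
    bits = {"producer": "+put", "consumer": "+get", "monitor": "+browse +inq +dsp"}
    return [f"setmqaut -m {qmgr} -n {queue} -t q -p {pid} {bits[role]}"
            for pid, role in roles.items()]
```

Run `check` with the identity production actually uses (the output of `effective_user`), not an administrator's ID, to reproduce a 2035 before touching grants.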
On z/OS, RACF profiles in the MQ component express the same ideas with different commands—GRANT and PERMIT in RACF terminology, MQPROFILE definitions linking objects to profiles. Distributed setmqaut skills do not transfer literally; mainframe security teams own RACF. Conceptually authorization remains object plus principal plus operation.
Authentication got you into the building. Authorization is each office door reading whether your badge includes “Payments – Write.” No write permission on the badge means you stand in the hallway even with a valid building pass.
You got into the clubhouse, but you still need a sticker that says you may put toys in the red box—not the blue box.
Design minimum grants for producer, consumer, and monitor on three queues.
Channel RUNNING but 2035 on put—list four principal-related checks.
Why is +all dangerous on an application service ID?
1. Authorization controls:
2. 2035 indicates:
3. Grant put with:
4. MCAUSER needs: