The dspmqaut command answers the question every operations team asks during a 2035 incident: does this user actually have +put on this queue? It displays Object Authority Manager grants without changing them—the mirror of setmqaut. Auditors use dspmqaut exports to prove least privilege. Developers misuse admin IDs that mask missing grants for application service accounts. This tutorial explains dspmqaut syntax, how to read output authority lists, testing with the effective principal versus your login, group inheritance visibility, object-centric versus principal-centric reviews, pairing with AMQERR01 and client traces, bulk audit scripting, and differences from DISPLAY AUTHREC for compliance packs.
1234dspmqaut -m QM1 -n ORDERS.IN -t queue -p order_svc dspmqaut -m QM1 -n ORDERS.OUT -t queue -p order_svc dspmqaut -m QM1 -t topic -n 'retail/order/#' -p order_svc dspmqaut -m QM1 -n APP.SVRCONN -t channel -p order_svc
Output lists authorities such as connect, put, get, browse, inq, dsp, chg, clr, dlt, alt, and all as granted for that principal on that object. Absence of an authority means OAM will deny that operation. Compare before and after setmqaut in change tickets by saving dspmqaut output to files.
| Symptom | Check | Likely fix |
|---|---|---|
| 2035 on MQPUT | +put on queue for app principal | setmqaut +put |
| 2035 on MQGET | +get or +browse | setmqaut +get |
| 2035 on MQCONNX | +connect on qmgr or channel | setmqaut +connect |
| 2035 on publish | +pub on topic string | setmqaut -t topic +pub |
| Admin OK, app fails | Principal mismatch | Fix ADOPTCTX / CHLAUTH map |
OAM does not check your Windows login if the application connects as mqpay through MCAUSER mapping. Determine effective ID: enable client trace, read CHLAUTH USERMAP rules, check ADOPTCTX, inspect SVRCONN MCAUSER default. Run dspmqaut -p mqpay. Group grants require dspmqaut on the group or membership testing—if order_svc is in MQ.ORDERS.GRP, display group authorities with -g where your platform supports it.
Each authority name maps to MQI operations. put covers MQPUT and some publish paths. get covers destructive MQGET. browse allows non-destructive peek. inq and dsp support metadata reads for monitors. chg, clr, dlt, alt are administrative. all implies every operation—flag in audits. Some displays show inherited or default text depending on AUTHRCMD and AUTHOREC settings on the queue manager—consult IBM reference when output mentions defaults.
Always dspmqaut immediately after setmqaut in the same change window. Pipelines can grep for +put in output before marking deploy complete. If dspmqaut shows the grant but 2035 persists, suspect inhibit attributes (PUT(DISABLED)), wrong queue name, or handle opened before grant—restart the application. If dspmqaut shows no grant but app works, you are displaying the wrong principal or a broader group grant exists.
setmqaut writes names on the chart. dspmqaut is reading the chart aloud to see if your name is listed for snack time before you walk to the kitchen.
Subscription failures need dspmqaut on the topic string for +sub and on the destination queue for +get. Channel connect failures need dspmqaut on SVRCONN for +connect plus CHLAUTH rule review—dspmqaut alone does not show CHLAUTH blocks. Cluster receivers may need checks on multiple queue managers for the same principal name.
dspmqaut is per principal-object pair in typical usage; listing every principal on one object may require platform-specific options or exports. MQ Explorer visualizes authority for interactive review. On z/OS, RACF LISTUSER and MQ profile listings supplement dspmqaut. For large estates, enterprise configuration management databases ingest dspmqaut batch output nightly.
dspmqaut is looking at the list on the door that says who may come in—you check if your name is there before you push the door.
Given 2035 on MQGET for PAY.Q, write dspmqaut commands to run and what you expect to see.
Design a weekly script that dspmqauts ten critical queues for five service IDs.
Explain why admin dspmqaut success does not prove the app is authorized.
1. dspmqaut is used to:
2. Test 2035 with dspmqaut using:
3. Pair dspmqaut with:
4. Missing +get in dspmqaut means: