Group permissions are how mature IBM MQ estates scale authorization without running setmqaut for every developer who joins a team. Instead of attaching +put on PAYMENT.IN to fifty individual user IDs, you grant +put once to the group MQ.APP.PAYMENTS and manage membership in Active Directory, LDAP, or Unix groups. When someone transfers departments, security removes them from the directory group and their MQ access goes away without a queue manager change ticket: the next time they connect, the OAM resolves their now smaller group list and finds no grant. Two caveats apply. Handles that are already open are not re-checked, so a connection that is already established keeps working until the application closes it or an administrator stops it (STOP CONN or STOP CHANNEL), and the OAM caches group lookups, so issue REFRESH SECURITY TYPE(AUTHSERV) on distributed platforms when the change must be seen immediately. The OAM still evaluates the effective user ID at runtime (the connecting OS user, the channel MCAUSER, or the ID adopted from CONNAUTH), but that user holds the union of every authority bit granted to any group it belongs to plus any direct user grants. This tutorial explains setmqaut and dspmqaut with -g, how group membership is resolved on distributed and z/OS systems, nesting and naming conventions, combining group and user grants, audit workflows, anti-patterns like over-broad enterprise groups, and troubleshooting when dspmqaut shows the group has +put but the application still receives MQRC_NOT_AUTHORIZED (2035).
Per-user setmqaut lines multiply with headcount and drift out of sync with HR systems. A developer promoted to a team with production access might retain old user grants unless someone audits dspmqaut output quarterly. Groups encode roles: MQ.ORDERS.PRODUCER, MQ.ORDERS.CONSUMER, MQ.OPERATORS.READONLY. Change management attaches new queues to role templates. Compliance reviewers export group grants once per role instead of thousands of user rows. Break-glass individual accounts remain possible but should be rare and time-limited.
| Aspect | Group (-g) | User (-p) |
|---|---|---|
| setmqaut flag | -g MQ.APP.ROLE | -p app_svc01 |
| Membership managed in | LDAP / AD / OS groups | N/A (single account) |
| Offboarding | Remove from the directory group, then REFRESH SECURITY TYPE(AUTHSERV) | setmqaut -remove for every object the account was granted |
| Best for | Teams and roles | Service accounts, break-glass |
| Audit focus | Group catalog + membership | Named account inventory |

Caveat for the -p column: on AIX and Linux the OAM stores authorities by group, so setmqaut -p app_svc01 records the grant against app_svc01's primary group unless the queue manager was created with user-based authorization (crtmqm -oa user, which sets SecurityPolicy=User in the Service stanza of qm.ini). Give each service account a dedicated primary group, or enable user-based authorization; otherwise the "individual" grant quietly becomes a group grant for everyone sharing that primary group.
```bash
# +connect is a queue manager authority: grant it with -t qmgr (no -n needed),
# not on the queue, where setmqaut rejects it.
setmqaut -m QM1 -t qmgr -g MQ.ORDERS.PRODUCERS +connect
setmqaut -m QM1 -t qmgr -g MQ.ORDERS.CONSUMERS +connect
setmqaut -m QM1 -n ORDERS.IN  -t queue -g MQ.ORDERS.PRODUCERS +put
setmqaut -m QM1 -n ORDERS.OUT -t queue -g MQ.ORDERS.CONSUMERS +get +browse
# Topic authority is granted on a topic OBJECT, not on a topic string;
# RETAIL.ORDER is assumed here to be a topic object whose TOPICSTR is retail/order.
setmqaut -m QM1 -n RETAIL.ORDER -t topic -g MQ.ORDERS.PRODUCERS +pub
dspmqaut -m QM1 -n ORDERS.IN -t queue -g MQ.ORDERS.PRODUCERS
```
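The role template idea (a role owns a fixed set of object/authority pairs, and new queues are attached to the template rather than to people) is easy to get subtly wrong by hand: +connect on a queue, +setall on an application role, a role with no queue manager grant at all. The following script is an added example written for this page, not IBM code: it renders the setmqaut -g commands for each role from a template and refuses grants that are invalid for the object type or administrative in nature. The queue manager, queue, topic and group names are made up; the per-object authority lists are the documented setmqaut keywords, trimmed to a subset. Python is used so the check runs offline before anything is applied.

```python
"""Render setmqaut commands from a role template and reject invalid grants.

Added example, not IBM's code: it prints the commands and never runs them.
The object-type/authority table follows the setmqaut documentation; the
queue manager, queue, topic and group names are made up for this page.
"""
from __future__ import annotations

from typing import Dict, List, Set, Tuple

# Authorities setmqaut accepts per object type (a subset of the full lists).
VALID_AUTHS: Dict[str, Set[str]] = {
    "qmgr":  {"connect", "inq", "set", "altusr", "setid", "setall",
              "dsp", "chg", "crt", "dlt"},
    "queue": {"browse", "get", "put", "inq", "set", "passid", "passall",
              "setid", "setall", "clr", "dsp", "chg", "dlt"},
    "topic": {"pub", "sub", "resume", "dsp", "chg", "dlt"},
}

# Authorities an application role should never carry: they let the holder
# alter objects, forge message context, or wipe a queue.  Operator roles get
# them only through allow_admin=True, deliberately.
ADMIN_AUTHS: Set[str] = {"set", "setall", "setid", "altusr", "chg", "crt",
                         "dlt", "clr", "all", "alladm", "allmqi"}

# Role template (constructed): role name, which is also the group name,
# mapped to (object type, object name, authorities).  Every application role
# needs +connect on the queue manager, so it is listed per role instead of
# being granted once to one wide enterprise group.
Role = List[Tuple[str, str, List[str]]]
ROLE_TEMPLATE: Dict[str, Role] = {
    "MQ.ORDERS.PRODUCERS": [
        ("qmgr", "QM1", ["connect", "inq"]),   # inq: clients MQINQ the qmgr
        ("queue", "ORDERS.IN", ["put"]),
        ("topic", "RETAIL.ORDER", ["pub"]),    # topic OBJECT, not a topic string
    ],
    "MQ.ORDERS.CONSUMERS": [
        ("qmgr", "QM1", ["connect", "inq"]),
        ("queue", "ORDERS.OUT", ["get", "browse"]),
    ],
    "MQ.OPERATORS.READONLY": [
        ("qmgr", "QM1", ["connect", "inq", "dsp"]),
        ("queue", "ORDERS.IN", ["dsp", "browse"]),
        ("queue", "ORDERS.OUT", ["dsp", "browse"]),
    ],
}


def check(obj_type: str, name: str, auths: List[str],
          allow_admin: bool = False) -> List[str]:
    """Return the problems with one grant; an empty list means it is acceptable."""
    if obj_type not in VALID_AUTHS:
        return [f"unknown object type {obj_type} ({name})"]
    problems: List[str] = []
    for a in auths:
        if a not in VALID_AUTHS[obj_type]:
            problems.append(f"{a} not valid for object type {obj_type} ({name})")
        elif a in ADMIN_AUTHS and not allow_admin:
            problems.append(f"{a} is an administrative authority; not for an application role ({name})")
    return problems


def setmqaut_line(qmgr: str, obj_type: str, name: str, group: str,
                  auths: List[str], allow_admin: bool = False) -> str:
    """One setmqaut -g command; -n is omitted for the queue manager itself."""
    problems = check(obj_type, name, auths, allow_admin)
    if problems:
        raise ValueError("; ".join(problems))
    flags = " ".join(f"+{a}" for a in auths)
    target = "-t qmgr" if obj_type == "qmgr" else f"-t {obj_type} -n {name}"
    return f"setmqaut -m {qmgr} {target} -g {group} {flags}"


def render_role(qmgr: str, role: str,
                template: Dict[str, Role] = ROLE_TEMPLATE) -> List[str]:
    """All commands for a role, in the order they should be applied."""
    if not any(t == "qmgr" and "connect" in a for t, _, a in template[role]):
        raise ValueError(f"{role}: no +connect on the queue manager; members would get 2035 at MQCONN")
    return [setmqaut_line(qmgr, t, n, role, a) for t, n, a in template[role]]


if __name__ == "__main__":
    for role in ROLE_TEMPLATE:
        print("\n".join(render_role("QM1", role)))
    print(check("queue", "ORDERS.IN", ["put", "connect"]))
```

Pipe the output into a change ticket or a script reviewed by a second person; the point of rendering from a template is that the template, not the individual command lines, is what gets reviewed and versioned.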
The group name string must match what the queue manager resolves when it asks the operating system or security subsystem for group membership. On Windows that is the group's SAM account name, local or domain; for domain groups the queue manager's service account must be able to query the domain. On Linux and AIX it is the name the NSS stack returns, whether from /etc/group or sssd, and the comparison is case-sensitive: id -Gn app01 and getent group MQ.ORDERS.PRODUCERS show exactly what the OAM will see. A mismatch between the LDAP cn and the string in setmqaut is a top cause of "group grant looks correct but user fails". setmqaut rejects a group the host cannot resolve, so a grant accepted on one queue manager can still be wrong on a host whose directory integration reports the name differently. Document the exact group string in your connection specification next to the application ID.
When application app01 connects and the CONNAUTH AUTHINFO has ADOPTCTX(YES), app01 becomes the effective user and the OAM loads grants for the principal app01 and for every group that the host, or the LDAP authorization method, says app01 belongs to. If MQ.ORDERS.PRODUCERS has +put on ORDERS.IN and app01 is a member, the put succeeds. Nested groups depend on how membership is resolved, not on MQ itself: with OS resolution it is sssd or winbind that decides whether Active Directory nested groups are flattened into the user's group list; with LDAP authorization (AUTHORMD(SEARCHGRP) or AUTHORMD(SEARCHUSR) on the AUTHINFO) it is NESTGRP(YES). Verify with id -Gn app01 on the queue manager host rather than assuming. Service accounts used only as a channel MCAUSER are often in no directory group at all; either put them in a dedicated role group or grant those IDs directly with -p, remembering that on AIX and Linux a -p grant lands on the account's primary group unless user-based authorization is enabled.
A user might inherit +put from MQ.PRODUCERS and, from a break-glass user grant, receive an exceptional +clr on one queue. The OAM unions the allowed operations: dspmqaut -p shows that union, not where each bit came from. To find the record behind a dangerous +all, dump the stored authority records with dmpmqaut -m QM1 -n ORDERS.IN -t queue, which lists every entity (principal or group) and the authorities it holds on that object, and keep in mind that on AIX and Linux a -p grant is recorded against the user's primary group unless the queue manager runs with SecurityPolicy=User. Incident response: remove the user from the group first for fastest containment, stop the offending connection or channel (STOP CONN or STOP CHANNEL) because open handles are not re-checked, run REFRESH SECURITY TYPE(AUTHSERV) so the cached membership is dropped, then clean up stray user-level setmqaut records during the root cause review.
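The three questions a practitioner ends up asking at this point (what does this ID effectively hold, which stored record supplies a given authority, and why does a user whose group shows +put still get 2035) can all be answered from captured dmpmqaut output and the host's view of group membership. The script below is an added example written for this page, not IBM code, and it runs offline: DUMP is constructed text laid out like the records dmpmqaut prints (the queue manager's own profile appears as "self"), and OS_GROUPS stands in for what id -Gn would return on the host. Group strings are compared exactly, as the OAM does on Unix; the user, group and queue names are made up.

```python
"""Recompute what the OAM will grant and explain a 2035 from captured output.

Added example, not IBM's code.  DUMP is constructed text laid out like the
records dmpmqaut prints (profile / object type / entity / entity type /
authority); OS_GROUPS is a constructed stand-in for `id -Gn USER` on the host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Authorities covered by the allmqi shorthand (per the setmqaut documentation).
MQI_VERBS = {"altusr", "browse", "connect", "get", "inq", "passall", "passid",
             "pub", "put", "resume", "set", "setall", "setid", "sub"}

DUMP = """\
profile:     self
object type: qmgr
entity:      MQ.ORDERS.PRODUCERS
entity type: group
authority:   connect inq

profile:     ORDERS.IN
object type: queue
entity:      MQ.ORDERS.PRODUCERS
entity type: group
authority:   put

profile:     ORDERS.IN
object type: queue
entity:      app01
entity type: principal
authority:   clr

profile:     ORDERS.IN
object type: queue
entity:      breakglass01
entity type: principal
authority:   get browse put inq set passid passall setid setall clr dsp chg dlt
"""

# Constructed host view of membership (what `id -Gn` would print per user).
OS_GROUPS: Dict[str, List[str]] = {
    "app01": ["app01", "MQ.ORDERS.PRODUCERS"],   # correct
    "app02": ["app02", "mq.orders.producers"],   # directory exports the cn in lower case
    "svc_mcauser": ["svc_mcauser"],              # channel MCAUSER, in no role group
}


@dataclass
class AuthRecord:
    profile: str
    object_type: str
    entity: str
    entity_type: str          # "principal" or "group"
    authority: Set[str]


def parse_dump(text: str) -> List[AuthRecord]:
    """Split a dmpmqaut-style dump (blank line between records) into records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        records.append(AuthRecord(fields["profile"], fields["object type"],
                                  fields["entity"], fields["entity type"],
                                  set(fields["authority"].split())))
    return records


def permits(granted: Set[str], verb: str) -> bool:
    return verb in granted or "all" in granted or ("allmqi" in granted and verb in MQI_VERBS)


def effective(records: List[AuthRecord], user: str, groups: List[str],
              object_type: str, name: str) -> Set[str]:
    """Union of the user's own records and those of every group the host put it in."""
    granted: Set[str] = set()
    for r in records:
        if r.object_type != object_type or r.profile != name:
            continue
        if (r.entity_type == "principal" and r.entity == user) or \
           (r.entity_type == "group" and r.entity in groups):
            granted |= r.authority
    return granted


def grantors(records: List[AuthRecord], object_type: str, name: str, verb: str) -> List[str]:
    """Which stored records supply verb on the object: where a +all really comes from."""
    return sorted(f"{r.entity_type}:{r.entity}" for r in records
                  if r.object_type == object_type and r.profile == name and permits(r.authority, verb))


def direct_user_grants(records: List[AuthRecord], user: str) -> List[str]:
    """Stray -p records to clean up after removing the user from its groups."""
    return [f"{r.object_type}:{r.profile} {' '.join(sorted(r.authority))}"
            for r in records if r.entity_type == "principal" and r.entity == user]


def diagnose(records: List[AuthRecord], user: str, os_groups: Dict[str, List[str]],
             queue: str, verb: str = "put") -> List[str]:
    """Why would MQOPEN of queue for verb by user return 2035?  Empty list: it should work."""
    groups = os_groups.get(user)
    if groups is None:
        return [f"{user}: unknown to the host, so no groups can be resolved "
                "(check which ID is effective: MCAUSER, ADOPTCTX, or the client's OS user)"]
    problems: List[str] = []
    lowered = {g.casefold() for g in groups}
    for g in sorted({r.entity for r in records if r.entity_type == "group"}):
        if g not in groups and g.casefold() in lowered:
            problems.append(f"{user}: host reports the group in a different case from the grant {g!r}")
    if not permits(effective(records, user, groups, "qmgr", "self"), "connect"):
        problems.append(f"{user}: no +connect on the queue manager (2035 already at MQCONN)")
    if not permits(effective(records, user, groups, "queue", queue), verb):
        problems.append(f"{user}: no +{verb} on {queue} via any group or direct grant")
    return problems


if __name__ == "__main__":
    recs = parse_dump(DUMP)
    for u in OS_GROUPS:
        print(u, diagnose(recs, u, OS_GROUPS, "ORDERS.IN") or "ok")
    print("clr on ORDERS.IN comes from:", grantors(recs, "queue", "ORDERS.IN", "clr"))
```

An empty result from diagnose for the effective user means the grants are fine and the cause lies elsewhere: the application is not running as the ID you think (MCAUSER or ADOPTCTX), the OAM cache has not been refreshed, or on Windows the group could not be resolved from the domain.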
Group permissions are like everyone with a red team badge being allowed in the cafeteria. You do not write each person's name on the door; you write "red team". New hires get a red badge from HR and automatically get cafeteria access.
LDAP authentication (CONNAUTH pointing at an AUTHINFO of type IDPWLDAP) validates the password; it does not by itself decide where group membership comes from. With ADOPTCTX(YES) the authenticated ID becomes the one the OAM evaluates, and with the default AUTHORMD(OS) the queue manager asks the host for that ID's groups, so the directory user must also exist on the host (typically through sssd or winbind) with the same groups the directory lists, including MQ.ORDERS.PRODUCERS. MQ 8.0 and later can instead resolve groups from the directory itself: AUTHORMD(SEARCHGRP) or AUTHORMD(SEARCHUSR) on the AUTHINFO, with BASEDNG, CLASSGRP, FINDGRP and GRPFIELD describing the group entries, and NESTGRP(YES) to expand nested groups. Either way the group name given to setmqaut -g is not an arbitrary label stored in the OAM: it must match the group as the chosen method reports it, the OS group name under AUTHORMD(OS) or the GRPFIELD attribute value (for example the cn) under the LDAP methods. Issue REFRESH SECURITY TYPE(CONNAUTH) after changing the AUTHINFO.
On IBM MQ for z/OS, authorization is delegated to the external security manager, usually RACF. A queue is protected by a profile in the MQQUEUE class (prefixed with the queue manager name, for example QM1.ORDERS.IN), connection by MQCONN, commands by MQCMDS and topics by MXTOPIC; browse needs READ access and put or get need UPDATE. The role is a RACF group such as MQGRD.PRODUCER that is PERMITted to the profile, and users are attached with RACF CONNECT. Commands differ from setmqaut -g but the role-based idea is identical, and z/OS also caches user information, so a REFRESH SECURITY may be needed before a membership change takes effect. Distributed administrators collaborating with mainframe teams should use the same role names in architecture documents even when the implementation commands differ.
The teacher has a list that says “kids in the red group may use the swings.” You do not need your own separate list if you are in the red group.
Design three groups for an order system and list setmqaut -g commands for two queues and one topic.
A user has 2035 but dspmqaut -g shows +put—write five membership checks.
Document offboarding steps for a developer in MQ.ORDERS.PRODUCERS.
1. Group grants use setmqaut -g GROUP (and setmqaut -t qmgr -g GROUP +connect for the connection itself).
2. Removing a user from the LDAP or OS group revokes the inherited MQ authorities on their next connection; no setmqaut change is needed, only a REFRESH SECURITY TYPE(AUTHSERV) if the cache must be cleared immediately.
3. dspmqaut for groups uses the -g flag: dspmqaut -m QM1 -n ORDERS.IN -t queue -g MQ.ORDERS.PRODUCERS.
4. Best practice for roles: name groups by role (MQ.ORDERS.PRODUCERS, MQ.ORDERS.CONSUMERS, MQ.OPERATORS.READONLY), grant to the group, and reserve -p for service accounts and time-limited break-glass access.