MCAUSER is one of the most important channel attributes in IBM MQ security, yet it is often left at its installation default until the first production audit. The Message Channel Agent user ID tells the queue manager which security principal to use when a channel does work on your behalf: putting a message that arrived from a partner queue manager, executing MQPUT for a remote client over SVRCONN, or running protocol exchanges under a known identity. Getting MCAUSER wrong produces MQRC 2035 (MQRC_NOT_AUTHORIZED) errors, poison-message loops to the dead-letter queue, or worse, over-privileged remote access. This tutorial explains MCAUSER on message channels versus MQI channels, how CHLAUTH maps override it, platform differences on z/OS and distributed systems, and practical steps to design service accounts for channels.
Queue managers enforce authority with the Object Authority Manager (OAM) on distributed platforms and with RACF profiles on z/OS. Applications and channels do not bypass OAM. When a receiver channel instance accepts a message and issues an internal put to a local queue, the put runs as MCAUSER from the channel definition unless message context or user exits specify otherwise. When a client connects to SVRCONN, the server may map the connection to an MCAUSER via TLS or password rules before handling MQOPEN and MQPUT. The channel attribute is therefore the bridge between network trust (who connected) and data trust (who may touch which queues).
| CHLTYPE | MCAUSER role |
|---|---|
| RCVR / CLUSRCVR | Identity for putting inbound messages locally |
| SDR / CLUSSDR / RQSTR | Identity during outbound protocol on source QM |
| SVR | Identity for inbound session work on hub |
| SVRCONN | Default identity for client MQI unless CHLAUTH maps |
```
DEFINE CHANNEL('PARTNER.IN') CHLTYPE(RCVR) TRPTYPE(TCP) MCAUSER('mqin')
DEFINE CHANNEL('APP.CLIENT') CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('mqapp')
* SET AUTHREC on a queue needs a PROFILE; ORDERS.IN is the inbound queue
* used in the exercises below, APP.** is an illustrative generic profile
SET AUTHREC PROFILE('ORDERS.IN') OBJTYPE(QUEUE) PRINCIPAL('mqin') +
    AUTHADD(GET,PUT,BROWSE,INQ)
SET AUTHREC PROFILE('APP.**') OBJTYPE(QUEUE) PRINCIPAL('mqapp') +
    AUTHADD(GET,PUT,BROWSE)
* mqapp also needs CONNECT on the queue manager object before any MQOPEN
* ALTER is how you change MCAUSER on a channel that already exists
ALTER CHANNEL('APP.CLIENT') CHLTYPE(SVRCONN) MCAUSER('mqapp')
* CHLAUTH example: map certificate to different MCAUSER
SET CHLAUTH('APP.CLIENT') TYPE(SSLPEERMAP) SSLPEER('CN=payments') +
    MCAUSER('payprod') ACTION(REPLACE)
```
After DEFINE, grant the principal only the AUTHREC rights it needs on named queues and namelists; avoid +all on QMGR unless the ID is a true admin service account. On z/OS, RACF profiles for the MCAUSER must permit access to the queue profiles in the queue manager subsystem. Changing MCAUSER without updating the security profiles causes immediate authorization failures, visible in the error logs and AMQ messages.
MCAUSER is the employee badge the queue manager wears when doing tasks for a channel. Even if a visitor (remote client or partner QM) claims to be someone important, the receptionist checks the badge rules: either map the visitor to an approved badge (CHLAUTH) or use the default badge on the door (channel MCAUSER).
CHLAUTH rules can REPLACE or BLOCK channel access based on address, SSL peer name, or asserted username. SSLPEERMAP is common for microservices with mutual TLS: certificate CN=payments maps to MCAUSER payprod with only put to PAY.REQ. USERMAP supports password authentication flows. ADDRESSMAP blocks ranges before identity is considered. Order of evaluation matters; use DISPLAY CHLAUTH and test tools to verify effective identity. A common mistake is setting MCAUSER on SVRCONN to an admin ID while also mapping clients—auditors see excessive privilege.
Leaving MCAUSER blank is not “disable security.” Behavior depends on channel type, platform, and whether adoption exits run. On some SVRCONN configurations, the queue manager may adopt the client-supplied user when allowed. On message channels, blank may default to the channel initiator service account—often highly privileged. Explicit service IDs make audits and access reviews tractable. Document every MCAUSER in a channel register with owner application and granted queues.
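An added audit script (not from this page or from IBM) that applies the points above about admin MCAUSERs, unmapped SVRCONN channels, and a channel register: it parses constructed runmqsc output for DISPLAY CHANNEL and DISPLAY CHLAUTH and reports each channel that breaks least privilege. The admin ID list and the sample channel names are assumptions.

```python
import re

# Constructed sample of runmqsc output for "DISPLAY CHANNEL(*) CHLTYPE MCAUSER"
# then "DISPLAY CHLAUTH(*)"; it is not captured from a real queue manager.
SAMPLE_OUTPUT = """\
AMQ8414I: Display Channel details.
   CHANNEL(PARTNER.IN)                     CHLTYPE(RCVR)
   MCAUSER(mqin)
AMQ8414I: Display Channel details.
   CHANNEL(APP.CLIENT)                     CHLTYPE(SVRCONN)
   MCAUSER(mqapp)
AMQ8414I: Display Channel details.
   CHANNEL(ADMIN.SVRCONN)                  CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414I: Display Channel details.
   CHANNEL(LEGACY.IN)                      CHLTYPE(RCVR)
   MCAUSER( )
AMQ8878I: Display channel authentication record details.
   CHLAUTH(APP.CLIENT)                     TYPE(SSLPEERMAP)
   SSLPEER(CN=payments)                    MCAUSER(payprod)
"""
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")      # KEY(VALUE) pairs on one line
ADMIN_IDS = {"mqm", "MUSR_MQADMIN"}            # assumed admin IDs for this audit
MAP_TYPES = {"SSLPEERMAP", "USERMAP", "ADDRESSMAP", "QMGRMAP"}

def parse_records(text: str) -> list[dict[str, str]]:
    """Group the KEY(VALUE) attributes that follow each AMQnnnnI message line."""
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("AMQ"):
            records.append({})
        elif records:
            records[-1].update((k, v.strip()) for k, v in ATTR.findall(line))
    return records

def audit(text: str) -> list[str]:
    """One finding per channel whose MCAUSER setup breaks least privilege."""
    records = parse_records(text)
    mapped = {r["CHLAUTH"] for r in records if r.get("TYPE") in MAP_TYPES}
    findings = []
    for r in records:
        if "CHANNEL" not in r:
            continue
        name, ctype, user = r["CHANNEL"], r.get("CHLTYPE", ""), r.get("MCAUSER", "")
        if not user:
            findings.append(f"{name}: blank MCAUSER on {ctype}, identity depends on platform and adoption")
        elif user in ADMIN_IDS:
            findings.append(f"{name}: admin MCAUSER {user} on {ctype}, use a service ID with explicit AUTHREC")
        if ctype == "SVRCONN" and name not in mapped:
            findings.append(f"{name}: SVRCONN without a CHLAUTH mapping rule, all clients run as {user or 'default'}")
    return findings
```

Pipe the real `DISPLAY` output into `audit()` on a schedule and diff the findings against the channel register to catch drift.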
On Linux and Windows, MCAUSER is typically an operating system user known to the queue manager installation. LDAP-linked IDs are common in enterprises. On z/OS, MCAUSER maps to RACF users; queue profiles use naming conventions tied to the queue manager. Cross-platform clusters must harmonize identities or accept that the same MCAUSER string means different security objects on each OS. Never copy MQSC from distributed to z/OS without RACF planning.
When a channel runs but messages land on the DLQ with not authorized, check DISPLAY AUTHREC (or the RACF listings on z/OS) for the effective MCAUSER on the target queue. For SVRCONN, trace whether CHLAUTH applied an SSLPEERMAP or USERMAP rule, using DISPLAY CHLAUTH or the relevant diagnostics for your release. Temporarily elevating MCAUSER to mqm or an admin ID to “fix” production masks the missing grant and fails the next audit; add an explicit AUTHREC instead.
Client applications may pass a user ID in MQCONNX. The server decides whether to honor it via adoption or mapping. Message channels from partner queue managers carry metadata; do not assume partner usernames exist on your OS. Design MCAUSER as the integration service account representing the partner system, not individual humans, unless context passing is explicitly implemented and trusted.
MCAUSER is the name tag the queue manager wears when it does jobs for someone who connected from far away, so it only touches the toy boxes it is allowed to touch.
Design MCAUSER IDs and AUTHREC grants for RCVR PARTNER.IN putting to QLOCAL ORDERS.IN.
Write an SSLPEERMAP rule mapping CN=testclient to MCAUSER testapp on SVRCONN TEST.APP.
Explain why setting all channels to MCAUSER(mqm) is a bad production practice.
1. MCAUSER on a channel specifies:
2. Inbound messages on RCVR typically use:
3. CHLAUTH SSLPEERMAP maps:
4. Least privilege means MCAUSER should: