MCAUSER Security

Every remote message that arrives on a receiver channel and every client call over SVRCONN executes under an effective user ID: the channel's MCAUSER unless channel authentication (CHLAUTH) or an exit changes it. MCAUSER security is the discipline of choosing that ID deliberately and granting only the object authority the partner or application needs. Legacy estates littered with MCAUSER(mqm) on RCVR channels created decades ago remain a top audit finding, because any compromised sender can then administer the queue manager. Modern designs assign per-partner or per-application IDs, map TLS certificates to those IDs with CHLAUTH, and separate read-only from write paths. Beginners often see channels in RUNNING state yet messages landing on the DLQ or reason code 2035 (MQRC_NOT_AUTHORIZED) in client logs; that is usually an MCAUSER or OAM mismatch, not a network failure. This tutorial explains MCAUSER on each CHLTYPE, mapping with CHLAUTH, granting authority on distributed platforms and z/OS, user adoption and CONNAUTH interaction, common anti-patterns, and verification commands to run before production cutover.

MCAUSER on Message Channels

On CHLTYPE(SDR), MCAUSER is the user under which the sender message channel agent runs when reading the transmission queue and driving the channel protocol; it is typically a technical ID with get on the XMITQ and minimal other rights. On CHLTYPE(RCVR), MCAUSER is the user under which inbound messages are put to target queues, unless message context options or a CHLAUTH mapping override it (see the IBM rules for your release). If the RCVR MCAUSER can put to PAYMENTS.Q but also to ADMIN.Q, a malicious partner can target both unless routing and authority are tight. Define separate RCVR channels with separate MCAUSER values per trust zone when partners have different risk levels.

MCAUSER focus by channel type

| CHLTYPE  | MCAUSER role                   | Hardening tip             |
|----------|--------------------------------|---------------------------|
| SDR      | Read XMITQ, run channel agent  | No admin authority        |
| RCVR     | Put to target local queues     | Put only on agreed queues |
| SVRCONN  | Client MQPUT/MQGET identity    | Map cert to app ID        |
| CLUSRCVR | Cluster inbound puts           | Cluster-wide ID per policy|

CHLAUTH Mapping Versus Channel Default

```mqsc
* Channel default: a low-privilege ID that holds no put authority on sensitive queues
DEFINE CHANNEL('PARTNER.IN') CHLTYPE(RCVR) TRPTYPE(TCP) MCAUSER('mqdefault')
* Map the partner's certificate DN to a per-partner ID. The first parameter of
* SET CHLAUTH is the channel profile the rule applies to, and ACTION(ADD)
* creates the rule (ALLOW is not a valid ACTION value for SET CHLAUTH)
SET CHLAUTH('PARTNER.IN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=partner,O=Bank') USERSRC(MAP) MCAUSER('mqpartner') ACTION(ADD)
* mqpartner needs +put on agreed queues only
SET AUTHREC PROFILE('PAY.IN') OBJTYPE(QUEUE) PRINCIPAL('mqpartner') AUTHADD(PUT)
```

mqdefault should have no put authority on sensitive queues, so that a connection without a valid, mapped certificate falls back to the channel default and fails closed. mqpartner receives only PUT on PAY.IN. Note that an SSLPEERMAP rule can only match if the channel also has SSLCIPH set, since otherwise the partner never presents a certificate. On z/OS use RACF profiles; on Linux use setmqaut or SET AUTHREC. Document every grant in your access matrix.
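To make the fail-closed behaviour concrete, here is an added, simplified model of how the effective user is resolved and then checked by the OAM. It is example code, not IBM's implementation: it handles only SSLPEERMAP rules with USERSRC(MAP), USERSRC(CHANNEL) and USERSRC(NOACCESS), uses exact DN matching instead of IBM's pattern and most-specific-rule precedence, and ignores ADDRESSMAP, BLOCKUSER, CONNAUTH adoption and exits. The channel, rule, principals and queue names mirror the MQSC above; the stranger DN is constructed for the demo.

```python
"""Simplified model of MCAUSER resolution (channel default vs CHLAUTH map)
followed by an OAM put check. Added example, not IBM MQ code."""
from dataclasses import dataclass, field

MQRC_NOT_AUTHORIZED = 2035  # the reason code a denied put returns


@dataclass(frozen=True)
class Channel:
    name: str
    chltype: str
    mcauser: str  # channel default, used when no CHLAUTH rule maps a user


@dataclass(frozen=True)
class ChlauthRule:
    channel: str        # channel profile the rule applies to
    sslpeer: str        # certificate DN; exact match in this simplified model
    usersrc: str        # MAP, CHANNEL or NOACCESS
    mcauser: str = ""   # only meaningful with USERSRC(MAP)


@dataclass
class Oam:
    """Authority records keyed by (principal, queue) -> set of authorities."""
    authrecs: dict = field(default_factory=dict)

    def authadd(self, profile, principal, *auths):
        self.authrecs.setdefault((principal, profile), set()).update(
            a.upper() for a in auths)

    def check(self, principal, queue, auth):
        return auth.upper() in self.authrecs.get((principal, queue), set())


def resolve_mcauser(channel, rules, peer_dn):
    """Return the effective user for a connection presenting peer_dn,
    or None when a NOACCESS rule blocks it. First matching rule wins."""
    for rule in rules:
        if rule.channel == channel.name and rule.sslpeer == peer_dn:
            if rule.usersrc == "NOACCESS":
                return None
            if rule.usersrc == "MAP":
                return rule.mcauser
            return channel.mcauser        # USERSRC(CHANNEL)
    return channel.mcauser                # no rule matched: channel default


def inbound_put(channel, rules, oam, peer_dn, queue):
    """Simulate an inbound put: resolve the user, then ask the OAM.
    Returns 0 on success or MQRC_NOT_AUTHORIZED."""
    user = resolve_mcauser(channel, rules, peer_dn)
    if user is None or not oam.check(user, queue, "PUT"):
        return MQRC_NOT_AUTHORIZED
    return 0


def build_demo():
    """The configuration from the MQSC above, expressed in this model."""
    channel = Channel("PARTNER.IN", "RCVR", "mqdefault")
    rules = [ChlauthRule("PARTNER.IN", "CN=partner,O=Bank", "MAP", "mqpartner")]
    oam = Oam()
    oam.authadd("PAY.IN", "mqpartner", "put")   # the only grant; mqdefault has none
    return channel, rules, oam


def demo():
    """Outcomes for the mapped partner and for an unmapped (constructed) DN."""
    channel, rules, oam = build_demo()
    partner, stranger = "CN=partner,O=Bank", "CN=stranger,O=Other"
    return {
        "partner_pay_in": inbound_put(channel, rules, oam, partner, "PAY.IN"),
        "partner_admin_q": inbound_put(channel, rules, oam, partner, "ADMIN.Q"),
        "stranger_user": resolve_mcauser(channel, rules, stranger),
        "stranger_pay_in": inbound_put(channel, rules, oam, stranger, "PAY.IN"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The stranger case is the important one: with no matching rule the connection runs as mqdefault, which holds no put authority, so the put fails with 2035 rather than silently succeeding under an over-privileged default.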

Least Privilege Patterns

  • One MCAUSER per business application for SVRCONN, not one shared ID for fifty microservices.
  • Separate MCAUSER values for batch file transfer and online payments, on different RCVR channels.
  • Deny +alter, +crt and +dlt on the queue manager to channel IDs unless automation requires them.
  • Use a read-only MCAUSER for inquiry-only partners; block put with the OAM, not just application discipline.
  • Review DISPLAY AUTHREC output and platform security exports quarterly.

CONNAUTH and User Adoption

CONNAUTH with an AUTHINFO object can authenticate a password or certificate at connect time and optionally adopt the presented user ID for MQI clients. Channel MCAUSER still matters on message channels, where CONNAUTH plays a smaller role. Conflicts arise when developers expect their LDAP user to flow through but the SVRCONN MCAUSER overrides it; understand USERSRC on CHLAUTH rules and the ADOPTCTX setting on the queue manager as described in the IBM documentation. In some scenarios message channels from remote queue managers present the remote MCAUSER in the protocol context; specialists should consult the IBM docs, and beginners should not mix test and production IDs.

z/OS RACF Considerations

On z/OS, MCAUSER is typically a RACF user ID. The channel initiator address space needs authority to switch identity. Queue profiles and CHLAUTH interact with RACF. Testing on an LPAR requires security team involvement. Do not copy distributed Linux user names to z/OS without translation. Audit SMF records can supplement MQ logs for access denials.

Anti-Patterns to Eliminate

  1. MCAUSER(mqm) on all RCVR channels for convenience.
  2. A single shared SVRCONN MCAUSER for unrelated departments.
  3. CHLAUTH ALLOW without a MAP while the channel MCAUSER remains an administrator.
  4. Granting +all on queues to fix 2035 instead of the specific +put or +get.
  5. Never reviewing the effective user after a certificate renewal changed the DN mapping.
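Anti-patterns 1, 2 and 4 can be found by reading runmqsc output rather than by inspection. The script below is an added example (not IBM tooling) that parses the output of DISPLAY CHANNEL(*) CHLTYPE MCAUSER and DISPLAY AUTHREC and flags administrator MCAUSERs on inbound channels, one MCAUSER shared by several SVRCONN channels, and broad authority lists. The sample output is constructed to match the runmqsc layout (AMQ8414I for channels, AMQ8864I for authority records); the channel, principal and queue names in it are invented for the demo.

```python
"""Audit runmqsc output for common MCAUSER anti-patterns.
Added example; constructed sample output, not captured from a real queue manager."""
import re
from collections import defaultdict

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")           # NAME(value) pairs
MSG_HEADER = re.compile(r"^\s*AMQ\d{4}[IEWS]:")      # start of one object block
CMD_ECHO = re.compile(r"^\s*\d+\s*:")                # echoed MQSC command line

INBOUND_TYPES = {"RCVR", "RQSTR", "SVRCONN", "CLUSRCVR"}
ADMIN_IDS = {"mqm"}                                  # anti-pattern 1
BROAD_AUTHS = {"ALL", "ALTER", "CRT", "DLT"}         # anti-pattern 4 and the +crt/+dlt rule

SAMPLE_OUTPUT = """\
     1 : DISPLAY CHANNEL(*) CHLTYPE MCAUSER
AMQ8414I: Display Channel details.
   CHANNEL(PARTNER.IN)                     CHLTYPE(RCVR)
   MCAUSER(mqm)
AMQ8414I: Display Channel details.
   CHANNEL(FILES.IN)                       CHLTYPE(RCVR)
   MCAUSER(mqfiles)
AMQ8414I: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(appshared)
AMQ8414I: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(appshared)
AMQ8414I: Display Channel details.
   CHANNEL(TO.PARTNER)                     CHLTYPE(SDR)
   MCAUSER( )
     2 : DISPLAY AUTHREC PROFILE('PAY.IN') OBJTYPE(QUEUE)
AMQ8864I: Display authority record details.
   PROFILE(PAY.IN)                         ENTITY(mqpartner)
   ENTTYPE(PRINCIPAL)                      OBJTYPE(QUEUE)
   AUTHLIST(ALL)
AMQ8864I: Display authority record details.
   PROFILE(PAY.IN)                         ENTITY(mqfiles)
   ENTTYPE(PRINCIPAL)                      OBJTYPE(QUEUE)
   AUTHLIST(PUT)
"""


def parse_runmqsc(output):
    """Return one attribute dict per AMQxxxxI block; command echoes are skipped."""
    objects, current = [], None
    for line in output.splitlines():
        if CMD_ECHO.match(line):
            current = None
        elif MSG_HEADER.match(line):
            current = {}
            objects.append(current)
        elif current is not None:
            current.update((k, v.strip()) for k, v in ATTR.findall(line))
    return objects


def audit(output):
    """Return a list of human-readable findings for the anti-patterns above."""
    objs = parse_runmqsc(output)
    findings = []
    svrconn_by_user = defaultdict(list)
    for ch in (o for o in objs if "CHLTYPE" in o):
        if ch["CHLTYPE"] in INBOUND_TYPES and ch["MCAUSER"] in ADMIN_IDS:
            findings.append(f"{ch['CHANNEL']}: {ch['CHLTYPE']} runs as administrator {ch['MCAUSER']}")
        if ch["CHLTYPE"] == "SVRCONN":
            svrconn_by_user[ch["MCAUSER"]].append(ch["CHANNEL"])
    for user, names in svrconn_by_user.items():          # anti-pattern 2
        if len(names) > 1:
            findings.append(f"{user}: shared by SVRCONN channels {', '.join(sorted(names))}")
    for rec in (o for o in objs if "AUTHLIST" in o):
        broad = BROAD_AUTHS & set(rec["AUTHLIST"].split(","))
        if broad:
            findings.append(f"{rec['ENTITY']} on {rec['PROFILE']}: broad authority {','.join(sorted(broad))}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```

Feed it the saved output of the two DISPLAY commands (for example `echo "DISPLAY CHANNEL(*) CHLTYPE MCAUSER" | runmqsc QM1 > channels.txt`) and keep the result with the quarterly review; a clean run before go-live is a cheap complement to the live put tests described under verification.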

Verification Before Go-Live

From the partner test system, connect the channel or client, then attempt a put to an authorized queue and to an unauthorized queue. Expect success and 2035 respectively. DISPLAY CHSTATUS and the application logs should show the expected MCAUSER. Archive the SET AUTHREC or setmqaut scripts in version control. Pair these checks with TLS and CHLAUTH negative tests.

Explain Like I'm Five: MCAUSER Security

MCAUSER security means each visitor to MQ wears only the badge that opens the doors they need—not a master key that opens every room.

Practice Exercises

Exercise 1

Design three MCAUSER IDs for payments, reporting, and admin inquiry—list allowed operations each.

Exercise 2

Given RUNNING RCVR and 2035 on put, list five checks in order.

Exercise 3

Write rollback MQSC if a CHLAUTH map pointed to wrong MCAUSER.

Test Your Knowledge

1. MCAUSER on a channel sets:

  • Default OS user for channel ops
  • TCP port
  • Cipher only
  • DLQ only

2. Least privilege means:

  • Minimum authority needed
  • Maximum authority
  • No TLS
  • No listener

3. 2035 after connect often means:

  • OAM authority missing
  • Wrong TRPTYPE
  • No DISCINT
  • No topic

4. CHLAUTH SSLPEERMAP can:

  • Map cert to MCAUSER
  • Set MAXDEPTH
  • Replace listener
  • Compile COBOL

Read time: 18 min
Author: MainframeMaster
Verified: IBM MQ 9.3 documentation