On distributed IBM MQ you might manage users in LDAP or OS groups. On z/OS, RACF is the gatekeeper for who may connect to a queue manager, put payment messages, or alter definitions. IBM MQ stores authorization decisions in RACF profiles, traditionally in the mqadmin class unless your site customized the security interface. Beginners see reason code 2035 NOT_AUTHORIZED and blame the application; veterans DISPLAY AUTHREC and SEARCH RACF first. Understanding RACF classes—not individual profiles yet—is the map: which class, which object types, how queue manager names appear, and how SAF asks RACF before MQ allows the call. This tutorial introduces mqadmin, relates RACF to MQ object types, contrasts RACF with CHLAUTH and TLS, explains generic versus discrete profiles at class level, and prepares you for the profiles tutorial where naming rules live.
z/OS applications run as RACF-identified users: CICS regions, IMS control regions, batch jobs, and started tasks. When they call MQCONN or MQOPEN, the queue manager asks the System Authorization Facility (SAF) whether that userid may perform the operation on that object. SAF routes the question to RACF (or another product if configured). RACF looks up profiles in the mqadmin class. Deny is fail-closed—no message flow until security administrators grant authority deliberately.
The mqadmin class is the default RACF class name for IBM MQ profiles on many installations. Profiles in this class encode object type, queue manager context, object name, and authority bits. Security administrators use RACF commands such as ADDGROUP, PERMIT, and RDEFINE tailored to MQ; exact command syntax varies by site standards. MQ administrators use SET AUTHREC and DISPLAY AUTHREC to mirror intent on the queue manager object repository; RACF remains the source of truth on classic z/OS setups.
| Element | Role | Example |
|---|---|---|
| RACF class mqadmin | Container for MQ profiles | Profiles for QLOCAL PAY.IN |
| SAF | Asks security product | On MQOPEN PUT authority |
| Queue manager | Scopes profiles | QSG member QM1 |
| Object type | Queue, process, namelist, etc. | queue vs qmgr |
| Principal | User or group | CICS region userid |
Profiles can govern queues, topics, channels (in some configurations), the queue manager itself, and administrative commands. Authority bits include connect, inquire, get, put, set, alter, and ctrl depending on object. A batch userid might have put-only on an inbound queue and get-only on a reply queue—least privilege reduces fraud and operator error blast radius.
At class level, RACF supports generic profiles where trailing asterisks match many object names—`PAY.*` for all payment queues. Discrete profiles target one fully qualified name. Generics ease administration; overly broad generics cause audit findings. MQ SET AUTHREC GENERIC and PROFILE options align queue manager repository entries with RACF. Beginners should read profile naming rules in the next tutorial before creating wildcards.
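To make the decision path concrete (SAF asks, RACF answers, deny is fail-closed), here is an added Python model of the check described above; it is not IBM or RACF code. It assumes profile names are prefixed with the queue manager name (QM1.PAY.IN), that a trailing asterisk is a simple prefix match, and that the most specific matching profile wins; the userids, group and profiles are constructed sample data.

```python
# Added model of the SAF/RACF decision the tutorial describes: discrete vs generic
# profiles, group membership, and fail-closed deny. Simplified: a trailing "*" is
# treated as a plain prefix match; real RACF generic rules are richer.
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str                                   # "QM1.PAY.IN" (discrete) or "QM1.PAY.*" (generic)
    access: dict = field(default_factory=dict)  # principal -> set of authority bits
    uacc: frozenset = frozenset()               # bits granted to every user (UACC)

    def is_generic(self):
        return self.name.endswith("*")

    def matches(self, resource):
        return resource.startswith(self.name[:-1]) if self.is_generic() else resource == self.name

def best_profile(profiles, resource):
    """Most specific matching profile wins: discrete before generic, then longest literal part."""
    hits = [p for p in profiles if p.matches(resource)]
    return max(hits, key=lambda p: (not p.is_generic(), len(p.name.rstrip("*")))) if hits else None

def check(profiles, groups, userid, qmgr, obj, authority):
    """Return (allowed, reason). No covering profile or no bit -> deny; MQ surfaces that as 2035."""
    resource = f"{qmgr}.{obj}"                  # queue manager name scopes the profile
    prof = best_profile(profiles, resource)
    if prof is None:
        return False, f"no profile covers {resource}: deny (fail-closed)"
    principals = {userid, *groups.get(userid, ())}   # the userid plus every group it joins
    granted = set(prof.uacc).union(*(prof.access.get(p, set()) for p in principals))
    if authority in granted:
        return True, f"{prof.name} grants {authority} to {userid}"
    return False, f"{prof.name} matched but {authority} not granted: 2035 NOT_AUTHORIZED"

# Constructed sample site: a CICS region userid in group CICSPAY, one batch userid outside it.
GROUPS = {"CICSA01": {"CICSPAY"}, "BATCH01": set()}
PROFILES = [
    Profile("QM1.PAY.*", {"CICSPAY": {"connect", "inquire", "put"}}),   # generic: put-only on payment queues
    Profile("QM1.PAY.REPLY", {"CICSPAY": {"connect", "get"}}),          # discrete: reply queue is get-only
]

if __name__ == "__main__":
    for who, q, auth in [("CICSA01", "PAY.IN", "put"), ("CICSA01", "PAY.REPLY", "put"),
                         ("CICSA01", "PAY.REPLY", "get"), ("BATCH01", "PAY.IN", "put"),
                         ("CICSA01", "HR.IN", "put")]:
        print(who, q, auth, check(PROFILES, GROUPS, who, "QM1", q, auth))
```

The second request shows why a discrete profile matters: the broad `QM1.PAY.*` generic would have allowed a put to the reply queue, but the discrete `QM1.PAY.REPLY` profile takes precedence and denies it.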
| Layer | What it checks | When |
|---|---|---|
| TLS / SSLPEER | Certificate and cipher on channel | Channel handshake |
| CHLAUTH | Allowed partner, user mapping | Channel connect |
| RACF mqadmin | MQ object authority for userid | MQCONN, MQOPEN, MQPUT, MQGET |
| Application auth | Business rules in program | After message read |
Passing TLS does not imply put authority on a queue. Passing CHLAUTH does not replace mqadmin for the mapped userid. Defense in depth means every layer is configured consistently.
The userid under which CICS or IMS runs is what RACF sees for MQI calls from those regions unless switching techniques apply. Grant mqadmin profiles to that userid or to groups it joins. Separate profiles per environment: never share production queue authority with test regions on shared LPARs without hard naming boundaries.
RACF logging records failures and sometimes successes. Correlate SMF and RACF reports with MQ error logs for 2035 spikes after changes. Change control for mqadmin should list queue patterns, principals, and authority bits—not vague “access to MQ.”
The mqadmin class is the badge printer. Profiles are individual badges saying which doors you may open—connect to the building, enter the mail room, drop letters in slot 3. Without the right badge color, SAF stops you at the door even if you know the queue name.
RACF is the list of kids allowed in each room. mqadmin is the notebook where IBM MQ keeps those lists for its rooms.
List five object types mqadmin might protect and one authority bit each needs for a simple producer.
Explain to a Java developer why their Windows MQ auth differs from z/OS RACF.
Sketch layers: TLS, CHLAUTH, RACF for a remote partner putting to a local queue.
1. IBM MQ object authority on z/OS is commonly stored in:
2. RACF mqadmin profiles control:
3. CHLAUTH differs from RACF because:
4. CICS region userid needs: