MQ RACF profiles are the individual permission slips inside the mqadmin class: one row per combination of queue manager, object type, object name pattern, and userid or group. When a CICS payment transaction MQPUTs to PAY.IN, SAF searches RACF for a profile that grants PUT on that queue for the CICS region userid. A missing profile means reason code 2035 and a midnight call. Profiles are where administrators live day to day: creating generics for `PAY.*`, tightening test regions, revoking alter authority from application ids, and proving to auditors that segregation of duties holds. IBM MQ SET AUTHREC and DISPLAY AUTHREC speak the same concepts on the queue manager repository. This tutorial explains profile structure, authority bits, generic versus discrete profiles, aligning AUTHREC with RACF, group versus user grants, common cutover mistakes, and troubleshooting workflows beginners can follow without guessing.
A profile answers: who (principal), on which queue manager, for which object type and name, may do what (authorities). Principals are RACF userids or groups. Objects include qmgr, queue, topic, channel, and others per IBM documentation. Authorities are granular—connect before open, get and put for messaging, alter for MQSC changes, ctrl for control commands on some objects.
| Authority | Allows | Typical grantee |
|---|---|---|
| CONNECT (qmgr) | MQCONN to queue manager | All application regions |
| GET | MQGET, browse | Consumer transactions |
| PUT | MQPUT | Producer jobs and partners |
| INQ | DISPLAY and inquire | Monitoring tools |
| SET/ALTER | Change definitions | MQ admins only |
| CTRL | Control operations | Operations staff |

```
SET AUTHREC PROFILE('PAY.IN') OBJTYPE(QUEUE) PRINCIPAL('cicsprod') AUTHADD(GET,PUT,INQ)
SET AUTHREC PROFILE('**') OBJTYPE(QUEUE) PRINCIPAL('mqmon') AUTHADD(INQ)
SET AUTHREC PROFILE('self') OBJTYPE(QMGR) PRINCIPAL('cicsprod') AUTHADD(CONNECT,INQ)
```

PROFILE names the object or pattern. PRINCIPAL is the RACF userid or group. AUTHADD grants; AUTHRM removes. Use GENERIC when the profile name is a wildcard pattern. After RACF changes, some sites require REFRESH SECURITY TYPE(MQADMIN) or queue manager refresh—follow local runbooks. Typos in PROFILE are silent until 2035 at runtime.

```
DISPLAY AUTHREC PROFILE('PAY.IN') OBJTYPE(QUEUE) PRINCIPAL('cicsprod')
DISPLAY AUTHREC OBJTYPE(QUEUE) PRINCIPAL('cicsprod')
```

Before opening a ticket to application teams, administrators DISPLAY AUTHREC for the failing principal and object. Compare with RACF LISTUSER and group memberships. Remember surrogate submission: the userid on the job statement is what matters, not the developer’s personal id.
Generic profiles end with asterisk or use site-defined patterns so one definition covers many queues. `SET AUTHREC PROFILE('PAY.*') OBJTYPE(QUEUE) GENERIC` might grant put to a payment service id for all payment queues. Generics accelerate projects but cause audit pain when someone adds PAY.TEST with production authority. Review generics quarterly; prefer discrete profiles for high-risk queues like wire transfer and key management.
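
The quarterly generic review described above can be scripted. The following is an added example, not code from this page or from IBM: it parses a constructed change script written in the page's SET AUTHREC form, lists wildcard profiles that grant more than INQ, and shows what a newly defined queue such as PAY.TEST would inherit. The principals `paysvc` and `devteam`, the function names, and the wildcard model (`*` stays within one dot-separated qualifier, `**` spans qualifiers) are assumptions; check the matching rules your queue manager and RACF actually apply.

```python
import re

# Constructed change script in the SET AUTHREC form used on this page (sample data).
SCRIPT = """
SET AUTHREC PROFILE('PAY.IN') OBJTYPE(QUEUE) PRINCIPAL('cicsprod') AUTHADD(GET,PUT,INQ)
SET AUTHREC PROFILE('PAY.*') OBJTYPE(QUEUE) PRINCIPAL('paysvc') AUTHADD(PUT) GENERIC
SET AUTHREC PROFILE('**') OBJTYPE(QUEUE) PRINCIPAL('mqmon') AUTHADD(INQ)
SET AUTHREC PROFILE('PAY.WIRE.*') OBJTYPE(QUEUE) PRINCIPAL('devteam') AUTHADD(PUT,ALTER)
"""

RISKY = {"PUT", "GET", "SET", "ALTER", "CTRL"}  # anything beyond read-only INQ

def parse(script):
    """Return one dict per SET AUTHREC line: profile, objtype, principal, auths."""
    recs = []
    for line in script.splitlines():
        if not line.strip().upper().startswith("SET AUTHREC"):
            continue
        kw = {k.upper(): v.strip("'") for k, v in re.findall(r"(\w+)\(([^)]*)\)", line)}
        recs.append({"profile": kw["PROFILE"], "objtype": kw["OBJTYPE"],
                     "principal": kw["PRINCIPAL"],
                     "auths": set(kw.get("AUTHADD", "").upper().split(","))})
    return recs

def to_regex(profile):
    """Assumed wildcard model: '*' stays inside one dot-qualifier, '**' crosses dots."""
    out = ""
    for part in re.split(r"(\*\*|\*)", profile):
        out += ".*" if part == "**" else "[^.]*" if part == "*" else re.escape(part)
    return re.compile(out + r"\Z")

def inherited(recs, new_queue):
    """Grants a newly defined queue would pick up from wildcard profiles."""
    return sorted((r["principal"], a) for r in recs
                  if "*" in r["profile"] and r["objtype"] == "QUEUE"
                  and to_regex(r["profile"]).match(new_queue)
                  for a in r["auths"])

def risky_generics(recs):
    """Wildcard profiles that grant more than INQ: the quarterly review list."""
    return sorted((r["profile"], r["principal"], a) for r in recs
                  if "*" in r["profile"] for a in r["auths"] & RISKY)

if __name__ == "__main__":
    recs = parse(SCRIPT)
    print("PAY.TEST would inherit:", inherited(recs, "PAY.TEST"))
    print("Generics to review:", risky_generics(recs))
```

Run it against the change script before a cutover and again after each new queue definition; any unexpected principal in the inherited list is a candidate for a discrete profile.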
Grant authority to RACF groups such as MQAPPPAY and place application userids in the group. Rotation and auditing become easier than editing dozens of discrete profiles. Avoid nesting groups in ways your security team forbids. Document which group owns which integration pattern in a central register.
| Symptom | Check | Fix direction |
|---|---|---|
| MQCONN fails | qmgr CONNECT for principal | SET AUTHREC on self OBJTYPE(QMGR) |
| MQOPEN PUT fails | PUT on queue profile | AUTHADD PUT for producer id |
| CKTI cannot read INITQ | GET on initiation queue | Grant CKTI region GET |
| Channel puts fail | CHLAUTH then RACF for mapped user | Fix MAPRULE and mqadmin |
| Worked yesterday | Recent RACF remove or rename | Restore or update AUTHREC |
Segregation of duties: developers should not hold alter on production queues; operators should not hold put on wire queues unless dual control approves. Profiles are evidence in audits—export DISPLAY AUTHREC after changes. Pair with CHLAUTH records for channel-facing identities.
Each profile is a key labeled with a door name. Generics are master keys that open many doors—convenient until someone copies the master. Discrete keys are slower to manage but safer for vault doors.
A profile is your name on the list next to a toy box. If your name is not there, you cannot put toys in or take toys out of that box.
Write SET AUTHREC commands for a consumer with GET only and a producer with PUT only on ORDERS.IN.
Argue for and against a generic `APP.*` PUT profile for ten microservices.
Document a 2035 troubleshooting flowchart from application log to DISPLAY AUTHREC.
1. SET AUTHREC updates:
2. Least privilege means:
3. Generic profile risk is:
4. DISPLAY AUTHREC helps: