OAM permissions are the vocabulary IBM MQ uses to say what an identity may do to each object. The Object Authority Manager compares the operation your application requests—open for output, get, browse, publish—with the bit mask stored for that principal on that queue, topic, or channel. Missing a single required bit returns MQRC_NOT_AUTHORIZED (2035). Permissions are not roles in the LDAP sense; they are explicit grants you create with setmqaut or RACF on z/OS. Beginners confuse authentication success with having any permission at all. This tutorial lists each common authority bit, which MQI calls require it, how bits combine for typical patterns, pub/sub-specific pub and sub, administrative bits you should rarely grant, +all risk, interaction with object inhibit attributes, and how to design least-privilege matrices for operations teams.
On each security-sensitive call, OAM loads grants for the effective principal and object profile. It checks whether the requested operation is allowed. Group membership may union multiple grants. Default-deny queue managers return failure when no record exists. Default-allow legacy systems may permit until you harden—migrate to explicit grants. OAM runs after connection authentication when CONNAUTH is enabled; the principal is usually the adopted client ID or MCAUSER.
| Permission | Allows | Typical grantee |
|---|---|---|
| connect | MQCONNX to queue manager / channel use | All remote clients |
| put | MQPUT, some publish paths | Producer services |
| get | Destructive MQGET | Consumer services |
| browse | MQGET with browse options | Support, audit read-only |
| inq / dsp | Display attributes, depth | Monitoring tools |
| chg / alt / clr / dlt | ALTER, CLEAR, DELETE object | MQ administrators |
| crt | Create object where applicable | Deploy pipelines, admins |
| pub / sub | Publish / subscribe on topic tree | Pub/sub apps |
| all | Full control | mqm admin only |
connect is required for client applications to attach to the queue manager when your security policy enforces it. Some sites grant connect at queue manager level once per app ID; others per SVRCONN channel. open for input or output implicitly needs get or put on the queue object. Attempting MQOPEN without the matching bit fails before the first put or get. Document whether your estate uses explicit +connect or relies on defaults—dspmqaut proves what is configured.
put alone does not let an application read responses; pair grants across request and reply queues for request/reply patterns. get without browse still allows destructive reads; support teams often want browse without get to inspect poison messages without consuming them. Clearing a queue needs clr, not merely get. Never grant clr to application IDs unless they intentionally purge their own backlog with operational approval.
12345* Producer pattern: setmqaut -m QM1 -n REQ.Q -t queue -p app +put +connect setmqaut -m QM1 -n REP.Q -t queue -p app +get +browse +connect * Monitor pattern (no destructive read): setmqaut -m QM1 -n REQ.Q -t queue -p monitor +browse +inq +dsp
pub authorizes MQPUT to a topic or publish API calls for matching topic strings. sub authorizes subscription creation (MQSUB, DEFINE SUB). Neither replaces queue permissions on destination queues—managed subscriptions still need get on the destination. Grant pub on narrow topic prefixes; granting pub on enterprise/# is equivalent to a broadcast license for that principal.
OAM permissions are separate keys on your keyring—mailbox key, filing cabinet key, manager key. Having the mailbox key does not open the server room.
A queue may show PUT(ENABLED) while OAM denies +put—the application sees 2035. Conversely PUT(DISABLED) blocks puts even when OAM grants +put. DISPLAY QSTATUS and dspmqaut together diagnose conflicts. CHLAUTH is another layer: even with all OAM bits, a blocked channel prevents reachability.
Permissions are stickers on your badge—one sticker for feeding the fish, another for feeding the lion. No lion sticker means you cannot feed the lion even if you got into the zoo.
Build a matrix for a request/reply app listing bits per queue.
Which bits does a read-only Grafana monitor need on 100 queues?
Explain why +pub without +get might still deliver messages via subscription.
1. +browse allows:
2. +pub applies to:
3. +all should be given to:
4. 2035 means OAM: