The Object Authority Manager is IBM MQ's enforcement engine for authorization. Every time an application or channel-associated identity attempts to open a queue, publish to a topic, alter a channel, or browse a process definition, OAM compares the requested operation against stored grants for that principal on that object. A missing +put does not mean “try harder”—it means MQRC_NOT_AUTHORIZED reason code 2035 and no message on the queue. On distributed queue managers OAM data is manipulated with setmqaut and dspmqaut and viewed with DISPLAY AUTHREC in MQSC; on z/OS the same logical checks flow through RACF profiles. Beginners hear “OAM” in audit reports without knowing it is not a separate installable product but part of the queue manager. This tutorial explains OAM placement in the security model, AUTHREC structure, default authority behavior, group expansion, queue manager-level versus object-level records, interaction with MCAUSER, caching and open handle semantics, migration from default-allow estates, and troubleshooting DISPLAY output when 2035 persists after apparent grants.
After TCP, TLS, CONNAUTH, and CHLAUTH have run, the MQI thread resolves the effective user ID. MQOPEN requests a combination of access options—output, input, browse—and OAM maps those to authority bits. A single open for output requires +put; an open for input requires +get. Pass-through operations on alias queues check the base queue authority. OAM failure is immediate; there is no partial open. Message channel agents putting messages on behalf of remote partners are checked under the MCAUSER identity, unless context options override it according to IBM's rules for your release.
| Scope | Object | Example grant |
|---|---|---|
| Queue manager | @class(qmgr) or qmgr name | +connect for clients |
| Queue | QLOCAL name | +put +get for app |
| Topic | TOPIC name | +pub +sub |
| Channel | CHANNEL name | +ctrl for operations |
| Group | Any above | Grant to mqapps group |
In runmqsc:

```
DISPLAY AUTHREC PROFILE('PAYMENT.IN') OBJTYPE(QUEUE) PRINCIPAL('mqpay')
DISPLAY AUTHREC PROFILE('PAYMENT.IN') OBJTYPE(QUEUE) GROUP('MQAPPS')
```

From the shell on a distributed queue manager:

```sh
setmqaut -m QM1 -n PAYMENT.IN -t q -p mqpay +put +get +browse
setmqaut -m QM1 -n PAYMENT.IN -t q -g MQAPPS +dsp +inq
dspmqaut -m QM1 -n PAYMENT.IN -t q -p mqpay
```
PROFILE names the object; OBJTYPE matches queue, topic, channel, and other enums. PRINCIPAL is a user; GROUP is a group grant—members inherit when platform group membership is correct. dspmqaut is the operator-friendly view; DISPLAY AUTHREC is authoritative in MQSC scripts. After bulk migrations, export AUTHREC lists to source control for drift detection.
New objects may inherit default authority records—on some releases *PUBLIC or platform-specific defaults allow broad access until revoked. Security projects explicitly use SET AUTHREC to remove public put/get and grant only service IDs. Queue manager-level AUTHREC settings influence objects created without explicit grants. Document your estate baseline: “no +put for *PUBLIC on application queues.” Penetration tests often find one leftover default on a test queue that production traffic shares.
Granting to group MQAPPS and adding application users to that OS or LDAP group scales better than per-user grants on thousands of queues. Separate groups for producers, consumers, and operators. Avoid nesting excessive privilege—operators need +crt on object classes for admin, not +all on payment queues. Review group membership quarterly; orphaned accounts in MQAPPS are a common audit finding.
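To make the baseline check and the group-expansion point concrete, here is an added example (not part of the original tutorial or of IBM MQ itself) that parses DISPLAY AUTHREC output exported from runmqsc, computes the effective authorities a principal gets from its own record plus its group records, and flags *PUBLIC records that still carry put/get/browse on application queues. The sample output below is constructed, modelled on the AMQ8864I record layout; the group list passed in is assumed to come from the OS or LDAP directory.

```python
import re

# Constructed sample of DISPLAY AUTHREC output (AMQ8864I layout), not a real capture.
SAMPLE_AUTHREC = """\
AMQ8864I: Display authority record details.
   PROFILE(PAYMENT.IN)                     ENTITY(mqpay)
   ENTTYPE(PRINCIPAL)                      OBJTYPE(QUEUE)
   AUTHLIST(BROWSE,GET,PUT)
AMQ8864I: Display authority record details.
   PROFILE(PAYMENT.IN)                     ENTITY(MQAPPS)
   ENTTYPE(GROUP)                          OBJTYPE(QUEUE)
   AUTHLIST(DSP,INQ)
AMQ8864I: Display authority record details.
   PROFILE(TEST.SHARED)                    ENTITY(*PUBLIC)
   ENTTYPE(GROUP)                          OBJTYPE(QUEUE)
   AUTHLIST(GET,PUT)
"""

FIELD = re.compile(r"(\w+)\(([^)]*)\)")          # KEY(value) pairs on one output line
MQI_DATA_AUTHS = {"PUT", "GET", "BROWSE", "ALL", "ALLMQI"}  # authorities that move data

def parse_authrecs(text):
    """Return one dict per AMQ8864I record; AUTHLIST becomes a set of authority names."""
    records, current = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("AMQ8864I"):
            current = {}
            records.append(current)
        elif current is not None:
            current.update(FIELD.findall(line))
    for rec in records:
        rec["AUTHLIST"] = {a for a in rec.get("AUTHLIST", "").split(",") if a}
    return records

def effective_authorities(records, profile, principal, groups):
    """Union of the principal's own record and every record for a group it belongs to."""
    entities = {("PRINCIPAL", principal)} | {("GROUP", g) for g in groups}
    return set().union(*(r["AUTHLIST"] for r in records
                         if r["PROFILE"] == profile and (r["ENTTYPE"], r["ENTITY"]) in entities))

def baseline_violations(records):
    """Flag *PUBLIC grants of put/get/browse on non-SYSTEM queues (the baseline in the text)."""
    return sorted((r["PROFILE"], sorted(r["AUTHLIST"] & MQI_DATA_AUTHS)) for r in records
                  if r["ENTITY"] == "*PUBLIC" and r["OBJTYPE"] == "QUEUE"
                  and not r["PROFILE"].startswith("SYSTEM.") and r["AUTHLIST"] & MQI_DATA_AUTHS)

if __name__ == "__main__":
    recs = parse_authrecs(SAMPLE_AUTHREC)
    print("mqpay on PAYMENT.IN:", sorted(effective_authorities(recs, "PAYMENT.IN", "mqpay", ["MQAPPS"])))
    print("baseline violations:", baseline_violations(recs))
```

Feeding the same parser the export from each environment and diffing the results is the drift detection mentioned earlier; a user whose effective set lacks PUT despite being in MQAPPS is the typical shape of a 2035 that "should" have been fixed.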
RACF stores profiles; MQ consults them during authorization. Commands differ from setmqaut but checks feel identical to application developers seeing 2035. Mixed hybrid estates need clear ownership: distributed team owns Linux QMgr setmqaut; mainframe team owns RACF profiles for z/OS QMgr. Never duplicate conflicting grants across migration cutover weekends without a rollback plan.
OAM is the guard holding a clipboard listing which badge numbers may enter which room. No line on the clipboard for your badge means stop—even if you entered the building earlier through a different door.
OAM is the list on the fridge that says which family members may open which snack box. If your name is not next to the cookie box, you cannot open it.
Write DISPLAY AUTHREC commands for one queue and two principals.
Explain the difference between a group grant and a user grant.
2035 persists after setmqaut—list five reasons grants can appear ineffective.
1. OAM enforces:
2. AUTHREC links:
3. 2035 comes from:
4. setmqaut on distributed: