Queue ownership is about control: who may create, change, delete, put to, or read from a queue. IBM MQ distinguishes the queue definition (an object held by the queue manager) from the messages on it, and access control covers both paths: who may administer the definition and who may put to or get from the queue. A queue can be PUT(ENABLED) while your application still receives reason code 2035 (MQRC_NOT_AUTHORIZED) because the Object Authority Manager (OAM) denies your user ID. On z/OS, RACF profiles protect queues instead of OAM. Beginners blame the network when the real issue is authority. This tutorial explains ownership concepts, setmqaut and dspmqaut, the relationship between the GET/PUT attributes and OAM, service account patterns, and the governance practices enterprises use for queue naming and ownership registers.
On distributed queue managers, OAM reads the authority records (created with setmqaut or SET AUTHREC) to decide whether a principal or group may connect, put, get, browse, inquire, set, alter, or delete each object type, queues included. Authentication and authorization are separate steps: connection authentication (the AUTHINFO object named by the queue manager's CONNAUTH attribute, with its CHCKCLNT and CHCKLOCL settings) verifies the credentials at MQCONN; OAM then authorizes the connect, and later authorizes MQOPEN and MQPUT1 (put, get, browse, inq, set, according to the open options) and MQSUB. MQPUT and MQGET themselves are not re-checked; the rights were established when the handle was opened, which is why a 2035 usually surfaces at MQOPEN rather than at the first message. OAM is deny-by-default: a user with no matching authority record is refused unless it belongs to the mqm group, so every application identity needs explicit grants. DISPLAY AUTHREC shows the records; dspmqaut shows the effective authorities of one principal or group on one object.
| setmqaut keyword | Allows |
|---|---|
| connect | MQCONN to the queue manager (granted on the qmgr object, -t qmgr) |
| put | MQPUT (MQOPEN with MQOO_OUTPUT, or MQPUT1) |
| get | MQGET, destructive read (MQOPEN with an MQOO_INPUT_* option) |
| browse | MQGET with a browse option; messages are not removed |
| inq | MQINQ on the object's attributes |
| set | MQSET on the object's attributes |
| passid / passall | pass identity context / all context on MQPUT |
| setid / setall | set identity context / all context on MQPUT (receiving channel identities need setall) |
| chg | ALTER the object |
| dlt | DELETE the object |
| dsp | DISPLAY the object |
| clr | CLEAR the queue |
| all | alladm plus allmqi: every authority that applies to the object type |
GET(ENABLED) and PUT(ENABLED) on DEFINE QLOCAL are necessary but not sufficient. Think of them as door signs: In and Out allowed. OAM is the security guard checking badges. PUT(DISABLED) blocks everyone regardless of badge, and the application sees 2051 (MQRC_PUT_INHIBITED); GET(DISABLED) likewise gives 2016 (MQRC_GET_INHIBITED). PUT(ENABLED) with no put authority blocks the application with 2035 at MQOPEN. Both layers must allow the operation for it to succeed, and the reason code tells you which layer refused.
The administrator who runs DEFINE QLOCAL from runmqsc is normally a member of mqm and therefore already holds full authority on every object, so creating a queue records nothing special. When an application creates a permanent dynamic queue, the creating user ID may end up holding authority on that object, which is risky in production if developers connect with personal IDs. The standard pattern: only operations DEFINE permanent queues; applications use fixed names under a service account; CI/CD promotes the MQSC definitions together with the matching authority records so that a queue never reaches production without its grants.
```shell
# Grant app service account put and get on one queue
setmqaut -m QM1 -n ORDERS.IN -t queue -p orders_svc +put +get +browse
# Confirm the effective authorities for that principal
dspmqaut -m QM1 -n ORDERS.IN -t queue -p orders_svc
# Group grant
setmqaut -m QM1 -n ORDERS.IN -t queue -g orders_app +put +get
# Revoke
setmqaut -m QM1 -n ORDERS.IN -t queue -p old_user -put -get
```
Replace QM1, the queue names, and the principals with your site standards. On distributed platforms a setmqaut change takes effect immediately; keep a dump from dmpmqaut under version control so the records can be rebuilt after a disaster. REFRESH SECURITY matters mainly on z/OS after RACF profile changes; on distributed platforms REFRESH SECURITY TYPE(AUTHSERV) only refreshes the OAM's cached view of authorizations, which is useful after group membership changes.
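The pattern above, operations defining queues and a pipeline promoting the authority records with them, can be scripted. The script below is an added example, not code from this page or from IBM MQ: it takes a small ownership register (queue, entity, principal-or-group, role), maps each role to a least-privilege authority set and prints the setmqaut and dspmqaut commands for a release. QM1, ORDERS.IN, the principals orders_svc, billing_svc and audit_ro, the group orders_app and the role names are assumptions for the example. It only prints commands; review the output, then run it on the queue manager host.

```shell
#!/bin/sh
# Render an ownership register into setmqaut commands for a release pipeline.
# Queue manager, queue, principals and roles below are constructed for this example.

QMGR="QM1"

# One record per line: queue|entity|kind|role   (kind: p = principal, g = group)
REGISTER='ORDERS.IN|orders_svc|p|producer
ORDERS.IN|billing_svc|p|consumer
ORDERS.IN|audit_ro|p|auditor
ORDERS.IN|orders_app|g|consumer'

# Least-privilege authority set per role. Nothing here grants +all, +chg, +dlt
# or +setall: only operations define queues, and only channel identities pass context.
role_auths() {
  case "$1" in
    producer) echo "+put" ;;
    consumer) echo "+get +browse +inq" ;;
    auditor)  echo "+browse +inq" ;;
    *)        echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Split one record into q, ent, kind, role (globbing off so a name with * survives)
split_rec() {
  set -f; oldifs=$IFS; IFS='|'; set -- $1; IFS=$oldifs; set +f
  q=$1; ent=$2; kind=$3; role=$4
}

# Emit the commands for the whole register:
#  1. connect (and inq) on the queue-manager object, once per entity, because OAM
#     authorizes MQCONN before it ever looks at a queue;
#  2. per record, reset the queue record with -all and then grant the role's set,
#     so re-running the script never accumulates rights granted out of band;
#  3. a dspmqaut line per record as evidence for the change ticket.
render_grants() {
  seen=""
  for rec in $REGISTER; do
    split_rec "$rec"
    case " $seen " in *" $kind:$ent "*) continue ;; esac
    seen="$seen $kind:$ent"
    printf 'setmqaut -m %s -t qmgr -%s %s +connect +inq\n' "$QMGR" "$kind" "$ent"
  done
  for rec in $REGISTER; do
    split_rec "$rec"
    auths=$(role_auths "$role") || return 1
    printf 'setmqaut -m %s -n %s -t queue -%s %s -all\n' "$QMGR" "$q" "$kind" "$ent"
    printf 'setmqaut -m %s -n %s -t queue -%s %s %s\n' "$QMGR" "$q" "$kind" "$ent" "$auths"
  done
  for rec in $REGISTER; do
    split_rec "$rec"
    printf 'dspmqaut -m %s -n %s -t queue -%s %s\n' "$QMGR" "$q" "$kind" "$ent"
  done
}

render_grants
```

Keeping the role-to-authority map in one place means a reviewer approves the role, not a free-form list of flags, and the -all reset before each grant makes the script declarative: a right someone added by hand disappears at the next release unless it is in the register.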
On z/OS there is no OAM. The queue manager calls the System Authorization Facility (SAF) and an external security manager, usually RACF, answers. Queue access is controlled by profiles in the MQQUEUE class (MXQUEUE for mixed-case names), and whether a given category of check is performed at all is governed by switch profiles in the MQADMIN class. Mainframe beginners must learn both MQSC and the RACF commands owned by the security team, or work through the ISPF panels. Estates that mix distributed and z/OS queue managers often map the same application name onto two different mechanisms, OAM authority records on one side and RACF profiles on the other, so the ownership register has to record both.
IBM MQ has no owner attribute on a queue. Organisations record ownership in DESCR, in an external CMDB, or in the naming convention (PAYMENTS.ORDERS.IN belongs to the payments squad). Change control ties every ALTER QLOCAL to a ticket approved by that owner. Periodic audits run DISPLAY QLOCAL(*) and dmpmqaut, compare the result with the register, and remove orphan queues and grants left behind by departed projects.
Messages from other queue managers arrive over receiver channels, and the message channel agent puts them under the channel's MCAUSER (set on the channel definition or assigned by a CHLAUTH mapping rule). That identity needs connect on the queue manager and put on every target queue; because the MCA puts with the sender's context preserved, it also needs setall on the target queue and on the dead-letter queue. When the put is refused, the message is routed to the dead-letter queue with reason 2035 in its dead-letter header, and if no dead-letter queue is defined the channel stops, so a trusted remote application is blocked by a local authority gap. Ownership planning therefore covers channel identities, not only application and interactive users.
Authority is checked against the name the application opens, as the local queue manager resolves it. An alias queue is checked by its own name: a principal with put on the alias needs nothing on the base queue, which is why aliases are a clean way to expose one queue to several owners under separate, separately governed names. For a cluster queue hosted elsewhere, current versions check the cluster queue name locally; at the destination, the cluster-receiver channel's MCAUSER must hold put (and setall) on the real queue. Clustering does not bypass security; it moves part of the check to the receiving side.
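To catch drift between the register and the live records (the audit mentioned above, and the channel and alias rules just described), the following added example parses a dump in the record layout dmpmqaut prints and reports orphan, under-privileged and missing records. It is not code from this page or from IBM: the dump text is constructed for the example (a real run would feed `dmpmqaut -m QM1` output instead, and the label parsing should be checked against the installed version), and QM1, ORDERS.IN, ORDERS.ALIAS, the principals and the receiver-channel MCAUSER mqchl_mca are hypothetical. The required sets encode two rules from the text: the channel identity needs put and setall on the target queue, and the partner application is authorised on the alias only.

```shell
#!/bin/sh
# Audit live OAM authority records against an ownership register.
# REGISTER and DUMP are constructed for this example; a real run would use
#   DUMP=$(dmpmqaut -m QM1)   and load REGISTER from version control.

# queue|kind|entity|required authorities  (kind as dmpmqaut prints it: principal or group).
# mqchl_mca is the receiver channel's MCAUSER: it puts with context, so put alone is not enough.
# partner_svc reaches ORDERS.IN through the alias ORDERS.ALIAS and is granted there only.
REGISTER='ORDERS.IN|principal|orders_svc|put
ORDERS.IN|principal|mqchl_mca|put setall
ORDERS.ALIAS|principal|partner_svc|put'

# Constructed to resemble dmpmqaut output: five labelled lines per record, blank line between.
DUMP='profile:     ORDERS.IN
object type: queue
entity:      orders_svc
entity type: principal
authority:   put

profile:     ORDERS.IN
object type: queue
entity:      mqchl_mca
entity type: principal
authority:   put

profile:     ORDERS.IN
object type: queue
entity:      partner_svc
entity type: principal
authority:   put

profile:     ORDERS.IN
object type: queue
entity:      jsmith
entity type: principal
authority:   get put browse inq

profile:     QM1
object type: qmgr
entity:      orders_svc
entity type: principal
authority:   connect inq'

# Collapse surrounding and repeated whitespace; globbing off so a generic profile like ORDERS.* survives
trim() { set -f; set -- $1; set +f; printf '%s' "$*"; }

# Flatten the dump to one record per line, queue objects only: queue|kind|entity|authorities
parse_dump() {
  printf '%s\n\n' "$DUMP" | while IFS= read -r line; do
    case "$line" in
      profile:*)       prof=$(trim "${line#profile:}") ;;
      "object type:"*) otype=$(trim "${line#object type:}") ;;
      entity:*)        ent=$(trim "${line#entity:}") ;;
      "entity type:"*) kind=$(trim "${line#entity type:}") ;;
      authority:*)     auth=$(trim "${line#authority:}") ;;
      *) if [ -z "$line" ]; then            # blank line closes a record
           if [ "$otype" = queue ]; then printf '%s|%s|%s|%s\n' "$prof" "$kind" "$ent" "$auth"; fi
           prof=; otype=; ent=; kind=; auth=
         fi ;;
    esac
  done
  return 0
}

# Does the space-separated authority list $1 contain authority $2?
has_auth() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# Required authorities for queue/kind/entity from the register; empty when not registered
lookup_required() {
  printf '%s\n' "$REGISTER" | while IFS='|' read -r q kind ent req; do
    if [ "$q|$kind|$ent" = "$1|$2|$3" ]; then printf '%s' "$req"; fi
  done
  return 0
}

# One line per finding; exit status 1 when anything needs reconciling.
#   ORPHAN   a live record the register does not know (personal IDs, stale grants,
#            or an application granted on the base queue instead of its alias)
#   MISSING  a registered entity lacking one of its required authorities
#   NORECORD a registered entity with no live record at all
audit_grants() {
  records=$(parse_dump)
  rc=0
  while IFS='|' read -r q kind ent auth; do
    [ -n "$q" ] || continue
    req=$(lookup_required "$q" "$kind" "$ent")
    if [ -z "$req" ]; then
      printf 'ORPHAN   %s %s %s holds: %s\n' "$q" "$kind" "$ent" "$auth"; rc=1; continue
    fi
    for a in $req; do
      has_auth "$auth" "$a" || { printf 'MISSING  %s %s %s lacks: %s\n' "$q" "$kind" "$ent" "$a"; rc=1; }
    done
  done <<EOF
$records
EOF
  while IFS='|' read -r q kind ent req; do
    [ -n "$q" ] || continue
    printf '%s\n' "$records" | grep -q "^$q|$kind|$ent|" ||
      { printf 'NORECORD %s %s %s expected: %s\n' "$q" "$kind" "$ent" "$req"; rc=1; }
  done <<EOF
$REGISTER
EOF
  return $rc
}

audit_grants || echo "drift found: reconcile before the next release"
```

Run against the constructed dump it reports the channel identity lacking setall, partner_svc and jsmith as orphans on the base queue, and the missing alias record, which is exactly the set of findings a reviewer would expect from the rules in this section.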
The mailbox has a label saying who may drop letters in and who may take them out. The label on the box (GET/PUT) and the school ID card checker (OAM) both must say you are allowed.
Write the setmqaut commands for a read-only audit account (browse and inq only) on AUDIT.QUEUE, including the connect authority it needs on the queue manager.
An application receives 2035 even though CONNAUTH against LDAP succeeded. List three authorization checks that happen after connection authentication.
Design an ownership model in which operations defines the queues and three microservices receive put or get: produce a table of queue names, principals, and the authorities each holds.
1. OAM on distributed MQ primarily controls:
2. GET(ENABLED) on the queue plus missing OAM get authority causes:
3. setmqaut -t queue -n NAME -p user +put grants:
4. Production best practice for queue creation is: