SAF authorization is the gate IBM MQ walks through on z/OS every time an application tries to connect, open a queue, put a payment, or alter a definition. Authentication might have already proved the channel partner’s certificate, but authorization is the separate question: may this RACF userid perform this operation on this object? The System Authorization Facility receives a structured request—resource class, profile name, access type—and returns allow or deny. Deny becomes MQRC_NOT_AUTHORIZED (2035) in application logs and a ticket to the security team. Beginners confuse authentication failures at the channel with authorization failures on the queue; both block traffic but need different fixes. This tutorial focuses on authorization specifically: how MQ maps MQI operations to SAF access levels, how RACF profiles answer, layered security with CHLAUTH, auditing denials, and troubleshooting workflows that do not require reading assembler.
| Step | Question | MQ example |
|---|---|---|
| Authentication | Who is this? | TLS client cert, password, channel handshake |
| Authorization | What may they do? | SAF check for PUT on PAY.IN |
| Application logic | Is message valid? | Program validates format after MQGET |
A partner can authenticate successfully yet lack PUT authority on the target queue. Conversely, a valid RACF profile does not help if CHLAUTH blocks the channel before the userid is established. Defense in depth uses both layers.
When security checking is active, MQ builds a SAF request from the queue manager name, object type, object name, and the operation implied by the MQI call or command. CONNECT maps to queue manager access. MQOPEN with MQOO_OUTPUT implies put-related authority. Browse and get imply read authority. Administrative commands imply control or alter levels per IBM definitions for your release. SAF returns a return code and reason code; MQ translates denial into 2035 or command failure messages.
RACF and MQ speak in authority bits—connect, inquire, get, put, set, alter, ctrl—not in vague “access the queue.” The table below is conceptual; exact mapping is in IBM MQ for z/OS security documentation for your version.
| Operation | Typically needs | Profile scope |
|---|---|---|
| MQCONN | CONNECT on queue manager | qmgr self |
| MQGET | GET (and often INQ) | queue |
| MQPUT | PUT | queue |
| MQINQ on queue | INQ | queue |
| ALTER QLOCAL | ALTER or CTRL | queue or admin |
| DEFINE CHANNEL | Administrative authority | cmd or special |
SAF evaluates the RACF userid that makes the request, and authority held by any RACF group that userid is connected to counts as well. The principal is not necessarily the developer’s TSO id. CICS regions run as the CICS started task userid. Batch jobs use the JOB card userid. Channels map to MCAUSER or a rule in CHLAUTH. Misidentified principals are the top cause of “it works in test from my id but not in CICS.” Document principals per integration in the security register.
SET AUTHREC records on the queue manager align with RACF profiles in mqadmin. DISPLAY AUTHREC shows what MQ expects; RACF LISTUSER and group membership show what the ESM enforces. Both must agree after changes. Some sites refresh with REFRESH SECURITY TYPE(MQADMIN) per runbook. Stale caches can cause brief confusion after grants—retest after refresh windows.
```
DISPLAY AUTHREC PROFILE('PAY.IN') OBJTYPE(QUEUE) PRINCIPAL('cicsprod')
DISPLAY QMGR AUTHRCMD AUTHRMQS
```
AUTHRCMD and AUTHRMQS on the queue manager control how strictly MQ invokes SAF for commands and objects—security administrators set these during hardening. Beginners should read DISPLAY QMGR output during incidents rather than guessing.
Remote partners hit CHLAUTH first—allowed partner, user mapping, TLS requirements. Only after the channel runs under an established userid do queue PUT and GET calls invoke SAF authorization for that userid. Fixing 2035 on a channel-initiated put requires checking both CHLAUTH MAPRULE and mqadmin PUT profile for the mapped user.
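The two-gate sequence described above, as an added Python model that is not part of this tutorial or of IBM MQ: a CHLAUTH stage decides whether the channel starts and which userid it runs as, then a SAF stage checks the MQI call under that userid and reports which gate produced the block. The rule forms are simplified (first matching rule wins), the queue manager name, channel names, addresses, userids and profiles are constructed, and the operation-to-authority table follows the conceptual table on this page rather than the exact class and access-level mapping of any MQ release.

```python
"""Model of the two gates a remote MQ application passes on z/OS: a CHLAUTH
rule that establishes the channel's userid, then a SAF check for the MQI call
under that userid.  Constructed for illustration; rule matching is simplified
(first matching rule wins) and the authority names follow the page's table."""
from dataclasses import dataclass
from typing import Optional

MQRC_NOT_AUTHORIZED = 2035

# Assumed operation -> (profile scope, authority) mapping, from the page's table.
REQUIRED_AUTHORITY = {
    "MQCONN": ("QMGR", "CONNECT"),
    "MQGET": ("QUEUE", "GET"),
    "MQPUT": ("QUEUE", "PUT"),
    "MQINQ": ("QUEUE", "INQ"),
    "MQSET": ("QUEUE", "ALTER"),
}


@dataclass
class ChlauthRule:
    channel: str       # channel name, or prefix ending in '*'
    kind: str          # "BLOCK", "ADDRESSMAP" or "USERMAP"
    match: str         # partner address pattern, or the userid the partner asserts
    mcauser: str = ""  # userid the channel runs as when a map rule matches


@dataclass
class SafProfile:
    profile: str       # hlq is the queue manager name, e.g. "QM01.PAY.IN"
    grants: dict       # principal (userid or RACF group) -> set of authorities


@dataclass
class Verdict:
    layer: str         # "CHLAUTH", "SAF" or "OK": which gate decided
    userid: Optional[str]
    reason: str
    mqrc: int = 0


def _matches(pattern: str, value: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def resolve_principal(channel, partner_addr, asserted_user, rules):
    """CHLAUTH stage: decide whether the channel starts and as which userid."""
    for r in rules:
        if not _matches(r.channel, channel):
            continue
        if r.kind == "BLOCK" and _matches(r.match, partner_addr):
            return None, f"CHLAUTH BLOCK on {r.channel} matched address {partner_addr}"
        if r.kind == "ADDRESSMAP" and _matches(r.match, partner_addr):
            return r.mcauser, f"CHLAUTH ADDRESSMAP {r.match} -> MCAUSER {r.mcauser}"
        if r.kind == "USERMAP" and r.match == asserted_user:
            return r.mcauser, f"CHLAUTH USERMAP {asserted_user} -> MCAUSER {r.mcauser}"
    return None, "no CHLAUTH rule admits this connection"


def saf_check(qmgr, operation, obj, userid, groups, profiles):
    """SAF stage: the most specific covering profile must grant the authority
    to the userid itself or to one of its groups."""
    scope, authority = REQUIRED_AUTHORITY[operation]
    resource = qmgr if scope == "QMGR" else f"{qmgr}.{obj}"
    covering = [p for p in profiles if _matches(p.profile, resource)]
    if not covering:
        return False, f"no profile covers {resource}"
    # A discrete profile beats a generic one; a longer generic beats a shorter.
    best = max(covering, key=lambda p: (not p.profile.endswith("*"), len(p.profile)))
    for principal in [userid, *groups.get(userid, [])]:
        if authority in best.grants.get(principal, set()):
            return True, f"{principal} holds {authority} on {best.profile}"
    return False, f"{userid} (groups {groups.get(userid, [])}) lacks {authority} on {best.profile}"


def diagnose(qmgr, channel, partner_addr, asserted_user, operation, obj,
             rules, profiles, groups) -> Verdict:
    """Run both gates in order and report which one blocked, as in a 2035 triage."""
    userid, why = resolve_principal(channel, partner_addr, asserted_user, rules)
    if userid is None:
        return Verdict("CHLAUTH", None, why)
    ok, detail = saf_check(qmgr, operation, obj, userid, groups, profiles)
    if not ok:
        return Verdict("SAF", userid, detail, MQRC_NOT_AUTHORIZED)
    return Verdict("OK", userid, detail)


# Constructed sample configuration (not taken from any real queue manager).
RULES = [
    ChlauthRule("PARTNER.*", "BLOCK", "10.9.*"),
    ChlauthRule("PARTNER.BANK", "ADDRESSMAP", "10.1.2.*", mcauser="bankmca"),
    ChlauthRule("PARTNER.BANK", "USERMAP", "bankdev", mcauser="bankdev"),
]
PROFILES = [
    SafProfile("QM01", {"MQAPPS": {"CONNECT"}}),
    SafProfile("QM01.PAY.IN", {"bankmca": {"PUT"}, "cicsprod": {"GET", "INQ"}}),
    SafProfile("QM01.PAY.*", {"MQAPPS": {"INQ"}}),
]
GROUPS = {"bankmca": ["MQAPPS"], "bankdev": ["MQAPPS"], "cicsprod": ["MQAPPS"]}


def triage(channel, addr, asserted_user, operation, obj) -> Verdict:
    """Wrapper over the constructed configuration above."""
    return diagnose("QM01", channel, addr, asserted_user, operation, obj,
                    RULES, PROFILES, GROUPS)


if __name__ == "__main__":
    for case in [("PARTNER.BANK", "10.1.2.7", "", "MQPUT", "PAY.IN"),
                 ("PARTNER.BANK", "10.9.0.5", "", "MQPUT", "PAY.IN"),
                 ("PARTNER.BANK", "192.0.2.10", "bankdev", "MQPUT", "PAY.IN"),
                 ("PARTNER.BANK", "10.1.2.7", "", "MQGET", "PAY.IN")]:
        v = triage(*case)
        print(case[3], case[4], "->", v.layer, v.mqrc or "", v.reason)
```

The third sample case is the situation the paragraph warns about: the USERMAP rule admits the channel as bankdev, so CHLAUTH is not the problem, yet the discrete QM01.PAY.IN profile grants nothing to bankdev or to MQAPPS, so the put fails with 2035 and the fix is a SAF grant for the mapped userid, not a channel change.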
RACF can log failures and successes to SMF. Security teams run reports for denied access spikes after deployments. Correlate timestamps with MQ error logs and application transaction ids. Never enable verbose audit in production without change control—volume can flood SMF.
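The post-deployment denial review described above, as an added Python example that is not part of this tutorial and is not a real SMF reader: it parses RACF denial messages, flags bursts of denials per userid and resource, and correlates each burst with application log lines that reported MQRC 2035 for the same userid. ICH408I is RACF's real insufficient-access message, but the one-line layout used here, the application log format, the timestamps, userids, queue names and transaction ids are all constructed for the example.

```python
"""Constructed example of reviewing authorization denials after a deployment:
parse RACF denial messages (one-line rendering constructed here; real ICH408I
output spans several lines and varies by release), find bursts of denials per
userid and resource, and correlate each burst with application log lines that
reported MQRC 2035.  Not the page's code and not an SMF reader."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RACF denial records in a simplified single-line layout.
RACF_LOG = """\
2024-05-02T09:10:14 ICH408I USER(CICSPROD) QM01.PAY.IN CL(MQQUEUE) INSUFFICIENT ACCESS AUTHORITY
2024-05-02T09:31:02 ICH408I USER(BANKDEV) QM01.PAY.IN CL(MQQUEUE) INSUFFICIENT ACCESS AUTHORITY
2024-05-02T09:31:03 ICH408I USER(BANKDEV) QM01.PAY.IN CL(MQQUEUE) INSUFFICIENT ACCESS AUTHORITY
2024-05-02T09:31:05 ICH408I USER(BANKDEV) QM01.PAY.IN CL(MQQUEUE) INSUFFICIENT ACCESS AUTHORITY
2024-05-02T09:31:09 ICH408I USER(BANKDEV) QM01.PAY.IN CL(MQQUEUE) INSUFFICIENT ACCESS AUTHORITY
2024-05-02T09:45:40 ICH408I USER(BATCH01) QM01.ORDERS.IN CL(MQQUEUE) INSUFFICIENT ACCESS AUTHORITY
"""

# Constructed application log lines; the key=value format is hypothetical.
APP_LOG = """\
2024-05-02T09:31:02 txn=PAYGW-4411 user=BANKDEV call=MQPUT queue=PAY.IN mqrc=2035
2024-05-02T09:31:03 txn=PAYGW-4412 user=BANKDEV call=MQPUT queue=PAY.IN mqrc=2035
2024-05-02T09:31:05 txn=PAYGW-4413 user=BANKDEV call=MQPUT queue=PAY.IN mqrc=2035
2024-05-02T09:31:09 txn=PAYGW-4414 user=BANKDEV call=MQPUT queue=PAY.IN mqrc=2035
2024-05-02T09:32:00 txn=PAYGW-4415 user=CICSPROD call=MQGET queue=PAY.IN mqrc=0
"""

RACF_RE = re.compile(r"^(\S+) ICH408I USER\((\w+)\) (\S+) CL\((\w+)\) INSUFFICIENT ACCESS")
APP_RE = re.compile(r"^(\S+) txn=(\S+) user=(\w+) call=(\w+) queue=(\S+) mqrc=(\d+)")


def parse_racf(text):
    """Return (timestamp, userid, resource, class) for each denial line."""
    out = []
    for line in text.splitlines():
        m = RACF_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out


def parse_app(text):
    """Return (timestamp, txn, userid, call, queue, mqrc) for each application line."""
    out = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if m:
            ts, txn, user, call, queue, mqrc = m.groups()
            out.append((datetime.fromisoformat(ts), txn, user, call, queue, int(mqrc)))
    return out


def denial_bursts(denials, window=timedelta(minutes=5), threshold=3):
    """Flag (userid, resource) pairs with >= threshold denials inside one window.
    A lone denial is routine noise; a burst right after a change usually means a
    missing RACF grant or a mis-identified principal for that integration."""
    by_key = defaultdict(list)
    for ts, user, resource, _cls in denials:
        by_key[(user, resource)].append(ts)
    bursts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = [t for t in stamps[i:] if t - start <= window]
            if len(in_window) >= threshold:
                bursts[key] = (start, in_window[-1], len(in_window))
                break
    return bursts


def correlate(bursts, app_events, slack=timedelta(seconds=5)):
    """For each burst, list the application transactions that failed with 2035
    under the same userid within the burst's span (plus a little clock slack)."""
    matches = {}
    for (user, resource), (start, end, _n) in bursts.items():
        txns = [txn for ts, txn, u, _call, _q, mqrc in app_events
                if u == user and mqrc == 2035 and start - slack <= ts <= end + slack]
        matches[(user, resource)] = txns
    return matches


if __name__ == "__main__":
    bursts = denial_bursts(parse_racf(RACF_LOG))
    for key, txns in correlate(bursts, parse_app(APP_LOG)).items():
        print(key, bursts[key], txns)
```

Only the BANKDEV denials on QM01.PAY.IN form a burst; the single CICSPROD and BATCH01 denials stay below the threshold, which is the point of counting per principal and resource rather than alerting on every ICH408I. In production the same logic runs over SMF-derived reports, and the threshold and window are tuned per site.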
Authentication is the library card proving you are a member. SAF authorization is whether your card allows you into the rare books room, the children’s section, or the staff-only office. Different rooms need different stamps on the card.
The teacher knows your name. Authorization is whether you may use the red crayons, the scissors, or only the pencils. SAF asks the list; if your name is not allowed for scissors, MQ says no.
List principals and authorities needed for a CICS program that MQCONN, MQGETs ORDERS.IN, and MQPUTs ORDERS.ACK.
Write a short decision tree: channel works, MQPUT fails—CHLAUTH versus SAF steps.
Compare distributed OAM setmqaut to z/OS SAF authorization in five bullet points.
1. Authorization answers:
2. SAF routes authorization to:
3. 2035 on MQOPEN often means:
4. Least privilege means: