The setmqaut command is how administrators grant and revoke access on distributed IBM MQ queue managers. Every explicit allow for an application to put, get, browse, connect, or administer an object is recorded in the Object Authority Manager (OAM) records that setmqaut writes. Without it, or without equivalent scripting, applications hit MQRC_NOT_AUTHORIZED (2035) even when CONNAUTH accepts their password. setmqaut is not authentication; it takes effect after the principal's identity is already established. This tutorial covers the command syntax, object type (-t) values, principal (-p) versus group (-g), the common authority bits and when to use each, queue versus topic versus channel examples, revoke patterns, automation in CI/CD, mistakes that grant +all to service IDs, and how setmqaut relates to DISPLAY AUTHREC on some platforms.
The general form is `setmqaut -m queue_manager_name -n object_name -t object_type -p principal authorities`. The queue manager must be running, and you need sufficient administrative authority to change OAM records. The object name (-n) is the queue name, topic string, channel name, or other profile appropriate to the type. The principal (-p) is case-sensitive on Unix. Group grants use -g groupname, where supported, instead of -p for a user. Multiple authorities are listed in one invocation, for example +put +get +browse.
```shell
# Producer: put on the inbound queue; connect authority is held on the queue manager object (see the qmgr row below)
setmqaut -m QM1 -t qmgr -p order_svc +connect
setmqaut -m QM1 -n ORDERS.IN -t queue -p order_svc +put
# Consumer: destructive get plus browse on the outbound queue
setmqaut -m QM1 -n ORDERS.OUT -t queue -p order_svc +get +browse
# Publish on one branch of the topic tree (topic string, quoted because of the #)
setmqaut -m QM1 -t topic -n 'retail/order/#' -p order_svc +pub
# Grant on the SVRCONN channel definition (see the channel section)
setmqaut -m QM1 -n PAYMENT.SVRCONN -t channel -p order_svc +connect
# Revoke a single authority with -remove
setmqaut -m QM1 -n ORDERS.IN -t queue -p order_svc -remove +put
```
| -t value | Object | Example grant |
|---|---|---|
| queue (q) | QLOCAL, QALIAS | +put +get on APP.QUEUE |
| topic | Topic string tree | +pub +sub on finance/# |
| channel | CHANNEL definition | +connect on SVRCONN |
| qmgr | Queue manager | +connect for clients |
| namelist | Namelist | +dsp for admin tools |
+connect allows attachment to the queue manager where policy requires it. +put allows MQPUT. +get allows a destructive read. +browse peeks without removing. +inq and +dsp allow attribute display, which monitoring tools need under least privilege. +chg, +clr, +dlt, and +alt are administrative; reserve them for operators, not applications. +all is full control, and auditors flag it on application IDs. Grant the minimum set per operation: a publisher needs +pub on its topic and usually no +get on unrelated queues.
A producer service needs +put on the inbound queue and +connect. A consumer needs +get and often +browse for poison-message inspection. Bridge IDs on channels need the same rights as the application would on the target queue because MCAUSER performs the put. When multiple applications share a queue, separate principals per app so revocation does not require guessing which ID had access.
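The producer and consumer roles above map to fixed authority lists, so the grants can be generated rather than hand-typed. The script below is an added example, not part of the original tutorial or any IBM tooling: it emits setmqaut lines per role, keeps +connect on the queue manager object, and refuses any authority outside an application allowlist (so a request for +all or +dlt on a service ID fails in the script instead of landing in OAM). QM1, the queue names and the principals are constructed placeholders; nothing runs against MQ unless you pipe the output to sh on a host with IBM MQ installed.

```shell
#!/bin/sh
# Added example (not from the original tutorial or IBM): generate least-privilege
# setmqaut command lines for a named role. QM1, ORDERS.IN, ORDERS.OUT, order_svc
# and audit_svc are constructed placeholders.

# Authority bits an application ID may hold; anything else is operator-only.
APP_AUTHS="put get browse inq dsp pub sub connect"

# app_auths_ok "+put +get" -> 0 if every bit is in APP_AUTHS, else 1
app_auths_ok() {
    for bit in $1; do
        name=${bit#+}
        ok=1
        for allowed in $APP_AUTHS; do
            [ "$name" = "$allowed" ] && ok=0
        done
        [ $ok -eq 0 ] || { echo "refused: $bit is not an application authority" >&2; return 1; }
    done
    return 0
}

# mq_grant ROLE QMGR QUEUE PRINCIPAL [AUTHS...]
# Prints the setmqaut lines for the role; "custom" takes explicit authority bits.
mq_grant() {
    role=$1; qmgr=$2; queue=$3; principal=$4
    case $role in
        producer) auths="+put" ;;
        consumer) auths="+get +browse" ;;      # browse for poison-message inspection
        monitor)  auths="+inq +dsp" ;;         # attribute display only
        custom)   shift 4; auths="$*" ;;       # still subject to the allowlist
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    app_auths_ok "$auths" || return 1
    # +connect is held on the queue manager object, not on the queue
    printf 'setmqaut -m %s -t qmgr -p %s +connect\n' "$qmgr" "$principal"
    printf 'setmqaut -m %s -n %s -t queue -p %s %s\n' "$qmgr" "$queue" "$principal" "$auths"
}

# Demonstration with constructed names; pipe the output to sh to apply it.
mq_grant producer QM1 ORDERS.IN  order_svc
mq_grant consumer QM1 ORDERS.OUT order_svc
```

Running it prints the grant lines for review; `mq_grant custom QM1 SENSITIVE.Q audit_svc +all` exits non-zero with a "refused" message on stderr, which is the behaviour you want from a generator that sits in a pipeline.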
setmqaut -t topic -n 'prefix/#' uses the topic tree string, not always the DEFINE TOPIC object name; confirm site standards. +pub allows MQPUT to a topic or the publish API. +sub allows subscription creation. Pair +sub with +get on the destination queue when messages land on a queue subscription. Overly broad patterns like prod/# grant publish across entire product lines; use narrow branches.
Grant +connect on the SVRCONN channel definition when clients must use a specific channel name and CHLAUTH requires it. This is separate from queue put authority. CHLAUTH may still block even with +connect if rules deny the IP or certificate. Document setmqaut together with CHLAUTH USERMAP and CONNAUTH in connection specifications.
Authentication proves you are allowed into the building. setmqaut adds your name to the guest list for specific rooms—kitchen yes, server room no. Each +put or +get is another room on the list.
```shell
# Remove put from a departed application
setmqaut -m QM1 -n ORDERS.IN -t queue -p old_app -remove +put
# Replace a broad grant with a narrow one (runbook: revoke all app rights first)
setmqaut -m QM1 -n SENSITIVE.Q -t queue -p audit_svc -remove +all
setmqaut -m QM1 -n SENSITIVE.Q -t queue -p audit_svc +browse +inq
```
During incidents, revoke before forensic copy if data exfiltration is suspected. After grant changes, ask application teams to restart connection pools. Keep setmqaut scripts in version control with peer review like MQSC.
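Once setmqaut scripts live in version control, peer review can be backed by a lint step. The script below is an added example, not part of the original tutorial or any IBM tooling: it reads a grants script and flags the two mistakes this page warns about, +all or +alladm granted to a principal outside an operator list, and a topic grant on a top-level wildcard such as prod/#. A `-remove +all` line is deliberately not flagged, since that is the revoke pattern from the runbook above. The operator list (mqm, mqops) and the sample script it lints are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial or IBM): pre-merge lint for
# setmqaut scripts. ADMIN_PRINCIPALS and the sample script are constructed.

ADMIN_PRINCIPALS="mqm mqops"          # constructed: IDs permitted to hold +all

is_admin() {
    for a in $ADMIN_PRINCIPALS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# lint_line LINE -> prints FINDING lines to stdout; returns 1 if any, else 0
lint_line() {
    case $1 in
        setmqaut*) ;;
        *) return 0 ;;                     # comments, blank lines, other commands
    esac
    principal=""; objtype=""; objname=""; broad=""; removing=""
    set -f                                 # no glob expansion of topic strings
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            -p) principal=$2; shift ;;
            -t) objtype=$2; shift ;;
            -n) objname=$2; objname=${objname#\'}; objname=${objname%\'}; shift ;;
            -remove) removing=1 ;;         # revokes are never "too broad"
            +all|+alladm) broad=$1 ;;
        esac
        shift
    done
    rc=0
    if [ -n "$broad" ] && [ -z "$removing" ] && ! is_admin "$principal"; then
        echo "FINDING: $broad granted to non-operator principal '$principal'"
        rc=1
    fi
    case "$objtype:$objname" in
        topic:*/*/*) ;;                    # two or more segments before #: narrow enough
        topic:*/#)
            echo "FINDING: top-level topic wildcard '$objname' for '$principal'"
            rc=1 ;;
    esac
    return $rc
}

# lint_file FILE -> prints all findings; returns 1 if there were any
lint_file() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        lint_line "$line" || findings=$((findings + 1))
    done < "$1"
    [ "$findings" -eq 0 ]
}

# write_sample FILE: constructed grants script that exercises both rules
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real site script
setmqaut -m QM1 -n ORDERS.IN -t queue -p order_svc +put
setmqaut -m QM1 -n SENSITIVE.Q -t queue -p audit_svc +all
setmqaut -m QM1 -n SENSITIVE.Q -t queue -p audit_svc -remove +all
setmqaut -m QM1 -t topic -n 'prod/#' -p order_svc +pub
setmqaut -m QM1 -t topic -n 'retail/order/#' -p order_svc +pub
setmqaut -m QM1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -p mqops +all
EOF
}

SAMPLE=${TMPDIR:-/tmp}/setmqaut_lint_sample.$$
write_sample "$SAMPLE"
lint_file "$SAMPLE" || echo "lint failed: fix the findings above before merging"
rm -f "$SAMPLE"
```

On the constructed sample the lint reports exactly two findings (the +all to audit_svc and the prod/# topic grant) and exits non-zero; the mqops grant and the -remove line pass. Wire `lint_file` into the pipeline stage that runs before the script is applied to a queue manager.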
Many z/OS sites use RACF GRANT instead of or in addition to setmqaut. Concepts match; commands differ. Distributed setmqaut skills help you read audit exports but mainframe security teams own RACF profiles. See RACF integration tutorials when working on IBM MQ for z/OS.
setmqaut is the teacher writing your name next to the activities you may do—slide yes, climbing wall no—on the class chart.
Write setmqaut for producer and consumer on two queues with no +all.
Grant +pub on retail/order/# and +sub on retail/analytics/# for two different principals.
Document revoke steps when an employee leaves using -remove.
1. setmqaut -t q refers to:
2. +put allows:
3. -p on setmqaut is:
4. After setmqaut you should run: