SUB authority controls who may register interest in IBM MQ topics—creating DEFINE SUB objects, calling MQI MQSUB, or opening JMS durable subscribers. It is the subscribe side of the topic tree security model, distinct from PUB (who may announce) and from +get on destination queues (who may read copies). A team with SUB on healthcare/claim/# can ask the queue manager to copy every matching publication to a destination queue; combined with a writable DEST and GET rights, that becomes a data pipeline—legitimate for analytics, catastrophic in wrong hands. Beginners often grant SUB at the same breadth as PUB for “convenience,” doubling compromise impact. This tutorial explains +sub grants, setmqaut examples, dynamic subscription identity, pairing SUB with DEST OAM, reviewing DISPLAY SUB for shadow consumers, cluster SUBSCOPE visibility, denying SUB on sensitive branches, and troubleshooting when subscription create fails while channel connect succeeds.
SUB is checked when an administrative DEFINE SUB is issued (under the issuing identity), when applications register dynamic subscriptions, and when durable subscribers resume on reconnect—the exact timing varies by API. Passing the SUB check does not deliver messages; the pub/sub engine delivers only after the subscription is registered and a matching publication arrives. SUB without GET yields a destination queue filling with messages the application cannot read—operators see queue depth climbing while the application gets reason code 2035 (MQRC_NOT_AUTHORIZED) on MQGET.
| Topic pattern | Use case | Caution |
|---|---|---|
| prod/retail/order/# | Order analytics service | High volume—size DEST |
| prod/hr/employee/created | HR onboarding consumer | PII—narrow DEST access |
| prod/# | Central audit (rare) | Requires executive approval |
| test/retail/# | Lab consumers | Never copy to prod DEST |
| finance/+/posted | Wildcard entity match | Verify + level depth |
```shell
# Topic authority attaches to a TOPIC object, not a raw topic string:
echo "DEFINE TOPIC('PROD.RETAIL.ORDER') TOPICSTR('prod/retail/order')" | runmqsc QM1
setmqaut -m QM1 -t topic -n PROD.RETAIL.ORDER -p ANALYT +sub
setmqaut -m QM1 -t queue -n ANALYTICS.ORDERS.Q -p ANALYT +get +dsp
# In runmqsc QM1 (administrative subscriptions are always durable):
DEFINE SUB('ANALYTICS.ORDERS') TOPICSTR('prod/retail/order/#') +
       DEST('ANALYTICS.ORDERS.Q') DESTCLAS(PROVIDED)
* ANALYT has SUB on the topic and GET on the DEST queue - not PUB
```
Separate principals: producers get PUB only, consumers get SUB plus GET. An administrator creating subscriptions with DEFINE SUB under MQADMIN does not exempt applications from the topic SUB check: an application that creates its own subscription still needs SUB on the topic, unless it runs under an elevated identity, which policy should forbid.
Attack model: a principal gains SUB on a wide pattern, issues DEFINE SUB with DEST pointing to a queue the attacker controls, and holds +get on that queue. Publications are copied there automatically. Defenses: narrow SUB patterns, restrict who may DEFINE SUB on production queue managers, audit DISPLAY SUB weekly, block unexpected DEST queue names, and move sensitive topics to queue managers with stricter SUB profiles. Durable subs persist after disconnect—shadow copies continue overnight.
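The weekly DISPLAY SUB review described above can be scripted. The following is an added example, not code from the original tutorial or from IBM: it parses a constructed sample of `DISPLAY SUB(*) ALL` output (the attribute names DEST, DESTQMGR, TOPICSTR, SUBUSER, SUBTYPE, DURABLE are real DISPLAY SUB attributes; the values, subscription names and the `POLICY` allowlist are invented for the example) and flags subscriptions whose DEST is not an approved queue, whose DESTQMGR routes copies off the local queue manager, or whose TOPICSTR wildcard covers a sensitive topic while the SUBUSER is not an approved consumer. The matcher implements MQ topic wildcard semantics: `+` matches exactly one level, `#` matches zero or more whole levels, so it also handles the "verify + level depth" caution from the pattern table.

```python
import re
from typing import Dict, List

# Constructed sample of `DISPLAY SUB(*) ALL` output from runmqsc (not real captured
# output); attribute names are the real DISPLAY SUB ones, values are made up.
DISPLAY_SUB_OUTPUT = """\
AMQ8096I: IBM MQ subscription inquired.
   SUBID(414D51204D5131202020202020202020AA00)
   SUB(ANALYTICS.ORDERS)                   TOPICSTR(prod/retail/order/#)
   DEST(ANALYTICS.ORDERS.Q)                DESTQMGR(QM1)
   DESTCLAS(PROVIDED)                      DURABLE(YES)
   SUBTYPE(ADMIN)                          SUBUSER(ANALYT)
AMQ8096I: IBM MQ subscription inquired.
   SUBID(414D51204D5131202020202020202020BB00)
   SUB(TEMP.SHADOW)                        TOPICSTR(prod/#)
   DEST(TEMP.COLLECT.Q)                    DESTQMGR(QM9)
   DESTCLAS(PROVIDED)                      DURABLE(YES)
   SUBTYPE(API)                            SUBUSER(devuser)
AMQ8096I: IBM MQ subscription inquired.
   SUBID(414D51204D5131202020202020202020CC00)
   SUB(HR.ONBOARD)                         TOPICSTR(prod/hr/employee/created)
   DEST(HR.ONBOARD.Q)                      DESTQMGR(QM1)
   DESTCLAS(PROVIDED)                      DURABLE(YES)
   SUBTYPE(ADMIN)                          SUBUSER(HRAPP)
"""

# Hypothetical review policy for this queue manager (an assumption of the
# example, not an MQ object): approved destinations, the concrete topic strings
# we consider sensitive, and the SUBUSERs allowed to subscribe to them.
POLICY = {
    "allowed_dest": {"ANALYTICS.ORDERS.Q", "HR.ONBOARD.Q"},
    "sensitive_topics": ["prod/hr/employee/created", "prod/hr/salary/posted"],
    "approved_sensitive_subusers": {"HRAPP"},
}

RECORD_START = "AMQ8096I"
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")  # NAME(value); values never contain ')'


def parse_display_sub(text: str) -> List[Dict[str, str]]:
    """Split runmqsc output into one dict of attributes per subscription record."""
    subs: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if line.startswith(RECORD_START):
            current = {}
            subs.append(current)
            continue
        if current is None:
            continue
        for key, value in ATTR_RE.findall(line):
            current[key] = value.strip()
    return subs


def topic_matches(pattern: str, topic: str) -> bool:
    """MQ topic wildcard match: '+' is exactly one level, '#' zero or more whole levels."""
    p, t = pattern.split("/"), topic.split("/")

    def rec(i: int, j: int) -> bool:
        if i == len(p):
            return j == len(t)
        if p[i] == "#":
            return any(rec(i + 1, k) for k in range(j, len(t) + 1))
        if j == len(t):
            return False
        if p[i] == "+" or p[i] == t[j]:
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


def audit_subscriptions(subs: List[Dict[str, str]], policy: dict,
                        local_qmgr: str) -> Dict[str, List[str]]:
    """Return {subscription name: [findings]} for subscriptions violating the policy."""
    findings: Dict[str, List[str]] = {}
    for sub in subs:
        name = sub.get("SUB") or sub.get("SUBID", "?")
        issues: List[str] = []
        dest, dest_qmgr = sub.get("DEST", ""), sub.get("DESTQMGR", "")
        topicstr, subuser = sub.get("TOPICSTR", ""), sub.get("SUBUSER", "")
        if dest not in policy["allowed_dest"]:
            issues.append(f"DEST {dest} is not an approved destination queue")
        if dest_qmgr and dest_qmgr != local_qmgr:
            issues.append(f"DESTQMGR {dest_qmgr} routes copies off {local_qmgr}")
        exposed = [s for s in policy["sensitive_topics"] if topic_matches(topicstr, s)]
        if exposed and subuser not in policy["approved_sensitive_subusers"]:
            issues.append(f"TOPICSTR {topicstr} covers {', '.join(exposed)} for SUBUSER {subuser}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for sub_name, problems in audit_subscriptions(
            parse_display_sub(DISPLAY_SUB_OUTPUT), POLICY, "QM1").items():
        for problem in problems:
            print(f"{sub_name}: {problem}")
```

Run it against a saved `runmqsc QM1 < display_sub.mqsc > subs.txt` capture by reading that file instead of the embedded sample. The example flags only TEMP.SHADOW: a durable API subscription on prod/# owned by devuser, pointed at an unlisted queue on another queue manager, which is exactly the shadow-consumer shape the attack model describes. Topic strings containing parentheses are not handled by the simple regex, and the sensitive-topic list holds concrete topic strings rather than patterns, so keep it as a representative sample of each sensitive branch.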
JMS and MQI dynamic subs evaluate SUB for the connection MCAUSER or authenticated user. CHLAUTH and certificate mapping therefore are part of SUB design—mapping many certs to one powerful MCAUSER with prod/# SUB is equivalent to sharing a root password. Prefer per-application MCAUSER with minimal SUB patterns.
SUBSCOPE(ALL) advertises subscription cluster-wide; SUB authority on QM1 does not automatically grant SUB on QM2 for manual defines—each queue manager has its own OAM repository. Standardize setmqaut scripts across cluster members for consumer roles. Mismatch causes “subscription exists but no remote messages” confusion—see subscription scopes tutorial.
Analytics, audit read copies, and microservice consumers should have SUB and GET, not PUB on the same production branches. Exception: request/reply patterns may need narrow PUB on reply topics—document separately. Developers in lab receive SUB and PUB only on test/# prefixes.
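Both the cluster-consistency point (each queue manager keeps its own OAM repository) and the role-separation rule (consumers get SUB and GET, never PUB) can be checked from `dmpmqaut` output. The following is an added example, not code from the tutorial or from IBM: it parses constructed `dmpmqaut` dumps from two hypothetical cluster members (the `profile:` / `object type:` / `entity:` / `authority:` field layout follows the tool's text output; the profiles, entities and authorities are invented), reports authority drift between them, and lists consumer principals that hold pub on a topic object.

```python
import re
from typing import Dict, List, Set, Tuple

AuthKey = Tuple[str, str, str]  # (object type, profile, entity)

# Constructed dmpmqaut output for two cluster members (not real captured output).
DMP_QM1 = """\
profile:     PROD.RETAIL.ORDER
object type: topic
entity:      ANALYT
entity type: principal
authority:   sub dsp

profile:     ANALYTICS.ORDERS.Q
object type: queue
entity:      ANALYT
entity type: principal
authority:   get dsp
"""

# QM2 drifted: ANALYT picked up pub on the topic and the queue grant was never applied.
DMP_QM2 = """\
profile:     PROD.RETAIL.ORDER
object type: topic
entity:      ANALYT
entity type: principal
authority:   sub pub dsp
"""


def parse_dmpmqaut(text: str) -> Dict[AuthKey, Set[str]]:
    """Map each (object type, profile, entity) record to its set of authorities."""
    records: Dict[AuthKey, Set[str]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "profile" not in fields:
            continue
        key = (fields.get("object type", ""), fields["profile"], fields.get("entity", ""))
        records[key] = set(fields.get("authority", "").split())
    return records


def compare_authorities(baseline: Dict[AuthKey, Set[str]], other: Dict[AuthKey, Set[str]],
                        baseline_name: str = "QM1", other_name: str = "QM2") -> List[str]:
    """Describe every difference between the baseline queue manager's grants and another's."""
    drift: List[str] = []
    for key in sorted(set(baseline) | set(other)):
        objtype, profile, entity = key
        label = f"{objtype} {profile} for {entity}"
        b, o = baseline.get(key), other.get(key)
        if b is None:
            drift.append(f"{label}: present only on {other_name} ({' '.join(sorted(o))})")
        elif o is None:
            drift.append(f"{label}: missing on {other_name}")
        else:
            if o - b:
                drift.append(f"{label}: {other_name} has extra {' '.join(sorted(o - b))}")
            if b - o:
                drift.append(f"{label}: {other_name} lacks {' '.join(sorted(b - o))}")
    return drift


def role_violations(records: Dict[AuthKey, Set[str]],
                    consumer_principals: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Consumer principals must never hold pub on a topic object; return each violation."""
    return sorted(
        (objtype, profile, entity, "pub")
        for (objtype, profile, entity), auths in records.items()
        if objtype == "topic" and entity in consumer_principals and "pub" in auths
    )


if __name__ == "__main__":
    qm1, qm2 = parse_dmpmqaut(DMP_QM1), parse_dmpmqaut(DMP_QM2)
    for line in compare_authorities(qm1, qm2):
        print("drift:", line)
    for violation in role_violations(qm2, {"ANALYT"}):
        print("role violation:", violation)
```

In practice the two inputs come from `dmpmqaut -m QM1` and `dmpmqaut -m QM2` run on each member; treating one member as the baseline turns the "standardize setmqaut scripts across cluster members" advice into a repeatable check, and the role test catches the consumer-with-PUB grants the tutorial warns against.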
SUB is permission to sign up for newsletters about a subject. Signing up does not let you write the newsletter (PUB). Copies arrive in your mailbox (DEST) only if you have the key to open it (+get).
SUB means you may raise your hand and say “I want messages about dinosaurs.” It does not mean you may speak on the loudspeaker about dinosaurs, and you still need a mailbox to read the copies.
Write setmqaut for ANALYT +sub and +get without +pub on prod/retail/#.
Describe shadow subscription exfiltration in three steps.
DISPLAY SUB shows unexpected DEST—list investigation steps.
1. SUB authority allows:
2. After SUB grant consumer still needs:
3. SUB on hr/salary/# risk is:
4. setmqaut +sub uses: