Translate from setmqaut to SET AUTHREC

IBM MQ on the distributed platforms have commands to grant authorities to groups and users, in order to allow them access to use resources on a queue manager. There are actually three exactly equivalent command interfaces to do this.

  • setmqaut
    This was historically the first command interface. It is a control command, issued from the command line by a user who is a member of the mqm group.
  • Set Authority Record
    Next the PCF flavour of the command was implemented allowing the MQ Explorer (and other remotely connected tools such as MO71) to be able to issue these commands.
    Finally, and most recently, the MQSC flavour of the command was implemented, allowing authority commands to co-exist in scripts along with object definitions.

When using a queue manager on the MQ Appliance, there is no setmqaut command. You are expected to either use a GUI with the PCF commands, or the MQSC scripting language and a SET AUTHREC command. In general the queue manager on the MQ Appliance is just like any other queue manager, and you may well be following some instructions to set up something on your appliance queue manager, but those instructions only provide examples with the setmqaut command.

This post is going to help you translate from an example setmqaut command to a SET AUTHREC command.

Here’s a couple of example commands that cover all the main switches you might see on a setmqaut command (although not all the values).

setmqaut -m QM1 -t qmgr -g mqgadm +connect

setmqaut -m QM1 -t queue -n WORK.Q -p mqgusr -all +put +get

Sometimes it’s easier to see this sort of thing diagrammatically. So first I show a picture and then below is a table to step through each switch.

setmqaut mapped to SET AUTHREC

setmqaut mapped to SET AUTHREC

Here’s a table to map from setmqaut to an MQSC SET AUTHREC.

setmqaut SET AUTHREC Notes
setmqaut SET AUTHREC Instead of using the setmqaut command, you’re going to use the SET AUTHREC command.
-m QM1 runmqsc QM1 MQSC commands are directed to the queue manager your MQSC issuing tool, such as runmqsc is connected to, so it’s not part of the SET AUTHREC command, instead it’s the direction to runmqsc to tell it which queue manager to connect to.
-t queue OBJTYPE(QUEUE) The -t switch becomes the OBJTYPE parameter and it’s value could be exactly the same, except for cases when setmqaut uses shortened forms. For example -t q is the same as -t queue. If you know your IBM MQ object names from other MQSC commands, then you’ll have no trouble figuring out which one is which.
-n WORK.Q PROFILE(WORK.Q) The -n switch becomes the PROFILE parameter. It’s called a profile rather than an object name since it could have wildcards in it. The value that went with the -n goes inside the brackets. One thing to remember though, MQSC will upper case anything that you don’t put inside quotes, so if your profile name is not upper case, add quotes around it. In the case of -t qmgr, there will be no -n switch, and you can omit the PROFILE parameter.
-g mqgadm GROUP(‘mqgadm’) The -g switch becomes the GROUP parameter and the value goes inside the brackets. Remember to use quotes.
-p mqgusr PRINCIPAL(‘mqgusr’) The -p switch becomes the PRINCIPAL parameter and the value goes inside the brackets. Remember to use quotes.
-all AUTHRMV(ALL) Any authority switches with a ‘-‘ sign are being removed. These should go in the comma-separated list in the AUTHRMV parameter. It is often seen that -all is used because adding a few authorities, in order to remove everything before adding new ones so you know where you are. Normally you wouldn’t combine AUTHRMV and AUTHADD parameters, but the use of ALL is one of the cases where it is allowed.
+put +get AUTHADD(PUT,GET) Any authority switches with a ‘+’ sign are being added. These should go in the comma-separated list in the AUTHADD parameter. The authority switches are spelled the same in both setmqaut and SET AUTHREC, just remove the ‘+’ (or ‘-‘) prefix.

If you come across a setmqaut command that you can’t translate into a SET AUTHREC with the above instructions, add it in the comments, and I’ll help you out. It’ll also improve this blog post for others.

IBM Certified SpecialistIBM Champion 2016 Middleware

Morag Hughson
IBM Champion 2016 – Middleware
IBM Certified System Administrator – MQ V8.0
Find her on: LinkedIn: Twitter: SlideShare: developerWorks:


3 thoughts on “Translate from setmqaut to SET AUTHREC

  1. Hi,

    Thanks for the article, was an interesting read although I was just missing one thing.
    What command takes precedence?
    For example, I have a queue where I used setmqauth to add ‘put’ authority, now we are migrating our setmqauth definitions to SET AUTHREC definitions. But the ‘put’ authority for this queue is removed, what command take precedence or has the highest authority? Does the SET AUTHREC alter the permissions set by setmqauth or not?

    The reason why I’m asking is because we are migrating al of our setmqauth definitions in our configuration management to SET AUTHREC definitions and we would like to know if we will need to “undo” the setmqauth commands before applying the SET AUTHREC rules.

    Kind Regards


    • setmqaut and SET AUTHREC are exactly equivalent commands. There is no precedence. The problem you describe could happen when just using only one of the command styles. If you have examples of the commands you issued I could help you understand where the ‘put’ authority disappeared to.


      • Hi Morag
        thank you for your answer, it was just the confirmation I needed.

        The problem I described was just an example, not an actual issue I’m experiencing. I just needed confirmation on the ‘authority’ question, which you have provided me.
        The fact that these commands are exactly equivalent is enough for me to know how to continue my work.

        Thanks again for replying, you’re the best!

        Kind Regards from Belgium,

        Liked by 1 person

The team at MQGem would love to hear what you think. Leave your comments here.

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.