Worked Example: Solving MQRC_NOT_AUTHORIZED

MQRC_NOT_AUTHORIZED (2035) can result from a number of different causes (CHLAUTH rules, CONNAUTH settings, and missing Authorities). This post is going to provide a worked example of solving your MQRC_NOT_AUTHORIZED failure when missing authorities are the reason.

You might guess that it’s missing authorities because you have disabled CHLAUTH and CONNAUTH (please don’t – read this for another worked example for leaving those security features on), or because you have looked in the AMQERR01.LOG and seen a message like the following. If the latter, well done, you are already well on your way to solving the issue.

AMQ8077W: Entity 'mqgusr1' has insufficient authority to access object MQG2 [qmgr].

EXPLANATION:
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: connect
ACTION:
Ensure that the correct level of authority has been set for this entity against the required object, or ensure that the entity is a member of a privileged group.

To fix this issue you are going to grant the missing authority. However, it is more appropriate to grant it using the group than the user id. So first, we should find out what group this user ID is in.

Discover group (Linux/Unix)

Issue a command like the following.

id -Gn mqgusr1

The output will be a list of the groups this user is a member of.

Discover group (Windows)

Issue a command like the following.

net user mqgusr1

You will see output like this.

Local Group Memberships      *mqgemadm             *Users

While the user may be a member of a number of groups, there should be one that is clearly the MQ related group name where these authorities should be granted. For the purposes of my example, this is a group called mqgemadm because I am trying to use this user id to connect to MQ and display some queues.

Now that we know the group name to use – all the other information we need to build up our authority granting command is available in the error message. Here is a table of the information we found and where we found it.

| Required Info | Value | Source of Value |
| --- | --- | --- |
| Entity Type | Group | Best practice decision |
| Entity | mqgemadm | Looking up reported user’s group membership |
| Object Type | Queue Manager | Error message title line “[qmgr]” |
| Object Name | MQG2 | Error message title line “… object MQG2 …” |
| Authority required | connect | Error message EXPLANATION section |

From this table we can build up an MQSC command to grant the missing authority. We either issue this command from a privileged user ID, or add it to our queue manager start-up script. I suggest doing the former as there are going to be several of these commands needed. Once you’ve completed the exercise it might be appropriate to gather up the commands that were needed and put them into such a script for future use.

You’ll notice that there is no need to mention the object name in the following command because it’s the queue manager object and there is only one. Some people add it in and some use OBJNAME(SELF) but it can simply be omitted.

SET AUTHREC OBJTYPE(QMGR) GROUP('mqgemadm') AUTHADD(CONNECT)

So now, we run the application again, and it fails again, with the same reason code. Nothing has changed!

Well actually something has changed. If you look in the AMQERR01.LOG file for the latest error it looks like this.

AMQ8245W: Entity 'mqgusr1' has insufficient authority to display object MQG2 [qmgr].

EXPLANATION:
The specified entity is not authorized to display the required object. The following requested permissions are unauthorized: dsp

So, something has changed. Rather than reporting that we don’t have connect authority it is now reporting that we don’t have display (dsp) authority. As before we can build up an MQSC command to grant the missing authority.

SET AUTHREC OBJTYPE(QMGR) GROUP('mqgemadm') AUTHADD(DSP)

So now, once more, we run the application again, and it fails again, with the same reason code again. However, we’re familiar with this now. It’s not the same issue, just the same reason code. So, again, we look in the AMQERR01.LOG file for the latest error. In my example, the next error looks like this.

AMQ8077W: Entity 'mqgusr1' has insufficient authority to access object SYSTEM.ADMIN.COMMAND.QUEUE [queue].

EXPLANATION:
The specified entity is not authorized to access the required object. The following requested permissions are unauthorized: put

Let’s build up a table of our pieces of information like we did earlier.

| Required Info | Value | Source of Value |
| --- | --- | --- |
| Entity Type | Group | Best practice decision |
| Entity | mqgemadm | Looking up reported user’s group membership |
| Object Type | Queue | Error message title line “[queue]” |
| Object Name | SYSTEM.ADMIN.COMMAND.QUEUE | Error message title line just before “[queue]” |
| Authority required | put | Error message EXPLANATION section |

As before, we can use this information to build up an MQSC command to grant the missing authority. Now we also have an object name, so this command will look slightly longer than the previous ones you saw.

SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) GROUP('mqgemadm') AUTHADD(PUT)

I hope that is enough of an example to illustrate the technique. Just keep viewing the AMQERR01.LOG and finding the reported missing authority and fixing it with the appropriate MQSC AUTHREC command (or the equivalent setmqaut command if you prefer). Look at the error messages closely as all the information you need is in there.
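The technique above, reading each denial out of the error log and turning it into a SET AUTHREC command, as an added Python example that is not code from the original post. It assumes the log text follows the layout of the excerpts shown here (abridged in the constructed sample), covers only the [qmgr] and [queue] tags that appear in this post, and only returns suggested commands without running them; `parse_denials`, `build_authrec`, `suggest` and `SAMPLE_LOG` are hypothetical names.

```python
import re

OBJTYPES = {"qmgr": "QMGR", "queue": "QUEUE"}  # only the tags this post shows
TITLE = re.compile(
    r"AMQ\d{4}\w: Entity '([^']+)' has insufficient authority to \w+ object (\S+) \[(\w+)\]\.")
PERMS = re.compile(r"permissions are unauthorized:\s*([a-z/, ]+)")
SAFE_OBJECT = re.compile(r"[A-Za-z0-9._/%]+")  # characters valid in MQ object names
SAFE_GROUP = re.compile(r"[A-Za-z0-9._-]+")    # assumption: conservative group charset

# Constructed, abridged sample in the layout of the excerpts above (not a real log).
SAMPLE_LOG = """\
AMQ8077W: Entity 'mqgusr1' has insufficient authority to access object MQG2 [qmgr].
The following requested permissions are unauthorized: connect
AMQ8245W: Entity 'mqgusr1' has insufficient authority to display object MQG2 [qmgr].
The following requested permissions are unauthorized: dsp
AMQ8077W: Entity 'mqgusr1' has insufficient authority to access object SYSTEM.ADMIN.COMMAND.QUEUE [queue].
The following requested permissions are unauthorized: put
"""

def parse_denials(log_text):
    """Return (entity, type_tag, objname, perms) tuples in log order, deduplicated."""
    titles = list(TITLE.finditer(log_text))
    denials = []
    for i, m in enumerate(titles):
        end = titles[i + 1].start() if i + 1 < len(titles) else len(log_text)
        p = PERMS.search(log_text, m.end(), end)  # permissions line of this message only
        perms = tuple(re.findall(r"[a-z]+", p.group(1))) if p else ()
        record = (m.group(1), m.group(3), m.group(2), perms)
        if perms and record not in denials:
            denials.append(record)
    return denials

def build_authrec(denial, group):
    """Build one SET AUTHREC command granting the denied permissions to a group."""
    _entity, tag, objname, perms = denial
    if tag not in OBJTYPES:
        raise ValueError(f"object type [{tag}] is not covered by this example")
    if not SAFE_GROUP.fullmatch(group) or not SAFE_OBJECT.fullmatch(objname):
        raise ValueError("refusing to build MQSC from an unexpected name")
    profile = "" if tag == "qmgr" else f"PROFILE({objname}) "  # QMGR needs no name
    auth = ",".join(p.upper() for p in perms)
    return f"SET AUTHREC {profile}OBJTYPE({OBJTYPES[tag]}) GROUP('{group}') AUTHADD({auth})"

def suggest(log_text, entity, group):
    """Commands for one entity, returned for an administrator to review, never run."""
    return [build_authrec(d, group) for d in parse_denials(log_text) if d[0] == entity]

if __name__ == "__main__":
    print("\n".join(suggest(SAMPLE_LOG, "mqgusr1", "mqgemadm")))
```

Review each suggested grant before issuing it: an error that names an object the application has no business touching is a reason to look at the application, not to add the authority.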
