MQ Light client identity and authorization

Use the MQ Light client ID, the MQ Light user name, or a common client identity defined on the channel or in a channel authentication rule, for authorization to access IBM MQ objects.

The administrator makes the choice when defining or modifying the AMQP channel, by configuring the queue manager CONNAUTH setting, or by defining channel authentication rules. The identity is used to authorize access to IBM MQ topics. The choice is made based on the following:
  1. The channel USECLNTID attribute.
  2. The ADOPTCTX attribute of the queue manager CONNAUTH rule.
  3. The MCAUSER attribute defined on the channel.
  4. The USERSRC attribute of a matching channel authentication rule.

Avoid trouble: The identity chosen by this process is thereafter referred to, for example by the DISPLAY CHSTATUS (AMQP) command, as the MCAUSER of the client. Be aware that this is not necessarily the same identity as the MCAUSER of the channel that is referred to in choice (2). Use the IBM MQ setmqaut command to select which objects, and which actions, are authorized to be used by the identity associated with the AMQP channel. For example, the following commands authorize a channel identity AMQPClient, provided by the administrator of queue manager QM1: 

setmqaut -m QM1 -t topic -n SYSTEM.BASE.TOPIC -p AMQPClient -all +pub +sub
and 
setmqaut -m QM1 -t qmgr -p AMQPClient -all +connect
Parent topic: MQ Light client identification, authorization, and authentication