IBM Support

IT20792: AMQ8077 (unauthorised "get" permission) reported for agent authority queues when user authority management is enabled

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.


APAR status

  • Closed as program error.

Error description

  • For MQ Managed File Transfer V9.0.0.0, user authority management
    is enabled based on the information in the "User authorities on
    IBM MQ Managed File Transfer actions"topic in the MQ V9 section
    of IBM Knowledge Center:
    - In the file, set the authorityChecking value
    to true.
    - Set MQ authority following the instruction.
    However, AMQ8077 (unauthorized get permission) error messages
    are reported in the queue manager error log for the agent
    authority queues when the agent starts up.
    The errors look like this:
    ----- amqzfubn.c : 518
                          Host(host1) Installation(Installation1)
                          VRMF( QMgr(<QM_name>)
    AMQ8077: Entity '<user_name>' has insufficient authority to
    object  'SYSTEM.FTE.AUTHMON1.<agent_name>.
    The specified entity is not authorized to access the required
    The following requested permissions are unauthorized: get
    Ensure that the correct level of authority has been set for
    this entity against the required object, or ensure that the
    entity is
    a member of a privileged group.
    ----- amqzfubn.c : 518

Local fix

  • Set get authority on the agent authority queues.

Problem summary

  • ****************************************************************
    This issue affects users of:
    - IBM MQ V8 Managed File Transfer.
    - IBM MQ V9 Managed File Transfer.
    who have enabled user authority management by setting the agent
    property "authortyChecking=true".
    Platforms affected:
    Each agent authority queue is dedicated for different Managed
    File Transfer (MFT) agent actions and requires different
    permissions such as browse, put etc. depending on which MFT
    actions a user is allowed to perform. These permissions are
    documented here:
    The permissions do not include "get". Therefore, users are not
    expected to have "get" permission on any of the agent authority
    queues in order to perform agent actions.
    When the agent property: "authorityChecking=true" was set, the
    agent verified that all its authority related queues exist by
    opening them with a "get" option during startup.  The "get"
    command failed with MQ reason code 2035 (MQRC_NOT_AUTHORISED).
    The agent ignored this failure and carried on with its startup
    processing, because all it wanted to check was that the
    authority queues had already been created.
    However, the agent queue manager detected that the agent tried
    to access these queues without the appropriate permission, and
    reported an error in its log.

Problem conclusion

  • The product code for IBM MQ-MFT has been updated to open agent
    authority queues with more appropriate MQOPEN option when
    verifying their existence. The authority queues are now opened
    with the "inquire" option rather than "get".
    The "User authorities on IBM MQ Managed File Transfer actions"
    topic in the MQ V8 and V9 sections of IBM Knowledge Centre have
    been updated to include "inquire" as a required permission on
    all of the agent authority queues:
    The fix is targeted for delivery in the following PTFs:
    Version    Maintenance Level
    v9.0 CD    9.0.4
    v9.0 LTS
    The latest available MQ maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'

Temporary fix


APAR Information

  • APAR number


  • Reported component name


  • Reported component ID


  • Reported release


  • Status


  • PE




  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date


  • Closed date


  • Last modified date


  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ MFT V9.0

  • Fixed component ID


Applicable component levels

  • R900 PSY


[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 September 2017