
WAS MQ 7.5.x Queue access control


I have a qmgr QM1 and local queues Q1 and Q2. There is a SVRCONN channel with MCA set to mqm.

There are multiple applications connecting to my QMGR, for example App1 and App2. I want App1 to have only PUT authority, which means it can ONLY PUT messages to Q1 or Q2, and App2 to have only GET authority, so it can ONLY GET messages from Q1 or Q2.

Is there any advice?


Solution

  • Each unique set of authorizations needs to be attached to a group. Then when the app connects it needs to do so as a user ID in the appropriate group. (Remember that access requests always resolve to a specific principal, but authorizations are attached to groups.)

    In this case, App1 and App2 each need their own group and at least one ID that is in each group. Once you have groups for App1 and App2, you need to arrange that the MCAUSER of the running channel is a user ID in the appropriate group. You can do this by having different channels with a hard-coded MCAUSER in each, or by dynamically setting the MCAUSER based on CHLAUTH rules. If you have been using channel security exits such as BlockIP2 or MQAUSX, then you can configure those to dynamically set the MCAUSER at connect time as well.

    Remember that the channels with MCAUSER('mqm') set must be configured to deny access to App1 and App2, or any other non-admin connection. It is much more common and better from a security standpoint to set MCAUSER('*NOACCESS') in all inbound channels and then override that with exits or CHLAUTH rules. That way if the channel configuration fails, it fails to a secure state rather than an insecure state.
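The following helper script is an added example, not part of the answer above: it generates the setmqaut commands for a put-only group and a get-only group on QM1/Q1/Q2, plus the MQSC to define fail-closed SVRCONN channels (MCAUSER('*NOACCESS')) with a CHLAUTH rule that maps a TLS peer DN to the group member. The group and user names, channel names, peer DNs and the cipher spec are assumptions; the script only prints the commands so they can be reviewed before being piped to sh and runmqsc.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post). Prints, never executes.
QMGR=QM1             # queue manager from the question
QUEUES="Q1 Q2"       # queues from the question
CIPHER=TLS_RSA_WITH_AES_128_CBC_SHA256   # assumed cipher spec for the SVRCONN

# Emit the OAM grants for one group: connect to the qmgr, then exactly one
# queue verb (put or get) on each queue. Authorities go to groups, not users.
# Add +inq on the queues if the client library inquires attributes (JMS does).
gen_setmqaut() {
  grp=$1; verb=$2
  echo "setmqaut -m $QMGR -t qmgr -g $grp +connect +inq"
  for q in $QUEUES; do
    echo "setmqaut -m $QMGR -t queue -n $q -g $grp +$verb"
  done
}

# Emit MQSC for a per-application SVRCONN that fails closed: the channel's own
# MCAUSER is '*NOACCESS' (not a valid OS user), and only a CHLAUTH SSLPEERMAP
# rule for the expected client certificate DN overrides it with the real user.
gen_mqsc() {
  chl=$1; peer_dn=$2; mcauser=$3
  echo "DEFINE CHANNEL('$chl') CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH($CIPHER) SSLCAUTH(REQUIRED) MCAUSER('*NOACCESS') REPLACE"
  echo "SET CHLAUTH('$chl') TYPE(SSLPEERMAP) SSLPEER('$peer_dn') USERSRC(MAP) MCAUSER('$mcauser') ACTION(REPLACE)"
}

# Emit read-only checks that show the effective authority of each group.
gen_verify() {
  grp=$1
  for q in $QUEUES; do
    echo "dspmqaut -m $QMGR -t queue -n $q -g $grp"
  done
}

# Demo with constructed names: app1grp may only put, app2grp may only get.
gen_setmqaut app1grp put
gen_setmqaut app2grp get
gen_mqsc APP1.SVRCONN 'CN=app1,O=Example' app1usr
gen_mqsc APP2.SVRCONN 'CN=app2,O=Example' app2usr
gen_verify app1grp
gen_verify app2grp
```

app1usr and app2usr are assumed to be OS users whose primary group is app1grp and app2grp respectively; the dspmqaut output is the check that no group picked up both verbs.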