According to the MQ agent documentation, using MSGACCESS(DATA), TEP user ID will be used when accessing WebSphere MQ data. The problem is that all TEP users can access MQ messages information even if they are not authorized within WMQ security itself.
All TEP user IDs can access MQ messages information even if they are not authorized within WebSphere MQ security itself.
The problem is caused by the RESLEVEL profile. As per the WebSphere MQ manual (WebSphere MQ System Setup Guide), if the user ID has the CONTROL or higher access level to the RESLEVEL profile, then the resource checking for batch connections will be bypassed.
Resolving the problem
The problem can be solved by assigning a lower RESLEVEL to CANSMQ than its group.
After that is done, you need to refresh the MQ security by issuing REFRESH SECURITY MQSC command and finally restart the MQ Agent started task.