Problem granting privileges to users |
Author |
Message
|
sturin |
Posted: Wed Feb 22, 2006 1:10 pm Post subject: Problem granting privileges to users |
|
|
 Newbie
Joined: 22 Feb 2006 Posts: 3 Location: Moscow
|
Hi,
I've written a program which transfers information between 2 QMs - from HP-UX 11i to Windows 2003 server. MQ techniques used are channels, triggering and local definitions of remote queues.
Everything runs fine if program is being started under account which belongs to mqm group on UNIX. Ordinary user gets error 2035.
I've granted "+connect to QM" permission to UNIX group the user belongs to and checked user rights on remote queue (i.e. local alias of the remote queue) and sender channel's transmission queue - everything seems to permit anything, at least +allmqi. However, the app still fails with 2035 and 2105 (no resources) errors.
I've read something about channel security in "Security" book but there are explanations applicable to my situation. Could somebody point out what I should do to allow the program to work? Should I grant some permissions to sending user on a destination computer?
HP-UX QM (source)
MQ 5.3 CSD 07
started under mqm user authority
Windows 2003 (destination)
MQ 5.3 CSD 12
started under domain user who is an admin on the computer. |
|
|
 |
fjb_saper |
Posted: Wed Feb 22, 2006 2:55 pm Post subject: Re: Problem granting privileges to users |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
sturin wrote: |
Hi,
I've written a program which transfers information between 2 QMs - from HP-UX 11i to Windows 2003 server. MQ techniques used are channels, triggering and local definitions of remote queues.
Everything runs fine if program is being started under account which belongs to mqm group on UNIX. Ordinary user gets error 2035.
I've granted "+connect to QM" permission to UNIX group the user belongs to and checked user rights on remote queue (i.e. local alias of the remote queue) and sender channel's transmission queue - everything seems to permit anything, at least +allmqi. However, the app still fails with 2035 and 2105 (no resources) errors.
I've read something about channel security in "Security" book but there are explanations applicable to my situation. Could somebody point out what I should do to allow the program to work? Should I grant some permissions to sending user on a destination computer?
HP-UX QM (source)
MQ 5.3 CSD 07
started under mqm user authority
Windows 2003 (destination)
MQ 5.3 CSD 12
started under domain user who is an admin on the computer. |
But is the domain user part of the mqm group on Windows?
Admin is not enough. The Domain user MQ runs under needs as well the right to query group membership or domain membership if MQ is declared in the domain...
Read security and quick beginnings for Windows...
(This is why none of my Win qmgrs are domain aware...)
Enjoy  _________________ MQ & Broker admin |
|
|
 |
sturin |
Posted: Wed Feb 22, 2006 3:08 pm Post subject: |
|
|
 Newbie
Joined: 22 Feb 2006 Posts: 3 Location: Moscow
|
Yes, the Windows user is part of mqm group on Windows (destination server).
Let me rephrase my question and divide the problem into 2 small ones
1) The sequence is as follows
- The program (HP-UX part) puts message into local alias of the remote queue (pointing to local queue on Windows QM)
- It gets transferred to transmission queue and (via a pair of channels)
- finally gets into local queue on Windows
If the above works for admin accounts, should I grant some rights to the ordinary user on destination QM?
2) Connect to QM + put on the queue - is it enough for program to put message to alias queue pointing to another server? |
|
|
 |
fjb_saper |
Posted: Wed Feb 22, 2006 3:32 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
sturin wrote: |
Yes, the Windows user is part of mqm group on Windows (destination server).
Let me rephrase my question and divide the problem into 2 small ones
1) The sequence is as follows
- The program (HP-UX part) puts message into local alias of the remote queue (pointing to local queue on Windows QM)
- It gets transferred to transmission queue and (via a pair of channels)
- finally gets into local queue on Windows
If the above works for admin accounts, should I grant some rights to the ordinary user on destination QM? |
Yes, start with a group that receives +allmqi (on qmgr and queues) then experiment from there. (at a min you need connect to the qmgr and conn + get for the queue)
Do not grant rights to individuals but grant rights to groups. Then just add the individuals to the groups.
sturin wrote: |
2) Connect to QM + put on the queue - is it enough for program to put message to alias queue pointing to another server? |
Yes that should be sufficient. It worked didn't it? You did get the messages to show up on the target queue in the target qmgr...
Enjoy  _________________ MQ & Broker admin |
|
|
 |
sturin |
Posted: Wed Feb 22, 2006 5:22 pm Post subject: |
|
|
 Newbie
Joined: 22 Feb 2006 Posts: 3 Location: Moscow
|
The problem was in permissions required to open remote queue definition (alias) on sending side and has been resolved by granting +all rights to the user on QM level. Windows destination QM was not touched.
I'm gonna experiment with the rights and restrict them to really required level.
Thanks and regards,
Sergei |
|
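The grants discussed in this thread (connect on the queue manager plus put on the remote queue definition, given to a group rather than to an individual user), written out as an added example that is not from any of the posters. The queue manager, group and queue names passed to the function are placeholders, and an application may need more than this depending on the open options it uses.

```shell
#!/bin/sh
# Narrow grants for an application group that only PUTs to a local
# definition of a remote queue. All object names passed in are assumptions.
# MQ_RUN defaults to "echo" (dry run: commands are printed, not executed);
# set MQ_RUN="" on the queue manager host, as a member of mqm, to apply them.
MQ_RUN=${MQ_RUN-echo}

# grant_put_path QMGR GROUP REMOTE_QDEF
grant_put_path() {
    qmgr=$1; group=$2; rqdef=$3
    if [ -z "$qmgr" ] || [ -z "$group" ] || [ -z "$rqdef" ]; then
        echo "usage: grant_put_path QMGR GROUP REMOTE_QDEF" >&2
        return 2
    fi
    # Do not solve a 2035 by routing the application through the admin group.
    if [ "$group" = "mqm" ]; then
        echo "refusing: mqm is the administrative group" >&2
        return 1
    fi
    # 1. Connect authority on the queue manager object.
    $MQ_RUN setmqaut -m "$qmgr" -t qmgr -g "$group" +connect || return 1
    # 2. Put authority on the remote queue definition the program opens.
    $MQ_RUN setmqaut -m "$qmgr" -n "$rqdef" -t queue -g "$group" +put || return 1
    # 3. Display what the group now holds, to compare with +all / +allmqi.
    $MQ_RUN dspmqaut -m "$qmgr" -t qmgr -g "$group" || return 1
    $MQ_RUN dspmqaut -m "$qmgr" -n "$rqdef" -t queue -g "$group"
}
```

Run `grant_put_path QM.HPUX appgrp TO.WIN.Q` (constructed names) to review the commands before applying them with `MQ_RUN=""`.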