MQSeries Service user privileges
afra
Posted: Tue Aug 13, 2002 4:20 am Post subject: MQSeries Service user privileges
Novice
Joined: 11 Apr 2002 Posts: 12
I run MQSeries 5.2.1 on Win2000 servers being part of a Win2000 domain.
I need to know the exact privileges for the user which runs the MQSeries Service COM server, since the user privileges are handled very tightly in our environment.
MQS V5.1 manual lists the following privileges to be implemented:
SE_BATCHLOGON_RIGHT "Logon as a batch job"
SE_SHUTDOWN_NAME "Shut down the system"
SE_TCB_NAME "Act as part of the operating system"
SE_CHANGE_NOTIFY_NAME "Bypass traverse checking"
SE_ASSIGNPRIMARYTOKEN_NAME "Replace a process level token"
SE_INCREASE_QUOTA_NAME "Increase quotas"
MQS V5.2.1 manual does not show any specific privileges, but the above mentioned privileges are implemented automatically.
Q: which privileges are really required? and why?
Appreciate any help.
jc_squire
Posted: Wed Aug 14, 2002 5:12 pm Post subject:
Centurion
Joined: 14 Apr 2002 Posts: 105 Location: New Zealand
Suggest you add the domain user to the mqm group (standard practice).
Be very careful with what specific permissions you assign a user because this can cause a critical MQ service to be stopped if the user logs off.
Regards _________________ J C Squire
IBM Certified Specialist - MQSeries
afra
Posted: Wed Aug 14, 2002 10:20 pm Post subject: MQSeries Service user privileges
Novice
Joined: 11 Apr 2002 Posts: 12
We know the standard practice to set this up. And it works.
Now we want to do some fine tuning because our W2K environment is very restrictive with what privileges a user has.
That's why we need to understand what exact privileges the user must have. The privileges below (for MQS V5.1) are suggested, but we doubt that all of them need to be there!
jc_squire
Posted: Thu Aug 15, 2002 3:01 pm Post subject:
Centurion
Joined: 14 Apr 2002 Posts: 105 Location: New Zealand
These are the rights assigned to the MQM admin account on W2k with 5.2:
1.) Act as part of the operating system - act as a trusted part of the operating system.
2.) Bypass traverse checking - traverse a directory tree even if the user has no other rights to access the directory.
3.) Increase quotas - increase object quotas.
4.) Log on as a batch job - log on to the system as a batch queue facility.
5.) Log on as a service - perform security services.
6.) Replace a process level token - modify a process access token.
7.) Shut down the system - shut down Windows 2000.
And obviously belong to "Users" group.
In saying "I need to know the exact privileges for the user which runs the MQSeries ...."
Do you mean the MQ Admin account? In which case, I doubt whether MQ can function normally without any of these privileges. The results will be unpredictable and it might make your system unstable.
By denying some of these privileges you will be denying MQ certain functionality, e.g. 6 will deny setmqaut in some cases. Also some changes you make will require a qmgr restart instead of the changes taking effect on the fly. A process gets its access token when it starts up; MQ needs to change that access token on the fly, and if it can't, the process has to be killed and restarted. You might get away with denying 7 but what is that worth?
This affects every admin account that you define, not just the MQ admin user.
To be honest, changing any of these privileges is very risky. Especially in a production environment where restarting qmgrs whenever a minor change is required is going to affect the business.
Regards _________________ J C Squire
IBM Certified Specialist - MQSeries
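The practical follow-up to the two posts above is to check what a service account actually holds against the seven rights listed, so that the account is trimmed of rights MQ does not need without losing the ones the reply says it depends on. The script below is an added example, not code from the thread or from IBM: it parses the `[Privilege Rights]` section of a security template as written by `secedit /export /cfg <file>`, and compares the rights held by a set of principals (the account SID plus any group SIDs it belongs to, such as mqm) with the expected set. The mapping from the display names in the thread to the `Se*` constant names is standard Windows naming supplied here from my own knowledge, and the export text and SIDs are constructed sample data, not from any real system.

```python
"""Least-privilege audit of a service account's user rights.

Reads a secedit-style security template (constructed sample below), collects
the rights held by the given principals, and reports which of the rights named
in the thread are missing and which extra rights the account holds.
"""
import re

# Display names from the thread mapped to the constant names secedit writes.
# Assumption: these are the standard Windows names; the page itself only gives
# the display names and the SE_* API constants.
MQ_EXPECTED_RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeServiceLogonRight": "Log on as a service",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeShutdownPrivilege": "Shut down the system",
}

# Constructed sample export (hypothetical SIDs). The MQ service account
# S-1-5-21-1000-2000-3000-1105 holds six of the seven expected rights (not
# "Shut down the system") plus SeDebugPrivilege, which MQ does not need.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1000-2000-3000-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
SeServiceLogonRight = *S-1-5-21-1000-2000-3000-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-21-1000-2000-3000-1105
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(template_text):
    """Return {right_name: set(holders)} from the [Privilege Rights] section.

    secedit writes holders as a comma-separated list; SIDs carry a leading
    '*', account names do not. Both forms are accepted and the '*' is dropped.
    """
    rights = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        rights[name.strip()] = {
            h.strip().lstrip("*") for h in holders.split(",") if h.strip()
        }
    return rights


def rights_held_by(rights, principals):
    """Rights granted to any of the principals (account SID and its groups)."""
    return {name for name, holders in rights.items() if holders & principals}


def audit(template_text, principals, expected=MQ_EXPECTED_RIGHTS):
    """Compare held rights with the expected set.

    'missing' are expected rights the principals lack (the reply above warns
    these may break MQ behaviour); 'extra' are rights beyond the list, which
    are the first candidates for removal under a least-privilege policy.
    """
    held = rights_held_by(parse_privilege_rights(template_text), principals)
    return {
        "missing": sorted(set(expected) - held),
        "extra": sorted(held - set(expected)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, {"S-1-5-21-1000-2000-3000-1105"})
    for key in ("missing", "extra"):
        print(f"{key}:")
        for right in report[key]:
            print(f"  {right} ({MQ_EXPECTED_RIGHTS.get(right, 'not in MQ list')})")
```

On a real host the template comes from `secedit /export /cfg rights.inf`; pass the account SID together with the SIDs of its groups, because a right granted to mqm or Administrators shows up under the group's SID, not the member's. In the sample, the report lists SeShutdownPrivilege as missing (the one right the reply says you might get away without) and SeDebugPrivilege as extra.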