Author |
Message
|
pfarrel |
Posted: Thu Mar 27, 2008 10:36 am Post subject: Admin on AIX without using mqm group |
|
|
Centurion
Joined: 16 Mar 2004 Posts: 120 Location: Kansas City
|
Is it possible to define a user as an administrator without putting them into the mqm group? The reason I am asking is our AIX administrators would like to have one group file across multiple AIX systems. If I create an admin on one lpar (by putting a user into the mqm group) then I don't want that user to become an admin on another lpar (in a different queue manager). Both lpars would be using the same group file.
|
jefflowrey |
Posted: Thu Mar 27, 2008 10:40 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
You would have to create one group for mq administration on each machine to do what you want.
So machineAmqm, machineBmqm, machineCmqm, etc.
Then use setmqaut to grant needed privileges on each machine to the machine-specific group.
_________________
I am *not* the model of the modern major general.
|
pfarrel |
Posted: Thu Mar 27, 2008 10:45 am Post subject: |
|
|
Centurion
Joined: 16 Mar 2004 Posts: 120 Location: Kansas City
|
Can I use setmqaut to grant the administrator privilege in one statement, or am I looking at having to make lots of setmqaut statements for all the different objects?
|
jefflowrey |
Posted: Thu Mar 27, 2008 11:08 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Should be +allmqi +allmqadm or something.
Double-check the permission names with the docs, but yes, you should be able to do this with a small set of statements.
_________________
I am *not* the model of the modern major general.
|
 |
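An added example (not part of any poster's reply) of the per-machine group approach suggested above: a dry-run generator that prints the setmqaut grants for one queue manager's own admin group, using the `+alladm` and `+allmqi` authorization names from the setmqaut command reference. The queue manager name `QMA`, the object-type lists and the `gen_grants` helper are assumptions for illustration; it refuses `mqm`, since membership in that group would carry over to every lpar through the shared group file.

```shell
#!/bin/sh
# Added example: emit (not run) the setmqaut grants for one queue manager's
# own admin group, so a shared group file does not spread admin rights.
# QMA and machineAmqm below are constructed sample names.

# Object types granted admin + MQI authorities, and admin authorities only.
# Assumption: confirm these lists against the setmqaut reference for your version.
MQI_TYPES="queue process namelist"
ADM_TYPES="channel listener service authinfo"

gen_grants() {
    qmgr=$1 group=$2
    if [ -z "$qmgr" ] || [ -z "$group" ]; then
        echo "usage: gen_grants QMGR GROUP" >&2; return 2
    fi
    # mqm is in the shared group file, so it would be admin on every lpar.
    if [ "$group" = "mqm" ]; then
        echo "refusing: use a per-queue-manager group, not mqm" >&2; return 1
    fi
    # Reject anything that is not a plain name; the output may be piped to sh.
    case "$qmgr$group" in
        *[!A-Za-z0-9._]*) echo "refusing: unexpected characters" >&2; return 1 ;;
    esac
    # The queue manager object itself takes no profile name.
    echo "setmqaut -m $qmgr -t qmgr -g $group +alladm +allmqi"
    for t in $MQI_TYPES; do
        echo "setmqaut -m $qmgr -n '**' -t $t -g $group +alladm +allmqi"
    done
    for t in $ADM_TYPES; do
        echo "setmqaut -m $qmgr -n '**' -t $t -g $group +alladm"
    done
}

# Dry run with the constructed sample names when executed directly.
gen_grants QMA machineAmqm
```

Review the printed commands, then run them as an existing MQ administrator on that lpar only; each lpar gets its own group name.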
Nigelg |
Posted: Thu Mar 27, 2008 1:42 pm Post subject: |
|
|
Grand Master
Joined: 02 Aug 2004 Posts: 1046
|
You cannot use a non-mqm user for admin for the simple reason that the runmqsc binary has permissions 550 mqm:mqm, i.e. it is not executable for any user not in the mqm group.
_________________
MQSeries.net helps those who help themselves..
|
JosephGramig |
Posted: Fri Mar 28, 2008 4:29 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
No matter what permissions you have or have not set, your QMGR is open to anonymous administration so long as you have not secured your inbound channels. Well, probably only by machines on the same side of the firewall as the QMGR (which includes itself).
You can shut down all channels. You can implement SSL with Peer filtering and set the MCAUSER (which will just limit those anonymous accesses).
You can write or buy channel exits to help with this task (and that is all I'm going to say about exits).
|