| Author |
Message
|
| pfarrel |
 Posted: Thu Mar 12, 2009 6:56 am Post subject: Authority to Create a local queue |
 |
|
Centurion
Joined: 16 Mar 2004
Posts: 120
Location: Kansas City
|
I am running WMQ 6.0.2.3 on AIX.
I am trying to grant authority to a group to create a local queue. I have tried the following:
setmqaut -m QM1 -t q -n \*\* -g group1 +all
but users in the group get a 2035 when trying to create a new queue.
I also tried:
setmqaut -m QM1 -t q -n \*\* -g group1 +all +alladm
but they still get a 2035.
Can I set up authority to allow the creation of a local queue, without having to put the user into the mqm group ? |
|
| Back to top |
|
 |
| vandi |
| Posted: Thu Mar 12, 2009 7:52 am Post subject: |
|
|
Acolyte
Joined: 13 Dec 2008
Posts: 67
|
Hi,
I think the user should be mqm user for creation of MQ oobjects.
Thanks
Vandi |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Mar 12, 2009 7:56 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
I think the user is missing permissions on the queue manager. |
|
| Back to top |
|
|
| Sam Uppu |
| Posted: Thu Mar 12, 2009 8:09 am Post subject: Re: Authority to Create a local queue |
|
|
Yatiri
Joined: 11 Nov 2008
Posts: 610
|
| pfarrel wrote: |
I am running WMQ 6.0.2.3 on AIX.
I am trying to grant authority to a group to create a local queue. I have tried the following:
setmqaut -m QM1 -t q -n \*\* -g group1 +all
but users in the group get a 2035 when trying to create a new queue.
I also tried:
setmqaut -m QM1 -t q -n \*\* -g group1 +all +alladm
but they still get a 2035.
Can I set up authority to allow the creation of a local queue, without having to put the user into the mqm group ? |
I think its not a good idea to provide all the permissions for the developers. Not sure why do you want to do that?. For an admin creation of a queue will take couple of seconds... |
|
| Back to top |
|
|
| Vitor |
| Posted: Thu Mar 12, 2009 8:12 am Post subject: Re: Authority to Create a local queue |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Sam Uppu wrote: |
| I think its not a good idea to provide all the permissions for the developers. Not sure why do you want to do that?. For an admin creation of a queue will take couple of seconds... |
It's surprisingly easy to lose control of your topology like this. It's also somewhat unreasonable to expect developers to know how to get the best from WMQ, or leverage all the features.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| pfarrel |
| Posted: Thu Mar 12, 2009 9:32 am Post subject: |
|
|
Centurion
Joined: 16 Mar 2004
Posts: 120
Location: Kansas City
|
I agree that it is probably not a good idea to provide authority to add a queue to a developer, however, that is not my question. In this case, the user is my console operator, who would only create a queue when directed to do so by an administrator.
Regarding the comment on authority for the queue manager, I have also entered the following:
setmqaut -m QM1 -t qmgr -g group1 +all
However my console operator ( who is the only user in group1 ) still cannot create a queue.
So, it is starting to look like MQ requires a user to be in the mqm group in order to create a queue. My question is directed at finding out if this is true. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Mar 12, 2009 10:10 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
What mechanism is being used to attempt to create the queue?
RUNMQSC? PCF? MQExplorer? something else? |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Mar 12, 2009 11:37 am Post subject: Re: Authority to Create a local queue |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| Vitor wrote: |
| Sam Uppu wrote: |
| I think its not a good idea to provide all the permissions for the developers. Not sure why do you want to do that?. For an admin creation of a queue will take couple of seconds... |
It's surprisingly easy to lose control of your topology like this. It's also somewhat unreasonable to expect developers to know how to get the best from WMQ, or leverage all the features. |
Absolutely! Give them god rights in the development environment and they'll propagate it into subsequent environments because there will be management pressure to make it work.
If there is a requirement for them to have the ability to create temp dyn or perm dyn queues give them that ability, if not then ensure you have control. A little pain now is going to save you so much more constant pain in the future.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| sumit |
| Posted: Mon Mar 16, 2009 5:48 am Post subject: |
|
|
Partisan
Joined: 19 Jan 2006
Posts: 398
|
| pfarrel wrote: |
In this case, the user is my console operator, who would only create a queue when directed to do so by an administrator.
Regarding the comment on authority for the queue manager, I have also entered the following:
setmqaut -m QM1 -t qmgr -g group1 +all
|
IF the requirement is to allow them to create queue only, then don't give them '+all' access on queue manager. 
Execute REFRESH SECURITY' command on your queue manager.
_________________
Regards
Sumit |
|
| Back to top |
|
|
| mqjeff |
| Posted: Mon Mar 16, 2009 5:55 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Sumit - REFRESH SECURITY is unnecessary after issuing setmqaut. REFRESH SECURITY is only needed when you change the OS level security.
Again, it's entirely possible to have setmqaut correct for creating a queue, but still get authorization errors trying to either use RUNMQSC or PCF messages - because you aren't authorized to use *those*tools. |
|
| Back to top |
|
|
| sumit |
| Posted: Mon Mar 16, 2009 8:21 am Post subject: |
|
|
Partisan
Joined: 19 Jan 2006
Posts: 398
|
| mqjeff wrote: |
| Sumit - REFRESH SECURITY is unnecessary after issuing setmqaut. REFRESH SECURITY is only needed when you change the OS level security. |
There were some instances where I was not able to work on a queue after issuing setmqaut command. MQ allowed to access the queue object only after giving REFRESH SECURITY.
Later I found this quote
| Quote: |
After making changes using setmqaut for a running queue manager, it is important to issue a REFRESH SECURITY MQSC command against that queue manager to refresh the authority information cache.
|
And the link is:
https://www6.software.ibm.com/developerworks/education/wes-cert9963/section8.html
_________________
Regards
Sumit |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Mon Mar 16, 2009 9:22 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
You do not need to run REFRESH SECURITY after issuing a setmqaut command.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| sumit |
| Posted: Tue Mar 17, 2009 1:35 am Post subject: |
|
|
Partisan
Joined: 19 Jan 2006
Posts: 398
|
Then why does the given link talk about issuing REFRESH SECURITY after setmqaut?
_________________
Regards
Sumit |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Tue Mar 17, 2009 3:32 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Who knows? Its not a link to an official IBM manual, so I'm not sure I would trust it 100%. Maybe its old, or just inaccurate. I can't access it anyway to see what context its presented in.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
|
|
