philip.baker |
Posted: Thu Dec 02, 2010 11:36 am Post subject: Maintaining the Original MQMD.UserIdentifier through flows |
|
|
 Voyager
Joined: 21 Mar 2002 Posts: 77 Location: Baker Systems Consulting, Inc. - Tampa
|
Using WBIMB v6.1.0.8 on Windows and/or zLinux, I have a requirement to maintain the MQMD.UserIdentifier from the original sent message through a series of 5 message flows that process the transaction.
The last flow output node uses a Destination list to send messages to Mainframe queues that the Message Broker id does not have permission to put to. All message flow Output nodes have the Message context set to Pass All.
I could set the Set Identity on the final Output Node, but the id will have to be set dynamically based on the Input Messages Id.
The messages are attempting to be put to the q with the Broker's id.
_________________
Regards,
Phil
vmcgloin |
Posted: Thu Dec 02, 2010 11:56 am Post subject: |
|
|
Knight
Joined: 04 Apr 2002 Posts: 560 Location: Scotland
|
philip.baker |
Posted: Thu Dec 02, 2010 12:10 pm Post subject: |
|
|
 Voyager
Joined: 21 Mar 2002 Posts: 77 Location: Baker Systems Consulting, Inc. - Tampa
|
Thanks for responding vmcgloin.
I don't think setting a security profile is going to help me here. I need to satisfy the MQ authorization issue and I won't know the id that I need to use to make MQ happy in advance.
_________________
Regards,
Phil
mgk |
Posted: Thu Dec 02, 2010 2:09 pm Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
Try ticking the "Alternate user authority" checkbox on the MQOutput node...
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
philip.baker |
Posted: Thu Dec 02, 2010 2:32 pm Post subject: |
|
|
 Voyager
Joined: 21 Mar 2002 Posts: 77 Location: Baker Systems Consulting, Inc. - Tampa
|
Thanks for the reply mgk.
The problem is getting hold of the proper id to use for the output message.
I will not know this in advance.
_________________
Regards,
Phil
mgk |
Posted: Thu Dec 02, 2010 2:37 pm Post subject: |
|
|
 Padawan
Joined: 31 Jul 2003 Posts: 1642
|
Quote:
The problem is getting hold of the proper id to use for the output message.

But that is the point. Set MQMD.UserIdentifier in the message to the desired user id (assuming it is a valid ID) and if "Alternate user authority" is enabled it will be used to do the PUT. The Broker's user id will always be used to do the OPEN however...
Kind regards,
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
philip.baker |
Posted: Thu Dec 02, 2010 3:23 pm Post subject: |
|
|
 Voyager
Joined: 21 Mar 2002 Posts: 77 Location: Baker Systems Consulting, Inc. - Tampa
|
Thanks again mgk. I will need more info about who can do what with MQ on the MF side.
More details for those that are interested: (extracted from http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg1IZ68324)
When using the Alternate User Authority on the MQOutput node, it
should be noted that MQ always performs security checking for
the Context and Identity permissions using the UserID of the
application opening the handle to the queue, which in this case
is the Broker. Therefore, as the MQOutput node needs the ability
to set the identity and the context of the message it is PUTting
to the queue, the Broker UserID must have permission to set the
Identity (setid) and set the Context (setall) to the queue to
which it is putting the message. However, the Broker's UserID
does not need any other permissions (such as permission to PUT
or GET a message) as the authority to PUT is checked by MQ
against the supplied Alternate User Authority.
_________________
Regards,
Phil
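
A simplified model of the authority checks described in the IBM text quoted in the post above, added here as an example and not taken from the thread, from IBM, or from the broker product. The principal names, queue names and grant table are constructed sample data, and only the authorities named in the quote (setid, setall, put) are modelled.

```python
# Added example: simplified model of the checks described in the quoted IBM text.
# Only setid, setall and put are modelled; all names below are constructed.
REQUIRED_BROKER = {"setid", "setall"}

# Constructed sample grants: (principal, queue) -> authorities held.
SAMPLE_GRANTS = {
    ("BROKERID", "MF.ORDERS.IN"): {"setid", "setall", "put"},
    ("APPUSR1", "MF.ORDERS.IN"): {"put"},
    ("BROKERID", "MF.BILLING.IN"): {"setid"},
    ("APPUSR1", "MF.BILLING.IN"): {"put"},
}

def check_put(grants, broker_id, queue, msg_user, alt_user_authority=True):
    """Return (allowed, reason) for one put by the output node."""
    broker = grants.get((broker_id, queue), set())
    if not alt_user_authority:
        # Box unticked: the put is attempted under the broker's own ID.
        if "put" in broker:
            return True, "put as " + broker_id
        return False, broker_id + " lacks put"
    # Identity and context are checked against the ID that opens the queue.
    missing = sorted(REQUIRED_BROKER - broker)
    if missing:
        return False, broker_id + " lacks " + ",".join(missing)
    # Authority to put is checked against MQMD.UserIdentifier.
    if "put" not in grants.get((msg_user, queue), set()):
        return False, msg_user + " lacks put"
    return True, "put as " + msg_user

def audit(grants, broker_id, queues, users):
    """List failing (queue, user) pairs and broker grants beyond setid/setall."""
    findings = []
    for queue in queues:
        for user in users:
            allowed, reason = check_put(grants, broker_id, queue, user)
            if not allowed:
                findings.append((queue, user, reason))
        extra = grants.get((broker_id, queue), set()) - REQUIRED_BROKER
        if extra:
            findings.append((queue, broker_id,
                             "beyond setid/setall: " + ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS, "BROKERID",
                         ["MF.ORDERS.IN", "MF.BILLING.IN"], ["APPUSR1", "APPUSR2"]):
        print(finding)
```
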
vmcgloin |
Posted: Fri Dec 03, 2010 5:55 am Post subject: |
|
|
Knight
Joined: 04 Apr 2002 Posts: 560 Location: Scotland
|
It seems like you have a simpler solution from mgk, but I just wanted to say that my point was that you can extract the identity on a message by message basis and propagate the transport default. |