| Author |
Message
|
| k_anand2585 |
 Posted: Tue Jan 10, 2012 4:57 pm Post subject: |
 |
|
Acolyte
Joined: 03 Nov 2011
Posts: 50
|
Got it,
Let me take permission from IT team to implement changes.
Thanks all guy for your valuable inputs. |
|
| Back to top |
|
 |
| k_anand2585 |
| Posted: Fri Jan 13, 2012 12:53 am Post subject: |
|
|
Acolyte
Joined: 03 Nov 2011
Posts: 50
|
Hi team,
I tried this as specified before.
Client machine
User roy
Group MQM
Roy assigned to MQM
Domain controller
1>tasco group created as local domain group
2>tasco group has members roy
3>created roy as user
Assigned to domain user and tasco
4>Asigned previalges to channel ,qmanager, queues for group tasco(domain local group)
Logged in as roy as a user and sicessfully sent messages.
Note group name should not be used as with spaces.
This time no Domain Admin or anything only plain user roy as a member of tasco group.
This is working !!!!! |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Jan 13, 2012 1:01 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
Of course it worked - user Roy is part of mqm on the client machine! NO, NO, and NO again! Take Roy out of mqm and then see what happens.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| k_anand2585 |
| Posted: Fri Jan 13, 2012 1:39 am Post subject: |
|
|
Acolyte
Joined: 03 Nov 2011
Posts: 50
|
YES!!
After removing user roy from mqm it still works.
The user roy is plain simple does not have any previalges.
Still it works |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Jan 13, 2012 1:54 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| k_anand2585 wrote: |
YES!!
After removing user roy from mqm it still works.
The user roy is plain simple does not have any previalges.
Still it works |
Good, then you finally have it correct. By having user Roy in the mqm group you were proving nothing in regard to whether the authorities set for tasco group were correct, because Roy would have admin rights to WMQ. By removing Roy from mqm you have proved the authorities are correct for group tasco. Remember, you set authorities at group level, and therefore any users within a group inherit those authorities.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| k_anand2585 |
| Posted: Fri Jan 13, 2012 2:00 am Post subject: |
|
|
Acolyte
Joined: 03 Nov 2011
Posts: 50
|
Thanks a lot exerk for your valuable suggestions and explanation.
I really liked this blog because there is no sppon feeding here , you have to try try till you suceed ..Good stuff guys who all looked into this matter. |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Jan 13, 2012 5:00 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| k_anand2585 wrote: |
| I really liked this blog |
We're a blog? Did I miss a memo? 
| k_anand2585 wrote: |
| there is no spoon feeding here , you have to try try till you suceed |
As one of my worthy associates says in his signature:
Give a man a fish, you feed him for a day.
Teach a man to fish, you feed him for life.
It's also hard, when you've been reading "i am new pls guide me stp by stp" posts as long asome of us have, for something that's properly documented in a better way than we can manage here (with links and everything) to spoon feed.
Which gives me an ideal opertunity to remind all, especially new posters, about the "how to ask questions the smart way" post in the Read First section (yes, there's a Read First section!). It's worth a read because by formulating your question as it suggests you may well gain an insight into your problem and fix it!
You'll certainly do better in here if you've tried and failed than if you just ask for instructions. You'll do even better if you post what happened when it failed (error messages, unexpected results, etc) rather than the popular but cryptic "it didn't work".
Better information, better advice.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Fri Jan 13, 2012 5:27 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
| exerk wrote: |
| k_anand2585 wrote: |
YES!!
After removing user roy from mqm it still works.
The user roy is plain simple does not have any previalges.
Still it works |
Good, then you finally have it correct. By having user Roy in the mqm group you were proving nothing in regard to whether the authorities set for tasco group were correct, because Roy would have admin rights to WMQ. By removing Roy from mqm you have proved the authorities are correct for group tasco. Remember, you set authorities at group level, and therefore any users within a group inherit those authorities. |
We are all assuming that the QM was restarted or the REFRESH SECURITY was issued after the ID was removed from the group. Just removing the ID from the group would not change anything.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| k_anand2585 |
| Posted: Sun Jan 15, 2012 8:20 pm Post subject: |
|
|
Acolyte
Joined: 03 Nov 2011
Posts: 50
|
Hi Peter,
I had issued refresh security and than tried to send messages when the user was taken out of mqm group.
However as other teams are testing as of now not feasible to restart the qmanager but i am sure that too will work. |
|
| Back to top |
|
|
|
|
