mqlover (Disciple; Joined: 25 Jul 2010; Posts: 176)
Posted: Mon Feb 17, 2014 8:12 pm   Post subject: how to avoid to run few mqsi commands by a particular user

Hi,
I have a contact admin user id created which ideally should have all the permissions to do mqsilist to the brokers running, but this user id should not have any authority to deploy any of the bar files to any of the execution groups. How do I avoid this?
Is there any way that I can restrict the user only to do mqsilist and not run mqsideploy?
Kindly help me on this.
Thanks in advance
Esa (Grand Master; Joined: 22 May 2008; Posts: 1387; Location: Finland)
Posted: Mon Feb 17, 2014 11:02 pm   Post subject:

If the broker runs on UNIX you could consider moving the user to a group that doesn't have execute permission to the commands, and removing the directory from the user's PATH. Then link to the commands from somewhere else (or in the worst case copy them) and give the user permission to execute them.
Something like that; don't take these as precise instructions. Implementing this will require some trial-and-error style testing. But I'm sure there are experts who can guide you further or tell you if my suggestion is not feasible. Like Tibor, for example.
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Tue Feb 18, 2014 12:08 am   Post subject:

First of all - tell him to use the toolkit or message broker explorer!
You could create a sudo rule to allow the use of mqsilist under an id which is a member of mqbrkrs group.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
mqlover (Disciple; Joined: 25 Jul 2010; Posts: 176)
Posted: Tue Feb 18, 2014 12:20 am   Post subject:

zpat wrote:
    First of all - tell him to use the toolkit or message broker explorer!
    You could create a sudo rule to allow the use of mqsilist under an id which is a member of mqbrkrs group.

Thanks so much for the reply. As it would be in the prod environment, we are not supposed to use the explorer tool.
This id should just do a health check like the mqsilist to see that brokers and EGs and message flows are running.
How do I use this sudo option?
Thanks much
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Tue Feb 18, 2014 12:43 am   Post subject:

There is nothing wrong with using message broker explorer in production - it is an operations tool.
Access to MBX is controlled by the broker security ACLs - so view-only access is harmless.
MBX will be issuing CMP API calls - just as mqsilist (presumably) does - what's the difference?
Running commands under sudo is a unix feature that you can google.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Gralgrathor (Master; Joined: 23 Jul 2009; Posts: 297)
Posted: Tue Feb 18, 2014 1:06 am   Post subject: Re: how to avoid to run few mqsi commands by a particular us

mqlover wrote:
    Is there any way that I can restrict the user only to do mqsilist and not run mqsideploy?

Does he have a wife and children? Or any relatives or friends he's really close to?
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Tue Feb 18, 2014 5:44 am   Post subject:

zpat wrote:
    Running commands under sudo is a unix feature that you can google.

This is how we restrict this - wrap the command in a script, and control who can execute the script.
_________________
Honesty is the best policy.
Insanity is the best defence.
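The two suggestions above (zpat's sudo rule and Vitor's "wrap the command in a script") fit together into one least-privilege pattern. The script below is an added example written for this thread; it is not code from the forum, from IBM, or from any of the posters. The operator id is kept out of the mqbrkrs group, a sudoers rule lets it run only this wrapper as the broker service account, and the wrapper only ever executes mqsilist with an argument list it has vetted. The user names opsuser and mqbrkr, the install paths, the script location /usr/local/bin/mqsi-healthcheck and the set of accepted flags (-e, -r, -d, taken from the mqsilist syntax as I understand it) are all assumptions; adjust them to the installation.

```shell
#!/bin/sh
# Added example (not from this thread or from IBM): a wrapper that lets an
# operator run mqsilist and nothing else, combining a sudo rule with
# a "wrap the command in a script" approach.
#
# The operator id (placeholder: opsuser) is NOT made a member of mqbrkrs.
# Instead a sudoers rule, added with visudo, lets it run only this script as
# the broker service account (placeholder: mqbrkr):
#
#   opsuser ALL=(mqbrkr) NOPASSWD: /usr/local/bin/mqsi-healthcheck
#
# The script must be owned by root and not writable by opsuser, and is called as:
#   sudo -u mqbrkr /usr/local/bin/mqsi-healthcheck BRK1 -e EG1
#
# Install paths below are assumptions; point them at the real mqsiprofile/mqsilist.
MQSI_PROFILE="${MQSI_PROFILE:-/opt/ibm/mqsi/bin/mqsiprofile}"
MQSILIST="${MQSILIST:-/opt/ibm/mqsi/bin/mqsilist}"

# A "safe name" is non-empty, does not start with "-", and is made only of
# [A-Za-z0-9_.-]: no whitespace, no shell metacharacters, no path separators,
# and it cannot be mistaken for another option.
is_safe_name() {
  case "$1" in
    ""|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Returns 0 only when the whole argument list matches the subset of mqsilist
# syntax this wrapper is willing to pass on (assumed from the product syntax):
#   [BrokerName] [-e ExecutionGroupName] [-r] [-d 0|1|2]
# Any other option (a trace file, an unknown flag) or a second positional
# argument is refused, so the call cannot be turned into anything else.
mqsi_healthcheck_validate() {
  seen_broker=0
  while [ $# -gt 0 ]; do
    case "$1" in
      -e)
        [ $# -ge 2 ] && is_safe_name "$2" || return 1
        shift 2 ;;
      -r)
        shift ;;
      -d)
        [ $# -ge 2 ] || return 1
        case "$2" in 0|1|2) ;; *) return 1 ;; esac
        shift 2 ;;
      -*)
        return 1 ;;
      *)
        [ "$seen_broker" -eq 0 ] && is_safe_name "$1" || return 1
        seen_broker=1
        shift ;;
    esac
  done
  return 0
}

# Validates, then replaces this process with the real mqsilist by absolute path,
# so neither PATH nor aliases chosen by the caller can substitute another binary.
mqsi_healthcheck_run() {
  if ! mqsi_healthcheck_validate "$@"; then
    echo "mqsi-healthcheck: refused argument list: $*" >&2
    return 2
  fi
  . "$MQSI_PROFILE"
  exec "$MQSILIST" "$@"
}

# Only act when invoked as the installed script, so the file can be sourced
# (for tests, or from another script) without running anything.
case "$0" in
  */mqsi-healthcheck|mqsi-healthcheck) mqsi_healthcheck_run "$@" ;;
esac
```

Two things to keep in mind when using a wrapper like this. First, sudo resets the environment by default (env_reset), and the wrapper sources mqsiprofile itself and executes mqsilist by absolute path, so the operator's own PATH and environment never reach the broker command. Second, as fjb_saper points out further down the thread, this only closes the command-line route: if the id also holds the relevant MQ authorities or broker ACL permissions, deployment through the Toolkit, Explorer or the CMP API is still possible, so broker security has to be checked alongside the OS-level restriction.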
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Tue Feb 18, 2014 9:32 pm   Post subject:

Guys, guys, guys,
Did you look at broker security?
The platform has not been discussed. Evidently, if he has the requisite MQ authorities, deployment will be possible...
Just look into all aspects and don't give the user mqm or mqbrokers group membership..., nor membership in the administrators group in Windows....
Have fun
_________________
MQ & Broker admin
mqlover (Disciple; Joined: 25 Jul 2010; Posts: 176)
Posted: Wed Feb 19, 2014 7:43 pm   Post subject: how to avoid to run few mqsi commands by a particular user

So the user id created should not be part of the mqm or mqbrokers group?
Actually I added the user into the mqbrokers group; should I remove it from the group? If I remove it, how will I be able to run mqsilist?
Using sudo?
Thanks for your help, need more advice as well.
Thanks
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Thu Feb 20, 2014 5:43 am   Post subject: Re: how to avoid to run few mqsi commands by a particular us

mqlover wrote:
    So the user id created should not be part of the mqm or mqbrokers group?

mqlover wrote:
    Actually I added the user into the mqbrokers group; should I remove it from the group?

mqlover wrote:
    If I remove it, how will I be able to run mqsilist?
    Using sudo?

_________________
Honesty is the best policy.
Insanity is the best defence.