pcelari |
Posted: Tue Sep 17, 2019 11:11 am Post subject: dspmqaut for a single group or principal possible? |
|
|
Chevalier
Joined: 31 Mar 2006 Posts: 411 Location: New York
|
Greetings. I need to query all authorization settings for a single principal or group in a qmgr, using dspmqaut or dmpmqaut.
But 'dmpmqaut -m QMName -t queue -n ** -g mygroup' wouldn't work, nor does it work with dspmqaut.
Can an expert please share some insight? Thanks much! _________________ pcelari
-----------------------------------------
- a master of always being a newbie |
hughson |
Posted: Tue Sep 17, 2019 1:47 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
It is a shame that the MQSC equivalent command (DISPLAY AUTHREC) does not allow the WHERE clause because that would solve your problem.
<vendor-plug>
The MQGem tool MQSCX supports the MQ WHERE clause but also provides its own WHERE clause using the =WHERE keyword. The =WHERE clause removes a number of the restrictions in the IBM MQ supplied WHERE clause and this is one example of that. Using MQSCX, you can issue the following command:-
Code: |
DISPLAY AUTHREC OBJTYPE(QUEUE) =WHERE(ENTITY EQ "mqgemusr@GEMWIN1") |
If this interests you, please read further at http://www.mqgem.com/mqscx.html and/or contact us off-list (email on the website).
</vendor-plug> _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
HubertKleinmanns |
Posted: Wed Sep 18, 2019 3:04 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
The command
Code: |
dmpmqaut -m QMName -t queue -n ** -g mygroup
profile: **
object type: queue
entity: mygroup
entity type: group
authority: allmqi dlt chg dsp clr
|
lists exactly the profile named '**'. It does not mean "any queue profile".
To list all queue profiles for a specific user, just omit the '-n' parameter like this:
Code: |
dmpmqaut -m QMName -t queue -g mygroup
profile: @class
object type: queue
entity: mygroup
entity type: group
authority: none
- - - - - - - -
profile: **
object type: queue
entity: mygroup
entity type: group
authority: allmqi dlt chg dsp clr
|
And omit the object type to list all profiles for a user:
Code: |
dmpmqaut -m QMName -g mygroup
profile: self
object type: qmgr
entity: mygroup
entity type: group
authority: allmqi dlt chg dsp ctrl system
- - - - - - - -
profile: @class
object type: queue
entity: mygroup
entity type: group
authority: none
- - - - - - - -
profile: @class
object type: qmgr
entity: mygroup
entity type: group
authority: none
- - - - - - - -
profile: **
object type: queue
entity: mygroup
entity type: group
authority: allmqi dlt chg dsp clr |
So "generic" in "dmpmqaut" means "omit" these parameters.
Unfortunately "dspmqaut" does not have such a pseudo-generic feature. But you could use "amqoamd" instead in combination with a shell function (Unix sample, use FINDSTR on Windows):
Code: |
amqoamd -m QMName -s | grep mygroup
setmqaut -m QMName -t qmgr -g mygroup +altusr +connect +inq +set +setall +setid +chg +dlt +dsp +system
setmqaut -m QMName -n '**' -t queue -g mygroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
|
_________________ Regards
Hubert |
pcelari |
Posted: Thu Sep 26, 2019 10:50 am Post subject: |
|
|
Chevalier
Joined: 31 Mar 2006 Posts: 411 Location: New York
|
Quote: |
So "generic" in "dmpmqaut" means "omit" these parameters |
Thanks for clarifying this! I had always considered "**" a wild card meaning "any name".
I ended up doing a "dmpmqaut -m QMgrName -g mygroup" which generates a list of thousands of lines. I then use a shell script to format the result into comma-delimited records for all profiles, filter out those records containing the specific groupid, which turns out to be of a manageable number of records for me to duplicate.
Thanks for all your input! _________________ pcelari
-----------------------------------------
- a master of always being a newbie |
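The flatten-and-filter approach described in the post above, sketched as an added example that is not part of the original thread. The function names and the sample dump are constructed here, and the stanza layout is assumed to match the `dmpmqaut` output shown earlier in the thread. Filtering on the exact entity field avoids the substring hits a plain `grep mygroup` would produce (for example `mygroup2`).

```shell
#!/bin/sh
# Added example: turn dmpmqaut stanza output into one CSV line per
# authority record, then keep only the records for one group.

# stdin: dmpmqaut-style stanzas; stdout: profile,object type,entity,entity type,authority
dmpmqaut_to_csv() {
    awk '
    function emit() {
        if (have)
            printf "%s,%s,%s,%s,%s\n", f["profile"], f["object type"],
                   f["entity"], f["entity type"], f["authority"]
        split("", f); have = 0          # reset for the next stanza
    }
    /^[ \t]*-[- \t]*$/ { emit(); next } # "- - - -" line closes a stanza
    {
        i = index($0, ":")              # split "key: value" on first colon
        if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        f[key] = val; have = 1
    }
    END { emit() }                      # last stanza has no separator
    '
}

# Keep CSV records whose entity field (3rd column) equals $1 exactly.
filter_entity() {
    awk -F, -v want="$1" '$3 == want'
}

# Constructed sample in the layout shown earlier in the thread.
sample_dump() {
cat <<'EOF'
profile: self
object type: qmgr
entity: mygroup
entity type: group
authority: allmqi dlt chg dsp ctrl system
- - - - - - - -
profile: **
object type: queue
entity: mygroup
entity type: group
authority: allmqi dlt chg dsp clr
- - - - - - - -
profile: TEST.**
object type: queue
entity: mygroup2
entity type: group
authority: inq browse
EOF
}

sample_dump | dmpmqaut_to_csv | filter_entity mygroup
```

Against a live queue manager the input would come from `dmpmqaut -m QMgrName -g mygroup` instead of `sample_dump`.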
HubertKleinmanns |
Posted: Thu Sep 26, 2019 10:25 pm Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
pcelari wrote: |
Thanks for clarifying this! I had always considered "**" a wild card meaning "any name" |
No, this means "use these permissions on any object without a more specific rule".
For example you have these profiles
Code: |
setmqaut -m QMName -t queue -n '**' -g mygroup +put +get
setmqaut -m QMName -t queue -n 'TEST.**' -g mygroup +inq +browse |
and these objects
Code: |
DEFINE QLOCAL(TESTIT.ONE)
DEFINE QLOCAL(TEST.TWO) |
then a member of group mygroup would be allowed to PUT messages to and GET messages from queue TESTIT.ONE (because this queue fits to profile '**', but not to profile 'TEST.**').
On queue TEST.TWO this user would only be able to INQuire and BROWSE messages (no PUT and no GET). This queue fits to both profiles above, but the profile 'TEST.**' is more specific and so only this profile is used. _________________ Regards
Hubert |