| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| MQ Authority checks - LEVEL |
« View previous topic :: View next topic » |
| Author |
Message
|
| aravindtk |
 Posted: Fri Dec 13, 2024 12:09 pm Post subject: MQ Authority checks - LEVEL |
 |
|
Novice
Joined: 05 Jun 2023
Posts: 17
|
Hi All,
Does the MQ authority check ; in particular the level upto which the checks are carried out, are they different depending on the object?
For example:
With a QALIAS - the check is only done for a user/group for QALIAS and not on the BASE object to which the alias points to.
However with a QREMOTE is it different? I recall reading that with a QMGR alias(which is a QR) the check is actually on the object it resolves to...I cant find that article anymore...
With a QR is that the case in general ?
Thanks |
|
| Back to top |
|
 |
| hughson |
| Posted: Wed Dec 18, 2024 2:20 am Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
For queues, the NAMED object is what is checked.
For example, a QALIAS being opened by an application, only the QALIAS is checked, not the target of the alias.
If a QREMOTE is being opened, then only the QREMOTE name is checked, not the XMITQ or RNAME.
If a fully qualified remote queue is opened, i.e. the MQOD has both queue name and queue manager name filled in, then the authority checks are different since there is no named QREMOTE object in play as the main object.
However, rather than me duplicating IBM Docs content, here's the page you probably want to read: When authority checks are performed
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| zpat |
| Posted: Wed Dec 18, 2024 5:09 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Yes, a bit simple to bypass queue security when you can define a QALIAS !!!
We do keep trying to tell our security people that it is pointless to try to restrict MQ administrators.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Dec 18, 2024 5:52 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| zpat wrote: |
Yes, a bit simple to bypass queue security when you can define a QALIAS !!!
We do keep trying to tell our security people that it is pointless to try to restrict MQ administrators. |
Might as well just give them sudo access to the mqm account and be done with it...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Dec 19, 2024 9:26 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
We have the z/OS MQ platform for our sins. RACF is wonderful but there are ways to circumvent it!!
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
