sorn73
Posted: Wed Mar 24, 2004 5:24 am    Post subject: Rights problem
Novice, Joined: 24 Mar 2004, Posts: 24, Location: Sweden
I have a problem with ACL rights in WBIMB 5.0.2 in a Domain aware environment on Windows 2000. I have given myself all the rights I can think of, using mqsicreateaclgroup, but I don't seem to be able to do "Cancel Deployment". What access do I need to give myself to be able to cancel a deployment?
kirani
Posted: Wed Mar 24, 2004 10:58 am    Post subject:
Jedi Knight, Joined: 05 Sep 2001, Posts: 3779, Location: Torrance, CA, USA
What is the exact command (with parameters) you are trying to run?
_________________
Kiran
IBM Cert. Solution Designer & System Administrator - WBIMB V5
IBM Cert. Solutions Expert - WMQI
IBM Cert. Specialist - WMQI, MQSeries
IBM Cert. Developer - MQSeries
sorn73
Posted: Thu Mar 25, 2004 8:10 am    Post subject:
Novice, Joined: 24 Mar 2004, Posts: 24, Location: Sweden
I set my rights with
Code:
    mqsicreateaclgroup -u MYDOMAIN\MYUSER -x F -t
    mqsicreateaclgroup -u MYDOMAIN\MYUSER -x F -r
    mqsicreateaclgroup -u MYDOMAIN\MYUSER -x F -s
    mqsicreateaclgroup -u MYDOMAIN\MYUSER -x F -b BROKER
    mqsicreateaclgroup -u MYDOMAIN\MYUSER -x F -e BROKER\default
both with and without MYDOMAIN. In both cases (I think; I don't have access to the server today) I get full access to the broker and can start and stop flows etc. But I can't do "Cancel deployment" from the Broker Toolkit (right-click on the Domain object and select "Cancel deployment"); I get an Access Denied.
slaney
Posted: Tue Sep 07, 2004 12:43 am    Post subject:
Novice, Joined: 24 Aug 2004, Posts: 14, Location: Alphacourt (Swindon UK)
Did anyone discover the answer to this? I am also experiencing the same problem and I have given the same ACL permissions. I can only solve this problem by adding my domain user into the local mqbrops group (which defeats the point of mqsicreateaclgroup, doesn't it?).
The actual error I get is:
    BIP1780E: Unable to validate specified user 'slane'.
    User 'slane' does not have the required authority to complete the requested operation on the resource of type 'DeployDomainActionCollection' with UUID 'DeployDomainAction'.
    Ensure that the user exists and has the necessary permissions to access the requested resource. Restart the Configuration Manager and retry the operation. If the exception still occurs, contact your IBM support center.
The user I am logged on with, 'slane', is a domain user.
_________________
Steven Lane AMBCS
Information Security Consultant
Alphacourt Limited
http://www.alphacourt.com/html/services/securityserv/
jefflowrey
Posted: Tue Sep 07, 2004 5:08 am    Post subject:
Grand Poobah, Joined: 16 Oct 2002, Posts: 19981
I don't know the answer to this.
But I have some guesses.
Did you specify the domain name when building the configmgr, in addition to making it "domain aware"? That is, did you specify the -d option in addition to the -l option?
Although the current help is very confusing...
Reference for mqsicreateconfigmgr wrote:
    -d SecurityDomainName
    (Optional) This parameter must be set to null. When you create the configuration manager, omit this parameter.
    The -u and -g options on the mqsicreateaclgroup command refer to users and groups within the domain that the Configuration Manager uses for its security. This domain is by default the machine on which the Configuration Manager resides, but is different if you use this option.
It seems that this parameter is being deprecated for some reason?
_________________
I am *not* the model of the modern major general.
slaney
Posted: Tue Sep 07, 2004 6:32 am    Post subject:
Novice, Joined: 24 Aug 2004, Posts: 14, Location: Alphacourt (Swindon UK)
I did not use the -d option when I created the configmgr. There is no need for it unless you want group enumeration to be based on a domain. So if the config mgr is running on a Windows server in a domain (say the name of the domain is ENGINEERING), it is possible for the config mgr to look for group membership of the groups ENGINEERING\domain mqbr* and not look at all at the local groups. But what's the point? You can have the configmgr enumerate group membership from local groups and it is still able to enumerate group membership of domain users added to local groups or global groups added to local groups. So there is a granularity here per server based on local groups if you go that way. However, our choice is to use mqsisetaclgroup to provide even more granular RBAC.
So the groups referenced by my config mgr are the local groups. I have added domain users to local groups (via a global group) and issued a mqsisetaclgroup -g wmq-sprt -x F -<<some object>> to these, and this works.
Currently my ACL looks like the following:
    wmq-sprt - GROUP - F - EXE - BRK00001\CASH
    wmq-sprt - GROUP - F - EXE - BRK00001\TRADES
    wmq-sprt - GROUP - F - RTS -
    wmq-sprt - GROUP - F - EXE - BRK00001\GLOBAL
    wmq-sprt - GROUP - F - BRK - BRK00001
    wmq-sprt - GROUP - F - EXE - BRK00001\STOCKUPDATES
    wmq-sprt - GROUP - F - EXE - BRK00001\REUTERS
    wmq-sprt - GROUP - F - TOP -
Where wmq-sprt is the local group on the local member server (i.e. not a DC). I have added my domain user, i.e. DOMAIN\slane, to this group. Note I have also tried adding ACLs directly to the user DOMAIN\slane and this gives me the same access rights and the same problem cancelling a deploy.
The only way out I have found at the moment is to add my user to mqbrops. Hardly a solution, since the ACL route was supposed to remove the need for these groups and adding myself to mqbrops removes all role-based access control.
My hunch is that it is not possible to rely entirely on ACLs and some tasks require you to revert to the legacy security model. So each network needs a superuser who is a member of the mqbrops and mqbrkrs groups... unless someone else can correct me? IBMers, perhaps you can help out with this please.
_________________
Steven Lane AMBCS
Information Security Consultant
Alphacourt Limited
http://www.alphacourt.com/html/services/securityserv/
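Both sorn73's list of mqsicreateaclgroup grants and slaney's pasted ACL listing raise the same practical question: given the Configuration Manager's ACL table, which object types does a principal actually hold full control on, and where have grants been made to a user directly instead of to a group? The script below is an added example written for this thread, not code from the original posts or from IBM. It assumes the five-column "principal - USER|GROUP - authority - object type - object name" layout of the listing slaney pasted, assumes the authority ordering F > D > E > V, and assumes the object-type codes TOP, RTS, SUB, BRK and EXE; the sample ACL is constructed (the SUB check, the direct USER entry and the "readers" group are illustrative additions). It models explicit entries only and does not attempt to model inheritance between objects.

```python
"""Audit a WBIMB 5 Configuration Manager ACL listing for least-privilege review.

Assumptions (not confirmed by the thread or IBM documentation):
  * listing layout: principal - USER|GROUP - authority - object type - object name
  * authority ranking: F (full) > D (deploy) > E (edit) > V (view)
  * object-type codes: TOP (topology), RTS (topic root), SUB (subscriptions),
    BRK (broker), EXE (execution group)
Only explicit entries are considered; no parent-to-child inheritance is modelled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the listing pasted in the thread. The
# DOMAIN\slane USER line and the "readers" GROUP line are added for illustration.
SAMPLE_ACL = """\
wmq-sprt - GROUP - F - EXE - BRK00001\\CASH
wmq-sprt - GROUP - F - EXE - BRK00001\\TRADES
wmq-sprt - GROUP - F - RTS -
wmq-sprt - GROUP - F - EXE - BRK00001\\GLOBAL
wmq-sprt - GROUP - F - BRK - BRK00001
wmq-sprt - GROUP - F - EXE - BRK00001\\STOCKUPDATES
wmq-sprt - GROUP - F - EXE - BRK00001\\REUTERS
wmq-sprt - GROUP - F - TOP -
DOMAIN\\slane - USER - F - BRK - BRK00001
readers - GROUP - V - TOP -
"""

AUTHORITY_RANK = {"V": 1, "E": 2, "D": 3, "F": 4}          # assumption, see docstring
ADMIN_OBJECT_TYPES = ("TOP", "RTS", "SUB", "BRK", "EXE")    # assumption, see docstring

# Principal may itself contain "\" (DOMAIN\user), so match it lazily up to " - ".
LINE_RE = re.compile(
    r"^\s*(?P<principal>.+?)\s+-\s+(?P<kind>USER|GROUP)\s+-\s+(?P<auth>[FDEV])"
    r"\s+-\s+(?P<otype>[A-Z]+)\s+-\s*(?P<oname>.*?)\s*$"
)


@dataclass(frozen=True)
class AclEntry:
    principal: str
    kind: str                 # "USER" or "GROUP"
    authority: str            # one of AUTHORITY_RANK
    obj_type: str             # e.g. "TOP", "EXE"
    obj_name: Optional[str]   # None for domain-wide objects such as TOP and RTS


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the listing into entries; rejects lines that do not fit the layout."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        entries.append(AclEntry(m["principal"], m["kind"], m["auth"],
                                m["otype"], m["oname"] or None))
    return entries


def authority_on(entries: List[AclEntry], principal: str, obj_type: str,
                 obj_name: Optional[str] = None) -> Optional[str]:
    """Highest explicit authority `principal` holds on the object (any name if obj_name is None)."""
    best = 0
    for e in entries:
        if e.principal == principal and e.obj_type == obj_type \
                and (obj_name is None or e.obj_name == obj_name):
            best = max(best, AUTHORITY_RANK[e.authority])
    return next((code for code, rank in AUTHORITY_RANK.items() if rank == best), None)


def missing_full_control(entries: List[AclEntry], principal: str,
                         object_types=ADMIN_OBJECT_TYPES) -> List[str]:
    """Object types on which `principal` has no explicit F entry at all."""
    return [t for t in object_types if authority_on(entries, principal, t) != "F"]


def direct_user_grants(entries: List[AclEntry]) -> List[AclEntry]:
    """Entries granted to a USER rather than a GROUP; these bypass group-based RBAC."""
    return [e for e in entries if e.kind == "USER"]


def full_control_on_roots(entries: List[AclEntry]) -> List[str]:
    """Principals with F on the topology or topic root, the broadest objects in the domain."""
    return sorted({e.principal for e in entries
                   if e.authority == "F" and e.obj_type in ("TOP", "RTS")})


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("wmq-sprt lacks F on:", missing_full_control(acl, "wmq-sprt"))
    print("direct user grants:", [(e.principal, e.obj_type, e.obj_name)
                                  for e in direct_user_grants(acl)])
    print("full control on roots:", full_control_on_roots(acl))
```

Run against the real listing by piping the Configuration Manager's ACL output into parse_acl; the report shows which administrative object types a group is still missing, which users were granted rights directly (the thing slaney tried and the thread treats as a step backwards from group-based RBAC), and who holds full control on the domain-wide root objects. It does not, and cannot, tell you which ACL entry "Cancel deployment" checks, which is the open question in the thread.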