| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| Channels - Administration authorization |
« View previous topic :: View next topic » |
| Author |
Message
|
| Carla Viragh |
 Posted: Thu May 19, 2005 11:45 am Post subject: Channels - Administration authorization |
 |
|
Voyager
Joined: 31 Oct 2003
Posts: 92
Location: São Paulo - Brasil
|
Hi!
There is a new "MQ administrator" here (but he is still learning MQ) and we need him to view queues and channels status but never modify them.
The question is:
We´ve tried to deny admin authorization and it is working like expected for queues, BUT NOT FOR CHANNELS.
I saw some posts that let us know about MCAUSER and permissions to applications connect/put/get messages and I understood why admin authority for channels is not necessary (that´s why there is nothing for channels on setmqaut), but I need something different:
Is there a way to protect channels definitions, so the new administrator can not change a conname but can see the channel status? (It´s like a read only access).
Hope I made myself clear 
Carla Viragh
_________________
Carla Viragh |
|
| Back to top |
|
 |
| jefflowrey |
| Posted: Thu May 19, 2005 11:47 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Probably not with runmqsc or anything that uses standard MQ authorities, no.
Some of the professional management packages should let you lock someone down this way.
But you're probably not running one of those... 
It may be possible to put in Malammik's "free" solution, and configure it in a browse only mode.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu May 19, 2005 4:39 pm Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Carla, are you familiar with the MO71 Support Pack?
Get it, and configure a SVRCONN channel on each of your QM's called MO71.VIEW.ONLY, or something like that.
On each MO71.VIEW.ONLY channel, hardcode the mcauser to MO71VIEW.
On each server, make a MO71VIEW group, and put an MO71VIEW user in there.
Then run the following commands on each QM:
| Code: |
• setmqaut –m YourQMName –t qmgr –g MO71VIEW +dsp +inq +connect
• setmqaut –m YourQMName –n *.** –t q –g MO71VIEW +dsp +inq +browse
• setmqaut –m YourQMName –n *.** –t nl –g MO71VIEW +dsp +inq
• setmqaut –m YourQMName –n *.** –t prcs –g MO71VIEW +dsp +inq
• setmqaut –m YourQMName –n SYSTEM.ADMIN.COMMAND.QUEUE –t q –g MO71VIEW +dsp +inq +put
• setmqaut –m YourQMName –n SYSTEM.DEFAULT.MODEL.QUEUE –t q –g MO71VIEW +allmqi +dsp
|
When your new guy uses MO71 to connect to the QM over the MO71.VIEW.ONLY channel, he can't hurt anything, not even channels. He can only look.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| Carla Viragh |
| Posted: Fri May 20, 2005 9:42 am Post subject: |
|
|
Voyager
Joined: 31 Oct 2003
Posts: 92
Location: São Paulo - Brasil
|
Thanks Peter, Jeff!
Yes, I have MQMON here but I didn´t know how to configure it to my needs...
I will try to create a SVRCONN and configure it as you said.
It seems to be a good way!
Thanks again.
_________________
Carla Viragh |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
