flwilliams87 |
Posted: Mon Jul 09, 2007 10:41 am Post subject: Does my default group have to be mqm If I'm an MQ admin? |
|
|
 Acolyte
Joined: 04 Feb 2003 Posts: 66 Location: Chicago, IL
|
I've always made my default group mqm as long as I've been doing MQ admin work. But recently a co-worker asked me why this is necessary and I could not come up with a concrete reason. Does anyone know if there are any for making mqm your default group? Let me know. Thanks _________________ IBM Certified WebSphere MQ Administrator |
jeevan |
Posted: Mon Jul 09, 2007 11:04 am Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
Hope this will help:
Security considerations
Are you installing WebSphere® MQ on a network where the domain controller is on a Windows® 2000 or Windows 2003 server? If so, you probably need to obtain a special domain account from your domain administrator. For further information, and the details that the domain administrator needs to set up this special account, refer to Configuring WebSphere MQ accounts.
You must have local administrator authority when you are installing. Define this authority through the Windows facilities.
Your user ID must belong to the local mqm or Administrators group in order to administer any queue manager on that system, or to run any of the WebSphere MQ control commands. If the local mqm group does not already exist on the local computer, it is created automatically when WebSphere MQ is installed. The user ID can either belong to the local mqm group directly, or belong indirectly through the inclusion of global groups in the local mqm group.
If you intend to administer queue managers on a remote system, your user ID must be authorized on the target system. The information on protecting WebSphere MQ resources in the WebSphere MQ System Administration Guide includes more information on this topic.
A user account that is used to run the IBM® WebSphere MQ Services COM server is set up by default during the installation process, typically with the user ID MUSR_MQADMIN. This account is reserved for use by WebSphere MQ. Refer to Configuring WebSphere MQ accounts.
When an MQ client connects to a queue manager on the server, the username under which the client runs must not be the same as the domain or machine name. If the user has the same name as the domain or machine, the connection fails with return code 2035 (MQRC_NOT_AUTHORIZED).
For further information about WebSphere MQ user IDs on Windows systems and the WebSphere MQ Object Authority Manager (OAM), see the WebSphere MQ System Administration Guide.
For further information, visit the following link:
Parent topic: Installing the WebSphere MQ Server
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp |
flwilliams87 |
Posted: Tue Jul 10, 2007 7:25 am Post subject: OK.... |
|
|
 Acolyte
Joined: 04 Feb 2003 Posts: 66 Location: Chicago, IL
|
So to make a long story short it is not absolutely necessary to have mqm be your default group to perform MQ Admin responsibilities. And I am strictly talking about open systems here LINUX, AIX, and zLinux. Thanks |
RogerLacroix |
Posted: Tue Jul 10, 2007 8:49 am Post subject: Re: OK.... |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
flwilliams87 wrote: |
So to make a long story short it is not absolutely necessary to have mqm be your default group to perform MQ Admin responsibilities. And I am strictly talking about open systems here LINUX, AIX, and zLinux. Thanks |
I wouldn't. There are many features including OAM that do reverse lookups of the Admin user's group to do functions on Unix and Linux. There are a couple of things that I have noticed over the years but they slip my mind right now. (OAM and directory permissions ring a bell)
You can go through great hoops to set up security (via setmqaut) for a user to be an MQAdmin but I have to ask why? If they are truly an MQAdmin, then the simplest and easiest solution is to put their UserId in the mqm group.
Anyway, that's my 2 cents.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
flwilliams87 |
Posted: Tue Jul 10, 2007 9:31 am Post subject: Thanks Roger |
|
|
 Acolyte
Joined: 04 Feb 2003 Posts: 66 Location: Chicago, IL
|
Thanks Roger, that is just the information I was looking for... _________________ IBM Certified WebSphere MQ Administrator |
flwilliams87 |
Posted: Tue Jul 10, 2007 9:37 am Post subject: And I agree with you... |
|
|
 Acolyte
Joined: 04 Feb 2003 Posts: 66 Location: Chicago, IL
|
Roger, I also agree with you that anyone doing MQ admin work should have their default group set to mqm. But since the WAS team has taken over the responsibilities of MQ Admin, they have been resistant to change their default group to mqm without a concrete reason and I couldn't think of one that they wouldn't shoot down. Again Thanks _________________ IBM Certified WebSphere MQ Administrator |
RogerLacroix |
Posted: Tue Jul 10, 2007 9:49 am Post subject: Re: And I agree with you... |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
flwilliams87 wrote: |
Roger, I also agree with you that anyone doing MQ admin work should have their default group set to mqm. But since the WAS team has taken over the responsibilities of MQ Admin, they have been resistant to change their default group to mqm without a concrete reason and I couldn't think of one that they wouldn't shoot down. Again Thanks |
Ahhh. Invasion of the WAS team. You'll need to hire more MQ Admins to fight them off. I would suggest Raid but they may counter with RAD. Also, watch out for their BI because they may BS you about their MB.
If all else fails you could counter with 3 letters: BEA. That might keep them at bay.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
fjb_saper |
Posted: Tue Jul 10, 2007 2:50 pm Post subject: Re: And I agree with you... |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
flwilliams87 wrote: |
Roger, I also agree with you that anyone doing MQ admin work should have their default group set to mqm. But since the WAS team has taken over the responsibilities of MQ Admin, they have been resistant to change their default group to mqm without a concrete reason and I couldn't think of one that they wouldn't shoot down. Again Thanks |
Easiest reason in the book:
When you create a file the permissions are set according to your umask and the group is set according to your primary group.
There is an advantage as an MQ admin to have mqm as your primary group. You don't have to consistently chgrp mqm the files you happen to create...
Omissions can be costly...
Enjoy  _________________ MQ & Broker admin |
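
The point in the post above (a new file takes the creator's primary group and umask) can be checked after the fact. The following is an added example, not part of the thread or of any IBM tooling: the function names are hypothetical, and the sample tree uses the caller's own primary group as a stand-in for mqm so it runs without an mqm group; on a real system, pass the MQ data directory and the numeric GID of mqm.

```shell
#!/bin/sh
# Added example, not from the thread. Flags what a forgotten chgrp or a tight
# umask leaves behind in a directory shared by an admin group such as mqm.

# audit_group_ownership DIR GID
#   GROUP <path>  entry whose group is not GID (creator's primary group differed)
#   MODE <path>   regular file in GID whose group bits lack read+write (umask)
audit_group_ownership() {
    find "$1" ! -gid "$2" -print | sed 's/^/GROUP /'
    # -perm -060 means "group read and group write are both set"
    find "$1" -type f -gid "$2" ! -perm -060 -print | sed 's/^/MODE /'
}

# Constructed sample tree: one file created under umask 007 (group can
# read/write) and one under umask 077 (group locked out). Prints the tree path.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    ( umask 007; : > "$tree/shared.log" )
    ( umask 077; : > "$tree/private.log" )
    # Pin the group to the caller's primary group so the result does not
    # depend on setgid directories or BSD-style group inheritance.
    chgrp -R "$(id -g)" "$tree"
    printf '%s\n' "$tree"
}

sample=$(make_sample_tree)
echo "Findings when the expected group is the caller's primary group:"
audit_group_ownership "$sample" "$(id -g)"
rm -rf "$sample"
```

A GROUP finding is the missed `chgrp mqm` the post warns about; a MODE finding is a file that has the right group but was created under a umask that gives the group no access.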
flwilliams87 |
Posted: Wed Jul 11, 2007 6:22 am Post subject: Great |
|
|
 Acolyte
Joined: 04 Feb 2003 Posts: 66 Location: Chicago, IL
|
Thanks. Now I can take this information to initiate the necessary changes in our group. PEACE _________________ IBM Certified WebSphere MQ Administrator |