  MQSeries.net
iSeries Platform: Triggered jobs run under which user query
jd00h
Posted: Mon Feb 09, 2009 3:11 pm
Hi,

I've been tightening up security of our iSeries (or AS/400/System i) MQ environments lately and I have come across a weird situation that has me stumped.

I have a triggered queue with the following process definition defined:

Queue manager name . . . . . . : MQCM01
Process name . . . . . . . . . : TSM.PROCESS.CLIENTACCT.UPDATE.START
Text 'description' . . . . . . : TSM: Trigger client account update
Application type . . . . . . . : *OS400
Application identifier . . . . : *LIBL/CA203401
Environment data . . . . . . . : JOB(CA203401) JOBD(*LIBL/CAPRD) INLLIBL (*JOBD) JOBQ(ESINGLE) JOBPTY(7)

The *JOBD specified in the environment data (CAPRD) has a user called CAUSR associated with it and this user is also a member of a group called PRDDTA.

Now, if I assign *GET authority to the PRDDTA group, everything works just fine - the trigger message gets created, the program is called, and it gets the message from the queue and processes it. However, if I remove the *GET authority for PRDDTA, I receive a 2035 authorisation error when attempting to open the queue for input. User QMQMADM has all rights to the queue in question.

The weird thing is that the SBMJOB command is not overriding the user as one can see from the environment data. By all rights the job submitted by the trigger monitor should be running with the QMQM profile as *CURRENT is the default value for the USER parameter on the SBMJOB command. When I check the job, it definitely is running with user QMQM but for some reason if the PRDDTA profile is not given *GET authority the 2035 error is received.

I have checked the application code and it is not using alternate user identities/authority.

I have also checked that the command defaults for the SBMJOB command have not been changed for the USER parameter to something like *JOBD (if this were the case, then everything would make sense).

I have been cracking my head on this for the better part of today/tonight now and it's driving me batty.

If anyone out there has any ideas as to what is going on here I'd really appreciate it.

Thanks,
John Dell'Oso