ivanachukapawn
Posted: Wed Mar 10, 2010 10:51 am  Post subject: generic SETMQAUT for everyone not MQM group
Knight, Joined: 27 Oct 2003, Posts: 561
I want to set up a generic setmqaut which will prevent everyone NOT in the mqm group from performing MQ admin.
My wish is for a command such as:
setmqaut -m QmgrName -g NOTmqm -alladm
but there doesn't appear to be a way to specify "everyone not in mqm".
I am not able to specify individual principals (volatile list) and these people (developers) are domain users and not part of a group.
exerk
Posted: Wed Mar 10, 2010 12:26 pm  Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Assuming Windows (as you mention 'domain'), anyone with Administrator rights on the server has implicit mqm group privileges, and if your developers' userids are not given explicit authorisations, they can't do anything anyway. So what's the issue?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ivanachukapawn
Posted: Wed Mar 10, 2010 2:00 pm  Post subject:
Knight, Joined: 27 Oct 2003, Posts: 561
The problem was described to me by the manager as follows: the developers do not have administrator rights on the Win 2003 server but nevertheless can delete queues and channels etc. via access to the Qmgr via JExplorer - so I guess I should research this one from that angle, i.e. how could JExplorer expose a "backdoor" to MQ admin for users who do not have administrator rights?
exerk
Posted: Wed Mar 10, 2010 2:14 pm  Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Find the channel they're using (did someone define a SYSTEM.ADMIN.SVRCONN by any chance?) and lock it, or block it! Slap BlockIP2 on the box and explicitly block them...and lack of security in Java connections to WMQ is a well-known issue.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ivanachukapawn
Posted: Wed Mar 10, 2010 3:02 pm  Post subject:
Knight, Joined: 27 Oct 2003, Posts: 561
I am not permitted to block the SVRCONN being used by JExplorer. The developers need to be able to view/browse the queues, etc. That's why I posed the original post re: SETMQAUT to block access for NON-administrators to admin commands - apparently the developers could get by with just MQI - but SETMQAUT does not appear to have a setting for -g 'NON'-administrator.
PeterPotkay
Posted: Wed Mar 10, 2010 5:51 pm  Post subject:
Poobah, Joined: 15 May 2001, Posts: 7722
Tag the channel with an ID in the MCAUSER field.
Grant that ID the minimum access it needs to only allow non admin stuff. Search this site for what setmqaut commands are needed for a non admin MQ Explorer connection.
Start thinking about getting off JExplorer. When was the last time that was updated? It won't work forever as new MQ versions come out.
If you don't want the developers doing admin type stuff, they shouldn't have an admin type tool to begin with.
_________________
Peter Potkay
Keep Calm and MQ On
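PeterPotkay's approach above (stamp the channel with an MCAUSER, then grant that id only what browsing needs), written up as an added shell example that is not from this thread or from IBM. The queue manager name, the id mqread, the channel name and the exact authority set are assumptions; MQ_DRY_RUN=1 prints the commands for review instead of running them.

```shell
#!/bin/sh
# Added example: lock a SVRCONN to a low-privilege MCAUSER and grant that
# id browse/display rights only. Assumes the OS user (e.g. mqread) already
# exists and is NOT in the mqm group. MQ_DRY_RUN=1 prints instead of runs.

run_cmd() {
    # Print the command line in dry-run mode, otherwise execute it.
    if [ "${MQ_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

set_mcauser() {
    # Whatever identity the client presents (including the blank one
    # MQJExplorer sends), the queue manager now authorises it as $2.
    qm=$1; user=$2; chl=${3:-SYSTEM.ADMIN.SVRCONN}
    mqsc="ALTER CHANNEL('$chl') CHLTYPE(SVRCONN) MCAUSER('$user')"
    if [ "${MQ_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$mqsc"
    else
        printf '%s\n' "$mqsc" | runmqsc "$qm"
    fi
}

grant_browse_only() {
    # Minimal set (an assumption; extend for your tool's needs): connect and
    # inquire on the qmgr, browse/display on queues, display on channels.
    # No +crt/+chg/+dlt/+clr, so nothing can be defined, altered or deleted.
    qm=$1; user=$2
    run_cmd setmqaut -m "$qm" -t qmgr -p "$user" +connect +inq +dsp
    run_cmd setmqaut -m "$qm" -n '**' -t queue -p "$user" +browse +inq +dsp
    run_cmd setmqaut -m "$qm" -n '**' -t channel -p "$user" +dsp
    # PCF display requests go via the command queue, so allow put there;
    # the command server still checks the object authorities above, so
    # alter/delete requests sent through it fail.
    run_cmd setmqaut -m "$qm" -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue \
        -p "$user" +put +inq +dsp
}

lock_down_svrconn() {
    set_mcauser "$1" "$2"
    grant_browse_only "$1" "$2"
}

# Usage: MQ_DRY_RUN=1 ./lockdown.sh QM1 mqread  (review), then run for real.
if [ "$#" -ge 2 ]; then lock_down_svrconn "$1" "$2"; fi
```

Check the result afterwards with dspmqaut -m QM1 -t qmgr -p mqread: +crt must be absent, otherwise the id can still define objects.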
zpat
Posted: Wed Mar 10, 2010 11:27 pm  Post subject:
Jedi Council, Joined: 19 May 2001, Posts: 5866, Location: UK
Use BlockIP2 to stop blank and MQM id connections, except from known users or known IP addresses.
RogerLacroix
Posted: Mon Mar 15, 2010 3:42 pm  Post subject:
Jedi Knight, Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada
ivanachukapawn wrote:
    I am not permitted to block the SVRCONN being used by JExplorer. The developers need to be able to view/browse the queues, etc.
First off, MQJExplorer does not send a UserID when it connects to the queue manager (it is blank) - which is a security hole. Plus it can only connect to the SYSTEM.ADMIN.SVRCONN channel (hard-coded in the app). Finally, MQJExplorer was withdrawn from the market at least 5 years ago.
Why not just give the developers a tool that can only do message editing? (i.e. MQ Visual Edit)
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!