Mangesh1187 |
Posted: Sun Apr 07, 2013 10:03 am Post subject: Diff between group & principle authentication |
|
|
Centurion
Joined: 23 Mar 2013 Posts: 116
|
Can any body explain me between giving authentication to the group and to the principle?
In fact I am not clear about the dufferance between group and principle.
Please help me to understand this concept..!  |
Vitor |
Posted: Sun Apr 07, 2013 10:29 am Post subject: Re: Diff between group & principle authentication |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Mangesh1187 wrote: |
Can any body explain me between giving authentication to the group and to the principle? |
WMQ does not do authentication for anyone or to anyone.
On Windows you can give authorization to a principle or to a group.
Mangesh1187 wrote: |
In fact I am not clear about the dufferance between group and principle. |
The dufferance is that a group is more than one individual.
Think about it. _________________ Honesty is the best policy.
Insanity is the best defence. |
exerk |
Posted: Sun Apr 07, 2013 10:41 am Post subject: Re: Diff between group & principle authentication |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Vitor wrote: |
The dufferance is that a group is more than one individual.
Think about it. |
And also think about the unintended consequences that can occur by giving a principle an authorisation as opposed to a group - you may not always be on Windows. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
zpat |
Posted: Sun Apr 07, 2013 11:37 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Do principals have principles? |
bruce2359 |
Posted: Sun Apr 07, 2013 11:54 am Post subject: Re: Diff between group & principle authentication |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Mangesh1187 wrote: |
Can any body explain me between giving authentication to the group and to the principle?
In fact I am not clear about the difference between group and principle.
Please help me to understand this concept..!  |
The best-practice for security has us grant (or deny) privilege to groups. These groups are usually created along organizational lines (organization chart job titles), such as payroll clerks, payroll managers, VP of finance.
Once the organization determines who gets which job title, that individual is added (connected) to the appropriate group.
For a large organization, this dramatically reduces the effort to create effective security. The organization I came from has 2,500 employees. I can't imagine the effort required to create 2,500 individual (principal) rules.
Does this help? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
exerk |
Posted: Sun Apr 07, 2013 1:13 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
zpat wrote: |
Do principals have principles? |
It's a fair cop guvnor... _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
gbaddeley |
Posted: Sun Apr 07, 2013 3:35 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
zpat wrote: |
Do principals have principles? |
...I think the OP meant principals.
Principal = OS Userid
Group = OS Group
WMQ OAM on Windows & z/OS allows principals to be granted specific authorities. WMQ OAM on UNIX is very different: OAM grants the authority to the principal's primary group.
The general recommendation is to avoid using principals. _________________ Glenn |
bruce2359 |
Posted: Sun Apr 07, 2013 4:18 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
IBM's RACF is the Security Server software on z/OS. Permissions may be granted to both users and groups. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
prash.powar |
Posted: Mon Apr 15, 2013 11:26 pm Post subject: difference between principle and group |
|
|
Newbie
Joined: 04 Apr 2013 Posts: 1
|
An individual user id (created as an application user id or personal user id) is a principle, whereas an OS user group is called a group in general.
Best practice is to provide authorities to a group. User ids under a group inherit all the permissions provided to the parent group.
The advantage here is that the next time you want to give the same permissions to a new user, you can just add that user to that group and it will inherit those permissions.
You will have to refresh auth security whenever you add a new user id to an existing group.
Hope this helps. |
PeterPotkay |
Posted: Tue Apr 16, 2013 4:49 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Check out section 4.11.2 in the "Secure Messaging Scenarios with WebSphere MQ" Redbook.
http://www.redbooks.ibm.com/redbooks/pdfs/sg248069.pdf
It talks about principals versus groups and offers what can be considered an official best practice. _________________ Peter Potkay
Keep Calm and MQ On |
umatharani |
Posted: Tue Apr 16, 2013 7:26 pm Post subject: |
|
|
Apprentice
Joined: 23 Oct 2008 Posts: 39
|
WebSphere MQ authorization works based on groups. If an authority is set to a specific user(principle), then the authority is granted to the primary group of the given user. However when authenticating a specific user, WMQ also considers secondary groups of the given user. |
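A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not part of any post and is not IBM MQ code. It shows who ends up authorized when the same principal grant is made under the UNIX rule (grant lands on the primary group) and the Windows rule (grant stays on the principal); the user, group and queue names are constructed.

```python
# Simplified model of the OAM behaviour described in this thread; not IBM MQ code.
# Users, groups and the queue name are constructed sample data.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    primary: str
    secondary: frozenset = frozenset()

USERS = {
    "payapp": User("staff"),
    "alice": User("staff", frozenset({"payclerk"})),
    "bob": User("staff"),
    "carol": User("ops", frozenset({"payclerk"})),
}

@dataclass
class Oam:
    platform: str  # "unix" or "windows"
    acl: dict = field(default_factory=dict)  # (kind, entity, obj) -> authorities

    def grant(self, obj, auths, principal=None, group=None):
        """Record a grant and return the entity that actually received it."""
        if principal and self.platform == "unix":
            # Per the thread: on UNIX a principal grant lands on the primary group.
            kind, entity = "group", USERS[principal].primary
        elif principal:
            kind, entity = "principal", principal
        else:
            kind, entity = "group", group
        self.acl.setdefault((kind, entity, obj), set()).update(auths)
        return kind, entity

    def who_can(self, obj, auth):
        """Users holding auth directly or via primary/secondary groups."""
        allowed = []
        for name, user in USERS.items():
            keys = [("principal", name, obj)]
            keys += [("group", g, obj) for g in {user.primary} | user.secondary]
            if any(auth in self.acl.get(k, ()) for k in keys):
                allowed.append(name)
        return sorted(allowed)

def demo(platform, auth, **target):
    oam = Oam(platform)
    return oam.grant("PAYROLL.IN", {auth}, **target), oam.who_can("PAYROLL.IN", auth)

if __name__ == "__main__":
    for p in ("unix", "windows"):
        print(p, demo(p, "put", principal="payapp"))
```

Under the UNIX rule the grant intended for `payapp` alone also authorizes every other member of `staff`, which is the unintended consequence raised earlier in the thread; a grant to a dedicated group behaves the same on both platforms.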
fjb_saper |
Posted: Tue Apr 16, 2013 7:36 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
The biggest error is in the Title. WMQ does not authenticate. It authorizes the user presented. The OS authenticates the user, or not (java).
Code: |
Authentication
  Action of verifying the identity of a principal / user
Authorization
  Action of allocating permissions to a principal / user |
 _________________ MQ & Broker admin |
gbaddeley |
Posted: Tue Apr 16, 2013 11:13 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
umatharani wrote: |
WebSphere MQ authorization works based on groups. If an authority is set to a specific user(principle), then the authority is granted to the primary group of the given user. |
Not on all platforms!
Grrr. The correct term is principal, not principle. When will people learn?
Quote: |
However when authenticating a specific user, WMQ also considers secondary groups of the given user. |
When does WMQ authenticate a user? (trick question) _________________ Glenn |
exerk |
Posted: Wed Apr 17, 2013 12:03 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
gbaddeley wrote: |
umatharani wrote: |
WebSphere MQ authorization works based on groups. If an authority is set to a specific user(principle), then the authority is granted to the primary group of the given user. |
Not on all platforms!
Grrr. The correct term is principal, not principle. When will people learn?  |
Sorry, my fault due to an earlier post and spell auto-complete...  _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |