NMurn_5 (Newbie; Joined: 11 Aug 2006; Posts: 7)
Posted: Wed Sep 13, 2006 10:40 am
Post subject: Blocking users using 3rd party software.

A while back I had an issue with a developer using a 3rd party application to access and in the end accidentally deleting some queues because he didn't think that the changes made with the application would make any changes on our server or mainframe.
My question is, is it possible to block certain users from accessing and making changes to our queues, queue managers, etc.? If so, will this prevent them from using 3rd party tools to access?
 |
vennela (Jedi Knight; Joined: 11 Aug 2002; Posts: 4055; Location: Hyderabad, India)
Posted: Wed Sep 13, 2006 10:44 am

You should be able to do that as long as you set the right permissions.
 |
NMurn_5 (Newbie; Joined: 11 Aug 2006; Posts: 7)
Posted: Wed Sep 13, 2006 11:05 am

I was reading up on OAM and I had kind of a side question (probably a noob question). If I set the permissions to a queue manager, the queues, channels, etc. that the queue manager manages will obtain the same permissions as well, correct?
 |
vennela (Jedi Knight; Joined: 11 Aug 2002; Posts: 4055; Location: Hyderabad, India)
Posted: Wed Sep 13, 2006 11:15 am

You can set permissions to users/groups for QMGR also.
 |
jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Wed Sep 13, 2006 11:17 am

Generally, you have to set specific permissions for each object specifically.
You can set permissions for a set of objects by using wildcards in the object name, but permissions that are granted to the queue manager do not propagate down to queues and channels and etc.
_________________
I am *not* the model of the modern major general.
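The per-object grants described in the post above, sketched with the `setmqaut` and `dmpmqaut` control commands. This is an added example, not part of the thread; the queue manager `QM1`, the group `mqdev` and the generic profile `DEV.**` are constructed names, and the helper functions `mq` and `grant_readonly` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). QM1, mqdev and DEV.** are constructed
# names. Commands are printed unless MQ_RUN=1 is set on a host with WebSphere
# MQ installed, where they must be run by a member of the mqm group.

mq() {
    if [ "${MQ_RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# grant_readonly QMGR GROUP QUEUE_PROFILE
grant_readonly() {
    qmgr=$1; grp=$2; profile=$3
    if [ -z "$qmgr" ] || [ -z "$grp" ] || [ -z "$profile" ]; then
        echo "usage: grant_readonly QMGR GROUP QUEUE_PROFILE" >&2
        return 2
    fi
    # Members of mqm are MQ administrators with full authority, so a
    # read-only grant to that group would be meaningless.
    if [ "$grp" = "mqm" ]; then
        echo "refusing: mqm members are administrators" >&2
        return 1
    fi
    # Queue manager object: connect and inquire only. This grants nothing
    # on queues, because authority on the qmgr does not propagate down.
    mq setmqaut -m "$qmgr" -t qmgr -g "$grp" +connect +inq || return 1
    # Queues need their own grant; one generic profile covers a set of names.
    # No +put, +get, +chg, +dlt or +clr: the group can look but not change.
    mq setmqaut -m "$qmgr" -n "$profile" -t queue -g "$grp" +browse +inq || return 1
    # Dump the resulting profiles for review.
    mq dmpmqaut -m "$qmgr" -t qmgr -g "$grp" || return 1
    mq dmpmqaut -m "$qmgr" -n "$profile" -t queue -g "$grp"
}

# Quote the profile so the shell does not expand the wildcard.
grant_readonly QM1 mqdev 'DEV.**'
```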
 |
NMurn_5 (Newbie; Joined: 11 Aug 2006; Posts: 7)
Posted: Wed Sep 13, 2006 11:23 am

Ok, thank you for the quick responses. I would assume that OAM would be the easiest/best way to accomplish this?
 |
jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Wed Sep 13, 2006 11:27 am

Actually, the easiest/best way to ensure the security of a queue manager is to put it behind a firewall and only allow specific, known users to connect through that firewall.
The next best way is to put SSL on all your channels, and then use OAM to limit what users can do once they have established a connection.
_________________
I am *not* the model of the modern major general.
 |
NMurn_5 (Newbie; Joined: 11 Aug 2006; Posts: 7)
Posted: Thu Sep 14, 2006 4:42 am

I'm still a little confused on how this would work. My server is running AIX 5.3, and I'm still a little confused about this. I've created all of the file structures, groups, and user ids that were required upon the initial install. If I use OAM to change the permissions on my queue managers, queues, etc., won't that only affect the users/groups I've created in smitty? How will this stop someone (like our developers did) from using a Windows GUI to view and ultimately edit our queues? Any insight is appreciated. Thank you in advance.
 |
jefflowrey (Grand Poobah; Joined: 16 Oct 2002; Posts: 19981)
Posted: Thu Sep 14, 2006 5:21 am

If the firewall blocks all the Windows machines from accessing your AIX box, the developers can't do anything.
If all of your server connection channels require SSL, and the developers don't have any certificates, or all of the certificates they have only work on channels that have an MCA user that is not able to administer the queue manager..
_________________
I am *not* the model of the modern major general.