nryoung415 |
Posted: Mon Oct 08, 2007 2:02 pm Post subject: specific versus generic OAM authority records |
|
|
Newbie
Joined: 08 Oct 2007 Posts: 4
|
MQ level is 6.0.1, platform is Linux on zSeries.
I notice that every time a new queue is created, there are two specific OAM authority records created, one with group 'mqm' and one with group 'users'. I would like to use generic authority records rather than specific, but the sys admin book says specific records win over generic because they're a better match.
Does that mean that, after I create the generic records I want, I have to do setmqaut (or use MQ Explorer) for every specific record and remove access, like allmqi? |
|
fjb_saper |
Posted: Mon Oct 08, 2007 2:28 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
No, it means you have the queues created by a user in the mqm group that has mqm as its primary group.
You can then use setmqaut to authorize other groups....
Enjoy
_________________
MQ & Broker admin |
|
nryoung415 |
Posted: Tue Oct 09, 2007 6:40 am Post subject: |
|
|
Newbie
Joined: 08 Oct 2007 Posts: 4
|
That is not my experience from testing, unless 'primary' group means something different than 'default' group in Linux.
Case 1: My default group is 'audio', and I'm a member of 'users'. I define a qlocal. OAM records are created for 'mqm' and 'users'.
Case 2: My default group is 'audio', I'm NOT a member of 'users'. I define another qlocal. OAM records are created for 'mqm' and 'users'. |
|
nryoung415 |
Posted: Tue Oct 09, 2007 8:29 am Post subject: |
|
|
Newbie
Joined: 08 Oct 2007 Posts: 4
|
I talked to a consultant, and he said these two OAM records are automatically created when a queue is created.
What I have done is create a new Linux group and a generic OAM record for that group. Then I don't have to worry about all the OAM records for the group 'users'. I guess that's probably what most people do, but I'm new to MQ security...
OAM seems to work somewhat like RACF, and I'm pretty familiar with RACF. |
|
jsware |
Posted: Tue Oct 09, 2007 8:38 am Post subject: |
|
|
 Chevalier
Joined: 17 May 2001 Posts: 455
|
nryoung415 wrote: |
That is not my experience from testing, unless 'primary' group means something different than 'default' group in Linux.
Case 1: My default group is 'audio', and I'm a member of 'users'. I define a qlocal. OAM records are created for 'mqm' and 'users'.
Case 2: My default group is 'audio', I'm NOT a member of 'users'. I define another qlocal. OAM records are created for 'mqm' and 'users'. |
Are you also a member of the mqm group?
What authority is given to the group 'users'?
_________________
Regards
John
The pain of low quality far outlasts the joy of low price. |
|
fjb_saper |
Posted: Tue Oct 09, 2007 3:00 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
nryoung415 wrote: |
That is not my experience from testing, unless 'primary' group means something different than 'default' group in Linux.
Case 1: My default group is 'audio', and I'm a member of 'users'. I define a qlocal. OAM records are created for 'mqm' and 'users'.
Case 2: My default group is 'audio', I'm NOT a member of 'users'. I define another qlocal. OAM records are created for 'mqm' and 'users'. |
Did you do a refresh security or restart the qmgr between case 1 and 2? When changing group membership for a user you might have to use refresh security as some of the OS user information gets cached...
Enjoy
_________________
MQ & Broker admin |
|
nryoung415 |
Posted: Thu Oct 11, 2007 7:17 am Post subject: |
|
|
Newbie
Joined: 08 Oct 2007 Posts: 4
|
Mystery solved. I had changed my default group, but I didn't log out and log in again. When I did that, then created a new queue, it created two specific OAM records: one with group 'mqm' and one with my (new) default group.
Thanks for your help. |
|