| Author |
Message
|
| craig0 |
 Posted: Thu Dec 20, 2007 7:58 am Post subject: Restricting access to commands within MQSC |
 |
|
Novice
Joined: 11 Jun 2007
Posts: 17
|
I would like to restrict access for a particular set of users so that they can only do the following within the MQSC command interpreter
1 stop and start channels
2 display channel and queue attributes
3 reset channel sequence numbers
How can I accompolish this?
Thanks,
Craig |
|
| Back to top |
|
 |
| Gaya3 |
| Posted: Thu Dec 20, 2007 8:05 am Post subject: |
|
|
Jedi
Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US
|
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Dec 20, 2007 8:53 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
|
| Back to top |
|
|
| craig0 |
| Posted: Thu Dec 20, 2007 10:48 am Post subject: |
|
|
Novice
Joined: 11 Jun 2007
Posts: 17
|
Unfortunately that wrapper utility is not available for the HP Nonstop platform 
|
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Dec 20, 2007 10:58 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| craig0 wrote: |
| Unfortunately that wrapper utility is not available for the HP Nonstop platform |
Well. Contact the author... 
Or consider using a properly secured and scoped MQ Explorer connection, and ms0s.
That is, assuming that HP Nonstop has a command server? I confess that I haven't personally done any testing against that platform.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| craig0 |
| Posted: Thu Dec 20, 2007 12:51 pm Post subject: |
|
|
Novice
Joined: 11 Jun 2007
Posts: 17
|
So just to confirm then there is no facility to restrict access within MQSC?
if a user has the ability to run MQSC then they have full access to administer queues, channels etc???
I am not familiar with MQ explorer, but will look into it.
Thanks,
Craig |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Dec 20, 2007 1:24 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Runmqsc bypasses the security checking provisions, as far as I understand it. If you can run the command, you can do anything.
Using PCF messages instead, ala MQ Explorer, uses the Command Server, which does check the user id on the messages being sent.
Again, I don't know about HP Nonstop. Maybe one of the regulars who does will kindly correct where I'm wrong.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| craig0 |
| Posted: Thu Dec 20, 2007 2:44 pm Post subject: |
|
|
Novice
Joined: 11 Jun 2007
Posts: 17
|
Thanks very much.
The Nonstop does run a command server under Pathway so maybe this will work with the MQ Explorer. I'll look into it. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Dec 21, 2007 5:31 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
You can also have the users use MO71 / MO72(mqsc) and specify the user on the channel's mcauser so that the access is restricted to what you will allow. Again this makes use of a client connection and the command server.
MO71's security features will allow you to restrict access to connection configuration. You can then use a wrapper for MO72 (-g -m) and have the users use that
Enjoy 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
