| Author |
Message
|
| anveshita |
 Posted: Fri Nov 14, 2008 7:10 am Post subject: MQ Security authorizations |
 |
|
Master
Joined: 27 Sep 2004
Posts: 254
Location: Jambudweepam
|
Hello:
Can you help me with the following:
I have to request security access for MQ. Since I am not an admin, my knowledge in this is so... so...
In Development environment I could ask for mqm access that would allow me to do all admin tasks ( like create/delete/browse/start/stop) tasks.
In production I would like to have the same abilities. But its a wish very hard to sell. So what do I need to have to do the following:
1.ability to use runmqsc
2. Start/stop/channels/QM
Can I ask for an ID that would allow to perform on the QM which our application own. Please let me know. |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Fri Nov 14, 2008 7:39 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
To start / stop channels there is some authorizations that are available see setmqaut documentation.
To start / stop a qmgr you must be part of the mqm group.
You'd be better off to have access to the command server to run mqsc commands in pcf format (finer grained authorisations) than to ask for runmqsc because that requires you to be part of the MQ admin group.
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| anveshita |
| Posted: Fri Nov 14, 2008 7:47 am Post subject: |
|
|
Master
Joined: 27 Sep 2004
Posts: 254
Location: Jambudweepam
|
| Quote: |
| You'd be better off to have access to the command server to run mqsc commands in pcf format (finer grained authorisations) than to ask for runmqsc because that requires you to be part of the MQ admin group. |
Thanks. What authorization do I need to have to have access to the command server? Please let me know |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Fri Nov 14, 2008 8:09 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Quote: |
In Development environment I could ask for mqm access that would allow me to do all admin tasks ( like ceate/delete/browse/start/stop) tasks.
In production I would like to have the same abilities. But its a wish very hard to sell. |
This has been discussed here many times. These accesses are administrative. If you are an application developer, you do not need this level of access; although you might want it.
I would have little concern with you having an MQ instance on your pc so that you could do these things in order to enhance your overall MQ skills and understanding - R&D.
But, in order to ensure that applications percolate from TEST to QA to PROD, with little chance for errors, I would only grant application-related (MQI) auth to applications and application users - based on application reuirements.
Sysadmins should maintain responsibility for admin activities. Object definitions percolate along with application programs. I would not want application programmers creating or altering object definitions in TEST or QA or PROD.
This is one of those best-prectice thingies.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| anveshita |
| Posted: Fri Nov 14, 2008 8:24 am Post subject: |
|
|
Master
Joined: 27 Sep 2004
Posts: 254
Location: Jambudweepam
|
Bruce2359:
Thanks. I understand what you are saying.
In the current set up our organization, some times the application folks have to do certain admin tasks. While agreeing that sysadmins need to be responsible for the admin tasks, I need to be having access to do to perform the tasks asked frequently of me. Again it needs to go through the same approval channels and may not even be granted. I just wanted to find out what is just for me. |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Nov 14, 2008 9:00 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
If the things that you are required to do are repetitive, have them scripted and run by the Sys Admins (under the appropriate userid) and have them pipe out the output to a location where you can get to it.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
|
|
