WebSphere MQ Support

Alternate user authority
edub1 (Apprentice; joined 01 Apr 2008; 28 posts)
Posted: Thu Jun 18, 2009 7:58 am    Post subject: Alternate user authority
All,

I'm having trouble understanding, based on what I've read in the Security and Application Programming Guide manuals, what abilities an application has if it is allowed to pass an alternate user ID. In the end, I'm trying to get a better understanding of whether I should allow this if an application team requests to be able to pass another user ID.

Will giving this access allow an application to set its user ID as mqm?

Will the connecting application assume all permissions set for that user, including any administrative authorities?

For a simple example, if the connecting user can only browse at the object level and has authority to pass an alternate user ID, but passes a user with permissions to, let's say, change queue attributes, would they be able to change the object's attributes as if they were this higher user?

As you may be able to tell, I'm trying to avoid allowing someone with a bit of knowledge to do something they should not be doing.
Vitor (Grand High Poobah; joined 11 Nov 2005; 26093 posts; Texas, USA)
Posted: Thu Jun 18, 2009 8:03 am
First question - why does the application need to use multiple IDs? What's the requirement? If it's because they don't want to use the logged-on user ID, then don't permit them to switch user ID; set MCAUser on a channel and give them that.
_________________
Honesty is the best policy.
Insanity is the best defence.
edub1 (Apprentice; joined 01 Apr 2008; 28 posts)
Posted: Thu Jun 18, 2009 8:23 am
Honestly, no one has come to me asking for this; however, I've come across some things that were set up prior to my time. I'm in the process of prioritizing some of this clean-up and securing, so understanding what capabilities allowing users to pass alternate user IDs gives would be helpful in building my case for why I've prioritized certain things the way I have.

Does this help?
PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Thu Jun 18, 2009 8:56 am
+altusr means you can choose what ID you want to impersonate as you open queues and put/get messages. You can pretend to be mqm.

Basically, giving +altusr to someone means you are telling them they can have complete control of your Queue Manager.
_________________
Peter Potkay
Keep Calm and MQ On
edub1 (Apprentice; joined 01 Apr 2008; 28 posts)
Posted: Thu Jun 18, 2009 9:03 am
That is what I suspected. Thanks for confirming.
bruce2359 (Poobah; joined 05 Jan 2008; 9472 posts; US: west coast, almost. Otherwise, en route.)
Posted: Thu Jun 18, 2009 9:05 am
Where I've seen this used (and recommended it) is when inbound messages are from an entity outside the security domain (a vendor, perhaps).

The application, authorized to use alternate user ID, behaves like a proxy on behalf of the otherwise untrusted message source.

As Mr. Potkay implies, very tight controls must be in place to ensure that the application doesn't misbehave and take on mqm or any inappropriate user ID.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
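The audit that Peter Potkay's and bruce2359's posts call for, as an added example (not code from the thread and not IBM's): a POSIX shell function that reads dmpmqaut-style records for the queue manager object and lists every entity whose authority list grants altusr, either literally or through the umbrella values all/allmqi. The queue manager name QM1, the channel APP.SVRCONN, the entities appsvc and monitor, and the record text are constructed for illustration only; on a real system pipe `dmpmqaut -m <qmgr> -t qmgr` into the function instead. The reason altusr on the qmgr object is the thing to look for: MQ checks +altusr against the connecting ID's queue-manager authority, and if that passes the open or put1 is then authorized against the alternate ID's own authorities on the queue, so holding altusr is as good as holding whatever the most privileged ID on the queue manager holds.

```shell
#!/bin/sh
# Added example (not from the thread, not IBM's code): list who holds
# +altusr on the queue manager object, from dmpmqaut-style records.
#
# SAMPLE is constructed to resemble "dmpmqaut -m QM1 -t qmgr" output;
# QM1, appsvc and monitor are invented names. On a real system replace
# the sample with:   dmpmqaut -m QM1 -t qmgr | altusr_holders

SAMPLE='profile:     self
object type: qmgr
entity:      mqm
entity type: group
authority:   allmqi dlt chg dsp clr

profile:     self
object type: qmgr
entity:      appsvc
entity type: principal
authority:   connect inq altusr

profile:     self
object type: qmgr
entity:      monitor
entity type: principal
authority:   connect inq dsp
'

# altusr_holders: reads dmpmqaut records on stdin and prints
# "<entity type> <entity>" for each record whose authority list grants
# altusr, either literally or through the umbrella values all/allmqi
# (allmqi covers every MQI authority, and altusr is an MQI authority).
altusr_holders() {
    awk '
        /^entity:/      { entity = $2 }
        /^entity type:/ { etype  = $3 }
        /^authority:/   {
            hit = 0
            for (i = 2; i <= NF; i++)
                if ($i == "altusr" || $i == "allmqi" || $i == "all") hit = 1
            if (hit) print etype, entity
        }'
}

# Stand-alone run over the constructed sample. Expected output:
#   group mqm
#   principal appsvc
# The mqm group is expected to hold it; appsvc is the finding.
printf '%s' "$SAMPLE" | altusr_holders

# Remediation along the lines Vitor suggests, shown as comments so the
# script stays safe to run (invented names; do not apply blindly):
#   setmqaut -m QM1 -t qmgr -p appsvc -altusr
#   echo "ALTER CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('appsvc')" | runmqsc QM1
```

Anything the function reports other than the mqm group is an ID that can, in Peter Potkay's words, pretend to be mqm; the commented remediation revokes the authority and pins the channel to a fixed MCAUSER so the application gets one identity and no choice about it.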