zpat
Posted: Tue Dec 15, 2009 6:20 am
Post subject: SYSTEM.AUTH.DATA.QUEUE
This queue holds the OAM authority info, but in explorer this queue does not itself have an authority list viewable.
However some users are getting logged against this queue for display and I don't understand why since they are allowed display against any queue using SYSTEM.** and ** generic profiles.
Any ideas? I think it is explorer itself trying to access the queue.
Quote:
----- amqzfubx.c : 530 --------------------------------------------------------
15/12/09 13:59:10 - Process(278534.9) User(mqm) Program(amqzlaa0_nd)
AMQ8077: Entity 'xxxxxxx ' has insufficient authority to access object
'SYSTEM.AUTH.DATA.QUEUE'.
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: dsp
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.

exerk
Posted: Tue Dec 15, 2009 6:32 am
Have you sanitised the output, or did it genuinely display as 'xxxxxxx '?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

zonko
Posted: Tue Dec 15, 2009 6:40 am
Access to the queue is hard coded to mqm only.

zpat
Posted: Tue Dec 15, 2009 6:42 am
Sanitised it.
It's definitely caused by Explorer - when I access the QM as the user in question, explorer lists all the queues except the SYSTEM.AUTH.DATA.QUEUE queue.
The curious thing is that access to the other system queues is controlled by the same profile (SYSTEM.**) and they are listed OK.
There does not seem to be a specific profile for SYSTEM.AUTH.DATA.QUEUE, which I presume is normal?

zpat
Posted: Tue Dec 15, 2009 6:45 am
zonko wrote:
Access to the queue is hard coded to mqm only.
That would explain it, but means that any user using explorer is going to generate authority events or log records (if you have the option set) every 5 mins when it tries and fails to list the queue.
However there is an APAR, fixed in 6.0.2.8
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg1IZ52608
Quote:
PROBLEM SUMMARY:
Currently it is impossible to grant users or groups access to
the SYSTEM.AUTH.DATA.QUEUE. The reason behind this is that
this queue contains the authority records for the queue
manager so granting a user put or get authority on this queue
would compromise the security of the queue manager.
However, the inability to set authorities on this queue causes
difficulties for GUI administration tools as typically they
perform a PCF command (MQCMD_INQUIRE_Q) with a wildcard to
return back information about all queues on the system. Any
queue for which the user does not have DISPLAY authority will
a) Return a failure PCF message to the application
b) Generate an authority event message

exerk
Posted: Tue Dec 15, 2009 6:52 am
zonko wrote:
Access to the queue is hard coded to mqm only.
zonko, can you justify that statement please, and quote the source?
zpat, what does dspmqaut show for the entity against that queue?
EDIT: saw zpat's edited(?) response after I posted, and assumed that the 'fixed' level of WMQ was in use.

zpat
Posted: Tue Dec 15, 2009 7:10 am
My level is 6.0.2.7, I have just seen the APAR.
dspmqaut shows nothing against the queue for the group in question.
I tried adding an explicit profile but I can't see it afterwards. Looks like this won't work until 6.0.2.8.
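
An added example, not posted by anyone in this thread: a log triage that parses AMQ8077 entries in the format quoted in the first post and separates display-only (dsp) failures on SYSTEM.AUTH.DATA.QUEUE, the wildcard queue listing described in the APAR text, from any other denied request. The function names, entity names and sample log are constructed for illustration.

```python
import re
from collections import Counter

AUTH_QUEUE = "SYSTEM.AUTH.DATA.QUEUE"
# AMQ8077 wording as quoted in the thread; matched after whitespace is collapsed.
ENTRY = re.compile(
    r"AMQ8077: Entity '(?P<entity>[^']*)' has insufficient authority to access "
    r"object '(?P<object>[^']*)'\..*?unauthorized: (?P<perms>.*?)(?= ACTION:|$)"
)

def parse_amq8077(log_text):
    """Return (entity, object, permissions) for each AMQ8077 entry."""
    hits = []
    for chunk in re.split(r"(?m)^-----.*$", log_text):  # entry separator lines
        m = ENTRY.search(" ".join(chunk.split()))
        if m:
            hits.append((m["entity"].strip(), m["object"], tuple(m["perms"].split())))
    return hits

def triage(hits):
    """Count display-only failures on the authority queue; list everything else."""
    expected, review = Counter(), []
    for entity, obj, perms in hits:
        if obj == AUTH_QUEUE and perms == ("dsp",):
            expected[entity] += 1  # queue-listing pattern from the APAR text
        else:
            review.append((entity, obj, perms))
    return expected, review

def _entry(entity, obj, perms):
    # Constructed entry in the layout of the one quoted in the thread.
    return (
        "----- amqzfubx.c : 530 " + "-" * 56 + "\n"
        "15/12/09 13:59:10 - Process(278534.9) User(mqm) Program(amqzlaa0_nd)\n"
        f"AMQ8077: Entity '{entity:<12}' has insufficient authority to access object\n"
        f"'{obj}'.\n"
        "EXPLANATION:\n"
        "The specified entity is not authorized to access the required object. The\n"
        f"following requested permissions are unauthorized: {perms}\n"
        "ACTION:\n"
    )

# Constructed sample: the entity names and the "get" request are made up.
SAMPLE_LOG = (_entry("appuser1", AUTH_QUEUE, "dsp") + _entry("appuser1", AUTH_QUEUE, "dsp")
              + _entry("appuser2", AUTH_QUEUE, "get"))

if __name__ == "__main__":
    expected, review = triage(parse_amq8077(SAMPLE_LOG))
    print("expected listing failures:", dict(expected), "| needs review:", review)
```

Entries left in the review list are the ones worth reading by hand, since the APAR text notes that put or get access to this queue would compromise the queue manager's security.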