Is not mqm being an user of the mqm group enough?
jeevan
Posted: Sun Dec 20, 2009 11:42 pm    Post subject: Is not mqm being an user of the mqm group enough?

Grand Master

Joined: 12 Nov 2005
Posts: 1432

Is not mqm being a user of the mqm group enough? Should it be a user of the group staff, which is the primary group of all ids?

Michael Dag
Posted: Mon Dec 21, 2009 12:11 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

not enough for what?
_________________
Michael



PeterPotkay
Posted: Mon Dec 21, 2009 5:34 am    Post subject: Re: Is not mqm being an user of the mqm group enough?

Poobah

Joined: 15 May 2001
Posts: 7722

jeevan wrote:
....the group staff? which is the primary group of all ids.


ALL of them? Including the mqm ID?
_________________
Peter Potkay
Keep Calm and MQ On

Vitor
Posted: Mon Dec 21, 2009 5:41 am    Post subject: Re: Is not mqm being an user of the mqm group enough?

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

jeevan wrote:
Is not mqm being an user of the mqm group enough?


Not if, while logged onto a given box, it needs to do something non-WMQ related.

jeevan wrote:
should it be an user of the group staff?


Or db2, or wmbadmin, or wasadmin, or finapp, or whatever it needs. It's only an id.

jeevan wrote:
which is the primary group of all ids.


No it isn't. Many ids will have a different primary group. Unless your site has some interesting views on security.
_________________
Honesty is the best policy.
Insanity is the best defence.

jeevan
Posted: Mon Dec 21, 2009 6:10 am    Post subject: Re: Is not mqm being an user of the mqm group enough?

Grand Master

Joined: 12 Nov 2005
Posts: 1432

Vitor wrote:
jeevan wrote:
Is not mqm being an user of the mqm group enough?


Not if, while logged onto a given box, it needs to do something non-WMQ related.

jeevan wrote:
should it be an user of the group staff?


Or db2, or wmbadmin, or wasadmin, or finapp, or whatever it needs. It's only an id.

jeevan wrote:
which is the primary group of all ids.


No it isn't. Many ids will have a different primary group. Unless your site has some interesting views on security.


Sorry for not being explicit in my question. But you guys sensed what I wanted to ask. I meant in relation to managing the mq resources, should not it be enough the mqm id being the member of mqm group? I agree with you that we can make it a member of other groups as needed.

Also, mqm is not a logged-in id (I am not sure whether there is any difference between a login id and an id used for su-ing). We su to mqm once we log in with our own id first.

Thanks

Vitor
Posted: Mon Dec 21, 2009 6:59 am    Post subject: Re: Is not mqm being an user of the mqm group enough?

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

jeevan wrote:
I meant in relation to managing the mq resources, should not it be enough the mqm id being the member of mqm group?


To manage WMQ then mqm membership is all that's needed. What other memberships are needed in the context of how your site works is a local problem.


jeevan wrote:
I am not sure whether there is any difference between a login id and an id used for su-ing).


There's no difference - check any standard Unix reference. Your id has been given the authority to su into mqm, and mqm (as a user) has been barred from logging onto the box. It's a standard security & audit practice with anonymous ids like mqm.
_________________
Honesty is the best policy.
Insanity is the best defence.

jeevan
Posted: Mon Dec 21, 2009 7:08 am    Post subject: Re: Is not mqm being an user of the mqm group enough?

Grand Master

Joined: 12 Nov 2005
Posts: 1432

Vitor wrote:
jeevan wrote:
I meant in relation to managing the mq resources, should not it be enough the mqm id being the member of mqm group?


To manage WMQ then mqm membership is all that's needed. What other memberships are needed in the context of how your site works is a local problem.


jeevan wrote:
I am not sure whether there is any difference between a login id and an id used for su-ing).


There's no difference - check any standard Unix reference. Your id has been given the authority to su into mqm, and mqm (as a user) has been barred from logging onto the box. It's a standard security & audit practice with anonymous ids like mqm.


Thanks a lot. I appreciate.

Michael Dag
Posted: Mon Dec 21, 2009 7:48 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

and don't forget that on UNIX authorities are stored on group level rather than principal!!!
_________________
Michael



zpat
Posted: Mon Dec 21, 2009 8:06 am

Jedi Council

Joined: 19 May 2001
Posts: 5866
Location: UK

You can add your normal id to mqm group - which makes it easier to use GUIs for admin, instead of just line commands.

But make your principal unix group mqm, otherwise you will get another group added to all profiles when queues are created.

jeevan
Posted: Mon Dec 21, 2009 8:20 am

Grand Master

Joined: 12 Nov 2005
Posts: 1432

zpat wrote:
You can add your normal id to mqm group - which makes it easier to use GUIs for admin, instead of just line commands.


What GUI are you talking about? We use mo71 and MQExplorer. We have mcauser with enough permission so that we can use these GUIs.

zpat wrote:

But make your principal unix group mqm, otherwise you will get another group added to all profiles when queues are created.


Is not this a bad idea to add individual id to mqm group?


zpat wrote:

otherwise you will get another group added to all profiles when queues are created.


I have this issue already and I am aware of it.

Thanks

PeterPotkay
Posted: Mon Dec 21, 2009 10:03 am

Poobah

Joined: 15 May 2001
Posts: 7722

jeevan wrote:
zpat wrote:
You can add your normal id to mqm group - which makes it easier to use GUIs for admin, instead of just line commands.


What GUI are you talking about? We use mo71 and MQExplorer. We have mcauser with enough permission so that we can use these GUIs.

Right, but now you can't tell who does what. You are all seen as that same User ID to MQ. If each MQ Admin has his own channel protected by SSL or an exit so no one else can use it, you have better control and auditability.



jeevan wrote:
zpat wrote:

But make your principal unix group mqm, otherwise you will get another group added to all profiles when queues are created.


Is not this a bad idea to add individual id to mqm group?

Usually only a bad idea if the individual ID is not an MQ Admin AND that individual ID's primary group is not mqm.

Generally I like any and all work to be done only by the mqm ID. But in this day and age that conflicts with what auditors like to see, bless their little hearts.
_________________
Peter Potkay
Keep Calm and MQ On
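
As an added example (not part of any post in this thread), the shell function below reports which ids are in the mqm group and whether mqm is their primary or a supplementary group, the distinction zpat and PeterPotkay discuss above. The sample passwd and group files, and the ids alice, bob and carol in them, are constructed for illustration.

```shell
#!/bin/sh
# Added example: report every id in the mqm group and how it gets membership.
# Usage: mqm_members [PASSWD_FILE] [GROUP_FILE]   (defaults to the /etc files)
mqm_members() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    awk -F: '
        # Group file: map gid -> name; record the mqm gid and listed members.
        FILENAME == ARGV[1] {
            gname[$3] = $1
            if ($1 == "mqm") {
                mqm_gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") supp[m[i]] = 1
            }
            next
        }
        # Passwd file: field 4 is the primary gid of each id.
        mqm_gid != "" && $4 == mqm_gid {
            print $1 " primary=mqm"; delete supp[$1]; next
        }
        ($1 in supp) {
            pg = ($4 in gname) ? gname[$4] : $4
            print $1 " supplementary primary=" pg
            delete supp[$1]
        }
        # Listed in the group file but absent from passwd (e.g. directory ids).
        END { for (u in supp) print u " supplementary primary=unknown" }
    ' "$group_file" "$passwd_file" | sort
}

# Constructed sample data; alice, bob and carol are hypothetical ids.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
mqm:x:501:501:MQ service id:/var/mqm:/bin/sh
alice:x:1001:100:MQ admin:/home/alice:/bin/sh
bob:x:1002:501:MQ admin:/home/bob:/bin/sh
carol:x:1003:100:application user:/home/carol:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
staff:x:100:
mqm:x:501:mqm,alice
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
mqm_members "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```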

Vitor
Posted: Mon Dec 21, 2009 10:09 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

PeterPotkay wrote:
Generally I like any and all work to be done only by the mqm ID.




PeterPotkay wrote:
But in this day and age that conflicts with what auditors like to see, bless their little hearts.


You can often soothe their fevered brows with su (as jeevan indicates). This way there is one and only one mqm, there are no other Gods Of The Queue Manager bar mqm, and the auditors can tell who's su'd to do what at what time and tie it back to a given business need and requirement. Then write it up in a big report that no-one will read but everyone will sign off on.

(I get a bit jaded and cynical about audits sometimes)
_________________
Honesty is the best policy.
Insanity is the best defence.

PeterPotkay
Posted: Mon Dec 21, 2009 10:12 am

Poobah

Joined: 15 May 2001
Posts: 7722

Vitor wrote:
PeterPotkay wrote:
Generally I like any and all work to be done only by the mqm ID.




PeterPotkay wrote:
But in this day and age that conflicts with what auditors like to see, bless their little hearts.


You can often soothe their fevered brows with su (as jeevan indicates). This way there is one and only one mqm, there are no other Gods Of The Queue Manager bar mqm, and the auditors can tell who's su'd to do what at what time and tie it back to a given business need and requirement. Then write it up in a big report that no-one will read but everyone will sign off on.

(I get a bit jaded and cynical about audits sometimes)


This is how we do it, BUT, since 2 or more people can use su to be mqm at the same time, you lose the ability to tell exactly who did what. This is what I am being told and why su is no longer good enough. (Don't these people have anything better to do?)
_________________
Peter Potkay
Keep Calm and MQ On

jeevan
Posted: Mon Dec 21, 2009 10:34 am

Grand Master

Joined: 12 Nov 2005
Posts: 1432

PeterPotkay wrote:
Don't these people have anything better to do?


I think there is none, so they are doing all this nonsense stuff. Do you guys remember one of my posts a few months ago? I am lucky that now I am no longer with that company. The auditor asked for documentation for the amqoamd command when my supervisor told them that we use the amqoamd utility in setting/removing permissions (security management) in MQ.

http://www.mqseries.net/phpBB2/viewtopic.php?t=51041&sid=64475e0bfc565418a1196597f85bb2bf

Vitor
Posted: Mon Dec 21, 2009 10:40 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

PeterPotkay wrote:
(Don't these people have anything better to do?)




Not usually.
_________________
Honesty is the best policy.
Insanity is the best defence.