zpat
Posted: Tue Nov 03, 2009 2:41 am Post subject: setmqaut generic profiles
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
I want to implement some generic setmqaut profiles for queue security.
Currently these queues each have their own setmqaut profile, created automatically when the queue was defined (e.g. HLQ.A.B.C).
If I now create a generic setmqaut security profile (e.g. HLQ.**) to cover the same queues, do I have to delete the specific profiles so that this new one takes effect?
Presumably the queue manager creates a specific setmqaut profile for a new queue if there is not a generic profile covering it at the time of definition?
Does the queue manager only ever match the most specific security profile, or if that does not grant access will it look at more generic ones?
Michael Dag
Posted: Tue Nov 03, 2009 3:28 am Post subject:
Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
I just gave that a shot, and putting in the HLQ definition does not clean up the old ones; figuring out which one is in effect can best be experienced on a test system, I guess, to be sure...
_________________ Michael
MQSystems Facebook page
zpat
Posted: Tue Nov 03, 2009 3:34 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
The QM seems to create specific profiles for new queues even when the generic profile is in place.
Can anyone offer some best practice guidelines for working with generic setmqaut profiles?
Michael Dag
Posted: Tue Nov 03, 2009 3:39 am Post subject:
Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
zpat wrote:
The QM seems to create specific profiles for new queues even when the generic profile is in place.

Only for the mqm group id and any user id in the mqm group on my Windows machine, not for non-mqm userids like mquser:
Quote:
setmqaut -m TTTT -n HLQ.A.B.C.D -t queue -p Michael@T61P-001 +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m TTTT -n HLQ.A.B.C.D -t queue -g mqm +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m TTTT -n HLQ.** -t queue -p mquser@T61P-001 +browse

_________________ Michael
MQSystems Facebook page
zpat
Posted: Tue Nov 03, 2009 4:45 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Which brings me back to the question: the manual says that only the most specific profile is used.
Surely this wouldn't work unless it also looks at the generic profile as well?
mqjeff
Posted: Tue Nov 03, 2009 4:57 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
zpat wrote:
Which brings me back to the question: the manual says that only the most specific profile is used.
Surely this wouldn't work unless it also looks at the generic profile as well?

I suspect the code asks for the most specific profile first. If it doesn't get a response, it asks again for something less specific, and repeats until it gets a good answer or it's out of wildcards.
So it's probably not reasonable to say that it looks at the generic profiles unless it has to.
zpat
Posted: Tue Nov 03, 2009 6:04 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
So is the correct answer that the most specific setmqaut profile which relates to a relevant group membership for this access attempt is used to determine access rights?
bruce2359
Posted: Sat Nov 21, 2009 5:22 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Moved to Security forum.
The most restrictive rule applies to RACF mainframe security, as well.
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
zpat
Posted: Tue Jan 12, 2010 7:15 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
MQExplorer (or at least a recent fix level of it) has some nice features to display the setmqaut profiles (object authorities), including generic profiles (it would be nice if MO71 could have something to do this).
It can also display the cumulative authorities of the profiles matching the resource (which seems to be the answer to what access is granted).
My question now is, has anyone taken the step of removing all the specific (explicit) profiles and just using some generic ones (e.g. SYSTEM.**)?
The problem as I see it is that MQ creates a new specific profile automatically when a queue is created.
(1) Is it necessary to retain these specific profiles (assuming mqm is granted full access via a generic one)?
(2) Is there any way to suppress creation of these specific profiles when a new queue is created?
It would seem a lot simpler to just have a handful of generic profiles (or even just "**" for granting mqm access) than to have hundreds of explicit profiles (one per queue).
Interested in what other sites do to make this simpler to manage?
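The thread argues over two readings of how a queue manager resolves overlapping profiles: the "cumulative authorities of all matching profiles" view zpat sees in MQ Explorer, and the "most specific profile wins" reading mqjeff suspects (and bruce2359 describes for RACF). The following Python model is an added example, not code from the thread, from IBM MQ or from any of the posters; it implements both rules side by side over a constructed profile table so the difference is visible. The wildcard handling is a simplified approximation of generic-profile syntax (`?` one character, `*` within one qualifier, `**` one or more whole qualifiers), and the group `appgrp` and its profiles are constructed for the illustration.

```python
"""Model of two candidate rules for resolving OAM-style generic profiles.

Added example, not IBM MQ code. Wildcards are a simplified approximation:
  ?   exactly one character within a qualifier
  *   zero or more characters within a qualifier
  **  one or more whole qualifiers (only supported as an entire qualifier here)
"""
import re
from dataclasses import dataclass

# The full authority list from the setmqaut lines quoted earlier in the thread.
FULL = frozenset("browse get inq passall passid put set setall setid chg clr dlt dsp".split())


@dataclass(frozen=True)
class Profile:
    name: str         # profile name, specific (HLQ.A.B.C.D) or generic (HLQ.**)
    entity: str       # group (-g) or principal (-p) the authorities were granted to
    auths: frozenset  # authorities, e.g. {"browse", "get"}


def profile_regex(profile_name: str) -> re.Pattern:
    """Translate a (simplified) generic profile name into an anchored regex."""
    pieces = []
    for qualifier in profile_name.split("."):
        if qualifier == "**":
            pieces.append(r"[^.]+(?:\.[^.]+)*")  # one or more qualifiers
            continue
        piece = ""
        for ch in qualifier:
            if ch == "*":
                piece += r"[^.]*"                # never crosses a '.'
            elif ch == "?":
                piece += r"[^.]"
            else:
                piece += re.escape(ch)
        pieces.append(piece)
    return re.compile("^" + r"\.".join(pieces) + "$")


def is_generic(profile_name: str) -> bool:
    return any(ch in "*?" for ch in profile_name)


def specificity(profile: Profile) -> tuple:
    """Lower sorts first: a specific profile beats a generic one, then more literal text wins."""
    literal_chars = sum(1 for ch in profile.name if ch not in "*?")
    return (1 if is_generic(profile.name) else 0, -literal_chars)


def matching_profiles(profiles, object_name, entities):
    """Profiles that match the object name and belong to one of the caller's entities
    (on UNIX, the caller's group list, as JosephGramig points out)."""
    return [p for p in profiles
            if p.entity in entities and profile_regex(p.name).match(object_name)]


def cumulative_auths(profiles, object_name, entities) -> frozenset:
    """Rule A: union over every matching profile (the cumulative view zpat describes)."""
    result = set()
    for p in matching_profiles(profiles, object_name, entities):
        result |= p.auths
    return frozenset(result)


def most_specific_auths(profiles, object_name, entities) -> frozenset:
    """Rule B: only the most specific matching profile(s) count (mqjeff's hypothesis).
    Several of the caller's entities at the same specificity are still combined."""
    matches = matching_profiles(profiles, object_name, entities)
    if not matches:
        return frozenset()
    best = min(specificity(p) for p in matches)
    return frozenset().union(*(p.auths for p in matches if specificity(p) == best))


# Constructed sample: the mqm and mquser entries mirror the setmqaut lines quoted above;
# the "appgrp" group is hypothetical and has both a specific and a generic profile.
PROFILES = [
    Profile("HLQ.A.B.C.D", "mqm", FULL),
    Profile("HLQ.**", "mquser", frozenset({"browse"})),
    Profile("HLQ.A.B.C.D", "appgrp", frozenset({"put"})),
    Profile("HLQ.**", "appgrp", frozenset({"browse", "get"})),
]

if __name__ == "__main__":
    for obj in ("HLQ.A.B.C.D", "HLQ.X.Y"):
        print(obj,
              "cumulative:", sorted(cumulative_auths(PROFILES, obj, {"appgrp"})),
              "most-specific:", sorted(most_specific_auths(PROFILES, obj, {"appgrp"})))
```

For HLQ.A.B.C.D and the hypothetical appgrp, rule A yields browse, get and put while rule B yields put only; for a queue covered by nothing but HLQ.** the two rules agree. Which rule a given platform and version actually applies is exactly the point Michael Dag recommends confirming on a test system, for instance by comparing the model against dspmqaut output for the same principal and queue.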
JosephGramig
Posted: Tue Jan 12, 2010 1:48 pm Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
Well, I like the rule that only mqm creates objects.
If you must do it as somebody else, make sure mqm is the primary group. UNIX only grants by group. Windows just sucks.
Often, I will get rid of all implicit ACL creations resulting from creating objects.
One of my main pet peeves is having to grant everything to the XMITQ so a server can reply to a msg's ReplyToQ and ReplyToQmgr. I should be able to create a reply to msgs based on a request I received. But I guess, how would MQ know if I built it or received it...
PeterPotkay
Posted: Tue Jan 12, 2010 4:40 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
zpat wrote:
MQExplorer (or at least a recent fix level of it) has some nice features to display the setmqaut profiles (object authorities), including generic profiles (it would be nice if MO71 could have something to do this).

MO71 does.
_________________ Peter Potkay
Keep Calm and MQ On
bruce2359
Posted: Tue Jan 12, 2010 4:57 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Quote:
One of my main pet peeves is having to grant everything to the XMITQ so a server can reply to a msg's ReplyToQ and ReplyToQmgr. I should be able to create a reply to msgs based on a request I received. But I guess, how would MQ know if I built it or received it...

This is the security exposure that reply msgs (and COA and COD) pose to the requesting app.
A best practice envisions the requesting app knowing which request msgs it sent, and then matching them against the replies it receives.
Not everyone should be able to put a msg to an xmit queue.
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
zpat
Posted: Wed Jan 13, 2010 6:26 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
PeterPotkay wrote:
zpat wrote:
MQExplorer (or at least a recent fix level of it) has some nice features to display the setmqaut profiles (object authorities), including generic profiles (it would be nice if MO71 could have something to do this).

MO71 does.

So it does, under the authorisation record list.
Not perhaps the easiest part of MO71 to use. I tried to add and modify profiles but it had problems. It also does not seem to allow options like -all or +allmqi, which the setmqaut command does.
It probably needs a bit of updating; I'll drop the author some suggestions to make it more useful.