| Author |
Message
|
| mqjava |
 Posted: Tue Aug 10, 2010 6:39 am Post subject: same security for multiple queues |
 |
|
Voyager
Joined: 25 May 2009
Posts: 80
Location: New Jersey
|
Hi All,
In our environment we have a queue - QUEUE.A, we create a new queue - QUEUE.B. For the QUEUE.A some person ran a setmqaut command and he set some security for the QUEUE.A, now my question - how can i give the same security to QUEUE.B as QUEUE.A.
If i create QUEUE.B like(QUEUE.A) will it work?
And also i remeber when we run the dmpmqaut command it will give the output in setmqaut format, i forgot how to do that? can anybody please help here...
Thanks |
|
| Back to top |
|
 |
| mqjeff |
| Posted: Tue Aug 10, 2010 6:48 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
If you issued the setmqaut command for exactly "QUEUE.A", then you can't do anything to cause that rule to apply to "QUEUE.B".
I wonder what dmpmqaut /? shows... |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Aug 10, 2010 6:55 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
And if your naming convention for queues means they are very similar in name, e.g. QUEUE.A, QUEUE.B etc., and the same security is required for them all, i.e. same userid, then consider using a profile. CAVEAT: there can be unintended consequences so plan accordingly.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| mqjava |
| Posted: Tue Aug 10, 2010 7:19 am Post subject: |
|
|
Voyager
Joined: 25 May 2009
Posts: 80
Location: New Jersey
|
mqjeff and exerk,
Thanks for the quick reply
| mqjeff wrote: |
I wonder what dmpmqaut /? shows... |
I dont remeber it exactly, if its dmpmqaut or some other command, but i remeber like a command will give you the security setup for the queue in setmqaut command format.
For example: For QUEUE.A, if some security is already in place, to see it we will use dmpmqaut which shows the output in its own format, but there is way which will show the output in setmqaut command, im wondering how can i get the ouput in setmqaut format.
Exerk, thanks for the suggetsion, i am not ware of how to use profile / CAVEAT, i have to research on it.
Thanks. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Aug 10, 2010 10:35 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Try amqoamd -s 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| zpat |
| Posted: Tue Aug 10, 2010 11:27 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Generic authority profiles can make life easier in granting common access rights to queues with similar names. Use * or % characters to pattern match (see the manual).
However whenever a queue is created (and this is one reason why only the user mqm should do this) is that the creating user's primary group (assuming on Unix) is added to the specificprofile's ACL automatically, along with mqm group.
All queues will therefore generally have a specific profile as well as (potentiall) being covered by a generic profile. The cumulative access rights are used. MQ explorer (latest) has a feature to display the access rights in various ways. |
|
| Back to top |
|
|
| mqjava |
| Posted: Wed Aug 11, 2010 10:00 am Post subject: |
|
|
Voyager
Joined: 25 May 2009
Posts: 80
Location: New Jersey
|
| fjb_saper wrote: |
| Try amqoamd -s |
Hi fjb_saper, this is the info i was looking for, thank you so much
| Quote: |
Generic authority profiles can make life easier in granting common access rights to queues with similar names. Use * or % characters to pattern match (see the manual).
|
zpat, i have no idea what profiles are if you could provide me some links it will be great. |
|
| Back to top |
|
|
| zpat |
| Posted: Wed Aug 11, 2010 10:20 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Profiles are what setmqaut creates - you have them whether you know what they are or not!
By default you will only have specific profiles, not generic ones.
I recommend reading the MQ admin manual on the setmqaut command section.
e.g.
setmqaut 'ABC.**' -g groupname +allmqi
or something like that is using pattern characters to match multiple queues with names starting ABC. |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Wed Aug 11, 2010 3:22 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
| mqjava wrote: |
| fjb_saper wrote: |
| Try amqoamd -s |
Hi fjb_saper, this is the info i was looking for, thank you so much |
Note that amqoamd is not officially supported ( http://www.ibm.com/support/docview.wss?uid=swg21163239 ) and it does not reliably display profiles that only have +none authority. The latest MS03 saveqmgr produces the +none profiles correctly.
_________________
Glenn |
|
| Back to top |
|
|
| shashivarungupta |
| Posted: Wed Aug 11, 2010 8:55 pm Post subject: |
|
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
| jennybond wrote: |
| You can Use the setmqaut Command this Will Help You in This kind of thing.I have just idea of this Command I never Use it in My Program. |
as mqjava has said initially "For the QUEUE.A some person ran a setmqaut command and he set some security for the QUEUE.A, now my question - how can i give the same security to QUEUE.B as QUEUE.A. "
I believe he knows setmqaut is used to grant/revoke authority to a profile, obj or class of objects.
dspmqaut and dmpmqaut are used to display and dump the authority respectively.
Read the OAM chapter in the manual.
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
|
|
|
