| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| What all Authorizations, last done ? |
« View previous topic :: View next topic » |
| Author |
Message
|
| shashivarungupta |
 Posted: Sun Nov 21, 2010 3:42 am Post subject: What all Authorizations, last done ? |
 |
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
Hi,
I have couple of scenarios here..
Do we have any option by which we can identify 'what all authorizations were given to a particular user and on which mq objects and what date/time'.
{I know 'dspmqaut' which shows only authorization level on mq objs for some principal id/group id}
we have an 'amqoamd' and I used it no. of times before but it doesn't show last time/date as it doesn't have this capability. I took the backup of authorities by that 'amqoamd -m QMgrName -s > filename.mqsc' {ofcourse I know when the last backup was taken by the creation date of bkup files}.
As we know by display qlocal(queuename) , it would show the queue creation & last Alteration date&time BUT by we can't guess which Property of that queue was being modified last !!!
Same is the case I wanted to know what all authorization levels were set on a queue in the past, unless I look into the backup file ?
I believe you too might have faced such situations.
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
 |
| exerk |
| Posted: Sun Nov 21, 2010 4:23 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
Why would you want to know? Any authorities granted should be only what the applications need, and if those needs change so should the authorities. Your change management and documentation should include the detail of any additions/subtractions, so why double up by 'diffing' authority back-up files?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| shashivarungupta |
| Posted: Sun Nov 21, 2010 4:55 am Post subject: |
|
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
| exerk wrote: |
| Why would you want to know? Any authorities granted should be only what the applications need, and if those needs change so should the authorities. Your change management and documentation should include the detail of any additions/subtractions, so why double up by 'diffing' authority back-up files? |
You know application teams demand irrelevant things from middle-ware guys most of the times.
But for us, before making any further changes related to authority on mq objs, anyone would like to know what&when authorities were set on it, 'quickly' !! (though change requests/old docs can speak out but those are time taking and takes effort to create&manage them too.)
I believe we doesn't have that facility AFA oam is concerned (other then amqoamd).
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Sun Nov 21, 2010 7:30 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
The auditors (both internal and external) at my last real job wanted the capability to view security permission history - by user, by object, by application, etc.. (Auditors come to the battle scene - after the battle, and shoot the wounded.) In the business big-picture, I don't find this to be an unreasonable request.
One of the sponsors of this site may have such a package.
As an alternative, you will need to extract permissions from OAM (or RACF) on a daily basis; populate them to a database; then write whatever SQL you need to satisfy management.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| shashivarungupta |
| Posted: Sun Nov 21, 2010 8:10 am Post subject: |
|
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
| bruce2359 wrote: |
As an alternative, you will need to extract permissions from OAM (or RACF) on a daily basis; populate them to a database; then write whatever SQL you need to satisfy management. |
hmmmm.... another method to keep the data for records. 
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
|
| shashivarungupta |
| Posted: Sun Nov 21, 2010 9:29 am Post subject: |
|
|
Grand Master
Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.
|
Another thing which I pointed out here, unfortunately  falls under same question :
" As we know by display qlocal(queuename) , it would show the queue creation & last Alteration date&time BUT we can't guess which Property of that queue was being modified last (unless we hit the docs again )!!! "
_________________
*Life will beat you down, you need to decide to fight back or leave it. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Sun Nov 21, 2010 12:01 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| Quote: |
| ...it would show the queue creation & last Alteration date&time BUT we can't guess which Property of that queue was being modified last (unless we hit the docs again )!!! " |
Search for SYSTEM.ADMIN.CONFIG.EVENT.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
