MQSeries.net Forum Index » IBM MQ Security » OAM +browse but need +get in order to browse a queue?

flaufer
PostPosted: Wed Aug 18, 2010 6:24 am    Post subject: OAM +browse but need +get in order to browse a queue?

Acolyte

Joined: 08 Dec 2004
Posts: 59

Folks,

having some trouble here with using WMQTool (niratul) to browse a queue (and only to browse it, no more rights should be allowed).

Setup as follows:

Client connecting through SSL to the QMGR. MCAuser is set (mymcauser) and connection is working fine.

authorizations for queues as follows:

Entity mymcauser has the following authorizations for object **:
browse
inq
dsp

Entity mymcauser has the following authorizations for object SYSTEM.ADMIN.COMMAND.QUEUE:
put
inq
dsp

Entity mymcauser has the following authorizations for object SYSTEM.DEFAULT.MODEL.QUEUE:
get
put
inq
dsp
clr


Unfortunately I have no way of using another tool (MO71 or similar) to cross check if the tool is the issue here... but if I give +get on the queue, it is working... +browse alone will not allow me to browse the queue.

Security event logs in the error.log don't tell me more.

Any ideas? I'm not allowed to put +get on the queue, this would be against security regulations and is in fact what I'm trying to prevent.. I want the user just to be able to BROWSE, look into the msgs and that's it.

Cheers,
Felix
mqjeff
PostPosted: Wed Aug 18, 2010 6:32 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Perhaps WMQTool, which is really unsupported AFAIK, is issuing open options to Get and Browse.

Perhaps you should strongly consider a different tool.
zonko
PostPosted: Wed Aug 18, 2010 10:54 pm

Voyager

Joined: 04 Nov 2009
Posts: 78

Perhaps if you posted the results you are actually getting instead of
Quote:
having some trouble here

it may be possible to help you.

If you enable security events, they will tell you the operation attempted and the auth you have (or require, I cannot remember which). You can then add the required auth.
flaufer
PostPosted: Wed Aug 18, 2010 11:27 pm    Post subject: +get -browse allows me to browse, -get +browse will not

Acolyte

Joined: 08 Dec 2004
Posts: 59

zonko wrote:
Perhaps if you posted the results you are actually getting instead of
Quote:
having some trouble here

it may be possible to help you.

If you enable security events, they will tell you the operation attempted and the auth you have (or require, I cannot remember which). You can then add the required auth.


It's simple.

a: WMQTool tells me it can't open the queue for browsing (it has +browse). If I give +get rights on the queue/user, WMQTool CAN browse the queue.

b: the security event in the logfile tells me that the user I use does not have the proper privileges to perform the action. It just tells me:

08/18/10 15:03:48 - Process(1831036.5) User(mqm) Program(amqzlaa0_nd)
AMQ8077: Entity 'mymcauser ' has insufficient authority to access object
'mai.dummy'.

Unfortunately it does not tell me WHICH activity WMQTool tries to perform on the queue (get, or get with browse option, or whatever else).

Again... it does not seem to be a matter of the mcauser... if I allow him to +get from the queue, WMQTool will let me browse the queue, but not with -get +browse.

But exactly this is what I want... enable a group of users ONLY to browse queues using WMQTool.

Felix
zpat
PostPosted: Wed Aug 18, 2010 11:51 pm

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Enable authorisation events and see what event messages appear.

If WMQTool is coded in a way that does not allow browse only access then contact the developer.
exerk
PostPosted: Thu Aug 19, 2010 1:08 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

zpat wrote:
Enable authorisation events and see what event messages appear...


Or investigate the use of the MQS_REPORT_NOAUTH variable
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
flaufer
PostPosted: Thu Aug 19, 2010 1:10 am    Post subject: ... permissions are unauthorized: get

Acolyte

Joined: 08 Dec 2004
Posts: 59

zpat wrote:
Enable authorisation events and see what event messages appear.

If WMQTool is coded in a way that does not allow browse only access then contact the developer.


Errr.... ok.

This is what I get in the log:

08/18/10 15:03:48 - Process(1831036.5) User(mqm) Program(amqzlaa0_nd)
AMQ8077: Entity 'techmqm2 ' has insufficient authority to access object
'mai.dummy'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: get
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.


I am under the impression that I actually DID enable security events and that is what I have to expect.

Felix

P.S: I'm in touch with the developer, however no success so far.
zpat
PostPosted: Thu Aug 19, 2010 3:13 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

By event message, I did mean event MQ messages on SYSTEM.ADMIN.QMGR.EVENT

However you have enough detail to go on. The program does a get, the OAM says no.

MQ is working as designed.
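The AMQ8077 record quoted earlier in the thread already names the authority the OAM refused ("permissions are unauthorized: get"). What a practitioner usually wants next is that same information across a whole error log, tallied per principal, object and authority, so that a tool requesting more than it needs (as WMQTool does here) shows up as a pattern rather than a single line. The block below is an added example, not code from this thread, from WMQTool or from IBM MQ: a parser for AMQ8077 records in the AMQERR01.LOG format. The first record in the embedded sample is the one posted in this thread; the second (entity appuser1, object SYSTEM.ADMIN.COMMAND.QUEUE, two missing authorities) is constructed to show a multi-authority denial.

```python
"""
Parse AMQ8077 ("insufficient authority") records out of an IBM MQ error log
and count denials per (entity, object, authority).

Added example, not from the thread or from IBM MQ. The record layout follows
the AMQ8077 text posted in the thread; the second record in SAMPLE_LOG is
constructed.
"""
import re
from collections import Counter

# Constructed sample log. First record: the one posted in the thread.
# Second record: made up, to show a denial naming more than one authority.
SAMPLE_LOG = """\
08/18/10 15:03:48 - Process(1831036.5) User(mqm) Program(amqzlaa0_nd)
AMQ8077: Entity 'techmqm2 ' has insufficient authority to access object
'mai.dummy'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: get
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
08/18/10 15:07:12 - Process(1831036.5) User(mqm) Program(amqzlaa0_nd)
AMQ8077: Entity 'appuser1 ' has insufficient authority to access object
'SYSTEM.ADMIN.COMMAND.QUEUE'.

EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: put setall
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
"""

# Every error-log record begins with a "timestamp - Process(...)" line;
# split the log at those boundaries (zero-width split, Python 3.7+).
RECORD_START = re.compile(r"(?m)^(?=\d\d/\d\d/\d\d \d\d:\d\d:\d\d - Process\()")

# Header line plus the two-line AMQ8077 summary that follows it.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - Process\((?P<pid>[^)]*)\) "
    r"User\((?P<user>[^)]*)\) Program\((?P<prog>[^)]*)\)\n"
    r"AMQ8077: Entity '(?P<entity>[^']*)' has insufficient authority to access object\n"
    r"'(?P<object>[^']*)'\."
)

# The refused authorities end the EXPLANATION paragraph and may be several
# words ("put setall"); lazy match up to end of line.
UNAUTH_RE = re.compile(
    r"permissions are unauthorized:\s*(?P<perms>[a-z ]+?)\s*$", re.MULTILINE
)


def parse_amq8077(text):
    """Return one dict per AMQ8077 record in `text`; other records are skipped."""
    records = []
    for chunk in RECORD_START.split(text):
        m = HEADER_RE.match(chunk)
        if not m:
            continue  # empty leading chunk, or a record that is not AMQ8077
        u = UNAUTH_RE.search(chunk)
        records.append({
            "ts": m.group("ts"),
            "program": m.group("prog"),
            # the log shows the entity with a trailing blank ('techmqm2 ')
            "entity": m.group("entity").strip(),
            "object": m.group("object"),
            "unauthorized": u.group("perms").split() if u else [],
        })
    return records


def summarize(records):
    """Count denials per (entity, object, authority) triple."""
    return Counter(
        (r["entity"], r["object"], auth)
        for r in records
        for auth in r["unauthorized"]
    )


if __name__ == "__main__":
    for (entity, obj, auth), n in sorted(summarize(parse_amq8077(SAMPLE_LOG)).items()):
        print(f"{n:3d}  {entity:<12} {obj:<32} {auth}")
```

Run it against a real AMQERR01.LOG by reading the file into `parse_amq8077` instead of `SAMPLE_LOG`. A principal that only ever shows up with `get` refused on queues it is meant to browse is the signature of the situation in this thread: the grant is right, the client is asking for more than browse.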
flaufer
PostPosted: Thu Aug 19, 2010 3:30 am    Post subject: thanks!

Acolyte

Joined: 08 Dec 2004
Posts: 59

zpat wrote:
By event message, I did mean event MQ messages on SYSTEM.ADMIN.QMGR.EVENT

However you have enough detail to go on. The program does a get, the OAM says no.

MQ is working as designed.


Thanks zpat,

I'll see what the developer has to say about that and if WMQTool allows any way of read-only browsing access to a queue.

Felix
Vitor
PostPosted: Thu Aug 19, 2010 4:12 am    Post subject: Re: thanks!

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

flaufer wrote:
I'll see what the developer has to say about that and if WMQTool allows any way of read-only browsing access to a queue.


Other (free) tools do. You might want to consider an alternative.

IMHO some offer advantages over WMQTool. But I repeat, that's IMHO and other opinions are valid here.
_________________
Honesty is the best policy.
Insanity is the best defence.
zpat
PostPosted: Thu Aug 19, 2010 4:27 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

IBM support pac MO71 does a tremendous amount of things and most of them extremely well.

You can also detune it for less experienced users by turning off options in the menu (there are rather a lot of options).
flaufer
PostPosted: Thu Aug 19, 2010 4:43 am    Post subject: portable MQ admin tool?

Acolyte

Joined: 08 Dec 2004
Posts: 59

zpat wrote:
IBM support pac MO71 does a tremendous amount of things and most of them extremely well.

You can also detune it for less experienced users by turning off options in the menu (there are rather a lot of options).


I know MO71... have used it in the past, however in this installation I'm (for now) not allowed to use any tool other than WMQTool. I'd try and install MO71, but it requires MQ libs, which I can't install (security is keeping me from installing a more secure tool, so to say).

Cheers,
Felix

P.S. anybody know which tools run as a portable app, meaning no install, no prerequisites?
flaufer
PostPosted: Mon Dec 13, 2010 12:53 am    Post subject: Re: thanks!

Acolyte

Joined: 08 Dec 2004
Posts: 59

Vitor wrote:
flaufer wrote:
I'll see what the developer has to say about that and if WMQTool allows any way of read-only browsing access to a queue.


Other (free) tools do. You might want to consider an alternative.

IMHO some offer advantages over WMQTool. But I repeat, that's IMHO and other opinions are valid here. 8)


After talking to the developer, we found out the reason why WMQTool opens a queue with 'get' authority along with 'browse'. WMQTool provides a context sensitive menu on each message while browsing a queue. This menu includes the option 'Delete message' which requires a destructive read, get. That is why WMQTool opens a queue with get while browsing. You can easily turn 'Delete message' option off, by unchecking one option in settings, to exclude the 'get' authority on browsing a queue.

So... it works as expected.

Felix
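The resolution above is the general rule, not a WMQTool quirk: the OAM authorizes MQOPEN by mapping each MQOO_* open option the caller sets to one authority, and any MQOO_INPUT_* option (which a destructive "delete this message" needs) maps to `get`, regardless of whether MQOO_BROWSE is also set. The block below is an added example, not code from the thread, from WMQTool or from IBM MQ: it models that check so you can see which authorities a given option word demands and which ones a principal with the thread's `** : browse inq dsp` profile is missing. The MQOO_* values are the constants from IBM MQ's cmqc.h and the option-to-authority mapping is the documented OAM one; which MQOO_INPUT_* flavour WMQTool actually used is not stated in the thread, so MQOO_INPUT_SHARED below is an assumption (all three INPUT options map to `get`, so the outcome is the same).

```python
"""
Model of the OAM check done at MQOPEN: which authorities a set of MQOO_*
open options requires, and which of those the entity has not been granted.

Added example, not from the thread or from IBM MQ. MQOO_* values are the
cmqc.h constants; the option-to-authority mapping is the one the OAM applies.
Which MQOO_INPUT_* option WMQTool set is an assumption (see BROWSE_WITH_DELETE).
"""

# MQOPEN options (values from cmqc.h)
MQOO_INPUT_AS_Q_DEF        = 0x00000001
MQOO_INPUT_SHARED          = 0x00000002
MQOO_INPUT_EXCLUSIVE       = 0x00000004
MQOO_BROWSE                = 0x00000008
MQOO_OUTPUT                = 0x00000010
MQOO_INQUIRE               = 0x00000020
MQOO_SET                   = 0x00000040
MQOO_PASS_IDENTITY_CONTEXT = 0x00000100
MQOO_PASS_ALL_CONTEXT      = 0x00000200
MQOO_SET_IDENTITY_CONTEXT  = 0x00000400
MQOO_SET_ALL_CONTEXT       = 0x00000800

# Open option bit -> OAM authority it requires (setmqaut spelling).
# Every INPUT_* option is a destructive open and needs 'get'; BROWSE alone
# needs only 'browse'.
OPTION_TO_AUTHORITY = (
    (MQOO_INPUT_AS_Q_DEF,        "get"),
    (MQOO_INPUT_SHARED,          "get"),
    (MQOO_INPUT_EXCLUSIVE,       "get"),
    (MQOO_BROWSE,                "browse"),
    (MQOO_OUTPUT,                "put"),
    (MQOO_INQUIRE,               "inq"),
    (MQOO_SET,                   "set"),
    (MQOO_PASS_IDENTITY_CONTEXT, "passid"),
    (MQOO_PASS_ALL_CONTEXT,      "passall"),
    (MQOO_SET_IDENTITY_CONTEXT,  "setid"),
    (MQOO_SET_ALL_CONTEXT,       "setall"),
)


def required_authorities(open_options):
    """Authorities the OAM checks for this MQOPEN option word, deduplicated, in bit order."""
    required = []
    for bit, auth in OPTION_TO_AUTHORITY:
        if open_options & bit and auth not in required:
            required.append(auth)
    return required


def oam_check(granted, open_options):
    """Return the authorities that are required but not granted ([] means MQOPEN succeeds)."""
    return [a for a in required_authorities(open_options) if a not in granted]


def amq8077(entity, obj, unauthorized):
    """Render the denial the way AMQERR01.LOG reports it."""
    return (f"AMQ8077: Entity '{entity}' has insufficient authority to access object "
            f"'{obj}'. The following requested permissions are unauthorized: "
            + " ".join(unauthorized))


# The thread's generic profile: entity mymcauser, object **: browse inq dsp
GRANTED_ON_STAR = {"browse", "inq", "dsp"}

# What WMQTool asks for with 'Delete message' enabled: a browse cursor plus a
# destructive input option for the delete. INPUT_SHARED is an assumption;
# any INPUT_* option would require 'get' just the same.
BROWSE_WITH_DELETE = MQOO_BROWSE | MQOO_INPUT_SHARED | MQOO_INQUIRE

# What a read-only browser should ask for.
BROWSE_ONLY = MQOO_BROWSE | MQOO_INQUIRE


if __name__ == "__main__":
    for label, opts in (("delete enabled", BROWSE_WITH_DELETE), ("browse only", BROWSE_ONLY)):
        missing = oam_check(GRANTED_ON_STAR, opts)
        print(f"{label:<15} requires {required_authorities(opts)} -> ",
              "MQOPEN OK" if not missing else amq8077("mymcauser", "mai.dummy", missing))
```

The two checks you would run on the queue manager to confirm what the model says are `dspmqaut -m <qmgr> -t queue -n mai.dummy -p mymcauser` (effective authorities for the principal, including those inherited from the `**` profile) and, for the browse-only grant itself, `setmqaut -m <qmgr> -t queue -n mai.dummy -p mymcauser +browse +inq +dsp`. If the client still fails with `unauthorized: get` after that, the client is setting an MQOO_INPUT_* option and the fix belongs in the client, not in the authorization profile.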