mqjava
Posted: Fri Mar 18, 2011 7:22 am Post subject: MQ Security vs Groups
Voyager
Joined: 25 May 2009 Posts: 80 Location: New Jersey
Hi All,
I have a small doubt in setting up MQ Security; your help would be much appreciated. Below is the question:
I have GroupA with UserA1, UserA2 and GroupB with UserB.
GroupA has access to connect to QM, and PUT and GET to QUEUEA
GroupB has access to connect to QM, and PUT and GET to QUEUEB
Now if I add UserA to GroupB at OS level:
UserA1 will be able to PUT and GET to QUEUEB? (I think yes, since UserA1 is a member of GroupB)
UserA2 will be able to PUT and GET to QUEUEB?
Thanks.
mqjeff
Posted: Fri Mar 18, 2011 8:25 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
First off, MQ security depends on what platform you are on.
If you are on UNIX, it is not the user that is ever authorized. It is the primary group of the user.
If you are on Windows, it is the user, not the primary group.
If you are on z/OS, it is RACF.
Secondly, you have not explained at all the relationship between "UserA" and "UserA1" and "UserA2".
These are all three different words, so it is not clear how putting "UserA" into a group will make any difference for "UserA1".
So I have a small doubt on your question.
mqjava
Posted: Fri Mar 18, 2011 9:12 am
Voyager
Joined: 25 May 2009 Posts: 80 Location: New Jersey
mqjeff, thanks for the good explanation; I really appreciate your time.
I made a mistake while posting the question:
Quote:
Secondly, you have not explained at all the relationship between "UserA" and "UserA1" and "UserA2".
Below is the corrected question, and it is on the Unix platform:
Now if I add UserA1 to GroupB at OS level:
UserA1 will be able to PUT and GET to QUEUEB? (I think yes, since UserA1 is a member of GroupB)
UserA2 will be able to PUT and GET to QUEUEB?
bruce2359
Posted: Fri Mar 18, 2011 10:03 am
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
Test.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mqjava
Posted: Fri Mar 18, 2011 10:14 am
Voyager
Joined: 25 May 2009 Posts: 80 Location: New Jersey
I don't have Sys Admin access to change the user properties; that's the reason I posted the question here.
fjb_saper
Posted: Fri Mar 18, 2011 11:30 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
mqjava wrote:
mqjeff, thanks for the good explanation; I really appreciate your time.
I made a mistake while posting the question:
Quote:
Secondly, you have not explained at all the relationship between "UserA" and "UserA1" and "UserA2".
Below is the corrected question, and it is on the Unix platform:
Now if I add UserA1 to GroupB at OS level:
UserA1 will be able to PUT and GET to QUEUEB? (I think yes, since UserA1 is a member of GroupB)
I would expect so too.
mqjava wrote:
UserA2 will be able to PUT and GET to QUEUEB?
Why is UserA2 now also a member of GroupB? Or of the mqm group?
_________________
MQ & Broker admin
mqjava
Posted: Fri Mar 18, 2011 11:44 am
Voyager
Joined: 25 May 2009 Posts: 80 Location: New Jersey
fjb_saper wrote:
mqjava wrote:
UserA2 will be able to PUT and GET to QUEUEB?
Why is UserA2 now also a member of GroupB? Or of the mqm group?
UserA2 is not a member of GroupB and not a member of mqm. It's a member of GroupA alone.
But after adding UserA1 to GroupB, UserA1 has access to put & get to QUEUEB, and UserA1 and UserA2 are part of the same group, GroupA, so will UserA2 be able to PUT and GET to QUEUEB?
PeterPotkay
Posted: Fri Mar 18, 2011 12:34 pm
Poobah
Joined: 15 May 2001 Posts: 7722
The primary groups for each of these IDs are relevant.
_________________
Peter Potkay
Keep Calm and MQ On
skoobee
Posted: Mon Mar 21, 2011 2:37 pm
Acolyte
Joined: 26 Nov 2010 Posts: 52
Quote:
If you are on unix, it is not the user that is ever authorized. It is the primary group of the user.
No. The WMQ auth is the auth for all the groups the user is in.
mqjeff
Posted: Mon Mar 21, 2011 2:45 pm
Grand Master
Joined: 25 Jun 2008 Posts: 17447
skoobee wrote:
mqjeff wrote:
If you are on unix, it is not the user that is ever authorized. It is the primary group of the user.
No. The WMQ auth is the auth for all the groups the user is in.
Well, yes.
If you issue a setmqaut command against userA, the authorization is actually granted against the primary group of userA. So in this case, the primary group of userA is relevant.
However, if you attempt to connect as userA, the full group membership of userA is checked for authorization, and the privileges granted are some combination thereof. So in this case, the primary group of userA is not relevant.
mqdogsbody
Posted: Thu Apr 18, 2013 3:31 am
Acolyte
Joined: 01 Jun 2010 Posts: 71
mqjeff wrote:
the full group membership of userA is checked for authorization, and the privileges granted are some combination thereof.
That appears to clear up a doubt of mine. All the documentation for UNIX systems emphasizes the primary group. That makes sense when granting authorization.
But when authorization is checked, I kind of assume that (following the UNIX model) all the user's groups are checked.
Is this right, or am I making a false assumption? Though I have read more than a few pages in the MQ documentation, I have not seen that spelled out in black and white. For instance, I read:
Principals and groups wrote:
When a user is granted access to a particular resource, the user ID's primary group is included in the ACL, not the individual user ID, and authority is granted to all members of that group.
That probably means "all members of that group (regardless of whether it is their primary group)", but it is not explicit.
_________________
-- mqDB --
gbaddeley
Posted: Sun Apr 21, 2013 4:13 pm Post subject: Re: MQ Security vs Groups
Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
mqjava wrote:
Hi All,
I have a small doubt in setting up MQ Security; your help would be much appreciated. Below is the question:
I have GroupA with UserA1, UserA2 and GroupB with UserB.
GroupA has access to connect to QM, and PUT and GET to QUEUEA
GroupB has access to connect to QM, and PUT and GET to QUEUEB
Now if I add UserA to GroupB at OS level:
UserA1 will be able to PUT and GET to QUEUEB? (I think yes, since UserA1 is a member of GroupB)
UserA2 will be able to PUT and GET to QUEUEB?
Thanks.
It's good to see you have set up MQ security profiles based on Groups!
Quote:
Now if I add UserA to GroupB at OS level:
I assume you meant add UserA1...
If you are changing group memberships at the OS level, make sure that you do a REFRESH SECURITY in runmqsc so that the queue manager notices the change.
If a userid needs to access QUEUEB, MQ will check if they are a member (primary or secondary on UNIX) of GroupB.
Quote:
UserA1 will be able to PUT and GET to QUEUEB? (I think yes, since UserA1 is a member of GroupB)
Yes, you are correct.
Quote:
UserA2 will be able to PUT and GET to QUEUEB?
Are they in GroupB? No, so they will not have access. (Unless they have access via some other group membership and MQ security profile that you have not mentioned.)
_________________
Glenn
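The two rules the thread settles on (mqjeff: a setmqaut grant against a user lands on that user's primary group, while the check at connect/open time unions every group the user is in; gbaddeley: OS group changes are not seen until REFRESH SECURITY) can be walked through with a small model. The code below is an added example written for this page, not MQ's own implementation or anything posted in the thread. OsUser, OamModel and the scenario functions are constructed stand-ins; the docstrings name the real setmqaut, dspmqaut and REFRESH SECURITY commands they imitate, but nothing here talks to a queue manager.

```python
"""Constructed model of the UNIX WebSphere MQ OAM group semantics described
in this thread. Illustrative only; not MQ code and not tied to a real QM."""
from dataclasses import dataclass, field


@dataclass
class OsUser:
    """Constructed stand-in for the OS account database (passwd/group)."""
    name: str
    primary_group: str
    secondary_groups: set = field(default_factory=set)

    def groups(self):
        return {self.primary_group} | set(self.secondary_groups)


class OamModel:
    def __init__(self, os_users):
        self.os_users = {u.name: u for u in os_users}
        # ACL keyed by (object type, object name) -> {group: set of authorities}
        self.acl = {}
        # Membership snapshot the queue manager uses until REFRESH SECURITY
        self.cached_groups = {}
        self.refresh_security()

    def setmqaut(self, obj_type, obj_name, auths, group=None, principal=None):
        """Like `setmqaut -m QM -t <type> -n <name> -g <group> +auth ...`.
        With principal= (the -p form) the entry is stored against the
        principal's primary group, the UNIX behaviour mqjeff describes."""
        if (group is None) == (principal is None):
            raise ValueError("give exactly one of group= or principal=")
        if principal is not None:
            group = self.os_users[principal].primary_group
        entries = self.acl.setdefault((obj_type, obj_name), {})
        entries.setdefault(group, set()).update(auths)

    def refresh_security(self):
        """Like `REFRESH SECURITY` in runmqsc: re-read OS group membership."""
        self.cached_groups = {n: u.groups() for n, u in self.os_users.items()}

    def dspmqaut(self, obj_type, obj_name, user):
        """Like `dspmqaut -m QM -t <type> -n <name> -p <user>`: the union of
        authorities over every (cached) group the user belongs to."""
        entries = self.acl.get((obj_type, obj_name), {})
        auths = set()
        for g in self.cached_groups.get(user, set()):
            auths |= entries.get(g, set())
        return auths

    def is_authorized(self, user, obj_type, obj_name, auth):
        return auth in self.dspmqaut(obj_type, obj_name, user)


def build_thread_setup():
    """The original poster's starting point: GroupA -> QUEUEA, GroupB -> QUEUEB."""
    users = [OsUser("UserA1", "GroupA"), OsUser("UserA2", "GroupA"),
             OsUser("UserB", "GroupB")]
    oam = OamModel(users)
    oam.setmqaut("qmgr", "QM", {"connect"}, group="GroupA")
    oam.setmqaut("queue", "QUEUEA", {"put", "get"}, group="GroupA")
    oam.setmqaut("qmgr", "QM", {"connect"}, group="GroupB")
    oam.setmqaut("queue", "QUEUEB", {"put", "get"}, group="GroupB")
    return oam


def add_usera1_to_groupb():
    """Walk through the thread's question and return what each step yields."""
    oam = build_thread_setup()
    result = {"before": oam.dspmqaut("queue", "QUEUEB", "UserA1")}
    # OS-level change (what `usermod -a -G GroupB UserA1` would do on a real box)
    oam.os_users["UserA1"].secondary_groups.add("GroupB")
    # Until REFRESH SECURITY the queue manager still sees the old membership
    result["stale"] = oam.dspmqaut("queue", "QUEUEB", "UserA1")
    oam.refresh_security()
    result["UserA1"] = oam.dspmqaut("queue", "QUEUEB", "UserA1")
    result["UserA2"] = oam.dspmqaut("queue", "QUEUEB", "UserA2")
    return result


def principal_grant_pitfall():
    """Granting with -p UserA2 lands on GroupA, so UserA1 gains it as well."""
    oam = build_thread_setup()
    oam.setmqaut("queue", "QUEUEB", {"browse"}, principal="UserA2")
    return (oam.dspmqaut("queue", "QUEUEB", "UserA1"),
            oam.dspmqaut("queue", "QUEUEB", "UserA2"))


if __name__ == "__main__":
    print(add_usera1_to_groupb())
    print(principal_grant_pitfall())
```

The scenario function returns an empty set for UserA1 before the group change and again while the membership snapshot is stale, put and get for UserA1 after REFRESH SECURITY, and nothing for UserA2, which is exactly the answer given above. The second function shows why granting with -p is risky on UNIX: the browse authority intended for UserA2 is recorded against GroupA, so every member of GroupA, including UserA1, receives it; on a real queue manager you would confirm this with dspmqaut for each user before trusting the grant.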