ivanachukapawn |
Posted: Wed Jun 08, 2011 7:20 am Post subject: OAM authority to connect |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
I ran this command (in order to facilitate a client MO71 connection).
Code:
setmqaut -m TEST -t qmgr -p h12345 +connect
I then runmqsc TEST and successfully refreshed security. I expected the user (logged in as h12345) to connect to the TEST queue manager - however, this user gets
when attempting the connect. What am I missing? |
 |
skoobee |
Posted: Wed Jun 08, 2011 7:33 am Post subject: |
|
|
Acolyte
Joined: 26 Nov 2010 Posts: 52
|
You also need +inq for a qmgr.
BTW, refresh security is used when OS users/groups are changed, not when WMQ is. |
 |
exerk |
Posted: Wed Jun 08, 2011 8:13 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
And be very aware of the frequently unintended consequences of giving principals authorities; give authorities to groups instead.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
 |
ivanachukapawn |
Posted: Wed Jun 08, 2011 8:18 am Post subject: |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
Don't the groups have to be local? This user has a domain account and is a member of a domain group.
 |
exerk |
Posted: Wed Jun 08, 2011 8:22 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
You didn't state it was Windows and I was making no assumptions...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
 |
ivanachukapawn |
Posted: Thu Jun 09, 2011 6:16 am Post subject: |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
Thanks guys. I put in +inq and +allmqi for SYSTEM.DEFAULT.MODEL.QUEUE and SYSTEM.ADMIN.COMMAND.QUEUE and the user got a connection via MO71. I thought it would be a simple matter to get this user access to the queue ABC via
Code:
setmqaut -m TEST -n ABC -t queue -p x12345 +allmqi +inq +alladm
However, this doesn't work. When the user tries to find the queue ABC, he/she receives a not authorized message. |
 |
zpat |
Posted: Thu Jun 09, 2011 6:22 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
What does the MQ log say?
Or enable AUTH events and look at the event message. |
 |
PeterPotkay |
Posted: Thu Jun 09, 2011 12:30 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
MO71 talks to the QM via the SYSTEM.ADMIN.COMMAND.QUEUE, so it needs access to that queue. Or to an Alias Q that refers to it.
You can avoid access to the SYSTEM.DEFAULT.MODEL.QUEUE by predefining an MO71 queue, and giving access to that instead.
_________________
Peter Potkay
Keep Calm and MQ On
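
The grants suggested across this thread, collected as an added example that is not code from any poster: group-based authority on the queue manager, the command queue and a predefined reply queue, plus the AUTH events switch. The group name, the reply queue name and the exact authority sets on the two queues are assumptions to be checked against `dspmqaut` output and the authority events.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the commands for review only;
# pipe the output to sh on the queue manager host to apply them.
mo71_grants() {
    [ $# -eq 3 ] || { echo "usage: mo71_grants QMGR GROUP REPLYQ" >&2; return 2; }
    qmgr=$1     # queue manager, TEST in the thread
    group=$2    # hypothetical group that holds the MO71 users
    replyq=$3   # hypothetical predefined reply queue for MO71

    # The output is meant to be fed to a shell, so refuse anything that is
    # not a plain name (this also rejects group@domain forms; extend if needed).
    for v in "$qmgr" "$group" "$replyq"; do
        case $v in
            ''|*[!A-Za-z0-9._]*) echo "invalid name: $v" >&2; return 2 ;;
        esac
    done

    cat <<EOF
echo "DEFINE QLOCAL($replyq)" | runmqsc $qmgr
setmqaut -m $qmgr -t qmgr -g $group +connect +inq
setmqaut -m $qmgr -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $group +put +inq
setmqaut -m $qmgr -n $replyq -t queue -g $group +get +inq +browse +dsp
echo "ALTER QMGR AUTHOREV(ENABLED)" | runmqsc $qmgr
dspmqaut -m $qmgr -t qmgr -g $group
dspmqaut -m $qmgr -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $group
EOF
}

# Example: sh this_script.sh TEST mqmo71 MO71.REPLY.Q
if [ $# -eq 3 ]; then mo71_grants "$@"; fi
```

With AUTHOREV enabled, each refused request produces a "not authorized" event message on SYSTEM.ADMIN.QMGR.EVENT, which identifies the user and the object involved.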