just don't get it ... MQExplorer +get on S.A.C.Q?
flaufer
Posted: Mon Mar 19, 2012 11:41 pm    Post subject: just don't get it ... MQExplorer +get on S.A.C.Q?

Acolyte

Joined: 08 Dec 2004
Posts: 59

Folks,

I'm reviewing our security and have a section for MQExplorer users and how OAM needs to be set to allow MQExplorer to work. Apart from the usual OAM settings for the objects I want to grant users access to, I'm really wondering (and can't find any explanation that explains to me) why an MQExplorer User requires +get access to the SYSTEM.ADMIN.COMMAND.QUEUE.

I can figure out why it needs +put (of course), but not +browse or +get access.

Maybe I'm just not enlightened enough, but my impression was that only the command server reads from the S.A.C.Q.

(We run the SVRCONN chl with a blank mcauser setting using the client's mcauser and block certain critical users with a self-written security exit, e.g. mqm and a few more).

Cheers,
Felix
mqjeff
Posted: Tue Mar 20, 2012 5:07 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

SACQ is used as a model for the replytoqueue.

At least, as I understand it.
flaufer
Posted: Tue Mar 20, 2012 5:21 am    Post subject: SYSTEM.MQEXPLORER.REPLY.MODEL?

Acolyte

Joined: 08 Dec 2004
Posts: 59

mqjeff wrote:
SACQ is used as a model for the replytoqueue.

At least, as I understand it.


Jeff,

wouldn't that be the SYSTEM.MQEXPLORER.REPLY.MODEL queue instead?

Felix
bruce2359
Posted: Tue Mar 20, 2012 5:24 am

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

A simple test would be to -get from that queue profile to see what happens.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Mr Butcher
Posted: Tue Mar 20, 2012 5:37 am

Padawan

Joined: 23 May 2005
Posts: 1716

However, this browse or get is not in the manuals.... ?!?

Code:

To connect to a remote queue manager and perform remote administrative tasks using the WebSphere MQ Explorer, the user executing the WebSphere MQ Explorer is required to have the following authorities:
- CONNECT authority on the target queue manager object
- INQUIRE authority on the target queue manager object
- DISPLAY authority to the target queue manager object
- INQUIRE authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
- DISPLAY authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
- INPUT authority to the queue, SYSTEM.MQEXPLORER.REPLY.MODEL
- OUTPUT authority to the queue, SYSTEM.ADMIN.COMMAND.QUEUE
- Authority to perform the action selected

_________________
Regards, Butcher
flaufer
Posted: Tue Mar 20, 2012 5:51 am

Acolyte

Joined: 08 Dec 2004
Posts: 59

Mr Butcher wrote:
However, this browse or get is not in the manuals.... ?!?


Shame on me, I thought I've read it thoroughly... but then I maybe overinterpreted a blog post I found.

Thanks,
Felix
bruce2359
Posted: Tue Mar 20, 2012 6:18 am

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

flaufer wrote:
Mr Butcher wrote:
However, this browse or get is not in the manuals.... ?!?


Shame on me, I thought I've read it thoroughly... but then I maybe overinterpreted a blog post I found.

Thanks,
Felix

What blog post? Can you post the URL here, please?
flaufer
Posted: Tue Mar 20, 2012 6:33 am

Acolyte

Joined: 08 Dec 2004
Posts: 59

bruce2359 wrote:
flaufer wrote:
Mr Butcher wrote:
However, this browse or get is not in the manuals.... ?!?


Shame on me, I thought I've read it thoroughly... but then I maybe overinterpreted a blog post I found.

Thanks,
Felix

What blog post? Can you post the URL here, please?


I think it must have been this:

http://hursleyonwmq.wordpress.com/2007/02/08/using-websphere-mq-explorer-as-a-read-only-viewer/

Code:

Next, you need to give permission to the queues that WMQ Explorer will need:

setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p YOUR_USER_NAME +get +browse +inq
setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p YOUR_USER_NAME +get +browse +inq +put
setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p YOUR_USER_NAME +inq +browse +get +dsp


Cheers,
Felix
mqjeff
Posted: Tue Mar 20, 2012 6:38 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

That blog post is probably out of date. You should compare with the docs.
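
The comparison suggested above, as an added example that is not part of the thread: a POSIX shell check that reads the blog's three setmqaut lines and reports every authority they grant beyond the manual excerpt quoted earlier. The function names and the mapping of the manual's terms to setmqaut keywords (INQUIRE=+inq, DISPLAY=+dsp, INPUT=+get, OUTPUT=+put) are assumptions of this example.

```shell
#!/bin/sh
# Documented minimum per queue, from the manual excerpt quoted in the thread,
# written as setmqaut keywords (assumed mapping: INQUIRE=+inq, DISPLAY=+dsp,
# INPUT=+get, OUTPUT=+put).
documented_auths() {
    case "$1" in
        SYSTEM.MQEXPLORER.REPLY.MODEL) echo "+inq +dsp +get" ;;
        SYSTEM.ADMIN.COMMAND.QUEUE)    echo "+put" ;;
        *)                             echo "" ;;  # queue not named in the excerpt
    esac
}

# Reads setmqaut command lines on stdin and prints "<queue> <authority>" for
# every authority granted on a queue that the excerpt does not list.
excess_auths() {
    while read -r line; do
        set -f; set -- $line; set +f        # split into words, no globbing
        [ "$1" = "setmqaut" ] || continue
        obj=""; otype=""; grants=""
        while [ $# -gt 0 ]; do
            case "$1" in
                -n) obj=$2 ;;
                -t) otype=$2 ;;
                +*) grants="$grants $1" ;;
            esac
            shift
        done
        case "$otype" in q|queue) ;; *) continue ;; esac   # queue profiles only
        allowed=" $(documented_auths "$obj") "
        for a in $grants; do
            case "$allowed" in
                *" $a "*) ;;                # documented, nothing to report
                *) echo "$obj $a" ;;        # granted but not in the excerpt
            esac
        done
    done
}

# The three commands from the blog post quoted in the thread (placeholders as posted).
blog_grants() {
    cat <<'EOF'
setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p YOUR_USER_NAME +get +browse +inq
setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p YOUR_USER_NAME +get +browse +inq +put
setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p YOUR_USER_NAME +inq +browse +get +dsp
EOF
}

blog_grants | excess_auths
```

For the blog's commands it reports +get, +browse and +inq on SYSTEM.ADMIN.COMMAND.QUEUE, +browse on SYSTEM.MQEXPLORER.REPLY.MODEL, and every grant on SYSTEM.DEFAULT.MODEL.QUEUE, which the excerpt does not mention.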