| Author |
Message
|
| Mr Butcher |
 Posted: Wed Oct 17, 2012 3:09 am Post subject: Filter MQ objects in MQ Explorer accessing zOS qmgr |
 |
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
Hello,
I want to use MQ Explorer to give some people access to MQSeries on z/OS.
I want to restrict those group of people to see only a specific set of objects.
Unfortunately, on z/OS, there is no MQADMIN class involved when displaying objects. Once i give that RACF group access to the
qmgr.DISPLAY MQCMDS profile they are allowed to see all objects defined in the queuemanager
(IMHO this works different on distributed plattforms)
So i am not able to limit the objects displayed by using z/OS MQADMIN security profiles.
I checked out MQ Explorer filtering, which would be a solution, but
the filters are very primitive. I can do something like "Queue name like
ABC*", but i can not do something like "Queue Name like ABC* or XYZ*". I need two different filters for that.
Is there any other solution available for MQSeries Explorer to limit the objects visible for a user?!?
Please no tool discussion, i know there are others around, but i like to have a MQ explorer solution......
_________________
Regards, Butcher |
|
| Back to top |
|
 |
| mqjeff |
| Posted: Wed Oct 17, 2012 3:46 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Presumably it's insufficient for users to be prevented from accessing or managing queues that don't match?
They have to also be prevented from knowing that any queues other than the ones in question match? |
|
| Back to top |
|
|
| Mr Butcher |
| Posted: Wed Oct 17, 2012 5:42 am Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
It is not a security issue i have with that.
I just want them to focus on "their" objects, rather then to search and pick them between others. It is more a matter of comfort.
So i don't mind if it is a client-based solution, that someone may switch off or circumvent ....
_________________
Regards, Butcher |
|
| Back to top |
|
|
| nathanw |
| Posted: Wed Oct 17, 2012 6:20 am Post subject: |
|
|
Knight
Joined: 14 Jul 2004
Posts: 550
|
MO71? You can filter views in there
_________________
Who is General Failure and why is he reading my hard drive?
Artificial Intelligence stands no chance against Natural Stupidity.
Only the User Trace Speaks The Truth  |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Oct 17, 2012 6:48 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
I suspect that the limit in MQExplorer is tied to the limit in the WHERE Clause in MQSC which is tied to the limit in the implementation behind MQSC/PCF messages.
That said, is it a significant burden to give them multiple filters, where they have to switch between filters to get different, smaller views? Or will they need to specifically address a combined filter in order to properly do the job?
It's worth the effort to file an RFE either way. |
|
| Back to top |
|
|
| Mr Butcher |
| Posted: Wed Oct 17, 2012 9:09 pm Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
@ nathanw
| Quote: |
| Please no tool discussion, i know there are others around, but i like to have a MQ explorer solution...... |
@mqjeff
i also though of defining multiple filters, but thats not very comfortable and will not provide an quick overview i want to provide.
Maybe some more background.
That access to MQseries is for helpdesk or customer support that are not very familiar with MQ. But - in case the customer has a problem the customer will hit them first. In most cases, people suspect that there is a problem with MQ or the network line (in 99,999% it is not), and thats the first thing they ask us to check. And i want to enable the helpdesk to do this task instead of getting all those calls routed to MQSeries administration.
Now - in addition - the customer person calling may not be an MQ expert too, so the communication will be on a very unspecific MQ level (e.g. "could you please check my MQ connection" instead of "could you please check MQ channel abc", or "could you please check if my messages on queue xyz have been processed".
Thats why i like to have an overview of all objects that belong to this application, e.g. all channels, so the customer support can see if there is any channel not running in the channel view, or if there is any queue having queuedepth > 0 in the queue view.
I know this is also related to monitoring, and we do monitor channels and queues, and we will be alerted if a channel is running or if there are messages piling up. Thats okay. I want to catch all those "is there something wrong in MQ" when this is not the case ......
One solution that came into my mind is to use "*" for filtering the object name and then use the "and" option to filter on a different object attribute that is the same for all objects for this application, e.g. let the description start with some unique characters and then filter on that. However, i would prefer a multiple name selection, just in case someone creates objects manually and does not keep the convention......
_________________
Regards, Butcher |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Oct 17, 2012 10:39 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Usually that access is given through your monitoring tool and the operational displays you build therein. Any specific reason for trying to do that in MQE? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Mr Butcher |
| Posted: Wed Oct 17, 2012 10:48 pm Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
because MQE is already in use for other reasons..........
_________________
Regards, Butcher |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Oct 18, 2012 3:45 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
There isn't a mechanism that I can see for manually editing the filter xml file to allow for more than one kind of thing to be filtered on. 
There isn't a published api for creating your own filters. So it doesn't appear that one can write an MQExplorer plugin to add this. |
|
| Back to top |
|
|
| Mr Butcher |
| Posted: Thu Oct 18, 2012 3:52 am Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
thanks for having a look at it!
_________________
Regards, Butcher |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Oct 18, 2012 4:11 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
I will amend myself a minute.
It is entirely possible to write an MQExplorer plugin to provide this. But it requires creating an entirely new tree node to represent a "filtered view" and then implementing all of the views yourself.
But there's no easy way to implement a new filter. |
|
| Back to top |
|
|
| nathanw |
| Posted: Thu Oct 18, 2012 4:25 am Post subject: |
|
|
Knight
Joined: 14 Jul 2004
Posts: 550
|
@Butcher Apologies I did not see that line in your post.
However, judging by the other responses it may be that you need to use a different tool.
As mentioned MO71 but there is also MQ Visual Browse from capitalWare I know of a few places that use it for exactly what you want to do.
Only other thing I can suggest is as jeff has said and build your own with everything and then create a subset of that for each department / division
_________________
Who is General Failure and why is he reading my hard drive?
Artificial Intelligence stands no chance against Natural Stupidity.
Only the User Trace Speaks The Truth |
|
| Back to top |
|
|
| cicsprog |
| Posted: Thu Oct 18, 2012 7:27 am Post subject: |
|
|
Partisan
Joined: 27 Jan 2002
Posts: 347
|
| already mentioned...nevermind |
|
| Back to top |
|
|
| Mr Butcher |
| Posted: Thu Oct 18, 2012 9:36 pm Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
thank you all for the comments and suggestions.
I dont want people to use tool A for queuemanager X, and tool B for queuemanager Y.
As this is only a matter of comfort, all complex and/or expensive solutions can not be taken into account.
So i will stay with the description filter for the moment .....
_________________
Regards, Butcher |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Oct 19, 2012 4:51 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
have you thought about assigning each group an SSL cert and a channel with an MCAUser? This way you set up the authorizations in RACF at the profile level. Each group has only view into what they are authorized for... (inq/dsp/browse/get/put).
Yes I know zOS, number of channels limited (7?)
The alternative is have them use a tool like mo71 with an authorization profile
Have fun
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
