Filter MQ objects in MQ Explorer accessing zOS qmgr |
nathanw |
Posted: Fri Oct 19, 2012 5:23 am Post subject: |
|
|
 Knight
Joined: 14 Jul 2004 Posts: 550
|
@Mr Butcher
If you do resolve this in MQE I would be very interested in how. _________________ Who is General Failure and why is he reading my hard drive?
Artificial Intelligence stands no chance against Natural Stupidity.
Only the User Trace Speaks The Truth  |
mqjeff |
Posted: Fri Oct 19, 2012 5:29 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
nathanw wrote: |
@Mr Butcher
If you do resolve this in MQE I would be very interested in how. |
As he said, he is creating a filter on the DESC parameter, and then populating the relevant property of each object with the correct information. |
Mr Butcher |
Posted: Sun Oct 21, 2012 11:20 pm Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
fjb_saper wrote: |
Have you thought about assigning each group an SSL cert and a channel with an MCAUser? This way you set up the authorizations in RACF at the profile level. Each group has only view into what they are authorized for... (inq/dsp/browse/get/put). |
Yes. In fact I am already doing that, just without an SSL certificate. Their svrconn channel uses a specific MCA user, and I bound RACF security to that user. The problem is that the MQADMIN class used for resource security is not checked on the DISPLAY command. So you cannot limit access to objects being displayed..... I know that works on distributed, but z/OS is different here (sigh)  _________________ Regards, Butcher |
fjb_saper |
Posted: Mon Oct 22, 2012 9:04 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Mr Butcher wrote: |
fjb_saper wrote: |
Have you thought about assigning each group an SSL cert and a channel with an MCAUser? This way you set up the authorizations in RACF at the profile level. Each group has only view into what they are authorized for... (inq/dsp/browse/get/put). |
Yes. In fact I am already doing that, just without an SSL certificate. Their svrconn channel uses a specific MCA user, and I bound RACF security to that user. The problem is that the MQADMIN class used for resource security is not checked on the DISPLAY command. So you cannot limit access to objects being displayed..... I know that works on distributed, but z/OS is different here (sigh)  |
Is that a feature of z/OS or a bug?
On the other hand, does it matter? If you don't have inq authorization but have dsp, do you still see anything?  _________________ MQ & Broker admin |
bruce2359 |
Posted: Mon Oct 22, 2012 9:46 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
fjb_saper wrote: |
The problem is that the MQADMIN class used for resource security is not checked on the DISPLAY command. So you cannot limit access to objects being displayed..... |
The profile you need is the MQCMDS class. From there you can create an ssid.DISPLAY.pkw rule. pkw=primary keyword, like QLOCAL. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
Mr Butcher |
Posted: Mon Oct 22, 2012 11:20 pm Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
fjb_saper wrote: |
If you don't have inq authorization but have dsp do you still see anything? |
It is the same. MQADMIN is not checked, not for MQOO_INQUIRE and not for the DISPLAY command.
bruce2359 wrote: |
The profile you need is the MQCMDS class. From there you can create an ssid.DISPLAY.pkw rule. pkw=primary keyword, like QLOCAL. |
Yes, but that is not the point. I know I can use DISPLAY.pkw instead of DISPLAY.**. That would limit the command to a specific object type. But I need a limitation by object name, e.g. what you can do by using the MQADMIN class for the ALTER command. But MQADMIN is not checked for the DISPLAY command, so I cannot limit the object (names) displayed. _________________ Regards, Butcher |
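The distinction this exchange turns on, written out as RACF commands. This is an added example, not taken from any poster's configuration; the subsystem ID CSQ1, the group APPGRP1 and the queue prefix APP1 are constructed, and generic profiles are assumed to be enabled for both classes.

```tso
/* --- MQCMDS: command security, profile ssid.verb.pkw ------------- */
/* Checked for DISPLAY. Scopes by verb and object type only; there   */
/* is no qualifier for the object name in this profile.              */
RDEFINE MQCMDS CSQ1.DISPLAY.**      UACC(NONE)
RDEFINE MQCMDS CSQ1.DISPLAY.QLOCAL  UACC(NONE)
PERMIT  CSQ1.DISPLAY.QLOCAL CLASS(MQCMDS) ID(APPGRP1) ACCESS(READ)

/* --- ALTER: two checks, the second one is by object name --------- */
/* 1. MQCMDS decides whether the group may issue ALTER QLOCAL.       */
RDEFINE MQCMDS CSQ1.ALTER.QLOCAL    UACC(NONE)
PERMIT  CSQ1.ALTER.QLOCAL CLASS(MQCMDS) ID(APPGRP1) ACCESS(ALTER)

/* 2. MQADMIN (command resource security, ssid.QUEUE.queuename)      */
/*    decides which queue names that ALTER may touch.                */
RDEFINE MQADMIN CSQ1.QUEUE.APP1.**  UACC(NONE)
PERMIT  CSQ1.QUEUE.APP1.** CLASS(MQADMIN) ID(APPGRP1) ACCESS(ALTER)

/* DISPLAY gets only the MQCMDS check. The MQADMIN profile above is  */
/* not consulted for it, so it cannot narrow which queue names       */
/* APPGRP1 sees in DISPLAY QLOCAL output.                            */
```

With these profiles APPGRP1 can alter only queues matching APP1.**, while its DISPLAY QLOCAL access is granted or denied for the object type as a whole.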
rujova |
Posted: Mon Apr 15, 2019 2:57 pm Post subject: |
|
|
 Novice
Joined: 07 Jan 2015 Posts: 13
|
Hey @Mr Butcher, did you resolve the MQE restricted displaying issue? I am facing the same requirement.
Additionally, filtered views cause AMQ8077 errors, so the monitoring environment will notify every single registry. _________________ Looking Forward,
Rujova |
hughson |
Posted: Mon Apr 15, 2019 8:59 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
rujova wrote: |
Hey @Mr Butcher, did you resolve the MQE restricted displaying issue? I am facing the same requirement.
Additionally, filtered views cause AMQ8077 errors, so the monitoring environment will notify every single registry. |
You are on a distributed platform if you are receiving AMQ error messages. This thread (from 2012) is about z/OS.
Command resource security still does not apply to DISPLAY commands, if that is what you are asking. See the table on Profiles for command security in the V9.1 MQ Knowledge Center.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |