| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| setmqaut doesn't revoke authorizations to a queue |
« View previous topic :: View next topic » |
| Author |
Message
|
| yasaboy |
 Posted: Fri Nov 21, 2014 8:31 pm Post subject: setmqaut doesn't revoke authorizations to a queue |
 |
|
Voyager
Joined: 23 Jun 2014
Posts: 90
|
HI,
I want to remove all the permissions to access the TEST.OUTQUEUE1 for all the users and add +put and +inq privileges to only the user nev51. Following are my commands that doesn't work?
any suggestions ?
| Code: |
>dspmqaut -m TESTQMAN.1 -n TEST.OUTQUEUE1 -t queue -p dev51
Entity newcdev51 has the following authorizations for object TEST.OUTQUEUE1:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr
>setmqaut -m TESTQMAN.1 -n TEST.OUTQUEUE1 -t queue -p dev51 -remove
The setmqaut command completed successfully.
>dspmqaut -m TESTQMAN.1 -n TEST.OUTQUEUE1 -t queue -p dev51
Entity newcdev51 has the following authorizations for object TEST.OUTQUEUE1:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr
> |
|
|
| Back to top |
|
 |
| zpat |
| Posted: Fri Nov 21, 2014 11:54 pm Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5849
Location: UK
|
I always use the -all operand on all my setmqaut commands, this avoids the need to remove the profile.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sat Nov 22, 2014 3:16 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20697
Location: LI,NY
|
Something fishy: Why do you get the permissions for newdev51 displayed when you asked for the permissions for dev51 ??
Are you by chance on Unix Linux? What have you done to enable principal permissions? Which version of WMQ are you on? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Sat Nov 22, 2014 4:41 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7716
|
By applying setmqaut to the dev51 ID, you have granted that same access to the primary group of dev51, and so now all members of that group have the same access.
First research what the primary group is for dev51, then find out all the members of that group. Then decide what the ramifications are for removing all access for that group and all its members to clean up what you unintentionally granted.
This is the right way to do what you originally asked:
| Code: |
| setmqaut -m TESTQMAN.1 -n TEST.OUTQUEUE1 -t queue -g A_Group_That_dev51_Is_In -all +put +inq |
Like zpat said, always start with -all, then list specifically what you want. And on Unix, before MQ 8, always, always apply permissions to groups, never IDs.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
