belchman | Posted: Fri Apr 12, 2019 9:33 am | Post subject: setmqaut for full admin access
Partisan | Joined: 31 Mar 2006 | Posts: 386 | Location: Ohio, USA
I have my QMgr LDAP enabled and my ID is in the mqm LDAP group and I have done what is here:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.sec.doc/q013750_.htm
Yet I still get
Quote:
AMQ8245W: Entity 'myID' has insufficient authority to display object
mySvrconn [channel].
EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
Even though I have done this:
Quote:
setmqaut -m CMMQD_1 -n '**' -t channel -g g.CMMQD_1.mqm +dsp
Now on channels, I have:
Quote:
profile: **
object type: channel
entity: cn=g.CMMQD_1.mqm,ou=MQSeries,ou=apps,ou=b2e,dc=test53,dc=com
entity type: group
authority: dlt chg dsp ctrl ctrlx
I have not added +dsp to:
Quote:
setmqaut -m CMMQD_1 -n @class -t channel -g g.CMMQD_1.mqm +crt
Can anyone offer up any help? I try to come here before I open an ESR.
_________________ Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
belchman | Posted: Fri Apr 12, 2019 10:10 am
Partisan | Joined: 31 Mar 2006 | Posts: 386 | Location: Ohio, USA
No worries all. I am stumped too. I will ask IBM for a clue.
PeterPotkay | Posted: Fri Apr 12, 2019 3:50 pm
Poobah | Joined: 15 May 2001 | Posts: 7722
Did you add
Code:
setmqaut -m QMgrName -n @class -t channel -g GroupName +crt
_________________ Peter Potkay
Keep Calm and MQ On
belchman | Posted: Sat Apr 13, 2019 2:23 am
Partisan | Joined: 31 Mar 2006 | Posts: 386 | Location: Ohio, USA
Peter,
I have that +crt allowance but I did not add +dsp allowance to it. I am not really sure what -n @class is.
hughson | Posted: Sat Apr 13, 2019 2:58 am
Padawan | Joined: 09 May 2013 | Posts: 1959 | Location: Bay of Plenty, New Zealand
It would be interesting to see the output of the following command. This is a way of asking the same question that was asked of the OAM to result in the error message.
MQSC command:
Code:
DISPLAY ENTAUTH PRINCIPAL('myID') OBJTYPE(CHANNEL) OBJNAME('mySvrconn')
Can you also tell us what you were trying to do which resulted in the authorization error?
Cheers,
Morag
P.S. @class is the class of objects, in your case channels, that the entity (user or group) is allowed to create. You cannot restrict a user to only be able to create objects of a certain name. If you can create one channel you can create a channel of any name. +dsp is not meaningful on @class.
_________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
belchman | Posted: Sat Apr 13, 2019 3:36 am
Partisan | Joined: 31 Mar 2006 | Posts: 386 | Location: Ohio, USA
Morag,
Here is your output
Quote:
DISPLAY ENTAUTH PRINCIPAL('myID') OBJTYPE(CHANNEL) OBJNAME('mySVRCONN')
1 : DISPLAY ENTAUTH PRINCIPAL('myID') OBJTYPE(CHANNEL) OBJNAME('mySVRCONN')
AMQ8866I: Display entity authority details.
OBJNAME(mySVRCONN) ENTITY(myID)
ENTTYPE(PRINCIPAL) OBJTYPE(CHANNEL)
AUTHLIST( )
To answer your question
I am in MQ Explorer on a remote Windows box. I can connect to the queue manager as myID. When I select the channels item for the queue manager, I get the error. It also happens for AUTHINFO, LISTENER, NAMELIST, PROCESS and SERVICE.
These are the setmqaut commands I ran
Quote:
setmqaut -m CMMQD_1 -n '**' -t queue -g GroupName +alladm +browse
setmqaut -m CMMQD_1 -n @class -t queue -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g g.CMMQD_1.mqm +dsp +inq +put
setmqaut -m CMMQD_1 -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g g.CMMQD_1.mqm +dsp +inq +get
setmqaut -m CMMQD_1 -n '**' -t topic -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t topic -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t channel -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t channel -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t clntconn -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t clntconn -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t authinfo -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t authinfo -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t listener -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t listener -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t namelist -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t namelist -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t process -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t process -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t service -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t service -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -t qmgr -g g.CMMQD_1.mqm +alladm +connect
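The empty AUTHLIST( ) above is the key observation: the OAM found no record for the principal or for any group it resolved the principal into, so the generic '**' profile never came into play. The model below is an added example, not code from this thread or from IBM MQ. It parses the kind of setmqaut records posted above and evaluates which authorities a principal accumulates for an object, so you can see how '**' grants dsp when the admin group is resolved, why @class is separate from named objects, and how an unresolved group membership produces exactly the empty AUTHLIST seen here. Assumptions, labelled in the code too: authorities from all matching profiles and groups are unioned (as dspmqaut reports cumulatively); wildcard matching follows the documented OAM generic-profile rules; @class matches only itself; SecurityPolicy, LDAP AUTHORMD search modes and the group-membership cache are not modelled. The sample commands are re-typed from the post above and only a subset is used.

```python
"""Simplified model of OAM authority accumulation (added illustration, not
IBM MQ code).  Assumptions: union over all matching profiles and groups;
documented wildcard rules; @class only matches itself; no SecurityPolicy,
LDAP AUTHORMD or group-cache behaviour is modelled."""
import re
from dataclasses import dataclass

# Authority groups as documented for setmqaut / dspmqaut.
ALLADM = frozenset({"chg", "clr", "dlt", "dsp", "ctrl", "ctrlx"})
ALLMQI = frozenset({"altusr", "browse", "connect", "get", "inq", "pub",
                    "put", "resume", "set", "setall", "setid", "sub"})
EXPANSIONS = {"alladm": ALLADM, "allmqi": ALLMQI, "all": ALLADM | ALLMQI}


@dataclass(frozen=True)
class AuthRec:
    profile: str
    objtype: str
    enttype: str          # "group" or "principal"
    entity: str
    auths: frozenset


def parse_setmqaut(cmd: str) -> AuthRec:
    """Parse one setmqaut command line (only the flags used in the thread)."""
    toks = cmd.split()
    if toks[0] != "setmqaut":
        raise ValueError("not a setmqaut command: %r" % cmd)
    opts, auths, i = {}, set(), 1
    while i < len(toks):
        t = toks[i]
        if t in ("-m", "-n", "-t", "-g", "-p"):
            opts[t] = toks[i + 1].strip("'\"")
            i += 2
        elif t[0] in "+-" and len(t) > 1:
            names = EXPANSIONS.get(t[1:], frozenset({t[1:]}))
            auths = auths | names if t[0] == "+" else auths - names
            i += 1
        else:
            raise ValueError("unexpected token %r" % t)
    enttype, entity = (("group", opts["-g"]) if "-g" in opts
                       else ("principal", opts["-p"]))
    # A -t qmgr record carries no -n; the profile is the queue manager itself.
    profile = opts.get("-n", opts["-m"])
    return AuthRec(profile, opts["-t"], enttype, entity, frozenset(auths))


def profile_matches(profile: str, objname: str) -> bool:
    """Generic profiles: ? = one char, * = within a qualifier, ** = zero or
    more whole qualifiers.  @class (assumption) matches only itself."""
    if profile.startswith("@") or objname.startswith("@"):
        return profile == objname
    pat = re.escape(profile)
    pat = pat.replace(r"\.\*\*", r"(?:\..*)?").replace(r"\*\*\.", r"(?:.*\.)?")
    pat = pat.replace(r"\*\*", ".*").replace(r"\*", "[^.]*").replace(r"\?", "[^.]")
    return re.fullmatch(pat, objname) is not None


def authorities(records, principal, groups, objtype, objname):
    """Union of authorities the principal holds on objname, via itself and
    every group the queue manager currently believes it belongs to."""
    entities = {("principal", principal)} | {("group", g) for g in groups}
    result = set()
    for r in records:
        if (r.objtype == objtype and (r.enttype, r.entity) in entities
                and profile_matches(r.profile, objname)):
            result |= r.auths
    return frozenset(result)


# Constructed sample: a subset of the records posted in the thread, re-typed.
THREAD_CMDS = [
    "setmqaut -m CMMQD_1 -n '**' -t channel -g g.CMMQD_1.mqm +alladm +dsp",
    "setmqaut -m CMMQD_1 -n @class -t channel -g g.CMMQD_1.mqm +crt",
    "setmqaut -m CMMQD_1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g g.CMMQD_1.mqm +dsp +inq +put",
    "setmqaut -m CMMQD_1 -t qmgr -g g.CMMQD_1.mqm +alladm +connect",
]
RECORDS = [parse_setmqaut(c) for c in THREAD_CMDS]


def channel_dsp(groups):
    """Can 'myID' display channel mySvrconn, given the groups the OAM resolved?"""
    return "dsp" in authorities(RECORDS, "myID", groups, "channel", "mySvrconn")


if __name__ == "__main__":
    # Membership resolved to the admin group: dsp arrives via profile '**'.
    print(sorted(authorities(RECORDS, "myID", {"g.CMMQD_1.mqm"}, "channel", "mySvrconn")))
    # Membership resolved only to a group no record mentions: AUTHLIST is
    # empty, which is what DISPLAY ENTAUTH showed in the thread.
    print(sorted(authorities(RECORDS, "myID", {"g.CMMQD_1.mqmmon"}, "channel", "mySvrconn")))
    # '**' does not reach @class; crt comes only from the explicit @class record.
    print(sorted(authorities(RECORDS, "myID", {"g.CMMQD_1.mqm"}, "channel", "@class")))
```

The practical check this encodes: when DISPLAY ENTAUTH (or dspmqaut) shows an empty list for a principal you believe is in an admin group, the records are rarely the problem; the group resolution is. Compare the groups the queue manager actually resolves (after REFRESH SECURITY, or by checking the LDAP AUTHORMD configuration) with the groups named in the records.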
hughson | Posted: Sat Apr 13, 2019 3:46 am
Padawan | Joined: 09 May 2013 | Posts: 1959 | Location: Bay of Plenty, New Zealand
How sure are you that principal 'myID' is in group g.CMMQD_1.mqm ?
Was it recently added to said group? Have you refreshed the queue manager's view of group memberships since you added it?
Cheers,
Morag
belchman | Posted: Mon Apr 15, 2019 10:09 am
Partisan | Joined: 31 Mar 2006 | Posts: 386 | Location: Ohio, USA
Morag,
I appreciate your attention to this a bunch.
All I know is if I look in the tool that says what entitlements the ID has, it says it has the entitlement g.CMMQD_1.mqm. It also says it has three lower level entitlements as well. They are mqmpuser, mqmusr and mqmmon, which each give lesser and lesser MQ privs. Perhaps it is stopping the search when it gets its first hit, like I have seen DataPower do.
I am going to get the lesser entitlements removed. I already made the request last week and would have thought they would be gone by now.
Is it a refresh security command that "refreshes the queue manager's view of group memberships"? If yes, I have issued only the basic REFRESH SECURITY commands.
hughson | Posted: Mon Apr 15, 2019 2:39 pm
Padawan | Joined: 09 May 2013 | Posts: 1959 | Location: Bay of Plenty, New Zealand
belchman wrote:
Is it a refresh security command that "refreshes the queue manager's view of group memberships"? If yes, I have issued only the basic REFRESH SECURITY commands.
Yes, REFRESH SECURITY causes the queue manager to forget any group memberships it previously knew and ask about them again. Restarting the queue manager does the same.
Did YOU issue the REFRESH SECURITY command? Did you have authority to do that? i.e. did it work?
Cheers,
Morag
belchman | Posted: Tue Apr 16, 2019 4:39 am
Partisan | Joined: 31 Mar 2006 | Posts: 386 | Location: Ohio, USA
Yes, I refreshed security. I did it from the Linux command line.
I am not authorized to issue refresh security from MQ Explorer on the remote host:
Quote:
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: chg
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.
fjb_saper | Posted: Tue Apr 16, 2019 7:49 am
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
On the other hand, if you want to look at stuff, I'd expect you'd have to allocate +alladm +inq +dsp.
You might need to check and make sure whether alladm includes any of inq or dsp...
Have fun
_________________ MQ & Broker admin
rujova | Posted: Tue Apr 16, 2019 8:17 am
Novice | Joined: 07 Jan 2015 | Posts: 13
hughson wrote:
Did YOU issue the REFRESH SECURITY command? Did you have authority to do that? i.e. did it work?
Cheers,
Morag
Hey @belchman, did you grant the authority records from the runmqsc console using a super user (root or mqm member)?
Code:
> runmqsc QMGR_NAME
SET AUTHREC PROFILE('CHANNEL_NAME') PRINCIPAL('USER@DOMAIN') OBJTYPE(CHANNEL) AUTHADD(DSP)
REFRESH SECURITY(*) TYPE(CONNAUTH)
It's probably the same as @Peter and @Morag suggested, but it worked for me.
Did you set the MCA user for the channel?
_________________ Looking Forward,
Rujova
belchman | Posted: Tue Apr 16, 2019 9:16 am
Partisan | Joined: 31 Mar 2006 | Posts: 386 | Location: Ohio, USA
No. I issued setmqaut commands from the command line as specified earlier in this thread. I issued those commands while logged on as mqm because I could not connect to the queue manager as myself from the MQ Explorer jump box.
We use MQ Explorer on a jump box to control MQ Explorer proliferation and because we do not install MQ Explorer on every MQ node.
belchman | Posted: Tue Apr 16, 2019 9:22 am
Partisan | Joined: 31 Mar 2006 | Posts: 386 | Location: Ohio, USA
Right now I have 2 theories, in the order I think they are likely:
1) When MQ does a lookup of what group I am in, it stops when it finds the first hit. Perhaps that first hit is not g.cmmqd_1.mqm. It is something else, and I only ran the setmqaut commands for g.cmmqd_1.mqm. I am trying to get it set up so that my ID is only in the mqm group to test the theory out. I know I had the same issue with DataPower in the past.
2) The breakdown is due to how I am interfacing MQ Explorer. I am using the Connection Properties function on MQ Explorer 9 and have my ID in the ID field. Maybe I need something close to what is in LDAP.
I have a ticket open with IBM on this and they are waiting on info, but I have been delaying. I will update that ticket now. They want me to do some tracing.
belchman | Posted: Tue Apr 16, 2019 9:25 am
Partisan | Joined: 31 Mar 2006 | Posts: 386 | Location: Ohio, USA
I have 4 MQ groups in descending order of MQ OAM auth:
1) g.cmmqd_1.mqm
2) g.cmmqd_1.mqmpusr
3) g.cmmqd_1.mqmusr
4) g.cmmqd_1.mqmmon
My ID is in all 3. It was my brilliant way of thinking I could test. I think (cough) I was wrong-headed in that decision.