Filter MQ objects in MQ Explorer accessing zOS qmgr
nathanw
Posted: Fri Oct 19, 2012 5:23 am

Knight

Joined: 14 Jul 2004
Posts: 550

@Mr Butcher

If you do resolve this in MQE I would be very interested in how.
_________________
Who is General Failure and why is he reading my hard drive?

Artificial Intelligence stands no chance against Natural Stupidity.

Only the User Trace Speaks The Truth
mqjeff
Posted: Fri Oct 19, 2012 5:29 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

nathanw wrote:
@Mr Butcher

If you do resolve this in MQE I would be very interested in how.


As he said, he is creating a filter on the DESC parameter, and then populating the relevant property of each object with the correct information.
Mr Butcher
Posted: Sun Oct 21, 2012 11:20 pm

Padawan

Joined: 23 May 2005
Posts: 1716

fjb_saper wrote:
Have you thought about assigning each group an SSL cert and a channel with an MCAUser? This way you set up the authorizations in RACF at the profile level. Each group has only view into what they are authorized for... (inq/dsp/browse/get/put).


Yes. In fact I am already doing that, just without an SSL certificate. Their svrconn channel uses a specific MCA user, and I bound RACF security to that user. The problem is that the MQADMIN class used for resource security is not checked on the DISPLAY command. So you cannot limit access to objects being displayed... I know that works on distributed, but z/OS is different here (sigh)
_________________
Regards, Butcher
fjb_saper
Posted: Mon Oct 22, 2012 9:04 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19996
Location: LI,NY

Mr Butcher wrote:
fjb_saper wrote:
Have you thought about assigning each group an SSL cert and a channel with an MCAUser? This way you set up the authorizations in RACF at the profile level. Each group has only view into what they are authorized for... (inq/dsp/browse/get/put).


Yes. In fact I am already doing that, just without an SSL certificate. Their svrconn channel uses a specific MCA user, and I bound RACF security to that user. The problem is that the MQADMIN class used for resource security is not checked on the DISPLAY command. So you cannot limit access to objects being displayed... I know that works on distributed, but z/OS is different here (sigh)


Is that a feature of z/OS or a bug?
On the other hand, does it matter? If you don't have inq authorization but have dsp, do you still see anything?
_________________
MQ & Broker admin
bruce2359
Posted: Mon Oct 22, 2012 9:46 am

Poobah

Joined: 05 Jan 2008
Posts: 8390
Location: US: west coast, almost. Otherwise, enroute.

fjb_saper wrote:
The problem is that the MQADMIN class used for resource security is not checked on the DISPLAY command. So you cannot limit access to objects being displayed...

The profile you need is the MQCMDS class. From there you can create an ssid.DISPLAY.pkw rule. pkw=primary keyword, like QLOCAL.
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
Mr Butcher
Posted: Mon Oct 22, 2012 11:20 pm

Padawan

Joined: 23 May 2005
Posts: 1716

fjb_saper wrote:
If you don't have inq authorization but have dsp do you still see anything?

It is the same. MQADMIN is not checked, not for MQOO_INQUIRE and not for DISPLAY command.


bruce2359 wrote:
The profile you need is the MQCMDS class. From there you can create an ssid.DISPLAY.pkw rule. pkw=primary keyword, like QLOCAL.


Yes, but that is not the point. I know I can use DISPLAY.pkw instead of DISPLAY.**. That would limit the command to a specific object type. But I need a limitation by object name, e.g. what you can do by using the MQADMIN class for the ALTER command. But MQADMIN is not checked for the DISPLAY command, so I cannot limit the object (names) displayed.
_________________
Regards, Butcher
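
The two RACF checks discussed in the posts above, written out as an added example that is not part of the thread or of any poster's configuration. The subsystem ID `CSQ1`, the group `MONGRP` and the queue prefix `APPA` are placeholders chosen for illustration.

```tso
/* Added example. CSQ1 (ssid), MONGRP (group) and APPA (queue      */
/* prefix) are placeholders, not values from the thread.           */

/* Command security, class MQCMDS: profile is ssid.verb.pkw.       */
/* READ lets MONGRP issue DISPLAY QLOCAL. The profile names an     */
/* object type only, so it covers every local queue on CSQ1.       */
RDEFINE MQCMDS CSQ1.DISPLAY.QLOCAL UACC(NONE)
PERMIT CSQ1.DISPLAY.QLOCAL CLASS(MQCMDS) ID(MONGRP) ACCESS(READ)

/* ALTER QLOCAL is checked twice. First the command profile in     */
/* MQCMDS ...                                                      */
RDEFINE MQCMDS CSQ1.ALTER.QLOCAL UACC(NONE)
PERMIT CSQ1.ALTER.QLOCAL CLASS(MQCMDS) ID(MONGRP) ACCESS(ALTER)

/* ... then the command resource profile in MQADMIN, which is      */
/* where the object name comes in (generic profiles must be        */
/* enabled for the class for the ** form to work).                 */
RDEFINE MQADMIN CSQ1.QUEUE.APPA.** UACC(NONE)
PERMIT CSQ1.QUEUE.APPA.** CLASS(MQADMIN) ID(MONGRP) ACCESS(ALTER)

/* Result: MONGRP can alter only queues named APPA.*, but the      */
/* MQADMIN profile is not consulted for DISPLAY, so MONGRP can     */
/* still display every local queue. There is no profile that       */
/* narrows DISPLAY by object name.                                 */

/* Refresh the in-storage profiles if the classes are RACLISTed.   */
SETROPTS RACLIST(MQCMDS MQADMIN) REFRESH
```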
rujova
Posted: Mon Apr 15, 2019 2:57 pm

Newbie

Joined: 07 Jan 2015
Posts: 5

Hey @Mr Butcher, did you resolve the MQE restricted displaying issue? I am facing the same requirement.

Additionally, filtered views cause AMQ8077 errors, so the monitoring environment will notify every single registry.
_________________
Looking Forward,

Rujova
hughson
Posted: Mon Apr 15, 2019 8:59 pm

Grand Master

Joined: 09 May 2013
Posts: 1117
Location: Bay of Plenty, New Zealand

rujova wrote:
Hey @Mr Butcher, did you resolve the MQE restricted displaying issue? I am facing the same requirement.

Additionally, filtered views cause AMQ8077 errors, so the monitoring environment will notify every single registry.

You are on a distributed platform if you are receiving AMQ error messages. This thread (from 2012) is about z/OS.

Command resource security still does not apply to DISPLAY commands, if that is what you are asking. See the table on Profiles for command security in the V9.1 MQ Knowledge Center.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software