setmqaut for full admin access
(MQSeries.net forum, General IBM MQ Support)
belchman
PostPosted: Fri Apr 12, 2019 9:33 am    Post subject: setmqaut for full admin access
I have my QMgr LDAP enabled and my ID is in the mqm LDAP group and I have done what is here:

https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.sec.doc/q013750_.htm

Yet I still get

Quote:
AMQ8245W: Entity 'myID' has insufficient authority to display object
mySvrconn [channel].

EXPLANATION:
The specified entity is not authorized to display the required object. The
following requested permissions are unauthorized: dsp
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.


Even though I have done this:

Quote:
setmqaut -m CMMQD_1 -n '**' -t channel -g g.CMMQD_1.mqm +dsp


Now on channels, I have:

Quote:
profile: **
object type: channel
entity: cn=g.CMMQD_1.mqm,ou=MQSeries,ou=apps,ou=b2e,dc=test53,dc=com
entity type: group
authority: dlt chg dsp ctrl ctrlx

I have not added +dsp to:

Quote:
setmqaut -m CMMQD_1 -n @class -t channel -g g.CMMQD_1.mqm +crt


Can anyone offer up any help? I try to come here before I open an ESR.
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
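The check behind the error above, as an added example that is not part of the original post or of IBM's tooling: ask the OAM, through dspmqaut -p, what the principal can do on each object type MQ Explorer lists when a queue manager is expanded, and print every required authority that is missing. dspmqaut -p reports the union of the principal's own records and those of every group the queue manager has resolved for it, so it answers the same question the OAM answered with AMQ8245W. Assumptions: dspmqaut is on PATH and run by someone allowed to use it (for example mqm); its output is a header line followed by one authority per line; the object names are the queue manager's default objects and the required-authority sets mirror the setmqaut list posted later in this thread, so adjust both to your standard.

```shell
#!/bin/sh
# check_explorer_auth.sh (added example, not from the thread): for one
# principal, list every authority MQ Explorer needs that the OAM does not
# currently grant it. dspmqaut -p already folds in the groups the queue
# manager has resolved for the principal.
#
# Assumed dspmqaut output shape, one authority per line after a header:
#   Entity myID has the following authorizations for object SYSTEM.DEF.SVRCONN:
#           dsp
#           chg
# Object names below are default objects; swap in your own.

# Authorities dspmqaut reports for TYPE NAME, space separated, empty if none.
# The qmgr object takes no -n. Uses the QMGR and PRINCIPAL variables.
effective_auths() {
    if [ "$1" = qmgr ]; then
        dspmqaut -m "$QMGR" -t qmgr -p "$PRINCIPAL" 2>/dev/null
    else
        dspmqaut -m "$QMGR" -n "$2" -t "$1" -p "$PRINCIPAL" 2>/dev/null
    fi | awk 'NF == 1 && $1 ~ /^[a-z]+$/ { print $1 }' | tr '\n' ' '
}

# Print "TYPE NAME: missing AUTH" for each required authority the principal
# lacks on one object. Returns 1 if anything was missing.
check_object() {
    otype="$1"; oname="$2"; shift 2
    have=" $(effective_auths "$otype" "$oname")"
    rc=0
    for need in "$@"; do
        case "$have" in
            *" $need "*) ;;
            *) echo "$otype $oname: missing $need"; rc=1 ;;
        esac
    done
    return $rc
}

# What Explorer needs (assumed, mirroring the thread's setmqaut list):
# connect/inq/dsp on the queue manager, put on the command queue, get on the
# reply model queue, and dsp on every object type it lists. Returns 1 if
# anything was missing, 0 if the principal can do all of it.
run_audit() {
    QMGR="$1"; PRINCIPAL="$2"; status=0
    check_object qmgr     "$QMGR"                          connect inq dsp || status=1
    check_object queue    SYSTEM.ADMIN.COMMAND.QUEUE       dsp inq put     || status=1
    check_object queue    SYSTEM.MQEXPLORER.REPLY.MODEL    dsp inq get     || status=1
    check_object channel  SYSTEM.DEF.SVRCONN               dsp             || status=1
    check_object authinfo SYSTEM.DEFAULT.AUTHINFO.IDPWLDAP dsp             || status=1
    check_object listener SYSTEM.DEFAULT.LISTENER.TCP      dsp             || status=1
    check_object namelist SYSTEM.DEFAULT.NAMELIST          dsp             || status=1
    check_object process  SYSTEM.DEFAULT.PROCESS           dsp             || status=1
    check_object service  SYSTEM.DEFAULT.SERVICE           dsp             || status=1
    return $status
}

# Usage: sh check_explorer_auth.sh QMGR PRINCIPAL  (silent, exit 0 when complete)
if [ $# -eq 2 ]; then
    run_audit "$1" "$2"
fi
```

Run it as mqm on the queue manager host with the same principal name Explorer presents. An empty answer for the channel while dmpmqaut shows dsp on the ** profile for the group means the OAM is not applying that group's records to this ID: either the queue manager does not resolve the ID into that group, or it cached the membership before the ID was added, which REFRESH SECURITY TYPE(AUTHSERV) or a restart clears.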
belchman
PostPosted: Fri Apr 12, 2019 10:10 am
No worries all. I am stumped too. I will ask IBM for a clue.
PeterPotkay
PostPosted: Fri Apr 12, 2019 3:50 pm
Did you add
Code:
setmqaut -m QMgrName -n @class -t channel -g GroupName +crt

_________________
Peter Potkay
Keep Calm and MQ On
belchman
PostPosted: Sat Apr 13, 2019 2:23 am
Peter,

I have that +crt allowance but I did not add +dsp allowance to it. I am not really sure what -n @class is.
hughson
PostPosted: Sat Apr 13, 2019 2:58 am
It would be interesting to see the output of the following command. This is a way of asking the same question that was asked of the OAM to result in the error message.

MQSC command:-
Code:
DISPLAY ENTAUTH PRINCIPAL('myID') OBJTYPE(CHANNEL) OBJNAME('mySvrconn')


Can you also tell us what you were trying to do which resulted in the authorization error?

Cheers,
Morag

P.S. @class is the class of objects, in your case channels, that the entity (user or group) is allowed to create. You cannot restrict a user to only be able to create objects of a certain name. If you can create one channel you can create a channel of any name. +dsp is not meaningful on @class.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
belchman
PostPosted: Sat Apr 13, 2019 3:36 am
Morag,

Here is your output

Quote:
DISPLAY ENTAUTH PRINCIPAL('myID') OBJTYPE(CHANNEL) OBJNAME('mySVRCONN')
1 : DISPLAY ENTAUTH PRINCIPAL('myID') OBJTYPE(CHANNEL) OBJNAME('mySVRCONN')
AMQ8866I: Display entity authority details.
OBJNAME(mySVRCONN) ENTITY(myID)
ENTTYPE(PRINCIPAL) OBJTYPE(CHANNEL)
AUTHLIST( )


To answer your question

I am in MQ Explorer on a remote Windows box. I can connect to queue manager as myID. When I select the channels item for the queue manager, I get the error. It also happens for AUTHINFO, LISTENER, NAMELIST, PROCESS and SERVICE.

These are the setmqaut commands I ran:

Quote:
setmqaut -m CMMQD_1 -n '**' -t queue -g GroupName +alladm +browse
setmqaut -m CMMQD_1 -n @class -t queue -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g g.CMMQD_1.mqm +dsp +inq +put
setmqaut -m CMMQD_1 -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g g.CMMQD_1.mqm +dsp +inq +get
setmqaut -m CMMQD_1 -n '**' -t topic -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t topic -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t channel -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t channel -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t clntconn -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t clntconn -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t authinfo -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t authinfo -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t listener -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t listener -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t namelist -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t namelist -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t process -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t process -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -n '**' -t service -g g.CMMQD_1.mqm +alladm +dsp
setmqaut -m CMMQD_1 -n @class -t service -g g.CMMQD_1.mqm +crt
setmqaut -m CMMQD_1 -t qmgr -g g.CMMQD_1.mqm +alladm +connect

hughson
PostPosted: Sat Apr 13, 2019 3:46 am
How sure are you that principal 'myID' is in group g.CMMQD_1.mqm ?

Was it recently added to said group? Have you refreshed the queue manager's view of group memberships since you added it?

Cheers,
Morag
belchman
PostPosted: Mon Apr 15, 2019 10:09 am
Morag,

I appreciate your attention to this a bunch.

All I know is if I look in the tool that says what entitlements the ID has, it says it has the entitlement g.CMMQD_1.mqm. It also says it has three lower level entitlements as well. They are mqmpuser, mqmusr and mqmmon that each give lesser and lesser MQ privs. Perhaps it is stopping the search when it gets its first hit like I have seen DataPower do.

I am going to get the lesser entitlements removed. I already made the request last week and would have thought they would be gone by now.

Is it a refresh security command that "refreshes the queue manager's view of group memberships"? If yes, I have issued only the basic REFRESH SECURITY commands.
hughson
PostPosted: Mon Apr 15, 2019 2:39 pm
belchman wrote:
Is it a refresh security command that "refreshes the queue manager's view of group memberships"? If yes, I have issued only the basic REFRESH SECURITY commands.

Yes, REFRESH SECURITY causes the queue manager to forget any group memberships it previously knew and ask about them again. Restarting the queue manager does the same.

Did YOU issue the REFRESH SECURITY command? Did you have authority to do that? i.e. did it work?

Cheers,
Morag
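Morag's two points above, whether the queue manager actually resolves myID into g.CMMQD_1.mqm and that REFRESH SECURITY makes it ask again, as an added example that is not part of the thread or of IBM's tooling: DISPLAY AUTHREC with MATCH(MEMBERSHIP) returns the records the queue manager applies to a principal on one object, including those of every group the OAM currently believes the principal belongs to, so it is the queue manager's own answer rather than LDAP's. Assumptions: runmqsc is on PATH and the caller may run it locally (for example as mqm); each record is printed after an AMQ8864I line as NAME(value) pairs, possibly several per line, ending with AUTHLIST(...); the group must be given exactly as the queue manager displays it (the DN in the dmpmqaut output earlier in this thread); the object names are placeholders.

```shell
#!/bin/sh
# qmgr_membership.sh (added example, not from the thread): report which
# authority records a queue manager applies to a principal on one object,
# including the records of every group it has resolved the principal into,
# and test whether one particular group is among them.
#
# Assumed DISPLAY AUTHREC output shape:
#   AMQ8864I: Display authority record details.
#      PROFILE(**)                    ENTITY(cn=g.CMMQD_1.mqm,ou=MQSeries,...)
#      ENTTYPE(GROUP)                 OBJTYPE(CHANNEL)
#      AUTHLIST(CHG,CTRL,CTRLX,DLT,DSP)

# Send one MQSC command to a queue manager and return runmqsc's output.
mqsc() {
    printf '%s\n' "$2" | runmqsc "$1" 2>/dev/null
}

# One tab-separated line per record: ENTTYPE, ENTITY, AUTHLIST.
# Arguments: queue manager, principal, object type, profile (object name).
# MATCH(MEMBERSHIP) asks for the records of the principal and of all the
# groups the queue manager currently resolves it into, on matching profiles.
membership_records() {
    mqsc "$1" "DISPLAY AUTHREC PROFILE('$4') OBJTYPE($3) PRINCIPAL('$2') MATCH(MEMBERSHIP)" \
    | awk '
        # A new record starts at AMQ8864I; drop anything collected so far
        # (this also discards the echoed command line, which has no AUTHLIST).
        /^AMQ8864I/ { for (k in rec) delete rec[k]; next }
        {
            line = $0
            while (match(line, /[A-Z]+\([^)]*\)/)) {
                pair = substr(line, RSTART, RLENGTH)
                p = index(pair, "(")
                rec[substr(pair, 1, p - 1)] = substr(pair, p + 1, length(pair) - p - 1)
                line = substr(line, RSTART + RLENGTH)
            }
            # AUTHLIST is the last attribute of a record: emit and reset.
            if ("AUTHLIST" in rec) {
                print rec["ENTTYPE"] "\t" rec["ENTITY"] "\t" rec["AUTHLIST"]
                for (k in rec) delete rec[k]
            }
        }'
}

# Exit 0 if a GROUP record for the fifth argument is among the records the
# queue manager applies to the principal, i.e. its cached view of membership
# includes that group. Arguments: qmgr, principal, objtype, profile, group.
qmgr_sees_membership() {
    membership_records "$1" "$2" "$3" "$4" \
    | awk -F '\t' -v g="$5" '$1 == "GROUP" && $2 == g { found = 1 } END { exit !found }'
}

# Usage: sh qmgr_membership.sh QMGR PRINCIPAL OBJTYPE PROFILE GROUP
if [ $# -eq 5 ]; then
    if qmgr_sees_membership "$@"; then
        echo "$1 applies the records of $5 to $2"
    else
        echo "$1 does not apply the records of $5 to $2 (not resolved as a member, or cached before it was added)"
        exit 1
    fi
fi
```

If LDAP says the ID is in the group but the queue manager does not apply the group's records, the OAM is working from a cached membership; REFRESH SECURITY TYPE(AUTHSERV), or a queue manager restart, makes it resolve the groups again. TYPE(CONNAUTH) only reloads the connection-authentication configuration and does not touch the authorization cache, so check which type was issued.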
belchman
PostPosted: Tue Apr 16, 2019 4:39 am
Yes, I refreshed security. I did it from the Linux command line.

I am not authorized to issue refresh security from MQ Explorer on the remote host:

Quote:
EXPLANATION:
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: chg
ACTION:
Ensure that the correct level of authority has been set for this entity against
the required object, or ensure that the entity is a member of a privileged
group.

fjb_saper
PostPosted: Tue Apr 16, 2019 7:49 am
On the other hand if you want to look at stuff, I'd expect you'd have to allocate +alladmin +inq +dsp.


You might need to check and make sure if alladmin includes any of inq or dsp...

Have fun
_________________
MQ & Broker admin
rujova
PostPosted: Tue Apr 16, 2019 8:17 am
hughson wrote:
Did YOU issue the REFRESH SECURITY command? Did you have authority to do that? i.e. did it work?

Cheers,
Morag


Hey @belchman, did you grant the authority records from the runmqsc console using a super user (root or mqm member)?

Code:

> runmqsc QMGR_NAME
SET AUTHREC PROFILE('CHANNEL_NAME') PRINCIPAL('USER@DOMAIN') OBJTYPE(CHANNEL) AUTHADD(DSP)
REFRESH SECURITY(*) TYPE(CONNAUTH)


It's probably the same as @Peter and @Morag suggested, but it worked for me.

Did you set the MCA user for the channel?
_________________
Looking Forward,

Rujova
belchman
PostPosted: Tue Apr 16, 2019 9:16 am
No. I issued setmqaut commands from the command line as specified earlier in this thread. I issued those command while logged on as mqm because I could not connect to the queue manager as myself from the MQ Explorer jump box.

We use MQ Explorer on a jump box to control MQ Explorer proliferation and because we do not install MQ Explorer on every MQ node.
belchman
PostPosted: Tue Apr 16, 2019 9:22 am
Right now I have 2 theories, in the order I think they are likely:

1) When MQ does a lookup of what group I am in, it stops when it finds the first hit. Perhaps that first hit is not g.cmmqd_1.mqm. It is something else and I only ran the setmqaut commands for g.cmmqd_1.mqm. I am trying to get it setup that my ID is only in the mqm group to test the theory out. I know I had the same issue with DataPower in the past.

2) The breakdown is due to how I am interfacing MQ Explorer. I am using the Connection Properties function on MQ Explorer 9 and have my ID in the ID field. Maybe I need something close to what is in LDAP.

I have a ticket open with IBM on this and they are waiting on info but I have been delaying. I will update that ticket now. They want me to do some tracing.
belchman
PostPosted: Tue Apr 16, 2019 9:25 am
I have 4 MQ groups, in descending order of MQ OAM auth:

1) g.cmmqd_1.mqm
2) g.cmmqd_1.mqmpusr
3) g.cmmqd_1.mqmusr
4) g.cmmqd_1.mqmmon

My ID is in all 3. It was my brilliant way of thinking I could test. I think (cough) I was wrong-headed in that decision.
Page 1 of 2