MQSeries.net Forum Index » IBM MQ Security » Authorizing access to Domain Groups on Windows MQSrv objects
dakoroni (Acolyte, Joined: 10 Jan 2020, Posts: 50)
Posted: Wed Oct 21, 2020 7:11 am    Post subject: Authorizing access to Domain Groups on Windows MQSrv objects

Dear MQ security forum users,

I would appreciate it if you could advise on the correct domain group name format in order to grant the proper access on MQ objects.
I have a Windows DEV MQ Server v9.1.5 (host name: V000080117) joined to domain NBGIT.

I need to grant specific MQ authorities to numerous developers who belong to AD domain groups (such as NBGIT\Domain Users, NBGIT\Domain Computers) but not to the mqm group, since they should not have MQ Admin rights.

Using IBM MQ Explorer, I am able to grant access to individual domain user IDs (principals) on that MQ Server's objects (Queue Manager, Queues, Channels), for instance: exxxxx@NBGIT or fullname@NBGIT, BUT
I am not able to add a domain group to the object access list.

For example, I am able to add the mqm group to the (QM) access list -> mqm@V000080117 and
Users@BUILTIN
where "Users" is a local group on that Windows 2019 Server including NBGIT\Domain Users & NBGIT\Domain Computers.

But when trying to add Domain Users@NBGIT to the (QM) access list, I receive the error message: AMQ4808: Unknown Group 'Domain Users@NBGIT'.
But the domain group name is valid since it exists in Active Directory.

In the MQ server error log it appears as: AMQ8075W: Authorization failed because the SID for entity 'domain_users@nbgit' cannot be obtained.

I have read that the correct group name format is one of the following:
GroupName@domain
domain_name\group_name
So, I am very skeptical about what might be wrong.

I have also read in the IBM MQ 9.2 Knowledge Center that "For IBM MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed)."
Do you think that spaces in domain group names might be the root cause?

Any advice will be much appreciated.
Cheers, Nick.
gbaddeley (Jedi, Joined: 25 Mar 2003, Posts: 2492, Location: Melbourne, Australia)
Posted: Wed Oct 21, 2020 2:39 pm

I haven't encountered that issue, but we don't use spaces in AD group names. We use hyphen (-) or (_) when separators are needed. This is actually an enterprise standard for all AD groups in our company, for MQ or other uses. I don't know the reasons or its origins.
_________________
Glenn
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20696, Location: LI,NY)
Posted: Wed Oct 21, 2020 8:17 pm

You may need to remember that you're only allowed 1 level below the group name. So if your group Domain Users@nbgit only contains users, you are fine.
Should that group also contain subgroups, they will not be authorized...
_________________
MQ & Broker admin
dakoroni (Acolyte, Joined: 10 Jan 2020, Posts: 50)
Posted: Wed Oct 21, 2020 11:50 pm    Post subject: Authorizing access to Domain Groups on Windows MQSrv objects

Dear all,

Thanks for your responses.
The problem was resolved by updating qm.ini with the Security stanza setting GroupModel=GlobalGroups, so that the OAM checks global group membership.

Cheers, Nick.
Back to top
View user's profile Send private message
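The resolution above is a qm.ini change, and the thing most likely to go wrong when applying it by hand is misplacing the key outside the Security stanza or ending up with two GroupModel lines. The following Python script is an added example, not code from this thread or from IBM: it parses the stanza layout of a qm.ini (a stanza header line ending in a colon, followed by indented Key=Value lines), reports the current GroupModel value, and returns the text with Security: GroupModel=GlobalGroups set exactly once, whether the stanza was absent, present without the key, or present with another value. The sample qm.ini content and its paths are constructed for the example; the queue manager must be restarted for a qm.ini change to take effect.

```python
"""Check and set GroupModel=GlobalGroups in the Security stanza of an IBM MQ qm.ini."""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# Constructed sample qm.ini content (not taken from a real queue manager),
# modelled on the stanza layout: header line ends with ':', keys are indented.
SAMPLE_QM_INI = """\
ExitPath:
   ExitsDefaultPath=C:\\ProgramData\\IBM\\MQ\\exits
Log:
   LogPrimaryFiles=3
   LogSecondaryFiles=2
Channels:
   MaxChannels=100
"""

SECURITY_LINE = "   GroupModel=GlobalGroups"


def parse_stanzas(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return an ordered list of (stanza_name, {key: value}) from qm.ini text."""
    stanzas: List[Tuple[str, Dict[str, str]]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        if not raw[0].isspace() and line.endswith(":"):
            current = {}                          # new stanza header, e.g. "Security:"
            stanzas.append((line[:-1], current))
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")   # indented Key=Value inside a stanza
            current[key.strip()] = value.strip()
    return stanzas


def group_model(text: str) -> Optional[str]:
    """Return Security.GroupModel, or None when the stanza or the key is absent."""
    for name, keys in parse_stanzas(text):
        if name == "Security":
            return keys.get("GroupModel")
    return None


def ensure_global_groups(text: str) -> str:
    """Return qm.ini text with GroupModel=GlobalGroups in the Security stanza.

    Other stanzas and keys are preserved line for line; the key is added to an
    existing Security stanza, rewritten if it has another value, or the whole
    stanza is appended when missing. The result always contains the key once.
    """
    out: List[str] = []
    in_security = False
    found_stanza = False
    wrote_key = False
    for raw in text.splitlines():
        stripped = raw.strip()
        is_header = bool(raw) and not raw[0].isspace() and stripped.endswith(":")
        if is_header:
            # Leaving a Security stanza that never had the key: add it before the next header.
            if in_security and not wrote_key:
                out.append(SECURITY_LINE)
                wrote_key = True
            in_security = stripped == "Security:"
            found_stanza = found_stanza or in_security
        elif in_security and stripped.startswith("GroupModel="):
            raw = SECURITY_LINE                   # replace whatever value was there
            wrote_key = True
        out.append(raw)
    if in_security and not wrote_key:             # Security was the last stanza, key missing
        out.append(SECURITY_LINE)
    if not found_stanza:                          # no Security stanza at all: append one
        out.append("Security:")
        out.append(SECURITY_LINE)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", group_model(SAMPLE_QM_INI))
    fixed = ensure_global_groups(SAMPLE_QM_INI)
    print("after: ", group_model(fixed))
    print(fixed)
```

Run it against a copy of the queue manager's qm.ini first and diff the result before replacing the real file; on Windows the file sits under the queue manager's data directory, whose exact location depends on the installation (an assumption here, not a path taken from the thread).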