Restricting access to MQPut

jmac (Jedi Knight; Joined: 27 Jun 2001; Posts: 3081; Location: EmeriCon, LLC)
Posted: Wed Aug 22, 2001 8:37 am
Is it possible to restrict which users can issue Puts to a given queue?
As a complete novice in MQSeries, I am not sure where to even start looking for this.
Thanks
_________________ John McDonald
RETIRED

bduncan (Padawan; Joined: 11 Apr 2001; Posts: 1554; Location: Silicon Valley)
Posted: Wed Aug 22, 2001 10:15 am
John,
MQSeries offers quite a bit of granularity when it comes to authorities for various MQSeries objects. For instance, when talking about a queue object, you can specify whether or not a particular user or group has authority to: put, get, browse, set, inquire, etc., the queue in question. On most MQSeries platforms, this is done with two command line programs: setmqaut and dspmqaut. These set and display the permissions for a particular user/group on a given MQSeries object. Again, this object can be a queue, queue manager, process, etc...
The commands are pretty simple, and examples would probably be best:
dspmqaut -t qmgr -p mqm - this will show what permissions the user mqm has on the default queue manager.
dspmqaut -n TESTQMGR -t qmgr -p mqm - same as above, except you are specifying the name of the queue manager (in case the queue manager you want to query isn't the default queue manager).
setmqaut -n TESTQ -t queue -g testgroup +get +browse - will grant anyone who is a member of testgroup the authority to get or browse messages from the queue called TESTQ. In this example the queue manager isn't specified, so the command assumes the default queue manager.
setmqaut -n TESTQ -t queue -g testgroup -get - will remove the authority of testgroup to get messages from TESTQ. Keep in mind that if the previous command was already executed, then after executing this command, testgroup will no longer be able to get from TESTQ, but they will still be able to browse it.
One other thing to keep in mind. Mixing user and group permissions can make administration a nightmare. In other words, if you grant certain permissions for group testgroup, and then you want to change permissions for particular members of testgroup, you can do this, and MQSeries will function, but it can make determining who has what permissions a tricky thing.
Hope this gets you started...
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator

jmac (Jedi Knight; Joined: 27 Jun 2001; Posts: 3081; Location: EmeriCon, LLC)
Posted: Wed Aug 22, 2001 12:41 pm
Thanks Brandon.... I stumbled upon this command about 10 mins prior to looking at your response... Please have a look at this output:
C:>dspmqaut -m FMCQM -t queue -n EXEXMLINPUTQ -p noauthority
Entity noauthority has the following authorizations for object EXEXMLINPUTQ:
get
browse
put
inq
set
passid
passall
setid
setall
C:>setmqaut -m FMCQM -t queue -n EXEXMLINPUTQ -p noauthority -browse
The setmqaut command completed successfully.
C:>dspmqaut -m FMCQM -t queue -n EXEXMLINPUTQ -p noauthority
Entity noauthority has the following authorizations for object EXEXMLINPUTQ:
get
browse
put
inq
set
passid
passall
setid
setall
In the first command I issue a dspmqaut and see the current authorities.
In the second, I attempt to remove browse, and based on the response it appears to work.
In the third, I display again, and the browse authority is still there.
I saw in the manual something about the object needing to be reset, so I started and stopped my queue manager and got the same results.
Can you shed any light on what I am doing wrong here?
Thanks
_________________ John McDonald
RETIRED

jmac (Jedi Knight; Joined: 27 Jun 2001; Posts: 3081; Location: EmeriCon, LLC)
Posted: Wed Aug 22, 2001 1:27 pm
OK... just remember I really don't know a whole heck of a lot about MQSeries or NT Administration in general.
My problem above was that the user I was working with "noauthority" is part of a group called "users".
Turns out that MQWorkflow on install authorizes all members of the group "users" to allmqi.
Problem solved for now I think.
Thanks again
_________________ John McDonald
RETIRED

bduncan (Padawan; Joined: 11 Apr 2001; Posts: 1554; Location: Silicon Valley)
Posted: Wed Aug 22, 2001 3:12 pm
Yeah, like I said in my first response, mixing user and group permissions can be a headache because you get weird side effects like what you saw. I recommend always using group level permissions for MQSeries - never user based. It just makes administration easier, and there's nothing wrong with having to make groups with only one member...
Also, if you are using MQSeries 5.2 or higher, you can just issue the "REFRESH SECURITY" command from within the runmqsc console to update permissions after using setmqaut. This means you don't have to recycle the queue manager as you did in 5.1 and earlier....
_________________ Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
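
The situation in this thread, as an added example (not code from either poster or from IBM): a small Python parser for dspmqaut listings that reports which groups still grant an authority after it has been revoked from a single user. The listing for group users is constructed from the thread's description, opsgroup is a hypothetical second group, and the code assumes dspmqaut -g prints the same layout as the -p output shown above.

```python
import re

# Header line printed by dspmqaut, in the layout shown in the thread's output.
HEADER = re.compile(r"^Entity (\S+) has the following authorizations for object (\S+):$")

# Constructed sample listings (not captured from a real queue manager).
# "users" mirrors the thread: MQWorkflow granted allmqi to that group.
USERS_LISTING = """\
Entity users has the following authorizations for object EXEXMLINPUTQ:
get
browse
put
inq
set
passid
passall
setid
setall
"""
# "opsgroup" is a hypothetical second group that may only inquire.
OPS_LISTING = """\
Entity opsgroup has the following authorizations for object EXEXMLINPUTQ:
inq
"""

def parse_dspmqaut(text):
    """Return (entity, object_name, authorities) for one dspmqaut listing."""
    entity = obj = None
    auths = set()
    for line in (raw.strip() for raw in text.splitlines()):
        match = HEADER.match(line)
        if match:
            entity, obj = match.groups()
        elif line and entity is not None:
            auths.add(line)
    if entity is None:
        raise ValueError("no dspmqaut header line found")
    return entity, obj, auths

def still_granted_by_groups(revoked, group_listings):
    """Map each revoked authority to the groups that still grant it."""
    parsed = [parse_dspmqaut(text) for text in group_listings]
    found = {}
    for auth in sorted(revoked):
        groups = sorted(entity for entity, _, auths in parsed if auth in auths)
        if groups:
            found[auth] = groups
    return found

if __name__ == "__main__":
    # jmac revoked browse from the user; the group grant keeps it in effect.
    print(still_granted_by_groups({"browse"}, [USERS_LISTING, OPS_LISTING]))
```

Feed it the dspmqaut -g listing of every group the user belongs to; any authority it reports has to be removed from those groups, not from the user.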