
Setmqaut returns "authorization specification not valid
sfari
Posted: Tue Mar 15, 2005 1:07 am

Centurion

Joined: 15 Apr 2003
Posts: 144

Hallo,

I entered the commands below on our Unix server. As you can see, it returns an error when I try to remove the right. Any idea what's wrong?

Code:

$ setmqaut -m QM_NAME -t qmgr -g myuser +connect
The setmqaut command completed successfully.

$ dspmqaut -m QM_NAME -t qmgr -g myuser
Entity myuser has the following authorizations for object QM_NAME:
        connect

$ setmqaut -m QM_NAME -t qmgr -g myuser -remove
Q7097: You gave an authorization specification that is not valid.


Thanks in advance!
Silvano
Michael Dag
Posted: Tue Mar 15, 2005 1:19 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

try -all instead of -remove
_________________
Michael



sfari
Posted: Tue Mar 15, 2005 2:31 am

Centurion

Joined: 15 Apr 2003
Posts: 144

Thanks for the answer! That works but the profile for the user is still active even if there are no rights anymore:
Code:

$ dspmqaut -m QM_NAME -t qmgr -g myuser
Entity filetran has the following authorizations for object QM_NAME:

This is a problem because I want to remove this user from my server. And even if the user doesn't exist anymore the profile will still be active.

The -remove option should work according to the "System Administration Guide" and I have already used it successfully. No idea why it doesn't work in this case.
Michael Dag
Posted: Tue Mar 15, 2005 2:35 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

you talk about user but use -g which is for a group. If the user you are talking about is really a user and not a group id, try with -p instead of -g
_________________
Michael



sfari
Posted: Tue Mar 15, 2005 3:31 am

Centurion

Joined: 15 Apr 2003
Posts: 144

Sorry that was not precise from my side. The user I am talking about has also its own primary group with the same name. The -remove fails with -p as well as with -g.
Michael Dag
Posted: Tue Mar 15, 2005 4:04 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

never used -remove myself, so when I look at the manual it looks like -remove applies to profiles, not to users or groups.

a profile can be a set of objects defined with generics like AQ.*

using -all should be enough to remove authorisation from MQ.
If you remove the user or group from the system itself, the authorisation should disappear as well.
_________________
Michael



fjb_saper
Posted: Tue Mar 15, 2005 9:27 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

MichaelDag wrote:
never used -remove myself, so when I look at the manual it looks like -remove applies to profiles, not to users or groups.

a profile can be a set of objects defined with generics like AQ.*

using -all should be enough to remove authorisation from MQ.
If you remove the user or group from the system itself, the authorisation should disappear as well.


Michael has it right. I have used it. You cannot remove any of the authorizations that are part of the mqm group on the objects.
You should really set up your security on the profiles. O.K. some profile names = object name (queue name) but most of the time it should look something like xyz** or **uvt

Enjoy
sfari
Posted: Tue Mar 15, 2005 11:05 pm

Centurion

Joined: 15 Apr 2003
Posts: 144

Thanks for your answers, that helps a lot!

What is still not clear to me is how to really remove an authorization for a specific group on a QM where no profiles can be used, as in my samples. I understand that -all has the same effect as if it were removed. But dmpmqaut still shows it, which means it is still stored in the SYSTEM.AUTH.DATA.QUEUE. Why isn't it removed? And is it still there when the group gets removed?
fjb_saper
Posted: Wed Mar 16, 2005 1:25 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

After changing the security do not forget to issue
Code:
refresh security
command to the queue manager.
This is a runmqsc type of command and will refresh the security buffer.

Enjoy
sfari
Posted: Thu Mar 17, 2005 3:56 am

Centurion

Joined: 15 Apr 2003
Posts: 144

I did this, but even then, when I dump the authorizations for the affected user, they are still visible:
Code:

$ dmpmqaut -g filetran
profile:     @class
object type: queue
entity:      filetran
entity type: group
authority:   none
- - - - - - - -
profile:     @class
object type: qmgr
entity:      filetran
entity type: group
authority:   none
fjb_saper
Posted: Thu Mar 17, 2005 4:36 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

try using -alladmin to remove those.

Enjoy
sfari
Posted: Thu Mar 17, 2005 6:35 am

Centurion

Joined: 15 Apr 2003
Posts: 144

-alladmin is not a known authorization

Code:

$ dmpmqaut -g filetran
profile:     self
object type: qmgr
entity:      filetran
entity type: group
authority:   none
- - - - - - - -
profile:     @class
object type: queue
entity:      filetran
entity type: group
authority:   none
- - - - - - - -
profile:     @class
object type: qmgr
entity:      filetran
entity type: group
authority:   none


$ setmqaut -m C004501A.SUN.T -t qmgr -g filetran -alladmin
AMQ7097: You gave an authorization specification that is not valid.
Back to top
View user's profile Send private message
RogerLacroix
PostPosted: Thu Mar 17, 2005 7:38 am    Post subject: Reply with quote

Jedi Knight

Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada

Hi,

-alladm will work but -alladmin will not work.

Regards,
Roger Lacroix
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
sfari
Posted: Thu Mar 17, 2005 10:49 pm

Centurion

Joined: 15 Apr 2003
Posts: 144

Thanks, "-alladm" works but has the same effect even after "REFRESH SECURITY". Does this mean we have to live with these undeletable authorities?

Code:

$ setmqaut -m C004501A.SUN.T -t qmgr -g filetran -alladm
The setmqaut command completed successfully.

$ dmpmqaut -g filetran
profile:     self
object type: qmgr
entity:      filetran
entity type: group
authority:   none
- - - - - - - -
profile:     @class
object type: queue
entity:      filetran
entity type: group
authority:   none
- - - - - - - -
profile:     @class
object type: qmgr
entity:      filetran
entity type: group
authority:   none
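
Added example, not part of the original thread: a shell filter that reads dmpmqaut output in the format posted above and lists the records left with authority none, which is useful for auditing what remains after setmqaut -all or -alladm. The function names and the third sample record (APP.REQUEST, appgrp) are constructed for illustration.

```shell
# Added example, not from the thread: list records that dmpmqaut still
# reports with "authority: none" after setmqaut -all / -alladm.
# Use: dmpmqaut -m QM_NAME -g filetran | empty_auth_records

# Prints per empty record: <entity type> <entity> <object type> <profile>
empty_auth_records() {
    awk '
        function emit() {
            if (rec["entity"] != "" && rec["authority"] == "none")
                printf "%s %s %s %s\n", rec["entity type"], rec["entity"],
                       rec["object type"], rec["profile"]
            split("", rec)              # reset for the next record
        }
        /^- - -/ { emit(); next }       # record separator line
        {
            i = index($0, ":")
            if (i == 0) next            # shell prompts, blank lines
            key = substr($0, 1, i - 1)
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            rec[key] = val
        }
        END { emit() }                  # last record has no separator
    '
}

# Constructed sample: first two records as posted above, third invented.
sample_dump() {
cat <<'EOF'
profile:     self
object type: qmgr
entity:      filetran
entity type: group
authority:   none
- - - - - - - -
profile:     @class
object type: queue
entity:      filetran
entity type: group
authority:   none
- - - - - - - -
profile:     APP.REQUEST
object type: queue
entity:      appgrp
entity type: group
authority:   get put
EOF
}
```
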
barftud
Posted: Tue Dec 01, 2009 3:59 am

Newbie

Joined: 19 Oct 2004
Posts: 3

I realise that this is an old posting, but I have run into the same question and I cannot find an answer. Is there a way to remove these authorities?

Thanks,
Adrian