NewMB
Posted: Thu May 26, 2005 9:29 am Post subject: Prevent deleting broker from the toolkit
Apprentice
Joined: 05 Jan 2005 Posts: 42

Is it possible to prevent users from accidentally deleting a broker from the toolkit? I found out that the command "mqsicreateaclgroup" can set user access control on a broker, but I am not sure it is what I am looking for.
Thanks!

jefflowrey
Posted: Thu May 26, 2005 9:47 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Don't put them in the ops group.
_________________
I am *not* the model of the modern major general.

ydsk
Posted: Thu May 26, 2005 10:38 am
Chevalier
Joined: 23 May 2005 Posts: 410

That would restrict the users from adding brokers to the domain... even from connecting to the domain. Right?

jefflowrey
Posted: Thu May 26, 2005 10:45 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

ydsk wrote:
That would restrict the users from adding brokers to the domain... even from connecting to the domain. Right?

Developers shouldn't need to add or delete brokers. Operational Staff should know not to delete brokers from the Toolkit.
With the Access Control Lists, you can give users different permissions on the Topology than on Brokers. You cannot give them different permissions to create a broker than to delete it.

ydsk
Posted: Thu May 26, 2005 2:08 pm
Chevalier
Joined: 23 May 2005 Posts: 410

I am not talking about the real create with the 'mqsicreatebroker' command. Not adding a user to mqbrops on the ConfigMgr box would restrict the user from connecting to the domain through a toolkit on his desktop. Right?

jefflowrey
Posted: Thu May 26, 2005 2:41 pm
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

ydsk wrote:
I am not talking about the real create with the 'mqsicreatebroker' command. Not adding a user to mqbrops on the ConfigMgr box would restrict the user from connecting to the domain through a toolkit on his desktop. Right?

I've forgotten. I dug through the infocenter stuff on security earlier, and didn't find the stuff I remember seeing where it spelled out what the classical groups were and what permissions they gave.
It did say that ACLs were used if the user WASN'T found in the groups, or didn't have the permission from the groups they were asking for.
Regardless... I'm not positive that developers need to connect to the domain, except in dev.
And even then, they can be told 'Don't delete the broker!'.

ydsk
Posted: Tue May 31, 2005 6:27 am
Chevalier
Joined: 23 May 2005 Posts: 410

Jeff,
I don't know much about ACLs. Do you know if both the mqb*** groups and ACLs can be used for security? We have a similar situation... we informed the developers not to delete the brokers through a toolkit. They were added to the mqbrops group in the dev environment as they needed it.
Though we told the developers not to delete the brokers from the toolkit, we can't stop them technically from doing so. Do you know how we can achieve this through ACLs or a combination of both mq**** groups and ACLs?
Appreciate any explanation.
Thanks.

jefflowrey
Posted: Tue May 31, 2005 6:37 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

Developers don't need the ability to change the topology.
The Topology is a different object in the ACLs than the Brokers are. You can use the ACLs to deny the ability to change the topology (prevent them from deleting AND creating brokers) without affecting their ability to use the brokers.
The ACLs are checked only if the user is not in the traditional groups, according to the documentation.

ydsk
Posted: Tue May 31, 2005 6:46 am
Chevalier
Joined: 23 May 2005 Posts: 410

Jeff,
Thanks for the information. I know the developers don't need to modify topology. But a developer can't see the brokers in the domain unless he is in the mqbrops group on the configmgr (I am sure of it as I saw it myself).
As you said, we might have to do away with the mq**** groups completely to implement security with ACLs.
Does anyone have any different experiences? Please let me know.
Thanks.