MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » mqsicreateaclgroup
solomita
PostPosted: Mon Aug 23, 2004 2:20 pm    Post subject: mqsicreateaclgroup
Has anyone had any luck with creating ACL groups at the group level in a specific domain, other than in a group that is local? The administrator can set up ACLs for local groups at the group level, but if he uses a command similar to this:
mqsicreateaclgroup -g domain\groupname -x V -t
it fails with "(ConfigMgr) unable to validate specified user or group 'domain\groupname'".

He can however set up ACLs for users within a group:
mqsicreateaclgroup -u domain/username -x V -t

Any ideas?
_________________
IBM Certified Specialist - WebSphere MQ Integrator
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified System Administrator - WebSphere Business Integration Message Broker V5
slaney
PostPosted: Tue Aug 24, 2004 2:34 am    Post subject: Active Directory permissions for MQSICREATEACLGROUP

Location: Alphacourt (Swindon UK)

Are you setting this up in Active Directory? If so, the user ID that issues the mqsisetaclgroup command must be an AD user account as well as a local administrator. It must also have the authority to query the group membership of any account in AD, much the same as the permissions required for a special MQ user in a Windows 2000 domain. The specific AD permissions required are:

Read Group Membership
Read groupMembershipSAM

HTH
Kind Regards
Steve Lane
solomita
PostPosted: Tue Aug 24, 2004 2:41 am

Yes, they are using Active Directory and have domain awareness enabled.

Also, I should clarify from my initial post that groupname is a domain group. So in the example, substitute "domain\groupname" for "domain\domain mqbropsdev".
slaney
PostPosted: Wed Aug 25, 2004 1:09 am

Location: Alphacourt (Swindon UK)

You know, I think the syntax of the command you are using is incorrect. The manual states the -u switch is in the format of DOMAIN\USER, but this is not correct for -g. -g refers to the group within the domain that the config mgr uses for its security. This is influenced by the -d option when you create the config mgr:
Quote:
-d SecurityDomainName (Optional) This parameter must be set to null. When you create the configuration manager, omit this parameter. The -u and -g options on the mqsicreateaclgroup command refer to users and groups within the domain that the Configuration Manager uses for its security. This domain is by default the machine on which the Configuration Manager resides, but is different if you use this option.


HTH
Regards
Steve
solomita
PostPosted: Wed Aug 25, 2004 4:34 am

Ok, I think I see what you are saying. I did take a look through the manuals and they didn't seem as descriptive as they could be. So, you are saying that I can only use mqsicreateaclgroup for the domain that the config mgr is running on, whether it be the default one or the one specified by -d, and cannot use mqsicreateaclgroup for a group outside the domain the config mgr is using.
slaney
PostPosted: Wed Aug 25, 2004 5:30 am

Location: Alphacourt (Swindon UK)

I think you have it.

Let me give you an example:

Consider a Windows member server that is not a domain controller. If you created the Configuration Manager using the command:

mqsicreateconfigmgr -i MYDOMAIN\wbimb -a apsswd -q QMGR1 -n CFMDB2 -u wbimb -p apasswd

Then mqsicreateaclgroup -g mqbrkrs -F x -t would refer to the local groups on the server. You could then add domain groups or users to that local group.
_________________
Steven Lane AMBCS
Information Security Consultant
Alphacourt Limited
http://www.alphacourt.com/html/services/securityserv/
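The procedure Steve describes, scripted as an added example (not code from the thread or from IBM): a Configuration Manager created without -d validates -g names against the member server's local groups, so the domain group is nested inside a local group and the ACL entry names the local group. The group names (local "mqbrkrs", domain "MYDOMAIN\mqbropsdev") are assumptions taken from the examples above; the mqsicreateaclgroup flags are the ones used in the thread (-g, -x V, -t). Run it from an elevated prompt as the account that administers the Configuration Manager.

```powershell
# Added example, not from the thread. Assumes the Configuration Manager was
# created WITHOUT -d, so "mqsicreateaclgroup -g" resolves local group names.
# Assumed names (constructed for the example):
$localGroup  = 'mqbrkrs'               # local group that the ACL entry will name
$domainGroup = 'MYDOMAIN\mqbropsdev'   # domain group that gets access via nesting

function Assert-Ok([string]$Step) {
    # net.exe and mqsi commands report failure through the exit code
    if ($LASTEXITCODE -ne 0) { throw "Step failed: $Step (exit code $LASTEXITCODE)" }
}

# 1. Create the local group if it does not exist yet.
#    net.exe prints each group on its own line prefixed with "*".
$existing = net localgroup
if (-not ($existing -match ('^\*' + [regex]::Escape($localGroup) + '\s*$'))) {
    net localgroup $localGroup /add
    Assert-Ok "create local group $localGroup"
}

# 2. Nest the domain group inside the local group (skip if already a member,
#    because /add on an existing member is an error).
$members = net localgroup $localGroup
Assert-Ok "read members of $localGroup"
if (-not ($members -match [regex]::Escape($domainGroup))) {
    net localgroup $localGroup $domainGroup /add
    Assert-Ok "add $domainGroup to $localGroup"
}

# 3. Show the resulting membership so the operator can confirm the nesting.
net localgroup $localGroup

# 4. Grant the LOCAL group view access on the topics root, as in the thread.
#    Validation succeeds here because the name is one the Config Manager's
#    security domain (the local machine) can resolve.
mqsicreateaclgroup -g $localGroup -x V -t
Assert-Ok "create ACL entry for $localGroup"
```

If the Configuration Manager was instead created with -d MYDOMAIN, the quoted manual text says -g then refers to groups within that domain, so the nesting step is unnecessary and the bare domain group name (mqbropsdev, without the DOMAIN\ prefix) would be passed to -g; the script above does not cover that path.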
solomita
PostPosted: Wed Aug 25, 2004 2:02 pm

We ended up changing the -d option on the config mgr to a specific domain and were able to create ACL groups. Then we went to the toolkit to verify that we were restricted to certain actions based on the access levels we set. We got an error message that I have never seen before:
"BIP93043 Unable to locate message 'BIP1780' in resource bundle 'BIPv500' (resource bundle not available)"

In the event viewer, this 1780 message is listed as the user id not having authority. I think this is a bug as not only should my eg not be allowed to be created (even though it cannot be deployed to) but the event viewer message should appear in the toolkit event log.

Is this something that is different in CSD03, as I believe they are at CSD02 currently?