Restricting access to MQPut
jmac
Posted: Wed Aug 22, 2001 8:37 am

Is it possible to restrict which users can issue Puts to a given queue?

As a complete novice in MQSeries, I am not sure where to even start looking for this.

Thanks

_________________
John McDonald
RETIRED
bduncan
Posted: Wed Aug 22, 2001 10:15 am

John,
MQSeries offers quite a bit of granularity when it comes to authorities for various MQSeries objects. For instance, when talking about a queue object, you can specify whether or not a particular user or group has authority to put, get, browse, set, inquire, etc., on the queue in question. On most MQSeries platforms, this is done with two command line programs: setmqaut and dspmqaut. These set and display the permissions for a particular user/group on a given MQSeries object. Again, this object can be a queue, queue manager, process, etc.
The commands are pretty simple, and examples would probably be best:
dspmqaut -t qmgr -p mqm - this will show what permissions the user mqm has on the default queue manager.
dspmqaut -n TESTQMGR -t qmgr -p mqm - same as above, except you are specifying the name of the queue manager (in case the queue manager you want to query isn't the default queue manager).
setmqaut -n TESTQ -t queue -g testgroup +get +browse - will grant anyone who is a member of testgroup the authority to get or browse messages from the queue called TESTQ. In this example the queue manager isn't specified, so the command assumes the default queue manager.
setmqaut -n TESTQ -t queue -g testgroup -get - will remove the authority of testgroup to get messages from TESTQ. Keep in mind that if the previous command was already executed, then after executing this command, testgroup will no longer be able to get from TESTQ, but they will still be able to browse it.
One other thing to keep in mind. Mixing user and group permissions can make administration a nightmare. In other words, if you grant certain permissions for group testgroup, and then you want to change permissions for particular members of testgroup, you can do this, and MQSeries will function, but it can make determining who has what permissions a tricky thing.
Hope this gets you started...


_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
jmac
Posted: Wed Aug 22, 2001 12:41 pm

Thanks Brandon.... I stumbled upon this command about 10 mins prior to looking at your response... Please have a look at this output:

C:>dspmqaut -m FMCQM -t queue -n EXEXMLINPUTQ -p noauthority
Entity noauthority has the following authorizations for object EXEXMLINPUTQ:
get
browse
put
inq
set
passid
passall
setid
setall

C:>setmqaut -m FMCQM -t queue -n EXEXMLINPUTQ -p noauthority -browse
The setmqaut command completed successfully.

C:>dspmqaut -m FMCQM -t queue -n EXEXMLINPUTQ -p noauthority
Entity noauthority has the following authorizations for object EXEXMLINPUTQ:
get
browse
put
inq
set
passid
passall
setid
setall

In the first command I issue a dspmqaut and see the current authorities.

In the second, I attempt to remove browse, and based on the response it appears to work.

In the third, I display again, and the browse authority is still there.

I saw in the manual something about the object needing to be reset, so I started and stopped my queue manager and got the same results.

Can you shed any light on what I am doing wrong here?

Thanks

_________________
John McDonald
RETIRED
jmac
Posted: Wed Aug 22, 2001 1:27 pm

OK... just remember I really don't know a whole heck of a lot about MQSeries or NT Administration in general.

My problem above was that the user I was working with "noauthority" is part of a group called "users".

Turns out that MQWorkflow on install authorizes all members of the group "users" to allmqi.

Problem solved for now I think.

Thanks again

_________________
John McDonald
RETIRED
bduncan
Posted: Wed Aug 22, 2001 3:12 pm

Yeah, like I said in my first response, mixing user and group permissions can be a headache because you get weird side effects like what you saw. I recommend always using group level permissions for MQSeries - never user based. It just makes administration easier, and there's nothing wrong with having to make groups with only one member...
Also, if you are using MQSeries 5.2 or higher, you can just issue the "REFRESH SECURITY" command from within the runmqsc console to update permissions after using setmqaut. This means you don't have to recycle the queue manager as you did in 5.1 and earlier....


_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator
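
The behaviour worked out in this thread, as an added example that is not part of any post and is not IBM MQ code: a simplified Python model which assumes a user's effective authority is the union of the user's own grants and those of every group the user belongs to. The QueueAcl class, its method names and the sources helper are hypothetical; the user, group and authority names are the ones quoted in the thread.

```python
# Simplified model (an assumption, not the OAM itself): effective authority is
# the user's own grants UNION the grants of every group the user is in.

# Queue authorities that the thread's dspmqaut output lists for an allmqi grant.
ALLMQI = {"get", "browse", "put", "inq", "set",
          "passid", "passall", "setid", "setall"}


class QueueAcl:
    """Grants on one queue, stored separately for principals and groups."""

    def __init__(self, membership):
        self.membership = membership   # user -> set of group names (constructed)
        self.principal = {}            # user  -> set of authorities
        self.group = {}                # group -> set of authorities

    def setmqaut(self, kind, name, *changes):
        """Apply '+auth' / '-auth' to one principal (kind 'p') or group ('g')."""
        table = self.principal if kind == "p" else self.group
        held = table.setdefault(name, set())
        for change in changes:
            auths = ALLMQI if change[1:] == "allmqi" else {change[1:]}
            if change[0] == "+":
                held |= auths
            else:
                held -= auths

    def dspmqaut(self, user):
        """Effective authorities for a user: own grants plus group grants."""
        effective = set(self.principal.get(user, set()))
        for g in self.membership.get(user, ()):
            effective |= self.group.get(g, set())
        return effective

    def sources(self, user, auth):
        """List every entry that still gives `user` the authority `auth`."""
        own = auth in self.principal.get(user, set())
        found = [f"principal:{user}"] if own else []
        found += [f"group:{g}" for g in sorted(self.membership.get(user, ()))
                  if auth in self.group.get(g, set())]
        return found


def replay_thread():
    acl = QueueAcl({"noauthority": {"users"}})
    acl.setmqaut("g", "users", "+allmqi")        # grant made at install time
    acl.setmqaut("p", "noauthority", "-browse")  # completes, changes nothing
    after_user_revoke = acl.dspmqaut("noauthority")
    why = acl.sources("noauthority", "browse")
    acl.setmqaut("g", "users", "-browse")        # revoke where the grant lives
    return after_user_revoke, why, acl.dspmqaut("noauthority")
```
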