| Author |
Message
|
| olan022 |
 Posted: Thu Jun 13, 2002 4:43 am Post subject: Authority to use RUNMQSC |
 |
|
Acolyte
Joined: 17 Apr 2002
Posts: 50
|
I want to allow some users to be able to browse queues in MQSeries via RUNMQSC but not let them be a part of the mqm group. I've given them access to view a queue via SETMQAUT but cannot even start RUNMQSC - I get AMQ8135: Not Authorized. What am I missing?
Thanks! |
|
| Back to top |
|
 |
| mqonnet |
| Posted: Thu Jun 13, 2002 5:17 am Post subject: |
|
|
Grand Master
Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.
|
You can allow users to browse queues and set authorities using SETmqaut. And let them use amqsbcg or likes to browse them.
Rumqsc is an mq Admin utility and needs mqm authority to execute it. Hence giving permissions to users outside mqm group is not possible.
Cheers.
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator |
|
| Back to top |
|
|
| mrlinux |
| Posted: Thu Jun 13, 2002 5:31 am Post subject: |
|
|
Grand Master
Joined: 14 Feb 2002
Posts: 1261
Location: Detroit,MI USA
|
|
| Back to top |
|
|
| jhalstead |
| Posted: Thu Jun 13, 2002 6:04 am Post subject: |
|
|
Master
Joined: 16 Aug 2001
Posts: 258
Location: London
|
Would support pack MS0E be of any use? This allows anyone to have controlled & audited access to runmqsc without being a member of the mqm group
Jamie |
|
| Back to top |
|
|
| blane99 |
| Posted: Thu Jun 13, 2002 6:18 am Post subject: Re: Authority to use RUNMQSC |
|
|
Apprentice
Joined: 12 Jun 2002
Posts: 41
|
| What platform are you using? If unix I can provide safe way. |
|
| Back to top |
|
|
| mqonnet |
| Posted: Thu Jun 13, 2002 6:20 am Post subject: |
|
|
Grand Master
Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.
|
Jeff.
I could not really relate this issue with the link you mentioned earlier. Because the question in discussion here is Runmqsc and not queues. And runmqsc is purely an mqm utility. And no one other than mqm user is allowed to access it. Please correct me if i am wrong.
Cheers.
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator |
|
| Back to top |
|
|
| mrlinux |
| Posted: Thu Jun 13, 2002 6:37 am Post subject: |
|
|
Grand Master
Joined: 14 Feb 2002
Posts: 1261
Location: Detroit,MI USA
|
Well you are right about it being a mqm utility, however you can provide
execute rights to non mqm admins, but you then have to also provide the
permissions to the Command Server Queues, so the link is more for after you have set runmqsc to be run by non mqm group user.
I should have been more clear on that
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries |
|
| Back to top |
|
|
| blane99 |
| Posted: Thu Jun 13, 2002 7:09 am Post subject: |
|
|
Apprentice
Joined: 12 Jun 2002
Posts: 41
|
Jeff is right. You need execute permissions on the runmqsc executable
and the following minimum:
+connect on the qmgr
+dsp for the queue
example
setmqaut -m QMA -t qmgr -g mqmdev +connect
setmqaut -m QMA -n TESTQ -t q -g mqmdev +dsp |
|
| Back to top |
|
|
| mqonnet |
| Posted: Thu Jun 13, 2002 7:20 am Post subject: |
|
|
Grand Master
Joined: 18 Feb 2002
Posts: 1114
Location: Boston, Ma, Usa.
|
Ok. I am a bit confused here. Let me put forth myself in detail.
1) Runmqsc "as is" CANNOT be accessed by a non-mqm user.
2) Not quite sure what you mean by Command server in this case. Because if you involve it, it would be PCF messages and not Runmqsc perse. Then it would be like issuing runmqsc commands from, say a client, using PCF messages. But it is NOT equivalent to using RUNMQSC, which was the question in this thread.
3) Also could not really understand what you meant by "provide
execute rights to non mqm admins". Because whatever permissions you give to access the Executable Runmqsc, eventually the authority checking is done down under inside MQ. Which comes back to the same issue. Since the user is not in the mqm group, he/she is not allowed to run the command, even though you have granted "execute" permissions to it.
Please comment.
Cheers.
Kumar
_________________
IBM Certified WebSphere MQ V5.3 Developer
IBM Certified WebSphere MQ V5.3 Solution Designer
IBM Certified WebSphere MQ V5.3 System Administrator |
|
| Back to top |
|
|
| olan022 |
| Posted: Thu Jun 13, 2002 7:35 am Post subject: |
|
|
Acolyte
Joined: 17 Apr 2002
Posts: 50
|
WOW!
I'm really impressed by the amount of experts that have taken attention to this. I'm hearing a key point:
1) A user cannot run RUNMQSC without being in the mqm group (we are running AIX 5, by the way)
If this is the case, then SETMQAUT won't get me there.
Let me extrapolate on this:
I just want developers, etc. to be able to VIEW queues and queue contents via the SNOOP utility without giving them the keys to the city. They don't necessarily have to be able to run RUNMQSC, just a tool to non-destructively view information. I understand that MO71 and the MQ Explorer are not good options. |
|
| Back to top |
|
|
| blane99 |
| Posted: Thu Jun 13, 2002 7:39 am Post subject: |
|
|
Apprentice
Joined: 12 Jun 2002
Posts: 41
|
for unix do chmod o+x /opt/mqm/bin/runmqsc
to give execute permission. |
|
| Back to top |
|
|
| olan022 |
| Posted: Thu Jun 13, 2002 7:45 am Post subject: |
|
|
Acolyte
Joined: 17 Apr 2002
Posts: 50
|
CHMOD on the runmqsc executable itself will not allow me to run RUNMQSC. An authorization error occurs because there is some "deeper" check that is going on.
It is sounding like RUNMQSC is not the avenue I want to take if I just want people to view queues and messages, anyway. |
|
| Back to top |
|
|
| blane99 |
| Posted: Thu Jun 13, 2002 8:06 am Post subject: |
|
|
Apprentice
Joined: 12 Jun 2002
Posts: 41
|
We have used both of the following support paks:
MS0E: MQSeries Administration Wrapper
MS0H: MQSeries - Queue depth monitoring tool (browse also)
Both probably satisfy your requirements |
|
| Back to top |
|
|
| olan022 |
| Posted: Thu Jun 13, 2002 9:42 am Post subject: |
|
|
Acolyte
Joined: 17 Apr 2002
Posts: 50
|
Excellent!
THANKS SO MUCH, BLANE99!!! That looks exactly like what I am looking for! |
|
| Back to top |
|
|
| olan022 |
| Posted: Thu Jun 13, 2002 9:45 am Post subject: |
|
|
Acolyte
Joined: 17 Apr 2002
Posts: 50
|
| Whoops, thanks to JHALSTEAD too, as he suggested this as well! |
|
| Back to top |
|
|
|
|
