jeevan |
Posted: Thu Feb 14, 2008 10:19 am Post subject: Revoking sec did not work |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
For testing, we granted permission to access the queue manager and put/get messages from a certain queue. When we revoked the permission and refreshed the queue manager, the guy is still able to connect to the queue manager and put the message.
What could be wrong? I refreshed the queue manager and dspmqaut does not display any permission, including connecting to the queue manager.
Thanks a lot |
|
PeterPotkay |
Posted: Thu Feb 14, 2008 10:37 am Post subject: Re: Revoking sec did not work |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
jeevan wrote: |
When we revoked the permission |
How?
jeevan wrote: |
and refreshed the queue manager |
No need to. (only needed if you removed or added him from O/S level groups)
jeevan wrote: |
dspmqaut does not display any permission including connecting to queue manager. |
what does dmpmqaut show? He probably is inheriting his permissions from a group he is in that still has that access.
What O/S is this? What groups is this guy in? List and then check every single one.
_________________
Peter Potkay
Keep Calm and MQ On |
|
jeevan |
Posted: Thu Feb 14, 2008 12:29 pm Post subject: Re: Revoking sec did not work |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
PeterPotkay wrote: |
jeevan wrote: |
When we revoked the permission |
How?
That is what we are puzzled about. We recently verified that he was even able to connect to another queue manager and put a message, which is never authorised for his and his group's id. We told him the name of the server conn channel though.
jeevan wrote: |
and refreshed the queue manager |
No need to. (only needed if you removed or added him from O/S level groups)
You are right, but I did all possible stuff.
jeevan wrote: |
dspmqaut does not display any permission including connecting to queue manager. |
what does dmpmqaut show?
Quote: |
P:\>
P:\>dspmqaut -m MQXXXXX -t qmgr -p user@domain
Entity user@domain has the following authorizations for object MQXXXXXX:
P:\>dspmqaut -m MQXXXXXX -n YY.** -t queue -p user@domain
Entity user@domain has the following authorizations for object YY.**:
P:\>dspmqaut -m MQXXXXXX -n SYSTEM.CLUSTER.TRANSMIT.QUEUE -t queue -p user@domain
Entity user@domain has the following authorizations for object
SYSTEM.CLUSTER.TRANSMIT.QUEUE:
|
Quote: |
He probably is inheriting his permissions from a group he is in that still has that access.
|
The usual practice here is to authorise the principal.
My understanding is that when we authorise a principal, the other members of that group get the same permission. But when we revoke, what happens? Does the group still hold those permissions?
One thing I noticed in dmpmqaut is that the user is mentioned but with authority none. But I am still wondering why that is. But the group the guy belongs to is not there.
Quote: |
What O/S is this? What groups is this guy in? List and then check every single one. |
Windows 2000 server, MQ 5.3.11 |
|
Vitor |
Posted: Fri Feb 15, 2008 12:47 am Post subject: Re: Revoking sec did not work |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
jeevan wrote: |
We told him the name of the server conn channel though. |
Has somebody added an MCAUser to the svrconn?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
jeevan |
Posted: Fri Feb 15, 2008 11:03 am Post subject: Re: Revoking sec did not work |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
Vitor wrote: |
jeevan wrote: |
We told him the name of the server conn channel though. |
Has somebody added an MCAUser to the svrconn? |
Not at all. I checked that already.
thanks |
|
PeterPotkay |
Posted: Fri Feb 15, 2008 11:06 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
You have to list every group this guy is in and then check each and every group to see what authorities it has. If he is in the Administrators group or the mqm group he is going to have mqm authority no matter what you do.
_________________
Peter Potkay
Keep Calm and MQ On |
|
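The group check described in the post above can be automated. The following is an added example, not code from any poster or from IBM: it unions a user's own record with the records of every group he is in and shows which entity grants each authority. The stanza layout and field labels are an assumption modelled on dmpmqaut-style output, the sample dump is constructed, the function names are hypothetical, and generic profiles such as `YY.**` are compared by name only, not resolved against real queue names.

```python
import re

PRIVILEGED = {"mqm", "administrators"}  # groups the thread says always carry mqm authority
# Constructed sample; the stanza layout and field labels are assumed, not taken from the thread.
SAMPLE_DUMP = """\
profile: self
object type: qmgr
entity: user@domain
type: principal
authority: none

profile: self
object type: qmgr
entity: appgrp@domain
type: group
authority: connect inq

profile: YY.**
object type: queue
entity: appgrp@domain
type: group
authority: get, put
"""

def parse_stanzas(text):
    """Return one dict per blank-line-separated stanza, with authorities as a set."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {k.strip().lower(): v.strip() for k, v in
             (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)}
        auths = set(re.split(r"[,\s]+", f["authority"].lower())) - {"", "none"}
        out.append({"object": (f["profile"], f["object type"]), "entity": f["entity"].lower(),
                    "type": f.get("entity type", f.get("type", "")).lower(), "auths": auths})
    return out

def effective_authority(stanzas, user, groups):
    """Union the principal's record with every group record, keeping who grants what."""
    wanted = {(user.lower(), "principal")} | {(g.lower(), "group") for g in groups}
    grants = {}  # (profile, object type) -> {authority: [granting entities]}
    for s in stanzas:
        if (s["entity"], s["type"]) in wanted:
            for a in sorted(s["auths"]):
                grants.setdefault(s["object"], {}).setdefault(a, []).append(s["entity"])
    return grants

def privileged_groups(groups):  # memberships that override any per-object revoke
    return sorted(g for g in groups if g.split("@")[0].lower() in PRIVILEGED)

if __name__ == "__main__":
    print(effective_authority(parse_stanzas(SAMPLE_DUMP), "user@domain", ["appgrp@domain"]))
```

The group list has to come from the operating system or domain. In the constructed sample the principal's own record is `none`, yet connect, inq, get and put all remain through `appgrp@domain`.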
jeevan |
Posted: Fri Feb 15, 2008 12:57 pm Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
PeterPotkay wrote: |
You have to list every group this guy is in and then check each and every group to see what authorities it has. If he is in the Administrators group or the mqm group he is going to have mqm authority no matter what you do. |
I am suspecting two things: one, like you, the group (one of the groups) the guy belongs to has been authorised to access MQ. Second, there is a bug.
I will find it out.
thanks a lot |
|