jeevan |
Posted: Mon Mar 17, 2008 3:51 pm Post subject: I could not revoke the authority of SYS CLUSTER XMITQ |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
D:\>DSPmqaut -m XXXXXXXX -p USER -t queue -n SYSTEM.CLUSTER.TRANSMIT.QUEUE
Entity USER has the following authorizations for object SYSTEM.CLUSTER.TRANSM
IT.QUEUE:
put
inq
D:\>setmqaut -m XXXXXXXX -p USER -t queue -n SYSTEM.CLUSTER.TRANSMIT.QUEUE -all
The setmqaut command completed successfully.
D:\>DSPmqaut -m XXXXXXXX -p USER -t queue -n SYSTEM.CLUSTER.TRANSMIT.QUEUE
Entity USER has the following authorizations for object SYSTEM.CLUSTER.TRANSM
IT.QUEUE:
put
inq
Any clue why I cannot do that?
I also did a refresh but it is still the same. |
|
jeevan |
Posted: Mon Mar 17, 2008 6:38 pm Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
With the same command, I was able to revoke permission of the other queues and qmgr but I could not do that for the xmitq. |
|
fjb_saper |
Posted: Mon Mar 17, 2008 8:18 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Possibly because the user is a member of a group that has access to the cluster xmitq?
 _________________ MQ & Broker admin |
|
jeevan |
Posted: Mon Mar 17, 2008 9:04 pm Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
fjb_saper wrote: |
Possibly because the user is a member of a group that has access to the cluster xmitq?
 |
No, I am able to revoke the permission from other objects for that user, but I cannot do it for this particular object. That is why I posted here, wondering whether there is anything special with this. I remember it has to be authorised at the beginning to put the message across, but now they do not need it, and when I want to revoke it, I could not.
It is mq6.0.2.2 on windows 2003.
Anything that I can check for? |
|
fjb_saper |
Posted: Tue Mar 18, 2008 3:01 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
jeevan wrote: |
fjb_saper wrote: |
Possibly because the user is a member of a group that has access to the cluster xmitq?
 |
No, I am able to revoke the permission from other objects for that user, but I cannot do it for this particular object. |
Not a valid objection
_________________ MQ & Broker admin |
|
PeterPotkay |
Posted: Tue Mar 18, 2008 4:58 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
dmpmqaut the auts for the S.C.T.Q. and see what groups have access to it and see if USER is in one of those groups.
Just because you successfully removed USER's auts to other objects doesn't prove anything. Maybe those other objects weren't covered by a group USER is in like S.C.T.Q. might be.
_________________ Peter Potkay
Keep Calm and MQ On |
|
jeevan |
Posted: Tue Mar 18, 2008 10:22 am Post subject: |
|
|
Grand Master
Joined: 12 Nov 2005 Posts: 1432
|
PeterPotkay wrote: |
dmpmqaut the auts for the S.C.T.Q. and see what groups have access to it and see if USER is in one of those groups.
Just because you successfully removed USER's auts to other objects doesn't prove anything. Maybe those other objects weren't covered by a group USER is in like S.C.T.Q. might be. |
I saw that the USER is in the domain group *staff, to which the user who still has permission to SCTQ also belongs.
The thing is like this:
This user is used in Dev, but the users used in Dev and Test belong to the same group, *staff.
Therefore, the permission is granted based on principal, not based on group.
But still the condition is the same.
If, being in exactly the same group, I can revoke its permission to other queues and the qmgr, why not on this one? I am just wondering.
I showed it to my colleague, thinking that I had missed something, with the same result.
Any clue / brainstorm? |
|
fjb_saper |
Posted: Tue Mar 18, 2008 3:48 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Quote: |
Therefore, the permission is granted based on principal not based on group. |
Wrong... Group permission takes precedence in most cases.
You can remove all permissions from the principal. If he is in the mqm group he will still have full access...
In fact in Unix there is no principal permission. It gets set to the primary group of the principal...
Enjoy
_________________ MQ & Broker admin |
|
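The check suggested in the replies above, written out as a Windows command script. This is an added example, not part of any post in the thread: XXXXXXXX and USER are the placeholders from the first post, and the group name staff and the /domain lookup are assumptions.

```bat
@echo off
rem Added example: trace where a principal's authority on a queue comes from.
rem QM and PRINCIPAL are the thread's placeholders; GRP is an assumed group name.
setlocal
set QM=XXXXXXXX
set PRINCIPAL=USER
set GRP=staff
set OBJ=SYSTEM.CLUSTER.TRANSMIT.QUEUE

rem 1. Dump the authority records held on the queue, principals and groups alike.
dmpmqaut -m %QM% -n %OBJ% -t queue

rem 2. Show only the profiles used to calculate this principal's cumulative authority.
dmpmqaut -m %QM% -n %OBJ% -t queue -p %PRINCIPAL% -e

rem 3. List the groups the account belongs to (domain account assumed).
net user %PRINCIPAL% /domain

rem 4. Show what the suspected group itself holds on the queue.
dspmqaut -m %QM% -g %GRP% -t queue -n %OBJ%

rem 5. Revoking from the group removes put and inq for every member, so it is
rem    left commented out; enable it only if no other member still needs access.
rem setmqaut -m %QM% -g %GRP% -t queue -n %OBJ% -put -inq

rem 6. Refresh the queue manager's security information, then re-check the principal.
echo REFRESH SECURITY | runmqsc %QM%
dspmqaut -m %QM% -p %PRINCIPAL% -t queue -n %OBJ%
endlocal
```

If step 4 lists put and inq for a group that step 3 shows the account belongs to, the unchanged dspmqaut output for the principal is explained by the group record rather than by a failed setmqaut.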