zpat
Posted: Wed Jan 20, 2010 8:57 am Post subject: Issue with primary Unix group being added to MQ ACL
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
As mentioned in other threads, when an MQ object is created on Unix, the user's primary group (who is creating the object) is automatically added to the access list by the OAM.
Our admins have mqm group membership, but their primary group is not mqm (and this group should not be added to ACLs) - for various reasons we don't want to change their primary group to mqm.
What's the solution to this?
Using the mqm id (via sudo) seems old-fashioned and won't work for GUI tools.
Is this issue due to Unix or MQ (in other words could an MQ product change fix this)?
mvic
Posted: Wed Jan 20, 2010 9:56 am Post subject: Re: Issue with primary Unix group being added to MQ ACL
Jedi
Joined: 09 Mar 2004 Posts: 2080
zpat wrote: "What's the solution to this?"
After creating the objects, perhaps use setmqaut to revoke access on the object from the group concerned?
zpat
Posted: Wed Jan 20, 2010 11:09 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Yes, bit of a pain doing this with the GUI tools which are meant to make life simpler.
Also assumes that the user is aware that this problem is happening (which is certainly not obvious).
One option would be to periodically remove all OAM access from the unwanted primary group - again a bit of a kludge.
Perhaps I should submit a user requirement to IBM on this one.
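A dry-run sketch of the periodic clean-up idea above, as an added example that is not part of any post in this thread: it reads dmpmqaut-style records and prints the matching `setmqaut ... -remove` commands for one group. The record layout, the `self` profile for the queue manager, and the names `QM1`, `staff` and `APP.REQUEST` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (never runs) the setmqaut
# revocations for one unwanted group, from dmpmqaut-style records on stdin.
# Assumed layout: profile / object type / entity / entity type (or type) lines.
gen_revokes() {  # usage: gen_revokes QMGR GROUP < dump
    awk -v qm="$1" -v grp="$2" '
        function flush() {
            # Revoke only group entries that belong to the named group.
            if (profile != "" && entity == grp && etype == "group") {
                if (otype == "qmgr")  # queue manager authority has no -n profile
                    printf "setmqaut -m %s -t qmgr -g %s -remove\n", qm, grp
                else                  # quote the profile: it may contain * or ?
                    printf "setmqaut -m %s -n \047%s\047 -t %s -g %s -remove\n", qm, profile, otype, grp
            }
            profile = otype = entity = etype = ""
        }
        {   # split "key:   value", tolerating trailing blanks and CRs
            key = $0; sub(/:.*/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
        }
        key == "profile"     { flush(); profile = val }
        key == "object type" { otype = val }
        key == "entity"      { entity = val }
        key == "entity type" || key == "type" { etype = val }
        END { flush() }
    '
}

sample_dump() {  # constructed sample; all names are hypothetical
    cat <<'EOF'
profile:     APP.REQUEST
object type: queue
entity:      staff
entity type: group
authority:   get browse put inq
- - - - - - - -
profile:     APP.REQUEST
object type: queue
entity:      mqm
entity type: group
profile:     self
object type: qmgr
entity:      staff
type:        group
EOF
}

sample_dump | gen_revokes QM1 staff
```

Against a live queue manager the input would come from `dmpmqaut -m QM1 -g staff` instead of the sample. The commands are printed rather than executed so they can be reviewed first, since the group may hold access on some objects that it is meant to keep.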
fjb_saper
Posted: Wed Jan 20, 2010 11:28 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
If you are using a secured admin channel with mqm in the MCA User Id, you could use MO72 (mqsc) to create the objects as mqm....
Have fun
_________________
MQ & Broker admin
Vitor
Posted: Wed Jan 20, 2010 11:30 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
zpat wrote: "Yes, bit of a pain doing this with the GUI tools which are meant to make life simpler."
Where does it say that??
You know where you are with a nice bit of script....
_________________
Honesty is the best policy.
Insanity is the best defence.
bruce2359
Posted: Wed Jan 20, 2010 11:36 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
IMHO, the Explorer (actually, any GUI) is a wonderful tool for doing something one time. This is where GUIs make life easier.
If the thing needs to be repeated often, then a script is called for.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.