MQSeries.net Forum Index » IBM MQ Security » Suggestions on implementing MQ objects access security

Post new topic  Reply to topic
 Suggestions on implementing MQ objects access security « View previous topic :: View next topic » 
Author Message
keyswest
PostPosted: Tue Sep 07, 2010 1:17 pm    Post subject: Suggestions on implementing MQ objects access security

Novice

Joined: 25 Apr 2008
Posts: 14

Hi,

I am a beginner with MQ administration. In our organization, the current setup is that all users are part of the MQM group. We have MQ 6 on both Windows and mainframe.

We are looking at implementing a security process wherein the users are split into different groups, i.e. admin users in mqm, view queues only in one group, make changes to queues and channels in one group.

What is the best way to do this? Is it to use setmqaut and set permissions on each object? If a user is in multiple groups, how will the access rights work?

Any suggestions or the right direction would be really helpful...

thank you,
kris
bruce2359
PostPosted: Tue Sep 07, 2010 2:12 pm    Post subject:

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

Do you mean that ALL users (admin and end-user) are in the mqm group??

Or do you mean that you want to split WMQ sysadmin tasks into multiple admin groups?

Or something else?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Vitor
PostPosted: Wed Sep 08, 2010 4:30 am    Post subject: Re: Suggestions on implementing MQ objects access security

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

keyswest wrote:
In our organization, the current setup is that all users are part of the MQM group. We have MQ 6 on both windows and mainframe.


Be aware that mainframe doesn't have the concept of an mqm group.

keyswest wrote:
wat is the best way to do this? is is to use setmqaut and set permissions on each object? if a user is in multiple groups, how will the access rights work?


Again, setmqaut doesn't work on mainframe though the other concepts are valid. Speak to whoever runs your RACF for advice.
_________________
Honesty is the best policy.
Insanity is the best defence.
zpat
PostPosted: Wed Sep 08, 2010 5:33 am    Post subject:

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

OAM profiles can grant access to one or more groups. Users can belong to zero or more groups and will get their cumulative access rights.

It's all fairly straightforward, but you need to combine this work with setting up the channels properly to avoid access to the mqm id.
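The group split zpat describes, as an added example that is not from the thread or from IBM: one view-only group and one operator group, expressed with the real setmqaut and dspmqaut syntax for a distributed (Unix or Windows) queue manager. The queue manager name QM1, the groups mqreader and mqoper and the APP.* queue names are assumptions. On Windows the same commands are typed into a command prompt against Windows groups; on z/OS none of this applies, since RACF profiles replace setmqaut there. The script is a dry run by default so the plan can be read and checked where MQ is not installed. Remember that the OAM is bypassed entirely for members of mqm (and, on Windows, the local Administrators group), so the split has no effect until end users are out of those groups.

```bash
#!/bin/sh
# Added example, not code from the thread. Splits OAM authority into a
# view-only group and an operator group on a distributed queue manager.
# Assumed names: queue manager QM1, groups mqreader and mqoper,
# application queues APP.*. Not applicable to z/OS (RACF).
#
# Dry run by default: commands are printed, not executed. Set MQ_APPLY=1
# to run them for real.

QMGR="${QMGR:-QM1}"
READERS="${READERS:-mqreader}"   # may display and inquire, nothing else
OPERS="${OPERS:-mqoper}"         # may alter/clear APP.* queues and control channels

run() {
    if [ "${MQ_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Baseline every non-mqm administrator needs: connect, plus the queues
# runmqsc uses to talk to the command server.
grant_connect() {
    g="$1"
    run setmqaut -m "$QMGR" -t qmgr -g "$g" +connect +inq +dsp
    run setmqaut -m "$QMGR" -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g "$g" +put +dsp
    run setmqaut -m "$QMGR" -n SYSTEM.MQSC.REPLY.QUEUE -t queue -g "$g" +get +put +dsp
}

# View-only: DISPLAY works, ALTER/CLEAR/DEFINE/DELETE do not.
grant_viewer() {
    g="$1"
    grant_connect "$g"
    run setmqaut -m "$QMGR" -n '**' -t queue   -g "$g" +dsp +inq
    run setmqaut -m "$QMGR" -n '**' -t channel -g "$g" +dsp
    run setmqaut -m "$QMGR" -n '**' -t process -g "$g" +dsp
}

# Operators: change and clear application queues, alter and start/stop
# channels. No +crt/+dlt, and no change rights on SYSTEM.* queues.
# The OAM uses the most specific profile that matches an object name, so
# the APP.** profile repeats the view rights rather than relying on '**'.
# Authorities across a user's groups are cumulative, so a user in both
# mqreader and mqoper gets the union.
grant_operator() {
    g="$1"
    grant_viewer "$g"
    run setmqaut -m "$QMGR" -n 'APP.**' -t queue   -g "$g" +chg +clr +dsp +inq
    run setmqaut -m "$QMGR" -n '**'     -t channel -g "$g" +chg +ctrl +dsp
}

# Show what each group actually resolves to on a sample queue, then dump
# every profile so the whole split can be reviewed before sign-off.
verify() {
    run dspmqaut -m "$QMGR" -n APP.ORDERS -t queue -g "$READERS"
    run dspmqaut -m "$QMGR" -n APP.ORDERS -t queue -g "$OPERS"
    run dmpmqaut -m "$QMGR"
}

plan() {
    grant_viewer "$READERS"
    grant_operator "$OPERS"
    verify
}

plan
```

Run it once without MQ_APPLY and read the output as the change request; then run with MQ_APPLY=1 on the queue manager and compare the dspmqaut lines against what each group is supposed to have. Anything an operator still needs that is missing shows up as a 2035 (MQRC_NOT_AUTHORIZED) in the queue manager error log, which is the signal to extend the profile rather than to put the user back in mqm.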
keyswest
PostPosted: Wed Sep 08, 2010 12:56 pm    Post subject:

Novice

Joined: 25 Apr 2008
Posts: 14

Thanks all for your suggestions.

@bruce: all users, admin and end users, are in the MQM group. We are looking to split them into different groups and set up security accordingly.

@Vitor: Let me check with my mainframe person for more information on this.

@zpat: OAM profiles look like an interesting choice. Let me dig a little deeper on it and see how to set it up and test it.

once again thanks all for your suggestions,
kris.
bruce2359
PostPosted: Wed Sep 08, 2010 1:11 pm    Post subject:

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

No security checks are performed for members of the mqm group. This means that end-users can use dltmqm and all other control commands, and runmqsc CLEAR QUEUE and all other MQSC commands. Your environment is not secured.

Whoever put end-users in the mqm group should be beaten with a sharpened trout. End-users have no legitimate business reason to do admin tasks. How this passed audit at your organization is a mystery.

Please read the WMQ Security manual. Also read the WMQ System Admin manual sections on security, and the setmqaut control command.
gbaddeley
PostPosted: Wed Sep 08, 2010 3:50 pm    Post subject:

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

Additional reading on IBM developerWorks:

WebSphere MQ for z/OS security
http://www.ibm.com/developerworks/websphere/library/techarticles/0906_schneider/0906_schneider.html

Comparing WebSphere MQ security on distributed platforms and z/OS
http://www.ibm.com/developerworks/websphere/library/techarticles/1003_schneider/1003_schneider.html

Comment lines: T.Rob Wyatt: What you didn't know you didn’t know about WebSphere MQ security
http://www.ibm.com/developerworks/websphere/techjournal/0701_col_wyatt/0701_col_wyatt.html

Comment lines: T.Rob Wyatt: WebSphere MQ security heats up
http://www.ibm.com/developerworks/websphere/techjournal/0711_col_wyatt/0711_col_wyatt.html

WebSphere MQ Security in an Enterprise Environment
http://www.redbooks.ibm.com/abstracts/sg246814.html

HTH,
_________________
Glenn
RogerLacroix
PostPosted: Wed Sep 08, 2010 3:57 pm    Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3253
Location: London, ON Canada

Hi,

Yes, you should absolutely remove non-admin UserIDs from the mqm group.

Remember, there are security holes in MQ that easily allow users / applications to set (spoof) whatever UserID they want to use. This applies to all platforms, including z/OS (mainframe).

So, setting authorization is a great plan, but unless you REALLY know who is connecting it is pointless.

You need to understand the difference between "authentication" and "authorization". First, you authenticate (via SSL or security exit) then MQ's OAM (RACF on z/OS) looks up its ACL (Access Control List) to see if that UserID has permission to access what it is trying to access.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
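The point Roger makes above, and zpat's remark about "setting up the channels properly to avoid access to the mqm id", come down to one thing on a distributed queue manager: an inbound channel must not run under whatever user ID the remote side claims. The MQSC below is an added example, not from the thread or from IBM, that pins every inbound channel to a fixed low-privilege identity and requires a client certificate, so the OAM checks an identity the queue manager established rather than one the client asserted. The queue manager QM1, the channels APP.SVRCONN and TO.QM1, the IDs nobody, appsvc and mqxmit, the groups they belong to, and the SSLPEER subjects are all assumptions; the CipherSpec is one MQ 6 supports. z/OS does this through RACF and the channel initiator and is not covered.

```bash
#!/bin/sh
# Added example, not code from the thread. Binds inbound channels on a
# distributed queue manager to fixed identities and requires client
# certificates, so the user ID a client or partner queue manager sends is
# never the one the OAM authorizes. Assumed names: queue manager QM1,
# channels APP.SVRCONN and TO.QM1, user IDs nobody/appsvc/mqxmit, groups
# apporders/mqxmit, and the certificate subjects in SSLPEER.
#
# Dry run by default: prints the MQSC. Set MQ_APPLY=1 to pipe it to runmqsc.

QMGR="${QMGR:-QM1}"

mqsc() {
    cat <<EOF
* The shipped SVRCONN channels run under whatever user ID the client
* asserts, including mqm. Park them on an ID that exists but owns
* nothing, so they cannot be used to borrow administrator identity.
ALTER CHANNEL('SYSTEM.DEF.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('nobody')
ALTER CHANNEL('SYSTEM.AUTO.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('nobody')
ALTER CHANNEL('SYSTEM.ADMIN.SVRCONN') CHLTYPE(SVRCONN) MCAUSER('nobody')
* Application clients: SSL with a client certificate whose subject must
* match SSLPEER (authentication), then run as appsvc no matter what ID
* the client sends (the identity the OAM then authorizes).
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) REPLACE +
       MCAUSER('appsvc') +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
       SSLPEER('CN=orderapp,O=Example Corp')
* Receiver channels: PUTAUT(DEF) puts messages under the channel's
* MCAUSER, not under the user ID carried in each message descriptor,
* which the sending side can set to anything.
DEFINE CHANNEL('TO.QM1') CHLTYPE(RCVR) TRPTYPE(TCP) REPLACE +
       MCAUSER('mqxmit') PUTAUT(DEF) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
       SSLPEER('CN=QM2,O=Example Corp')
EOF
}

# The pinned identities need exactly the rights the traffic uses, granted
# through their groups (assumed: appsvc is in apporders, mqxmit in mqxmit).
grants() {
    printf '%s\n' \
      "setmqaut -m $QMGR -t qmgr -g apporders +connect +inq" \
      "setmqaut -m $QMGR -n 'APP.**' -t queue -g apporders +put +get +browse +inq" \
      "setmqaut -m $QMGR -t qmgr -g mqxmit +connect +inq +setall" \
      "setmqaut -m $QMGR -n 'APP.**' -t queue -g mqxmit +put +setall"
}

apply() {
    if [ "${MQ_APPLY:-0}" = "1" ]; then
        mqsc | runmqsc "$QMGR"
        grants | sh
    else
        mqsc
        grants
    fi
}

apply
```

After applying, DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER in runmqsc should show no SVRCONN with a blank MCAUSER; a blank one is a channel through which a client can still choose its own identity. The receiver side works the same way for the partner queue manager, which is why the MCAUSER and SSLPEER are set there too.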