sunny_30 (Master; Joined: 03 Oct 2005; Posts: 258)
Posted: Thu Jun 02, 2011 1:22 pm
Post subject: Local-admin access for MQ-admin on Windows ?
Hi,
I would like to know if Local-Administrator access on a 'Windows Server 2003' system is mandatory for MQ-Admin type of support.
In an ideal scenario, compared to a Unix environment, root/admin access should not be compulsory -> all the MQ guy needs is to be part of the 'mqm' group.
But on Windows, I see there is a problem: a non-admin cannot start/stop the MQ service if required. I tested as a non-local_admin + an mqm member and it doesn't work! I would like to know how it should normally be set up. Any other workaround for this?
In our place the WIN-admins would not give local-admin access to the MQ-support team.
Please suggest.
Thanks
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Thu Jun 02, 2011 7:43 pm
Thank Windows for placing a number of things into the registry.
Access to the registry will be needed to administer MQ.
Have fun
_________________
MQ & Broker admin
sunny_30 (Master; Joined: 03 Oct 2005; Posts: 258)
Posted: Fri Jun 03, 2011 5:53 am
Agree. Registry access is required to modify qm/mqs ini settings for Windows.
But Windows Registry access doesn't necessarily require Local-Admin privilege. In this case, all the mq-admin needs is write access to the Registry parent key & subkeys, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\IBM\MQSeries
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Fri Jun 03, 2011 9:20 pm
sunny_30 wrote:
Agree. Registry access is required to modify qm/mqs ini settings for Windows.
But Windows Registry access doesn't necessarily require Local-Admin privilege. In this case, all the mq-admin needs is write access to the Registry parent key & subkeys, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\IBM\MQSeries

Not quite, it also needs unlimited access to the MQ file system, at least for the id running the qmgr (service id)?
_________________
MQ & Broker admin
sunny_30 (Master; Joined: 03 Oct 2005; Posts: 258)
Posted: Mon Jun 06, 2011 12:53 pm
fjb_saper wrote:
it also needs unlimited access to the MQ file system

Thank you for your response.
If by "unlimited" you mean "write" access to all MQ directories (install, working etc.), that should be fine.
But it's still not clear to me if you are saying Local-Administrator level access is mandatory (or) not for MQ-admin type of duties on a Windows system?
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Mon Jun 06, 2011 5:56 pm
sunny_30 wrote:
fjb_saper wrote:
it also needs unlimited access to the MQ file system

Thank you for your response.
If by "unlimited" you mean "write" access to all MQ directories (install, working etc.), that should be fine.
But it's still not clear to me if you are saying Local-Administrator level access is mandatory (or) not for MQ-admin type of duties on a Windows system?

Well, on top of the accesses mentioned above you also need permission to resolve group membership etc. for the MQ service ID. Maybe this is what mandates the membership in the local admins.
_________________
MQ & Broker admin
sunny_30 (Master; Joined: 03 Oct 2005; Posts: 258)
Posted: Tue Jun 07, 2011 7:36 am
fjb_saper wrote:
Well, on top of the accesses mentioned above you also need permission to resolve group membership etc. for the MQ service ID. Maybe this is what mandates the membership in the local admins.

Does this mean that the Windows OS, in order to authenticate group membership, requires Administrator level access?
I just found this info today:
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=/com.ibm.mq.csqzae.doc/ic12660_.htm
which says:
Quote:
On Windows systems
Administration users must be part of both the mqm group and the administrators group on Windows systems if this ID is going to use WebSphere® MQ administration commands.

Is it for the above reason that IBM mandates this for MQ administration?
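
Added example (not part of the thread and not IBM tooling): a read-only PowerShell check of the two permissions the posts debate, namely which accounts hold write access to the registry key named above and which accounts the service's DACL allows to start or stop it. The service name is a placeholder because the thread does not give it, and the function names are made up for this example.

```powershell
# Added example: read-only audit, changes nothing on the system.
param(
    [string]$RegistryPath = 'HKLM:\SOFTWARE\IBM\MQSeries',  # key named in the thread
    [string]$ServiceName  = '<MQ-service-name>'             # placeholder: not given in the thread
)

function Get-RegistryWriter {
    param([string]$Path)
    # SetValue (0x2) and CreateSubKey (0x4), plus GENERIC_WRITE and GENERIC_ALL,
    # which Get-Acl can report as raw bits that a plain enum-name test would miss.
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.RegistryRights) -band $writeMask) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

function Get-ServiceControlAce {
    param([string]$Name)
    # sc.exe sdshow prints the service security descriptor as one SDDL string.
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '\(A;' }) -join ''
    # Allow ACEs look like (A;flags;rights;;;trustee); rights are two-letter codes.
    # ACEs whose rights are written in hex are skipped by this pattern.
    $pattern = '\(A;[^;]*;([A-Z]+);[^;]*;[^;]*;([^)]+)\)'
    foreach ($m in [regex]::Matches($sddl, $pattern)) {
        $rights = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        [pscustomobject]@{
            Trustee  = $m.Groups[2].Value       # SID or SDDL alias (BA = Administrators, SY = SYSTEM)
            CanStart = $rights -contains 'RP'   # RP = SERVICE_START
            CanStop  = $rights -contains 'WP'   # WP = SERVICE_STOP
        }
    }
}

Get-RegistryWriter -Path $RegistryPath | Format-Table -AutoSize
Get-ServiceControlAce -Name $ServiceName | Format-Table -AutoSize
```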