What I risk to grant put,get,dsp to S.D.MODEL.Q & S.A.CO
issac
Posted: Sat Jan 28, 2012 5:25 pm

Disciple

Joined: 02 Oct 2008
Posts: 158
Location: Shanghai

Hello,

In order to enable supposedly read-only users to access qmgrs by MQ Explorer and mqsc support pack, I plan to grant dsp,put,get privileges upon SYSTEM.DEFAULT.MODEL.QUEUE and SYSTEM.ADMIN.COMMAND.QUEUE to the userid which will be available to people who are supposed to be read-only to the QMGR.

But I don't quite understand how much risk I am exposing to the outside. Is what I do going to make the QMGR less secure? Will what I do enable these supposedly read-only users to do something terrible to the QMGR?

Thank you in advance.
_________________
Bazinga!
bruce2359
Posted: Sat Jan 28, 2012 8:10 pm

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

What research have you done? Do you understand what these objects are used for?

What does read-only have to do with these objects?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
issac
Posted: Sat Jan 28, 2012 11:05 pm

Disciple

Joined: 02 Oct 2008
Posts: 158
Location: Shanghai

Mmmm... thanks very much for the reply. To be honest docs I found for these queues are somewhat vague, which includes the following:

SYSTEM.DEFAULT.MODEL.QUEUE Default model queue.
SYSTEM.ADMIN.COMMAND.QUEUE Administration command queue. Used for remote MQSC commands and PCF commands.


I'm trying to set up a userid, which has dsp privilege upon almost every Q, CHL, ALIAS... but could not do anything other than dsp on them. So I call it meant to be read-only for short.

The reason for me to grant dsp,put,get upon S.D.M.Q and S.A.C.Q is to enable the userid to be able to work when users connect by MQ Explorer and mqsc support pack.

I plan to create a SVRCONN chl whose MCAUSER is set to this read-only userid, then provide the chl for developers so that they could connect to the QMGR by MQ Explorer or mqsc support pack, and be able to view various properties but still unable to make any change.

I'm not sure if I'm doing it right. Thanks again for your advice.
_________________
Bazinga!
exerk
Posted: Sun Jan 29, 2012 3:47 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

THIS link should be of interest to you, if you have not already viewed it. And remember, any MCAUSER value set within a channel only mitigates what can be done - you are setting PUT/GET authorities for your user, which makes what you are doing NOT read-only.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Sun Jan 29, 2012 9:32 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Well the user will have to have put on at least the system admin queue.
Apart from display you might want to add inq for the regular objects, and if the users also need to see the message content, browse.

Have fun
_________________
MQ & Broker admin
exerk
Posted: Sun Jan 29, 2012 9:46 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

fjb_saper wrote:
Well the user will have to have put on at least the system admin queue.

That one's a given, however, I interpreted the PUT/GET and other comments to mean that more than just 'looking' was involved.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
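
An added example, not part of any post in this thread: a small audit that reads an authority listing and reports every grant to the "read-only" group that goes beyond looking, which is the distinction the replies draw between put on the command queue and put/get in general. The group names `mqview` and `appgrp`, the per-object allowlist and the simplified three-field listing layout are assumptions of this example.

```python
import re

# Authorities that only let a user look (dsp, plus the inq and browse suggested in the thread).
VIEW_ONLY = {"connect", "dsp", "inq", "browse"}
# Assumed per-object extras a remote admin tool needs; adjust for your tooling.
TOOL_NEEDS = {
    "SYSTEM.ADMIN.COMMAND.QUEUE": {"put"},  # submit commands to the command server
    "SYSTEM.DEFAULT.MODEL.QUEUE": {"get"},  # read replies from a dynamic reply queue
}

def parse_stanzas(text):
    """Split 'key: value' stanzas (each starting at 'profile:') into dicts."""
    stanzas = []
    for line in text.splitlines():
        m = re.match(r"\s*([a-z ]+?):\s+(.*\S)", line)
        if m and m.group(1) == "profile":
            stanzas.append({})
        if m and stanzas:
            stanzas[-1][m.group(1)] = m.group(2)
    return stanzas

def grants_to_review(text, entity):
    """Return (profile, [authorities]) pairs that exceed view-only for `entity`."""
    findings = []
    for s in parse_stanzas(text):
        if s.get("entity") != entity:
            continue
        held = set(re.findall(r"[a-z]+", s.get("authority", "")))
        extra = held - VIEW_ONLY - TOOL_NEEDS.get(s["profile"], set())
        if extra:
            findings.append((s["profile"], sorted(extra)))
    return findings

# Constructed sample listing (simplified layout); not output from a real queue manager.
SAMPLE = """\
profile:     SYSTEM.ADMIN.COMMAND.QUEUE
entity:      mqview
authority:   put get dsp
profile:     SYSTEM.DEFAULT.MODEL.QUEUE
entity:      mqview
authority:   put get dsp
profile:     APP.ORDERS.*
entity:      mqview
authority:   dsp inq browse
profile:     APP.PAYMENTS.IN
entity:      appgrp
authority:   put get
"""
```

Calling `grants_to_review(SAMPLE, "mqview")` on the grant set proposed in the first post reports get on the command queue and put on the model queue as the authorities to justify or remove.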