MQSeries.net Forum Index » IBM MQ Security » OAM - setall privilege given to an application user

OAM - setall privilege given to an application user
kordi
Posted: Thu May 21, 2015 1:11 pm    Post subject: OAM - setall privilege given to an application user

Centurion

Joined: 28 May 2012
Posts: 146
Location: PL

Hi There,

Is there any reason for giving the setall privilege to an application user? By application user I mean the one provided in the MCAUSER attribute of the SVRCONN channel used by a specific application to connect, put and get messages from queues.

Thanks in advance.
PeterPotkay
Posted: Thu May 21, 2015 5:36 pm

Poobah

Joined: 15 May 2001
Posts: 7722

If the application needs to set some or all the context fields in the MQMD, yes, you need to give it. It's not common, but the situation is not unheard of.

When the app is WMB or DataPower it's more common.

Protect that channel (Security Exit, SSL, CHLAUTH) so that only the intended user(s) can use that channel and do this setall.
_________________
Peter Potkay
Keep Calm and MQ On
kordi
Posted: Thu May 21, 2015 11:45 pm

Centurion

Joined: 28 May 2012
Posts: 146
Location: PL

Thanks Peter for your answer.

What I meant was: if we want to allow an application just to exchange messages using MQ, does this application user need to have setall on any of the objects (queues, channels)?

setall allows control of the context of the message, including changing the user ID, so per my understanding an application with such a privilege can change the user ID to mqm, for example, and bypass some security settings.
hughson
Posted: Fri May 22, 2015 2:00 am

Padawan

Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand

As Peter said, it is not commonly needed. In fact it is needed ONLY if your application uses the MQOO_SET_ALL_CONTEXT open option.

If this is a simple putting and getting application then it is certainly worth investigating why they believe they need +setall.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
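As an added example (not from the thread or from IBM), one way to check for the situation discussed above: scan authority records in the MQSC form written by `dmpmqcfg -x authrec` and list non-administrative principals or groups that hold setall. The sample records, the user names and the choice of `mqm` as the only expected holder are constructed assumptions.

```python
import re

# Authorities that let a putter write MQMD context fields. ALL and ALLMQI are
# generic grants treated here as including setall.
RISKY = {"SETALL", "ALL", "ALLMQI"}
ADMIN_ENTITIES = {"mqm"}  # assumption: only the mqm group is expected to hold setall

# Constructed sample in the MQSC form written by `dmpmqcfg -x authrec`.
SAMPLE = """\
SET AUTHREC +
   PROFILE('APP1.REQUEST') +
   PRINCIPAL('app1usr') +
   OBJTYPE(QUEUE) +
   AUTHADD(BROWSE,GET,INQ,PUT)
SET AUTHREC +
   PROFILE('APP2.REQUEST') +
   PRINCIPAL('app2usr') +
   OBJTYPE(QUEUE) +
   AUTHADD(GET,PUT,SETALL)
SET AUTHREC +
   PROFILE('SYSTEM.ADMIN.COMMAND.QUEUE') +
   GROUP('mqm') +
   OBJTYPE(QUEUE) +
   AUTHADD(BROWSE,CHG,CLR,DLT,DSP,GET,INQ,PUT,PASSALL,PASSID,SET,SETALL,SETID)
SET AUTHREC PROFILE('self') PRINCIPAL('app3usr') OBJTYPE(QMGR) AUTHADD(ALLMQI)
"""

def join_continuations(text):
    """Merge MQSC lines ending in '+' into one logical command per line."""
    return re.sub(r"\s*\+\s*\n\s*", " ", text).splitlines()

def find_setall_grants(text, admins=ADMIN_ENTITIES):
    """Return (entity, objtype, profile, risky_auths) for non-admin entities."""
    findings = []
    for cmd in join_continuations(text):
        if not cmd.upper().startswith("SET AUTHREC"):
            continue
        kw = {k.upper(): v.strip("'") for k, v in re.findall(r"(\w+)\(([^)]*)\)", cmd)}
        entity = kw.get("PRINCIPAL") or kw.get("GROUP")
        auths = {a.strip().upper() for a in kw.get("AUTHADD", "").split(",")}
        hits = sorted(auths & RISKY)
        if entity and entity not in admins and hits:
            findings.append((entity, kw.get("OBJTYPE"), kw.get("PROFILE"), hits))
    return findings

if __name__ == "__main__":
    for entity, objtype, profile, hits in find_setall_grants(SAMPLE):
        print(f"{entity}: {','.join(hits)} on {objtype} {profile}")
```

Each finding is a starting point for the question raised above: does that application actually open queues with MQOO_SET_ALL_CONTEXT, and if not, can the grant be removed?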
kordi
Posted: Fri May 22, 2015 9:18 am

Centurion

Joined: 28 May 2012
Posts: 146
Location: PL

OK, thanks a lot guys for the clarification. I also found an interesting chapter about the setall privilege in "Secure Messaging Scenarios with WebSphere MQ".

Cheers. Have a great weekend