ammx |
Posted: Thu Dec 21, 2017 11:07 am Post subject: Options to grant access to all MQ objects |
|
|
Acolyte
Joined: 08 Sep 2017 Posts: 50
|
Hi
When you want to grant all access to all MQ objects under a queue manager, which is the best option, to add the user to the mq group and then use the following command
setmqaut -m QMgrName -n '**' -t queue -g GroupName +alladm
or to use the -p option like this:
setmqaut -m QMgrName -n '**' -t queue -p Username +alladm
Thanks in advance |
|
exerk |
Posted: Thu Dec 21, 2017 1:07 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Any user within the mqm group automatically has god rights to MQ resources, so setting any authorities for that user is pointless.
That said, DON'T EVER, EVER, ADD USERS TO THE mqm GROUP! On UNIX (depending on version and security model) DON'T EVER, EVER, USE A PRINCIPAL NAME WHEN SETTING AUTHORITIES! _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
bruce2359 |
Posted: Thu Dec 21, 2017 1:11 pm Post subject: Re: Options to grant access to MQ objects |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
ammx wrote: |
Hi
When you want to grant all access to all MQ objects under a queue manager, which is the best option, to add the user to the mq group and then use the following command
setmqaut -m QMgrName -n '**' -t queue -g GroupName +alladm
or to use the -p option like this:
setmqaut -m QMgrName -n '**' -t queue -p Username +alladm
Thanks in advance |
No, no, no, no, NO!
Do not add anyone to the mqm administrative group who isn't an administrator. Members of the mq admin group have ALL privilege - without restriction.
Why do you want to grant all to anyone? An auditor? A programmer? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
ammx |
Posted: Thu Dec 21, 2017 2:18 pm Post subject: |
|
|
Acolyte
Joined: 08 Sep 2017 Posts: 50
|
Yes, I wanted to grant access for a single user to all of the MQ objects of a queue manager and wasn't sure if the -p Username parameter of the setmqaut was the correct one. |
|
bruce2359 |
Posted: Thu Dec 21, 2017 3:31 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
The mqm admin group also grants access to control commands, like crtmqm (create a qmgr), strmqm (start qmgr), endmqm (stop a qmgr), dltmqm (delete qmgr), and other dangerous commands.
Why are you doing this? Did management approve? The auditors? Who (job description) wants this privilege?
As my esteemed colleague noted, there is no need to grant (or deny) permissions to a member of the mqm admin group - all permissions are granted to mqm members (group and principal). You cannot take away any permissions from an mqm group/principal. |
|
PeterPotkay |
Posted: Fri Dec 22, 2017 10:13 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
The OP never mentioned the mqm group.
As of MQ version 8 it is possible to safely grant a principal MQ authorities without it cascading up to the principal's primary group and thus all members of that group. _________________ Peter Potkay
Keep Calm and MQ On |
|
exerk |
Posted: Fri Dec 22, 2017 10:33 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
PeterPotkay wrote: |
The OP never mentioned the mqm group. |
True, but the OP did mention the mq group so my assumption was that the mqm group was meant. |
|
ammx |
Posted: Fri Dec 22, 2017 2:35 pm Post subject: |
|
|
Acolyte
Joined: 08 Sep 2017 Posts: 50
|
Hi
I am the system administrator of the server and I got the request to create the new user. I don't know what the role is of the person who requested this, but management has already approved. |
|
bruce2359 |
Posted: Fri Dec 22, 2017 6:19 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
I believe strongly that the primary responsibility of a sysadmin is to protect the organization from the ignorance of management.
Ask management why this person needs all access. Will read-only access suffice? Is this person MQ admin trained? |
|
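An added example, not part of any post in this thread and not IBM's or the posters' own script: a dry-run helper that prints a read-only authority plan for a dedicated non-mqm group, as the narrower alternative to `'**' +alladm` raised in the replies. The function name `mq_readonly_plan`, the queue manager `QM1` and the group `mqview` are hypothetical, and the choice of `+connect +inq +dsp` and `+browse +inq +dsp` as "read-only" is an assumption to adjust for the actual request.

```shell
#!/bin/sh
# Added example (not from the thread): print, without running, a read-only
# authority plan for a dedicated group. QM1 and mqview are constructed names.

mq_readonly_plan() {
    qmgr="$1"
    group="$2"
    profile="${3:-**}"    # generic profile matching every queue name

    if [ -z "$qmgr" ] || [ -z "$group" ]; then
        echo "usage: mq_readonly_plan QMgrName GroupName [Profile]" >&2
        return 2
    fi
    # mqm members hold every authority and cannot be restricted, so the
    # only meaningful control is keeping ordinary users out of that group.
    if [ "$group" = "mqm" ]; then
        echo "refusing: mqm is the MQ administrative group" >&2
        return 1
    fi
    # The values end up in command lines, so accept only expected characters.
    case "$qmgr$group" in
        *[!A-Za-z0-9._-]*) echo "refusing: bad character in name" >&2; return 1 ;;
    esac
    case "$profile" in
        *[!A-Za-z0-9._*/%-]*) echo "refusing: bad character in profile" >&2; return 1 ;;
    esac

    # Connect to and inquire on the queue manager itself.
    printf '%s\n' "setmqaut -m $qmgr -t qmgr -g $group +connect +inq +dsp"
    # Browse and display queues only: no +put, +get, +chg, +dlt or +alladm.
    printf '%s\n' "setmqaut -m $qmgr -n '$profile' -t queue -g $group +browse +inq +dsp"
    # Dump the authority records so the grant can be reviewed afterwards.
    printf '%s\n' "dmpmqaut -m $qmgr -n '$profile' -t queue -g $group"
}

# Dry run with the constructed sample names; review the output before use.
mq_readonly_plan QM1 mqview
```

The plan uses `-g` throughout, so the grant is visibly attached to a group created for this purpose rather than to a principal whose primary group might pick it up.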