myip (Newbie; Joined: 14 Feb 2018; Posts: 6)
Posted: Mon Feb 19, 2018 7:33 am    Post subject: Authentication Records Displaying on Read Only Group
Hi team,
The MQ version is 7.5.0.0.3.
I want to set up a read-only group ('it-read') that can only display QUEUES and TOPICS using MQ Explorer.
This is the script:
SET AUTHREC OBJTYPE(QMGR) GROUP('it-read') AUTHADD(CONNECT,INQ,DSP)
SET AUTHREC PROFILE(**) OBJTYPE(QUEUE) GROUP('it-read') AUTHADD(DSP,BROWSE)
SET AUTHREC PROFILE(**) OBJTYPE(TOPIC) GROUP('it-read') AUTHADD(DSP)
The problem is that I have some Channel Authentication Records that map users and channels to allow or block access on channels by remote user ID. Some of these records are admin users mapped to a certain Channel.
When I connect using a user from the read-only group, I can display the Channel Authentication Records, and therefore I can see which admin user ID is mapped to what Channel and then connect as an admin.
Is there a way to prevent this?
Thanks in advance!
Last edited by myip on Mon Feb 19, 2018 8:55 am; edited 1 time in total
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Mon Feb 19, 2018 8:14 am
Guess where MQ stores the chlauth mapping info?
SYSTEM.CHLAUTH.DATA.QUEUE
Don't grant read access to this queue if you want to hide it.
However, hiding it is not really a substitute for proper security.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
myip (Newbie; Joined: 14 Feb 2018; Posts: 6)
Posted: Mon Feb 19, 2018 8:53 am
zpat wrote:
    Guess where MQ stores the chlauth mapping info?
    SYSTEM.CHLAUTH.DATA.QUEUE
    Don't grant read access to this queue if you want to hide it.
    However, hiding it is not really a substitute for proper security.
I have taken away the read access and it is still showing :/
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Mon Feb 19, 2018 9:34 am
Did you refresh security?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
myip (Newbie; Joined: 14 Feb 2018; Posts: 6)
Posted: Mon Feb 19, 2018 11:11 am
bruce2359 wrote:
    Did you refresh security?
Yes, I even restarted the QM.
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Mon Feb 19, 2018 11:27 am
Then you have not taken away access to that queue.
Start again and don't grant access to all queues (**).
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
myip (Newbie; Joined: 14 Feb 2018; Posts: 6)
Posted: Mon Feb 19, 2018 12:11 pm
zpat wrote:
    Then you have not taken away access to that queue.
    Start again and don't grant access to all queues (**).
I have tried again: I deleted the QMGR and created a new one, then only granted the read-only group access to connect, then connected with that group's user in MQ Explorer, and I can still see the Channel Authentication Records.
SET AUTHREC OBJTYPE(QMGR) GROUP('it-read') AUTHADD(CONNECT,INQ,DSP)
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Tue Feb 20, 2018 12:21 am
What groups is the user a member of?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
myip (Newbie; Joined: 14 Feb 2018; Posts: 6)
Posted: Wed Feb 21, 2018 7:03 am
zpat wrote:
    What groups is the user a member of?
Only it-read.
PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Wed Feb 21, 2018 3:22 pm
Look at Table 2 here:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083500_.htm
Notice CHLAUTH records don't have their own column.
Guess which column IBM uses to control access to CHLAUTH records.
Right below that table is the following:
Quote:
    chg
    A user needs chg authority to make any authorization changes on the queue manager. The authorization changes include:
    Changing the authorizations to a profile, object, or class of objects
    Creating and modifying channel authentication records, and so on
Access to CHLAUTH records is controlled by access to the QM object.
_________________
Peter Potkay
Keep Calm and MQ On
myip (Newbie; Joined: 14 Feb 2018; Posts: 6)
Posted: Thu Mar 01, 2018 2:49 pm
PeterPotkay wrote:
    Look at Table 2 here:
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.ref.adm.doc/q083500_.htm
    Notice CHLAUTH records don't have their own column.
    Guess which column IBM uses to control access to CHLAUTH records.
    Right below that table is the following:
    Quote:
        chg
        A user needs chg authority to make any authorization changes on the queue manager. The authorization changes include:
        Changing the authorizations to a profile, object, or class of objects
        Creating and modifying channel authentication records, and so on
    Access to CHLAUTH records is controlled by access to the QM object.
Hi, sorry for the late response.
So basically there is no way to hide, or not display, the Channel Authentication Records from other users?
My goal is that a queue reader user can only read queues from MQ Explorer and can't display anything else.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Fri Mar 02, 2018 2:12 am
Have you tried removing display from the QMGR object?
_________________
MQ & Broker admin
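An added audit script (not from the thread, nor IBM code) that parses runmqsc `DISPLAY AUTHREC` output and flags the two grants the thread turns on: DSP on the QMGR object, which per PeterPotkay's quoted IBM text is what lets a group display CHLAUTH records and is what fjb_saper suggests removing, and a generic `**` queue profile with BROWSE or GET, which also covers the SYSTEM.CHLAUTH.DATA.QUEUE that zpat points at. The sample output and the `it-audit` group are constructed; the attribute layout assumes the usual runmqsc record format.

```python
import re

# Constructed sample of runmqsc DISPLAY AUTHREC output (not captured from the thread);
# the 'it-read' records mirror the SET AUTHREC commands in the first post.
SAMPLE_AUTHREC_OUTPUT = """\
AMQ8864: Display authority record details.
   PROFILE(self)                           ENTITY(it-read)
   ENTTYPE(GROUP)                          OBJTYPE(QMGR)
   AUTHLIST(CONNECT,INQ,DSP)
AMQ8864: Display authority record details.
   PROFILE(**)                             ENTITY(it-read)
   ENTTYPE(GROUP)                          OBJTYPE(QUEUE)
   AUTHLIST(BROWSE,DSP)
AMQ8864: Display authority record details.
   PROFILE(self)                           ENTITY(it-audit)
   ENTTYPE(GROUP)                          OBJTYPE(QMGR)
   AUTHLIST(CONNECT,INQ)
AMQ8864: Display authority record details.
   PROFILE(APP.*)                          ENTITY(it-audit)
   ENTTYPE(GROUP)                          OBJTYPE(QUEUE)
   AUTHLIST(BROWSE,DSP)
"""

ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")   # KEYWORD(value) pairs on a line

def parse_authrecs(text):
    """Split DISPLAY AUTHREC output into one attribute dict per AMQ8864 record."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8864"):
            current = {}
            records.append(current)
        elif current is not None:
            current.update(ATTR_RE.findall(line))
    return records

def auths(record):
    return set(record.get("AUTHLIST", "").split(","))

def chlauth_readers(records):
    """Entities with DSP on the QMGR object: the authority that lets them display
    CHLAUTH records, and so read which user IDs are mapped to which channels."""
    return sorted({r["ENTITY"] for r in records
                   if r.get("OBJTYPE") == "QMGR" and "DSP" in auths(r)})

def chlauth_queue_readers(records):
    """Entities whose generic queue profile (**) grants BROWSE or GET, which also
    reaches SYSTEM.CHLAUTH.DATA.QUEUE; a narrower profile such as APP.* does not."""
    return sorted({r["ENTITY"] for r in records
                   if r.get("OBJTYPE") == "QUEUE" and r.get("PROFILE") == "**"
                   and auths(r) & {"BROWSE", "GET"}})
```

Feed it the output of `DISPLAY AUTHREC` for your queue manager; any group it lists under the first check can see the channel-to-user mappings regardless of queue authorities.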