dspmqaut for a single group or principal possible?
pcelari
Posted: Tue Sep 17, 2019 11:11 am    Post subject: dspmqaut for a single group or principal possible?

Partisan

Joined: 31 Mar 2006
Posts: 363
Location: New York

Greetings. I need to query all authorization settings for a single principal or group in a qmgr, using dspmqaut or dmpmqaut.

But 'dmpmqaut -m QMName -t queue -n ** -g mygroup' wouldn't work, nor does it work with dspmqaut.

Can an expert please share some insight? Thanks much!
_________________
pcelari
-----------------------------------------
- a master of always being a newbie
hughson
Posted: Tue Sep 17, 2019 1:47 pm

Grand Master

Joined: 09 May 2013
Posts: 1277
Location: Bay of Plenty, New Zealand

It is a shame that the MQSC equivalent command (DISPLAY AUTHREC) does not allow the WHERE clause because that would solve your problem.

<vendor-plug>
The MQGem tool MQSCX supports the MQ WHERE clause but also provides its own WHERE clause using the =WHERE keyword. The =WHERE clause removes a number of the restrictions in the IBM MQ supplied WHERE clause and this is one example of that. Using MQSCX, you can issue the following command:-

Code:
DISPLAY AUTHREC OBJTYPE(QUEUE) =WHERE(ENTITY EQ "mqgemusr@GEMWIN1")


If this interests you, please read further at http://www.mqgem.com/mqscx.html and/or contact us off-list (email on the website).
</vendor-plug>
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
HubertKleinmanns
Posted: Wed Sep 18, 2019 3:04 am

Shaman

Joined: 24 Feb 2004
Posts: 723
Location: Germany

The command
Code:
dmpmqaut -m QMName -t queue -n ** -g mygroup
profile:     **
object type: queue
entity:      mygroup
entity type: group
authority:   allmqi dlt chg dsp clr

lists exactly the profile named '**'. It does not mean "any queue profile".

To list all queue profiles for a specific user, just omit the '-n' parameter like this:
Code:
dmpmqaut -m QMName -t queue -g mygroup
profile:     @class
object type: queue
entity:      mygroup
entity type: group
authority:   none
- - - - - - - -
profile:     **
object type: queue
entity:      mygroup
entity type: group
authority:   allmqi dlt chg dsp clr


And omit the object type to list all profiles for a user:
Code:
dmpmqaut -m QMName -g mygroup
profile:     self
object type: qmgr
entity:      mygroup
entity type: group
authority:   allmqi dlt chg dsp ctrl system
- - - - - - - -
profile:     @class
object type: queue
entity:      mygroup
entity type: group
authority:   none
- - - - - - - -
profile:     @class
object type: qmgr
entity:      mygroup
entity type: group
authority:   none
- - - - - - - -
profile:     **
object type: queue
entity:      mygroup
entity type: group
authority:   allmqi dlt chg dsp clr


So "generic" in "dmpmqaut" means "omit" these parameters.

Unfortunately "dspmqaut" does not have such a pseudo-generic feature. But you could use "amqoamd" instead in combination with a shell function (Unix sample, use FINDSTR on Windows):
Code:
amqoamd -m QMName -s | grep mygroup
setmqaut -m QMName -t qmgr -g mygroup +altusr +connect +inq +set +setall +setid +chg +dlt +dsp +system
setmqaut -m QMName -n '**' -t queue -g mygroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp

_________________
Regards
Hubert
pcelari
Posted: Thu Sep 26, 2019 10:50 am

Partisan

Joined: 31 Mar 2006
Posts: 363
Location: New York

Quote:
So "generic" in "dmpmqaut" means "omit" these parameters


Thanks for clarifying this! I had always considered "**" a wildcard meaning "any name".

I ended up doing a "dmpmqaut -m QMgrName -g mygroup" which generates a list of thousands of lines. I then use a shell script to format the result into comma-delimited records for all profiles, and filter out those records containing the specific groupid, which turns out to be a manageable number of records for me to duplicate.

Thanks for all your input!
_________________
pcelari
-----------------------------------------
- a master of always being a newbie
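
The post above describes turning dmpmqaut output into comma-delimited records and filtering them by group. One way to do that, as an added example that is not pcelari's script: the function names, the CSV column order and the sample dump are assumptions constructed here, using the stanza layout shown earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): dmpmqaut stanzas -> CSV, then filter.
# CSV columns (assumed layout): profile,object type,entity,entity type,authority

authrec_to_csv() {            # stdin: dmpmqaut output, stdout: CSV records
    awk '
    function emit() {
        if (rec["profile"] != "")
            printf "%s,%s,%s,%s,%s\n", rec["profile"], rec["object type"],
                   rec["entity"], rec["entity type"], rec["authority"]
        split("", rec)                      # clear for the next stanza
    }
    /^- - - -/ { emit(); next }             # stanza separator line
    /^[a-z ]+:/ {
        key = $0; sub(/:.*/, "", key)       # label before the first colon
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        sub(/[ \t\r]+$/, "", val)           # drop trailing blanks / CR
        rec[key] = val
    }
    END { emit() }'
}

filter_entity() {             # $1 = entity name, $2 = group | principal
    awk -F, -v e="$1" -v t="$2" '$3 == e && $4 == t'
}

sample_dump() {               # constructed sample in the thread's format
    cat <<'EOF'
profile:     self
object type: qmgr
entity:      mygroup
entity type: group
authority:   allmqi dlt chg dsp ctrl system
- - - - - - - -
profile:     **
object type: queue
entity:      mygroup
entity type: group
authority:   allmqi dlt chg dsp clr
- - - - - - - -
profile:     TEST.**
object type: queue
entity:      othergroup
entity type: group
authority:   get browse inq
EOF
}

# Real use: dmpmqaut -m QMName | authrec_to_csv | filter_entity mygroup group
sample_dump | authrec_to_csv | filter_entity mygroup group
```

Matching on the entity and entity type columns, rather than grepping for the name, avoids picking up records where the group name only appears as part of a profile or another entity's name.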
HubertKleinmanns
Posted: Thu Sep 26, 2019 10:25 pm

Shaman

Joined: 24 Feb 2004
Posts: 723
Location: Germany

pcelari wrote:
Thanks for clarifying this! I had always considered "**" a wildcard meaning "any name".


No, this means "use these permissions on any object without a more specific rule".

For example you have these profiles
Code:
setmqaut -m QMName -t queue -n '**' -g mygroup +put +get
setmqaut -m QMName -t queue -n 'TEST.**' -g mygroup +inq +browse


and these objects
Code:
DEFINE QLOCAL(TESTIT.ONE)
DEFINE QLOCAL(TEST.TWO)


then a member of group mygroup would be allowed to PUT messages to and GET messages from queue TESTIT.ONE (because this queue fits to profile '**', but not to profile 'TEST.**').

On queue TEST.TWO this user would only be able to INQuire and BROWSE messages (no PUT and no GET). This queue fits to both profiles above, but the profile 'TEST.**' is more specific and so only this profile is used.
_________________
Regards
Hubert