Authorizing access to Domain Groups on Windows MQSrv objects
dakoroni (Acolyte; Joined: 10 Jan 2020; Posts: 50)
Posted: Wed Oct 21, 2020 7:11 am    Post subject: Authorizing access to Domain Groups on Windows MQSrv objects
Dear MQ security forum users,
I would appreciate it if you could advise on the correct domain group name format in order to grant the proper access on MQ objects.
I have a Windows DEV MQ Server v9.1.5 (host name: V000080117) joined to domain NBGIT.
I need to grant specific MQ authorities to numerous developers who belong to AD domain groups (such as NBGIT\Domain Users, NBGIT\Domain Computers) but not to the mqm group, since they should not have MQ admin rights.
Using IBM MQ Explorer, I am able to grant access to individual domain user IDs (principals) on that MQ server's objects (Queue Manager, Queues, Channels), for instance exxxxx@NBGIT or fullname@NBGIT, BUT
I am not able to add a domain group to the object access list.
For example, I am able to add the mqm group to the (QM) access list -> mqm@V000080117 and
Users@BUILTIN
where "Users" is a local group on that Windows 2019 Server including NBGIT\Domain Users & NBGIT\Domain Computers.
But when trying to add Domain Users@NBGIT to the (QM) access list, I receive the error message: AMQ4808: Unknown Group 'Domain Users@NBGIT'.
But the domain group name is valid, since it exists in Active Directory.
In the MQ server error log the following appears: AMQ8075W: Authorization failed because the SID for entity 'domain_users@nbgit' cannot be obtained.
I have read that the correct group name format is one of the following:
GroupName@domain or domain_name\group_name
So, I am very skeptical about what might be wrong.
I have also read in the IBM MQ 9.2 Knowledge Center that "For IBM MQ authorizations, names of user IDs and groups must be no longer than 64 characters (spaces are not allowed)."
Do you think that spaces in domain group names might be the root cause?
Any advice will be much appreciated.
Cheers, Nick.
gbaddeley (Jedi Knight; Joined: 25 Mar 2003; Posts: 2538; Location: Melbourne, Australia)
Posted: Wed Oct 21, 2020 2:39 pm
I haven't encountered that issue, but we don't use spaces in AD group names. We use a hyphen (-) or underscore (_) when separators are needed. This is actually an enterprise standard for all AD groups in our company, for MQ or other uses. I don't know the reasons or its origins.
Glenn
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI, NY)
Posted: Wed Oct 21, 2020 8:17 pm
You may need to remember that you're only allowed one level below the group name. So if your group Domain Users@nbgit only contains users, you are fine.
Should that group also contain subgroups, they will not be authorized...
MQ & Broker admin
dakoroni (Acolyte; Joined: 10 Jan 2020; Posts: 50)
Posted: Wed Oct 21, 2020 11:50 pm    Post subject: Authorizing access to Domain Groups on Windows MQSrv objects
Dear all,
Thanks for your responses.
The problem was resolved by updating qm.ini with the Security stanza setting GroupModel=GlobalGroups, so that the OAM checks global group membership.
Cheers, Nick.
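The fix Nick describes, carried out end to end from PowerShell on the MQ server, as an added example that is not code from the thread or from IBM: set GroupModel=GlobalGroups in the queue manager's qm.ini, restart the queue manager so the stanza is read, grant a domain group (written as groupname@domain and passed as one argument because of the space) a minimal set of authorities with setmqaut, and read them back with dspmqaut. The queue manager name QM1, the default qm.ini location under C:\ProgramData\IBM\MQ, the queue name DEV.APP.REQUEST and the Invoke-Mq helper are all assumptions for the example. Two things a practitioner should check before relying on it: the account the IBM MQ service runs under must be able to read group membership from the domain (the choice made in the Prepare IBM MQ Wizard), and NBGIT\Domain Users is effectively every account in the domain, so a purpose-specific group is a better grant target than the one used in the thread.

```powershell
# Added example, not code from the forum thread or from IBM. Assumptions:
#   - elevated PowerShell on the Windows MQ server, run by a member of the 'mqm' group
#   - queue manager name, qm.ini location and queue name are placeholders; adjust them
#   - the group is given as groupname@domain; the space in its name is why it must reach
#     setmqaut/dspmqaut as a single argument (splatting an array does that for us)
$QmName   = 'QM1'                                          # assumed queue manager name
$QmIni    = "C:\ProgramData\IBM\MQ\qmgrs\$QmName\qm.ini"   # default data directory layout
$DomGroup = 'Domain Users@NBGIT'                           # domain global group from the thread
$Queue    = 'DEV.APP.REQUEST'                              # assumed application queue

function Invoke-Mq {
    # Run an MQ control command with the given arguments and stop on a non-zero return code.
    param([string]$Command, [string[]]$CommandArgs)
    & $Command @CommandArgs
    if ($LASTEXITCODE -ne 0) { throw "$Command returned $LASTEXITCODE" }
}

# 1. Ensure qm.ini carries 'Security: GroupModel=GlobalGroups' (back the file up first).
Copy-Item -Path $QmIni -Destination "${QmIni}.bak" -Force
$ini = Get-Content -Path $QmIni -Raw
if ($ini -match '(?m)^[ \t]*GroupModel[ \t]*=') {
    # stanza and attribute already exist: rewrite the value in place, keep the line ending
    $ini = [regex]::Replace($ini, '(?m)^([ \t]*GroupModel[ \t]*=)[^\r\n]*', '${1}GlobalGroups')
} elseif ($ini -match '(?m)^Security:') {
    # Security stanza exists without the attribute: add it as the first attribute
    $ini = [regex]::Replace($ini, '(?m)^Security:[ \t]*$', "Security:`r`n   GroupModel=GlobalGroups")
} else {
    # no Security stanza yet: append one
    $ini = $ini.TrimEnd() + "`r`nSecurity:`r`n   GroupModel=GlobalGroups`r`n"
}
Set-Content -Path $QmIni -Value $ini -NoNewline

# 2. qm.ini is read when the queue manager starts, so restart it for the change to apply.
Invoke-Mq 'endmqm' @('-i', $QmName)
Invoke-Mq 'strmqm' @($QmName)

# 3. Grant the domain group (not membership of mqm) only what an application needs:
#    connect/inquire/display on the queue manager, put/get/browse/display on one queue.
Invoke-Mq 'setmqaut' @('-m', $QmName, '-t', 'qmgr', '-g', $DomGroup, '+connect', '+inq', '+dsp')
Invoke-Mq 'setmqaut' @('-m', $QmName, '-n', $Queue, '-t', 'queue', '-g', $DomGroup,
                       '+put', '+get', '+browse', '+dsp')

# 4. Read the authorities back. With GroupModel=GlobalGroups the group resolves to a SID and
#    the granted authorities are listed instead of AMQ4808 (unknown group) / AMQ8075 (no SID).
Invoke-Mq 'dspmqaut' @('-m', $QmName, '-t', 'qmgr', '-g', $DomGroup)
Invoke-Mq 'dspmqaut' @('-m', $QmName, '-n', $Queue, '-t', 'queue', '-g', $DomGroup)
```

If dspmqaut still reports the group as unknown after the restart, the OAM could not resolve the group against the domain at all; that points at the service account's domain access rather than at the name format. fjb_saper's point above still applies with GlobalGroups: put users directly in the group you grant to, not in groups nested inside it.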