Almost!

The client attach facility 'ignores' the RESLEVEL of the MCAUSER id.  It
honours the RESLEVEL of the CHINIT userid.  If the CHINIT has ALTER to
RESLEVEL no checking of clients will be done.

John

John M Hammond - Middleware Support Team
Household International
100 Mittel Drive
Wood Dale, IL 60191
Phone: (630) 521-4339; Pager: (866) 237-0985
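As an added illustration, not code from this thread, from IBM or from the list, here is a small Python model of the rule stated above: a batch connection is governed by the connecting user's own RESLEVEL access, while a client connection through the CHINIT is governed by the CHINIT address space user ID's RESLEVEL access, so the client user's own ALTER never comes into play. Everything in it is constructed: the `Racf` class, the user IDs `BOB`, `ALICE`, `CAROL`, `CHINUSR` and the queue name are made up, and it assumes CONTROL behaves like ALTER and that MCAUSER is blank so the client's own user ID is the one checked. The `chinit_alter_blast_radius` function shows why granting the CHINIT user ID ALTER is the wrong fix: every client user, not only the administrator, stops being checked, whereas an explicit MQQUEUE permit widens access for one user only.

```python
"""Toy model of how ssid.RESLEVEL access routes MQ queue-resource checks.

Constructed example for this thread, not code from the list or from IBM.
It encodes the behaviour the thread describes:
  * a batch connection is governed by the connecting user's own RESLEVEL
    access, so ALTER there means no MQQUEUE profile is consulted;
  * a client connection through the CHINIT is governed by the CHINIT
    address space user ID's RESLEVEL access, so the client user's own
    RESLEVEL is irrelevant and ALTER on the CHINIT user ID switches off
    checking for every client.
Assumptions (not stated in the thread): CONTROL is treated like ALTER,
MCAUSER is blank so the client user ID is the one checked, and all user
IDs and queue names below are made up.
"""
from dataclasses import dataclass, field

NO_CHECK_LEVELS = {"CONTROL", "ALTER"}   # assumption: CONTROL behaves like ALTER


@dataclass
class Racf:
    """Minimal stand-in for the RACF database: RESLEVEL access per user ID
    and explicit MQQUEUE permits per user ID (hypothetical structure)."""
    reslevel: dict = field(default_factory=dict)   # userid -> access level
    mqqueue: dict = field(default_factory=dict)    # userid -> set of queue names

    def reslevel_access(self, userid):
        return self.reslevel.get(userid, "NONE")

    def permit_queue(self, userid, queue):
        self.mqqueue.setdefault(userid, set()).add(queue)

    def queue_permitted(self, userid, queue):
        return queue in self.mqqueue.get(userid, set())


def governing_userid(conn_type, userid, chinit_userid):
    """Return the user ID whose RESLEVEL access decides whether checks run."""
    if conn_type == "BATCH":
        return userid            # the job's own user ID
    if conn_type == "CLIENT":
        return chinit_userid     # the CHINIT address space, not the client user
    raise ValueError(f"unknown connection type {conn_type!r}")


def can_open(racf, conn_type, userid, queue, chinit_userid="CHINUSR"):
    """Would an MQOPEN of `queue` by `userid` pass resource security?"""
    gov = governing_userid(conn_type, userid, chinit_userid)
    if racf.reslevel_access(gov) in NO_CHECK_LEVELS:
        return True              # checking suppressed; MQQUEUE never consulted
    return racf.queue_permitted(userid, queue)


def chinit_alter_blast_radius(racf, client_users, queue, chinit_userid="CHINUSR"):
    """Users who would newly gain access to `queue` as clients if the CHINIT
    user ID were granted ALTER on RESLEVEL (the fix the thread rejects)."""
    before = {u: can_open(racf, "CLIENT", u, queue, chinit_userid) for u in client_users}
    trial = Racf(dict(racf.reslevel, **{chinit_userid: "ALTER"}),
                 {u: set(q) for u, q in racf.mqqueue.items()})
    after = {u: can_open(trial, "CLIENT", u, queue, chinit_userid) for u in client_users}
    return sorted(u for u in client_users if after[u] and not before[u])


def demo():
    """Walk through the thread's scenario with constructed identities."""
    racf = Racf(reslevel={"BOB": "ALTER", "CHINUSR": "NONE"})
    q = "APP.REQUEST.QUEUE"                            # constructed queue name
    batch_ok = can_open(racf, "BATCH", "BOB", q)      # BOB's own ALTER applies
    client_ok = can_open(racf, "CLIENT", "BOB", q)    # CHINUSR's NONE applies instead
    widened = chinit_alter_blast_radius(racf, ["BOB", "ALICE", "CAROL"], q)
    racf.permit_queue("BOB", q)                       # the explicit-profile fix
    fixed = can_open(racf, "CLIENT", "BOB", q)        # only BOB gains access
    return batch_ok, client_ok, widened, fixed


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, False, ['ALICE', 'BOB', 'CAROL'], True)`: the batch connect passes on BOB's own RESLEVEL, the client connect does not, granting the CHINIT user ID ALTER would open the queue to every client user, and the explicit MQQUEUE permit restores BOB's client access on its own.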

"Miller, Dennis" <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED].AT>
To: [EMAIL PROTECTED]
cc:
Subject: Re: Mainframe Security
01/10/2003 10:52 AM
Please respond to MQSeries List

To paraphrase, you're saying that the client attach feature basically
ignores RESLEVEL. That's what I didn't understand. I do now. Thanks.

> -----Original Message-----
> From: John M Hammond [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, January 09, 2003 2:21 PM
> To:   [EMAIL PROTECTED]
> Subject:           Re: Mainframe Security
>
> Dennis,
>
> The problem I'm having is not to do with the actual userid being used for
> the security checks.  The problem is that when a user has RESLEVEL access,
> their MQ authority is different when they are connected as a client when
> compared to them connected as batch.  It sounds like there is no easy way
> around that problem :-(   I'll just have to make updates to the RACF
> profiles and grant explicit access to all of the queues (I'll probably
> revoke the RESLEVEL access at the same time).
>
> John
>
> John M Hammond - Middleware Support Team
> Household International
> 100 Mittel Drive
> Wood Dale, IL 60191
> Phone: (630) 521-4339; Pager: (866) 237-0985
>
>
>
> "Miller, Dennis" <[EMAIL PROTECTED]>
> Sent by: MQSeries List <[EMAIL PROTECTED].AT>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Mainframe Security
> 01/09/2003 10:57 AM
> Please respond to MQSeries List
>
> What version of the client are you using? I think about V5.1 they made a
> change so that the userid BOB at the client is used for the attachment to
> the qmgr if you set MCAUSER to blanks.
>
> > -----Original Message-----
> > From: John M Hammond [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 08, 2003 12:46 PM
> > To:   [EMAIL PROTECTED]
> > Subject:           Re: Mainframe Security
> >
> > I have a userid, say BOB.  BOB has ALTER access to the ssid.RESLEVEL
> > profile, so after BOB's (batch) connect, BOB can access any queues without
> > needing to be granted access to any more profiles (with the exception of
> > the csqorexx and csqutil queues).  This is cool, because BOB is often
> > debugging problems and needs to look at the data in queues.  This allows
> > him to do so without the burden of defining explicit access to all of the
> > profiles in the MQQUEUE class.
> >
> > If BOB connects as a client, then he does not have this access to queues.
> > I presume this is because the adapter within the CHINIT is managing the
> > connection to the queue manager and there is no real connect done on BOB's
> > behalf.  I could grant RESLEVEL access to the CHINIT userid to get around
> > this, but this would affect all MQ access through the chinit which is bad.
> >
> > I'm looking for a way to allow BOB to client connect and access all queues
> > without needing to grant access to every profile in the MQQUEUE class.  In
> > ACF2 it is possible to define a generic rule that allows BOB to access
> > anything, but I can't find a way of doing the same through RACF.  At the
> > end of the day, I'm just being lazy and trying to give my administrators
> > access to all of the data without needing to define the access manually in
> > the profiles.
> >
> > John
> >
> > John M Hammond - Middleware Support Team
> > Household International
> > 100 Mittel Drive
> > Wood Dale, IL 60191
> > Phone: (630) 521-4339; Pager: (866) 237-0985
> >
> >
> >
> > "Miller, Dennis" <[EMAIL PROTECTED]>
> > Sent by: MQSeries List <[EMAIL PROTECTED].AT>
> > To: [EMAIL PROTECTED]
> > cc:
> > Subject: Re: Mainframe Security
> > 01/08/2003 01:29 PM
> > Please respond to MQSeries List
> >
> > What do you mean by RESLEVEL does not extend to connected clients?
> >
> > > -----Original Message-----
> > > From: John M Hammond [SMTP:[EMAIL PROTECTED]]
> > > Sent: Wednesday, January 08, 2003 9:18 AM
> > > To:   [EMAIL PROTECTED]
> > > Subject:           Mainframe Security
> > >
> > > I think I know the answer to this, but I'll ask anyway.....
> > >
> > > My MQ admin RACF group has been given RESLEVEL access.  This was done to
> > > ensure we can always access queues, as well as making the RACF definitions
> > > somewhat cleaner.  This is working very well for us.
> > >
> > > Now a few of the group have started using MO71 to access mainframe queues,
> > > and are having problems as RESLEVEL access doesn't extend to connected
> > > clients.  Is there a clever trick I can use to give a user access to all
> > > queues when connected as a client?  I'm not going to give RESLEVEL access
> > > to the CHINIT address space as this will affect everybody, but I also don't
> > > want to go through all the queue profiles and give access to the group if I
> > > can help it.   Is there a RACF option that could allow this?  (I know I had
> > > done something similar in the past with ACF2)
> > >
> > > Any suggestions appreciated,
> > > John
> > >
> > > John M Hammond - Middleware Support Team
> > > Household International
> > > 100 Mittel Drive
> > > Wood Dale, IL 60191
> > > Phone: (630) 521-4339; Pager: (866) 237-0985
> > >
> > > Instructions for managing your mailing list subscription are provided in
> > > the Listserv General Users Guide available at http://www.lsoft.com
> > > Archive: http://vm.akh-wien.ac.at/MQSeries.archive