Almost! The client attach facility 'ignores' the RESLEVEL of the MCAUSER id. It honours the RESLEVEL of the CHINIT userid. If the CHINIT has ALTER to RESLEVEL no checking of clients will be done.
John

John M Hammond - Middleware Support Team
Household International
100 Mittel Drive
Wood Dale, IL 60191
Phone: (630) 521-4339; Pager: (866) 237-0985


"Miller, Dennis" <[EMAIL PROTECTED]>
Sent by: MQSeries List <[EMAIL PROTECTED].AT>
01/10/2003 10:52 AM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: Mainframe Security

To paraphrase, you're saying that the client attach feature basically
ignores RESLEVEL. That's what I didn't understand. I do now. Thanks.

> -----Original Message-----
> From: John M Hammond [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, January 09, 2003 2:21 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Mainframe Security
>
> Dennis,
>
> The problem I'm having is not to do with the actual userid being used for
> the security checks. The problem is that when a user has RESLEVEL access,
> their MQ authority is different when they are connected as a client when
> compared to them connected as batch. It sounds like there is no easy way
> around that problem :-( I'll just have to make updates to the RACF
> profiles and grant explicit access to all of the queues (I'll probably
> revoke the RESLEVEL access at the same time).
>
> John
>
> John M Hammond - Middleware Support Team
> Household International
> 100 Mittel Drive
> Wood Dale, IL 60191
> Phone: (630) 521-4339; Pager: (866) 237-0985
>
>
> "Miller, Dennis" <[EMAIL PROTECTED]>
> Sent by: MQSeries List <[EMAIL PROTECTED].AT>
> 01/09/2003 10:57 AM
> Please respond to MQSeries List
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Mainframe Security
>
> What version of the client are you using? I think about V5.1 they made a
> change so that the userid BOB at the client is used for the attachment to
> the qmgr if you set MCAUSER to blanks.
>
> > -----Original Message-----
> > From: John M Hammond [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 08, 2003 12:46 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Mainframe Security
> >
> > I have a userid, say BOB. BOB has ALTER access to the ssid.RESLEVEL
> > profile, so after BOB's (batch) connect, BOB can access any queues
> > without needing to be granted access to any more profiles (with the
> > exception of the csqorexx and csqutil queues). This is cool, because
> > BOB is often debugging problems and needs to look at the data in
> > queues. This allows him to do so without the burden of defining
> > explicit access to all of the profiles in the MQQUEUE class.
> >
> > If BOB connects as a client, then he does not have this access to
> > queues. I presume this is because the adapter within the CHINIT is
> > managing the connection to the queue manager and there is no real
> > connect done on BOB's behalf. I could grant RESLEVEL access to the
> > CHINIT userid to get around this, but this would affect all MQ access
> > through the CHINIT, which is bad.
> >
> > I'm looking for a way to allow BOB to client connect and access all
> > queues without needing to grant access to every profile in the MQQUEUE
> > class. In ACF2 it is possible to define a generic rule that allows BOB
> > to access anything, but I can't find a way of doing the same through
> > RACF. At the end of the day, I'm just being lazy and trying to give my
> > administrators access to all of the data without needing to define the
> > access manually in the profiles.
> >
> > John
> >
> > John M Hammond - Middleware Support Team
> > Household International
> > 100 Mittel Drive
> > Wood Dale, IL 60191
> > Phone: (630) 521-4339; Pager: (866) 237-0985
> >
> >
> > "Miller, Dennis" <[EMAIL PROTECTED]>
> > Sent by: MQSeries List <[EMAIL PROTECTED].AT>
> > 01/08/2003 01:29 PM
> > Please respond to MQSeries List
> >
> > To: [EMAIL PROTECTED]
> > cc:
> > Subject: Re: Mainframe Security
> >
> > What do you mean by RESLEVEL does not extend to connected clients?
> >
> > > -----Original Message-----
> > > From: John M Hammond [SMTP:[EMAIL PROTECTED]]
> > > Sent: Wednesday, January 08, 2003 9:18 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Mainframe Security
> > >
> > > I think I know the answer to this, but I'll ask anyway.....
> > >
> > > My MQ admin RACF group has been given RESLEVEL access. This was done
> > > to ensure we can always access queues, as well as making the RACF
> > > definitions somewhat cleaner. This is working very well for us.
> > >
> > > Now a few of the group have started using MO71 to access mainframe
> > > queues, and are having problems as RESLEVEL access doesn't extend to
> > > connected clients. Is there a clever trick I can use to give a user
> > > access to all queues when connected as a client? I'm not going to
> > > give RESLEVEL access to the CHINIT address space as this will affect
> > > everybody, but I also don't want to go through all the queue profiles
> > > and give access to the group if I can help it. Is there a RACF option
> > > that could allow this? (I know I had done something similar in the
> > > past with ACF2.)
> > >
> > > Any suggestions appreciated,
> > > John
> > >
> > > John M Hammond - Middleware Support Team
> > > Household International
> > > 100 Mittel Drive
> > > Wood Dale, IL 60191
> > > Phone: (630) 521-4339; Pager: (866) 237-0985
> > >
> > > Instructions for managing your mailing list subscription are provided
> > > in the Listserv General Users Guide available at http://www.lsoft.com
> > > Archive: http://vm.akh-wien.ac.at/MQSeries.archive
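The explicit-grant route John settles on (revoke the group's RESLEVEL access, grant queue access in the MQQUEUE class instead) written out as an added example. This is not code from the thread or from IBM; the subsystem id CSQ1, the RACF group MQADMIN and the CHINIT userid CSQ1CHIN are placeholders and must be replaced with the installation's own names. The first command is the audit check a practitioner wants before touching anything: any userid or group with ALTER on ssid.RESLEVEL gets no resource checking at all, and if that userid is the CHINIT's, every client that attaches through it goes unchecked, which is the situation the thread is trying to avoid.

```jcl
//MQRACF   JOB (ACCT),'MQ QUEUE ACCESS',CLASS=A,MSGCLASS=X
//* Added example, not from the mailing-list thread.
//* Placeholders: CSQ1 = queue manager ssid, MQADMIN = admin RACF group,
//* CSQ1CHIN = userid the CHINIT address space runs under.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* 1. Audit: who bypasses resource checking via RESLEVEL?           */
 /*    Anything listed here with ALTER is unchecked; CSQ1CHIN must   */
 /*    not appear with ALTER or all client connections go unchecked. */
 RLIST MQADMIN CSQ1.RESLEVEL AUTHUSER
 /* 2. Take the admin group off RESLEVEL so batch and client          */
 /*    connections are checked the same way (takes effect at the     */
 /*    user's next connect).                                         */
 PERMIT CSQ1.RESLEVEL CLASS(MQADMIN) ID(MQADMIN) DELETE
 /* 3. Backstop generic profile covering queues that have no profile  */
 /*    of their own.                                                  */
 SETROPTS GENERIC(MQQUEUE)
 RDEFINE MQQUEUE CSQ1.** UACC(NONE) OWNER(MQADMIN)
 PERMIT CSQ1.** CLASS(MQQUEUE) ID(MQADMIN) ACCESS(ALTER)
 /* 4. RACF uses the most specific matching profile, so the generic   */
 /*    grant does NOT reach queues that already have their own        */
 /*    profile. List those and PERMIT each one explicitly.            */
 SEARCH CLASS(MQQUEUE) MASK(CSQ1.)
 PERMIT CSQ1.SYSTEM.COMMAND.INPUT CLASS(MQQUEUE) ID(MQADMIN) ACCESS(UPDATE)
 /* 5. Pick up the changes in the RACLISTed classes.                  */
 SETROPTS RACLIST(MQADMIN) REFRESH
 SETROPTS RACLIST(MQQUEUE) REFRESH
/*
```

After the RACF refresh, issue REFRESH SECURITY from the queue manager's MQSC console so MQ drops its in-storage copies of the profiles, then have the MO71 user disconnect and reconnect. Step 4 is why RACF has no single "access everything" rule of the kind John describes for ACF2: a `CSQ1.**` profile only answers for queues no more specific profile already covers, so the PERMIT has to be repeated on each existing profile returned by SEARCH.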