Pavel, while it may seem somewhat counterintuitive, it's not terribly uncommon for a user who can change security access to something to not have access to that thing. Yes, they can change the access, but the hope is that this would be caught through some sort of reporting/logging. The other advantage of doing this is that it prevents accidental modification of some critical queue data; if you needed to do those modifications, you would at that time do the setmqaut and then turn it back off when you're done.
This may not be irrelevant here anyway. Since setmqaut sets access at the group level and, I presume, you could set the permissions on setmqaut so that group could not run it while the owner could, it would be possible to stop a user who is in the mqm group, but is not mqm himself, from running setmqaut to reset permissions.

Just my take on this issue, based on doing other security stuff that's not MQ...

Rebecca

Rebecca Bullock
Computer Sciences Corporation
MFCoE/Newark CS Team
Educational Testing Service Account
Princeton, NJ 08541
email: [EMAIL PROTECTED] or [EMAIL PROTECTED]

-----Original Message-----
From: Pavel Tolkachev [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 09, 2003 11:06 AM
To: [EMAIL PROTECTED]
Subject: Re: Using setmqaut

David,

First, it seems to me I tried all those tricks a while ago and found mqm is a God.

Second, logically mqm is not in the ACLs from the very beginning (check with dspmqaut), so deleting him from there should not change anything (just an educated guess).

Third, even assuming mqm could be deleted from .. whatever, why would s/he be able to add him/herself back .. there.. using that very setmqaut? (another educated guess).

All those considerations are valid for Unix and (if I am not mistaken) Windows. I am not sure about other platforms.

Hope this will help,
Pavel

"David C. Partridge" <[EMAIL PROTECTED] RIMEUR.COM>
Sent by: MQSeries List <[EMAIL PROTECTED] .AC.AT>
07/09/2003 10:17 AM
Please respond to MQSeries List
To: [EMAIL PROTECTED]
cc:
Subject: Re: Using setmqaut

Rick,

Hmmm... that sounds like it *is* possible, but use at your own risk - can anyone confirm?

Thanks
David

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive