Hi Paul,

Ah, sometimes I don't fully explain myself.  :(

As Joan has pointed out, what I meant to say was:

"If I was one of the 80+ developers that Joan was giving MO71 to, then here is 
how I would circumvent her security measures."

In other words, be a hacker or bad boy and not follow the rules and gain full 
access to any QMgr.

Also, I FULLY agree with your comments below about reducing the menu items or 
things the user can do assuming that the QMgr can trust the incoming UserId.  
Without a security mechanism at the QMgr, you really cannot trust the incoming 
UserId that an application is sending to a QMgr.

Note: I have several clients who are happily using MO71 and MQAUSX to do their 
"trusted" MQ work.  MO71 is the Admin tool and MQAUSX is the security mechanism 
that authenticates the UserID and password.

 
Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz


On Mon, 13 Nov 2006 09:14:32 +0000, Paul Clarke <[EMAIL PROTECTED]> wrote:
> Roger,
> 
> Can you explain why you would suggest deleting the MQMON.aut file ?
> 
> The aut file, as it explains in the manual, neither adds additional
> security nor provides a bypass around any MQ security. However, what it does do is
> allow the administrator to tailor MO71 appearance for users. You can say
> "show the queue browse" dialog but not the "channel" dialogs etc. This can
> be useful to prevent users from seeing 'too complicated' an application or
> being tempted to press something they shouldn't. It can also reduce the
> risk of accidentally pressing the wrong button. Besides, if you've set the
> MQ securities so that the user is not allowed to delete channels, define
> queues etc. etc., then what's the point of presenting the user an application
> which 'looks' like you can?
> 
> Paul G Clarke
> WebSphere Messaging Clients
> IBM Hursley
> email : [EMAIL PROTECTED]
> Tel     : External   +44 (1962) 818201
> 
> 
> From: Roger Lacroix <[EMAIL PROTECTED]PITALWARE.BIZ>
> Sent by: MQSeries List <[EMAIL PROTECTED]V.MEDUNIWIEN.AC.AT>
> To: [email protected]
> Date: 12/11/2006 21:12
> Subject: Re: Authorities and m071
> Please respond to: MQSeries List <[EMAIL PROTECTED]V.MEDUNIWIEN.AC.AT>
> 
> Hi Joan,
> 
> As others have noted, your plan will not provide security for your queue
> managers.
> 
> Reason:
> 
> - The first thing I would do is delete your MQMON.aut file.
> - Second, if my UserId is in the mqm group then I can do whatever I want,
> whenever I want.
> - Third, if my UserId is not in the mqm group then I would simply use MO71
> with the dummy client exit listed here:
>   http://www.mqseries.net/phpBB2/viewtopic.php?t=21782
>   (This gives me 'mqm' UserId access.)
> 
> There are 3 solutions in the market place that will properly protect your
> MQ Environment:
> - Capitalware's MQ Authenticate User Security Exit
>   http://www.capitalware.biz/mqausx_overview.html
> - IBM's WebSphere MQ Extended Security Edition
> - IBM Tivoli's TAMBI
> 
> 
> Regards,
> Roger Lacroix
> Capitalware Inc.
> 
> 
> At 03:05 PM 11/9/2006, you wrote:
> 
>       Connecting MO71 via a client.
> 
> 
> 
>       We are trying to roll out MO71 to our developers, limiting their
>       authorities via a MQMON.aut file.    Our problem is not with limiting
>       their authorities within the MO71,  that works great.  Our problem is
>       getting them connected to the queue manager.  The only way I have
>       been successful is by adding their individual id's to the mqm group.
>       A nested group did not work.
> 
>       I have to find another way as this would be a maintenance nightmare
>       having to manage these mqm groups on multiple servers with 80+
>       developers.
> 
>       I have included a copy of my mqmon.aut file.   Did I miss something
>       in there?   Anyone have any thoughts?
> 
>       Thanks in advance.
> 
> 
> 
> 
> 
>       Joan Hughes
>       IT Technical Specialist
>       IBM Certified System Administrator - WebSphere MQ, v5.3
>       608-827-3523
> 
> 
> To unsubscribe, write to [EMAIL PROTECTED] and,
> in the message body (not the subject), write: SIGNOFF MQSERIES
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
