Re: Setting up a user on NT to restrict to a single queue - solve d!
Sid, Just be aware that anyone with PCF access has full administrative access to the QMgr. If all you need to do is get the Queue depth, why not open the queue for inquire? It's a whole lot safer. Of course, that assumes you are either attached to the QMgr locally or are using a client and not sending the PCF commands from a remote node. -- T.Rob -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Sent: Saturday, June 21, 2003 12:14 AMTo: [EMAIL PROTECTED]Subject: Re: Setting up a user on NT to restrict to a single queue - solve d! T.Rob, You have nailled it in one... user had no access to command queue and no put access at all. As I was only intending on them picking up data from a local queue, the PCF commands used were to get the queue depth, but I disabled that method and all worked. So in future if I need to use PCF, the user will need access to additional queues, not just the one I am trying to lock down. Thanks to all who posted me suggestions and questions. Sid -Original Message-From: Wyatt, T. Rob [mailto:[EMAIL PROTECTED]Sent: Saturday, 21 June 2003 12:43 AMTo: [EMAIL PROTECTED]Subject: Re: Setting up a user on NT to restrict to a single queue Sid, PCF messages are put into the SYSTEM.ADMIN.COMMAND.QUEUE. When you say "I have narrowed it down to the PCF API calls", do you mean that you are trying to SET attributes of the queue directly, or that you are trying to send PCF messages to the command server? For the first option, you need to add +set authority to the queue in question. For the second, the user has to have PUT access to the command queue and GET access on the reply-to-queue to read the Command Svr replies. -- T.Rob -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Sent: Friday, June 20, 2003 5:27 AMTo: [EMAIL PROTECTED]Subject: Re: Setting up a user on NT to restrict to a single queue Ok, I have narrowed it down to the PCF API calls, when I take these out of the program it works fine with the restricted security... so what do I need to add to a queue object for PCF access ??? The System Administrators guide does not make this very clear at all. Sid -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Sent: Friday, 20 June 2003 1:27 PMTo: [EMAIL PROTECTED]Subject: Setting up a user on NT to restrict to a single queue Howdy all, I am having trouble setting up a user to just be able to Browse/Inquire and destructively GET from a single queue. I granted +connect on the qmgr and browse, get and inq on the queue but I setup a servercon chanel and tied the MCA to the users login NT account name. However, all I get are 2035 errors when the client connects. C:\>dspmqaut -m QML_MQM -t qmgr -g tsib Entity test_user has the following authorizations for object QML_MQM: connect dsp C:\>dspmqaut -m QML_MQM -n TSIB.data -t q -p tsibEntity tsib has the following authorizations for object TSIB.data: get browse put inq set dsp passid passall setid setall What am I missing ? Sid Young B I.T. (cs dc) AD (cse) DBAIntranet DeveloperAnalyst / Programmer Information Systems Department [EMAIL PROTECTED] QML Pathology Phone: (07) 3840 4941 Fax: Fax??? This is the 21st Century! www.qml.com.au 60 Ferry RdWest End, QLD 4101 <>
Re: Setting up a user on NT to restrict to a single queue - solve d!
You could also use MQINQ to get the current depth of the queue if you are connected to the same queue manager. Regards Tim A [EMAIL PROTECTED] .AU To: [EMAIL PROTECTED] Sent by: MQSeriescc: List Subject: Re: Setting up a user on NT to restrict to a single queue - solve <[EMAIL PROTECTED] d! N.AC.AT> 21/06/2003 14:13 Please respond to MQSeries List T.Rob, You have nailled it in one... user had no access to command queue and no put access at all. As I was only intending on them picking up data from a local queue, the PCF commands used were to get the queue depth, but I disabled that method and all worked. So in future if I need to use PCF, the user will need access to additional queues, not just the one I am trying to lock down. Thanks to all who posted me suggestions and questions. Sid -Original Message- From: Wyatt, T. Rob [mailto:[EMAIL PROTECTED] Sent: Saturday, 21 June 2003 12:43 AM To: [EMAIL PROTECTED] Subject: Re: Setting up a user on NT to restrict to a single queue Sid, PCF messages are put into the SYSTEM.ADMIN.COMMAND.QUEUE. When you say "I have narrowed it down to the PCF API calls", do you mean that you are trying to SET attributes of the queue directly, or that you are trying to send PCF messages to the command server? For the first option, you need to add +set authority to the queue in question. For the second, the user has to have PUT access to the command queue and GET access on the reply-to-queue to read the Command Svr replies. -- T.Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, June 20, 2003 5:27 AM To: [EMAIL PROTECTED] Subject: Re: Setting up a user on NT to restrict to a single queue Ok, I have narrowed it down to the PCF API calls, when I take these out of the program it works fine with the restricted security... so what do I need to add to a queue object for PCF access ??? The System Administrators guide does not make this very clear at all. Sid -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, 20 June 2003 1:27 PM To: [EMAIL PROTECTED] Subject: Setting up a user on NT to restrict to a single queue Howdy all, I am having trouble setting up a user to just be able to Browse/Inquire and destructively GET from a single queue. I granted +connect on the qmgr and browse, get and inq on the queue but I setup a servercon chanel and tied the MCA to the users login NT account name. However, all I get are 2035 errors when the client connects. C:\>dspmqaut -m QML_MQM -t qmgr -g tsib Entity test_user has the following authorizations for object QML_MQM: connect dsp C:\>dspmqaut -m QML_MQM -n TSIB.data -t q -p tsib Entity tsib has the following authorizations for object TSIB.data: get browse put inq set dsp passid passall setid setall What am I missing ? Sid Young B I.T. (cs dc) AD (cse) DBA Intranet Developer Analyst / Programmer Information Systems Department [EMAIL PROTECTED] QML Pathology Phone: (07) 3840 4941 Fax: Fax??? This is the 21st Century! www.qml.com.au 60 Ferry Rd West End, QLD 4101 Blank Bkgrd.gif has been removed from this note on June 23 2003 by Tim Armstrong Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Re: Setting up a user on NT to restrict to a single queue - solve d!
T.Rob, You have nailled it in one... user had no access to command queue and no put access at all. As I was only intending on them picking up data from a local queue, the PCF commands used were to get the queue depth, but I disabled that method and all worked. So in future if I need to use PCF, the user will need access to additional queues, not just the one I am trying to lock down. Thanks to all who posted me suggestions and questions. Sid -Original Message-From: Wyatt, T. Rob [mailto:[EMAIL PROTECTED]Sent: Saturday, 21 June 2003 12:43 AMTo: [EMAIL PROTECTED]Subject: Re: Setting up a user on NT to restrict to a single queue Sid, PCF messages are put into the SYSTEM.ADMIN.COMMAND.QUEUE. When you say "I have narrowed it down to the PCF API calls", do you mean that you are trying to SET attributes of the queue directly, or that you are trying to send PCF messages to the command server? For the first option, you need to add +set authority to the queue in question. For the second, the user has to have PUT access to the command queue and GET access on the reply-to-queue to read the Command Svr replies. -- T.Rob -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Sent: Friday, June 20, 2003 5:27 AMTo: [EMAIL PROTECTED]Subject: Re: Setting up a user on NT to restrict to a single queue Ok, I have narrowed it down to the PCF API calls, when I take these out of the program it works fine with the restricted security... so what do I need to add to a queue object for PCF access ??? The System Administrators guide does not make this very clear at all. Sid -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]Sent: Friday, 20 June 2003 1:27 PMTo: [EMAIL PROTECTED]Subject: Setting up a user on NT to restrict to a single queue Howdy all, I am having trouble setting up a user to just be able to Browse/Inquire and destructively GET from a single queue. I granted +connect on the qmgr and browse, get and inq on the queue but I setup a servercon chanel and tied the MCA to the users login NT account name. However, all I get are 2035 errors when the client connects. C:\>dspmqaut -m QML_MQM -t qmgr -g tsib Entity test_user has the following authorizations for object QML_MQM: connect dsp C:\>dspmqaut -m QML_MQM -n TSIB.data -t q -p tsibEntity tsib has the following authorizations for object TSIB.data: get browse put inq set dsp passid passall setid setall What am I missing ? Sid Young B I.T. (cs dc) AD (cse) DBAIntranet DeveloperAnalyst / Programmer Information Systems Department [EMAIL PROTECTED] QML Pathology Phone: (07) 3840 4941 Fax: Fax??? This is the 21st Century! www.qml.com.au 60 Ferry RdWest End, QLD 4101 <>