Re: Limiting access authority on Windows

2003-06-30 Thread GIES, STEVE
Ruzi -

I think you are on the right track here.  A couple of points:

If possible (and this is really desirable) have all queues for a given
application start with the same app code.  For example, in our shop, all
queues start with a three char application code followed by a period.  For
example: XYZ.THE.QUEUE

On each queue manager server, create a local group for that app code.  For
example:  MQXYZ

In this group, put the ids for all users and programs (i.e. service ids,
COM+ application ids, etc.) that need access to the queue.  This can
include Global Groups from the domain or a trusted domain if desired.

Use setmqaut to grant authorities such that each application group can
access its queues.  For example:
setmqaut -m QM1 -t queue -n XYZ.** -g MQXYZ +allmqi

Note the double asterisk.  This indicates that everything is wild at this
point.  A single asterisk only wildcards one node. (This is probably why
your test did not work).

One other note.  You might find it desirable to create multiple groups with
different accesses.  For example:

 MQXYZPmgrs  +allmqi  (give programmers all access)
 MQXYZManagers +browse +inq  (give managers browse and inquiry access)

- Steve
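Steve's note on `*` versus `**` is what decides which queues a setmqaut profile actually covers. The Python below is added here and is not code from either poster; it implements the qualifier-matching rules as he describes them (a single `*` stays inside one period-delimited qualifier, `**` matches any number of qualifiers) and runs them over a constructed queue inventory so a profile's reach can be previewed before the authority is granted.

```python
import re


def _qualifier_matches(pattern: str, qualifier: str) -> bool:
    """Match one period-delimited qualifier.

    '*' matches zero or more characters and '?' exactly one; neither may
    cross a period, which is why 'HER.QUEUE*' never reaches HER.QUEUE.REPLY.
    """
    regex = "".join(
        "[^.]*" if c == "*" else "[^.]" if c == "?" else re.escape(c)
        for c in pattern
    )
    return re.fullmatch(regex, qualifier) is not None


def profile_matches(profile: str, object_name: str) -> bool:
    """Return True if an OAM-style generic profile covers object_name."""
    pq = profile.split(".")
    oq = object_name.split(".")

    def rec(i: int, j: int) -> bool:
        if i == len(pq):
            return j == len(oq)
        if pq[i] == "**":
            # '**' as a whole qualifier: try consuming zero or more qualifiers
            return any(rec(i + 1, k) for k in range(j, len(oq) + 1))
        if j == len(oq):
            return False
        return _qualifier_matches(pq[i], oq[j]) and rec(i + 1, j + 1)

    return rec(0, 0)


def queues_covered(profile: str, queue_names: list[str]) -> list[str]:
    """List the queues in an inventory that a profile would grant access to."""
    return [q for q in queue_names if profile_matches(profile, q)]


# Constructed inventory (not from the thread) mixing two application codes.
SAMPLE_QUEUES = [
    "XYZ.THE.QUEUE", "XYZ.REPLY", "XYZ.DEAD.LETTER.Q",
    "HER.QUEUE", "HER.QUEUE1", "HER.QUEUE.REPLY", "ABC.HER.QUEUE",
]

if __name__ == "__main__":
    for prof in ("XYZ.**", "XYZ.*", "HER.QUEUE*", "**"):
        print(f"{prof:12} -> {queues_covered(prof, SAMPLE_QUEUES)}")
```

After the real grant, the effective authority for one group on one queue can be confirmed with `dspmqaut -m QM1 -t queue -n XYZ.THE.QUEUE -g MQXYZ`.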

-Original Message-
From: Ruzi R [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 27, 2003 7:10 PM
To: [EMAIL PROTECTED]
Subject: Limiting access authority on Windows


Hi all,

The platform is MQ 5.3 CSD04 on W2000.

In our shop, MQ administrators have been putting in
the "domain mqm" group, anyone who will be involved in
any kind of MQ work (development, testing etc.).
Obviously, all these people have full access to all
the MQ resources of the company. Some of these people
have MQSeries servers on their workstations (I don't
know why they were given). Even if they did not know
much about MQSeries, it would not take a genius to be
able to use the MQ Explorer and do some damage
inadvertently... I would like to limit the access of
these individuals to only the MQI calls on their
related MQ objects. They should not be able to do any
kind of administrative work in the Integration and
User Acceptance environments for instance.

So, the following is what I thought I should do, in
order to give userid1 limited access to objects on QM1
on server1 (W2000):

1- Create a group (say, G1)
2- Remove userid userid1 from the domain mqm
3- Sign on to server1
4- Give authority to G1... issuing:
setmqaut -m QM1 -t queue -n HER.QUEUE* -g G1 +allmqi

I may have to do a few more setmqauts to give access
to qmgr object and prcs...
5- Drop userid1 in group G1

I have never done this before. We have just created a
group called G1 and a userid userid1, who is not in
domain mqm. I then signed on to server1 and issued the
above mentioned setmqaut command against QM1. Of
course, it did not work as G1 is not locally
recognized; I got an "entity missing" error. What
should I do or tell our "security" person to do, to
get this working?

Your help would be very much appreciated.

Thanks, and all have a nice weekend.

Ruzi

Instructions for managing your mailing list subscription are provided in the
Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive



Limiting access authority on Windows

2003-06-27 Thread Ruzi R
Hi all,

The platform is MQ 5.3 CSD04 on W2000.

In our shop, MQ administrators have been putting in
the "domain mqm" group, anyone who will be involved in
any kind of MQ work (development, testing etc.).
Obviously, all these people have full access to all
the MQ resources of the company. Some of these people
have MQSeries servers on their workstations (I don't
know why they were given). Even if they did not know
much about MQSeries, it would not take a genius to be
able to use the MQ Explorer and do some damage
inadvertently... I would like to limit the access of
these individuals to only the MQI calls on their
related MQ objects. They should not be able to do any
kind of administrative work in the Integration and
User Acceptance environments for instance.

So, the following is what I thought I should do, in
order to give userid1 limited access to objects on QM1
on server1 (W2000):

1- Create a group (say, G1)
2- Remove userid userid1 from the domain mqm
3- Sign on to server1
4- Give authority to G1... issuing:
setmqaut -m QM1 -t queue -n HER.QUEUE* -g G1 +allmqi

I may have to do a few more setmqauts to give access
to qmgr object and prcs...
5- Drop userid1 in group G1

I have never done this before. We have just created a
group called G1 and a userid userid1, who is not in
domain mqm. I then signed on to server1 and issued the
above mentioned setmqaut command against QM1. Of
course, it did not work as G1 is not locally
recognized; I got an "entity missing" error. What
should I do or tell our "security" person to do, to
get this working?

Your help would be very much appreciated.

Thanks, and all have a nice weekend.

Ruzi
