Re: OAM and Security Related Question

2004-10-22 Thread Roger Lacroix
All,

On Unix, the MQ security checking is 'group based' but on Windows you can give
MQ privileges at the 'user level' (I don't recommend this).  Secondly, on Unix
if you apply the MQ security to a user then MQ will resolve backwards to the
user's 'primary' group.  MQ will apply the MQ security to that primary group
(this may or may not be what you want.)

So, for all distributed platforms it is better to create user groups, put users
in those groups and assign the MQ security at the group level.

If you have a user called 'mquser' then create a group called: 'mqgrp1' and put
the user in it.

Now do your MQ security commands as follows:

   setmqaut -m MyQMgrName -t qmgr -g mqgrp1 +connect +inq +dsp
   setmqaut -m MyQMgrName -t queue -g mqgrp1 -n ABC.**   +allmqi +dsp
   setmqaut -m MyQMgrName -t queue -g mqgrp1 -n TEST.**  +allmqi +dsp


This will allow anyone in the group to connect to the queue manager and access any
queue that begins with either 'ABC' or 'TEST'.

If you are not concerned about which queue they access, but just restrict them
from the ADMIN commands then you can give them access to all queues by issuing
the following commands:

   setmqaut -m MyQMgrName -t qmgr -g mqgrp1 +connect +inq +dsp
   setmqaut -m MyQMgrName -t queue -g mqgrp1 -n *.**   +allmqi +dsp

Please read the manual on the differences between wildcarding - in particular,
the differences between '*' and '**'.

Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz


Quoting Bill Anderson <[EMAIL PROTECTED]>:

> MQSeries security is group based. If you add any user to the mqm group,
> they essentially are mqm... not good.
>
> Also, if you have three separate principals (user ids) that all belong to
> one group, and you alter just one of the three's privileges, you have just
> changed all three. That's because authorization checks are at the group
> level.
>
> Bill Anderson
> SITA Atlanta, GA
> Standard Messaging Engineering
> WebSphere MQ Service Owner
> 770-303-3503 (office)
> 404-915-3190 (cell)
>
> This e-mail contains information which is SITA - Company Confidential
>
> All sita.int addresses have changed to sita.aero
> [EMAIL PROTECTED]
> http://www.mconnect.aero/
>
>
>
> Driscoll Tom - Princeton <[EMAIL PROTECTED]>
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 10/22/2004 02:02 PM
> To: [EMAIL PROTECTED]
> Subject: OAM and Security Related Question
>
> Environment is MQSeries 5.3 on HP-UX 11.11.
>
>
> I wanted to know if the following will work. I want to add an mq user with
> all MQ read, write, etc., permissions but without admin rights.
>
>
> If I add a userid called mquser to group mqm, can I then use the OAM
> facility to turn the admin permissions off on userid mquser using setmqaut
> -alladm?
>
>
> Does adding a userid to group mqm give that userid all mqm privileges no
> matter what I later try to turn off through OAM ?
>
>
> I appreciate any clarification.
>
>
> Thanks
>
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://vm.akh-wien.ac.at/MQSeries.archive
>



Re: OAM and Security Related Question

2004-10-22 Thread Rexford Ballard

A better approach, especially with UNIX and Linux, is to create a group such as
mqusers, create mquser and put him in the mqusers group.  Then you can enable
only the permissions you want.

You still have to grant permissions to the objects you want accessed.  The
assumption is that the new group can't access anything.  You can add from
there.  For any function you can use setmqaut +all -alladm if that's what you
want to do.  Better to explicitly add permissions though.  Use scripts; this
will make it easier to document and track what you are granting and why.


Rex Ballard - Certified IT Architect
908-578-6803, [EMAIL PROTECTED]

(Quoting Driscoll Tom - Princeton, 10/22/2004 02:02 PM, "OAM and Security Related Question")

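The group-level pattern in Roger Lacroix's setmqaut commands above, combined with Rex Ballard's advice to keep the grants in a script so they are documented and tracked, as an added example that is not from any of the list posts: a POSIX shell script that writes out a setmqaut plan for one application group, emits the matching dspmqaut checks, refuses to proceed when a named account is already in mqm (since mqm membership cannot be restricted through OAM), and only executes setmqaut when APPLY=1 is set. The queue manager, group, user and queue profile names are placeholders supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the list posts): generate a group-level OAM grant
# plan in the shape Roger Lacroix shows, kept in a script as Rex Ballard
# suggests so every grant is documented. Queue manager, group and queue
# profile names are placeholders passed in by the caller; setmqaut is only
# invoked when APPLY=1 is set.

# Exit 0 if USER belongs to GROUP (primary or supplementary), else 1.
# Used to refuse a plan for an account that is already in mqm, because mqm
# membership grants full authority regardless of later setmqaut calls.
user_in_group() {
    _user=$1; _grp=$2
    for g in $(id -nG "$_user" 2>/dev/null); do
        [ "$g" = "$_grp" ] && return 0
    done
    return 1
}

# Print the setmqaut commands for one application group:
#   qmgr: connect, inquire, display
#   each queue profile: all MQI (application) rights plus display, no +alladm
gen_grants() {
    _qm=$1; _grp=$2; shift 2
    echo "setmqaut -m $_qm -t qmgr -g $_grp +connect +inq +dsp"
    for profile in "$@"; do
        # Single-quoted so '**' survives when the plan is later run through sh.
        echo "setmqaut -m $_qm -t queue -g $_grp -n '$profile' +allmqi +dsp"
    done
}

# Print the dspmqaut commands that show what the group ended up with.
gen_checks() {
    _qm=$1; _grp=$2; shift 2
    echo "dspmqaut -m $_qm -t qmgr -g $_grp"
    for profile in "$@"; do
        echo "dspmqaut -m $_qm -t queue -g $_grp -n '$profile'"
    done
}

# main QMGR GROUP PROFILE...
# MQ_USERS="u1 u2" lists the accounts that will be placed in GROUP; the plan
# is refused if any of them is already in mqm.
main() {
    _qm=$1; _grp=$2; shift 2
    for u in ${MQ_USERS:-}; do
        if user_in_group "$u" mqm; then
            echo "refusing: $u is in mqm and cannot be restricted via OAM" >&2
            return 1
        fi
    done
    plan=$(gen_grants "$_qm" "$_grp" "$@")
    echo "# OAM plan for group $_grp on $_qm, generated $(date)"
    echo "$plan"
    gen_checks "$_qm" "$_grp" "$@"
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$plan" | sh -e
    fi
}

# Usage: MQ_USERS="mquser" sh grant_mq_group.sh MyQMgrName mqgrp1 'ABC.**' 'TEST.**'
if [ $# -ge 3 ]; then
    main "$@"
fi
```

Without APPLY=1 the script only prints the plan, so the output can be reviewed and checked into version control before anything is granted; the dspmqaut lines at the end of the plan are what you run afterwards to confirm the group holds exactly +allmqi +dsp on the queue profiles and nothing administrative.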

Re: OAM and Security Related Question

2004-10-22 Thread philip . distefano
No, you need to create a separate group for the mquser userid.  Whenever
you grant authority to an individual user, all members in the same group
get that same authority.  And yes, any member of the mqm group gets the
full authority of the mqm group...

(Quoting Driscoll Tom - Princeton, 10/22/2004 02:02 PM, "OAM and Security Related Question")


Re: OAM and Security Related Question

2004-10-22 Thread Bill Anderson
MQSeries security is group based. If you add any user to the mqm group,
they essentially are mqm... not good.

Also, if you have three separate principals (user ids) that all belong to
one group, and you alter just one of the three's privileges, you have just
changed all three. That's because authorization checks are at the group
level.

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero
[EMAIL PROTECTED]
http://www.mconnect.aero/

(Quoting Driscoll Tom - Princeton, 10/22/2004 02:02 PM, "OAM and Security Related Question")


Re: OAM and Security Related Question

2004-10-22 Thread Potkay, Peter M (ISD, IT)

Members of mqm have all authority, and you cannot alter that.

(Quoting Driscoll Tom - Princeton, Friday, October 22, 2004 2:03 PM, "OAM and Security Related Question")




OAM and Security Related Question

2004-10-22 Thread Driscoll Tom - Princeton

Environment is MQSeries 5.3 on HP-UX 11.11.


I wanted to know if the following will work. I want to add an mq user with all MQ read, write, etc., permissions but without admin rights.

If I add a userid called mquser to group mqm, can I then use the OAM facility to turn the admin permissions off on userid mquser using setmqaut -alladm?

Does adding a userid to group mqm give that userid all mqm privileges no matter what I later try to turn off through OAM?

I appreciate any clarification.


Thanks