setmqaut on unix

2004-09-29 Thread Wright, Tim (AFM)
Does anyone know if IBM recognise the fact that setmqaut on unix doesn't
work for principals ( if you apply an authority setting to a principal, the
auth actually applies to the principal's primary group ) as a bug?

If not has anyone ever raised a PMR about this?

thanks

tim


*
Emails aren't always secure, and they may be intercepted or changed after they've been 
sent. Abbey doesn't accept liability if this happens. If you think someone may have 
interfered with this email, please get in touch with the sender another way.

This message doesn't create or change any contract. Abbey doesn't accept 
responsibility for damage caused by any viruses contained in this email or its 
attachments.  Emails may be monitored.

If you've received this email by mistake, please let the sender know at once that it's 
gone to the wrong person and then destroy it without copying, using, or telling anyone 
about its contents.

Abbey National Treasury Services plc Reg. No. 2338548, Cater Allen International Ltd 
Reg. No. 2572704, and Inscape Investments Limited Reg. No. 3839455 are registered in 
England and have their Registered Offices at: Abbey National House, 2 Triton Square, 
Regent's Place, London, NW1 3AN.

Cater Allen International Ltd is a subsidiary of Abbey National Treasury Services plc. 
Abbey National Treasury Services plc and Cater Allen International Ltd are Members of 
The London Stock Exchange.

Abbey National Asset Managers Ltd. Reg. No. 106669. Registered Office: Abbey National 
House, 301 St Vincent Street, Glasgow, G2 5HN. Registered in Scotland.
Abbey National Asset Managers Ltd and Inscape Investments Limited are members of the 
Abbey Marketing Group and provide OEICS, PEPS, and ISAs.

Abbey National Treasury Services plc, Cater Allen International Ltd, Inscape 
Investments Limited, and Abbey National Asset Managers Ltd are authorised and 
regulated by the Financial Services Authority.

Abbey Financial Markets is the brand name for Abbey National Treasury Services plc.

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


Re: setmqaut on unix

2004-09-29 Thread David C. Partridge
Think of it as a documented feature:

System Administration Guide, Chapter 4, Section: Authority to work with
WebSphere MQ objects, Sub-Section: Identifying the user ID

Principals and groups
Principals can belong to groups. You can grant access to a particular
resource to groups rather than to individuals, to reduce the amount of
administration required. For example, you might define a group consisting of
users who want to run a particular application. Other users can be given
access to all the resources they require simply by adding their user ID to
the appropriate group. This is described in Creating and managing groups.

A principal can belong to more than one group (its group set) and has the
aggregate of all the authorities granted to each group in its group set.
These authorities are cached, so any changes you make to the principal's
group membership are not recognized until the queue manager is restarted,
unless you issue the MQSC command REFRESH SECURITY (or the PCF equivalent).


UNIX systems
All ACLs are based on groups. When a user is granted access to a particular
resource, the user ID's primary group is included in the ACL, not the
individual user ID, and authority is granted to all members of that group.
Because of this, be aware that you could inadvertently change the authority
of a principal by changing the authority of another principal in the same
group.
All users are nominally assigned to the default user group nobody and by
default, no authorizations are given to this group. You can change the
authorization in the nobody group to grant access to WebSphere MQ resources
to users without specific authorizations.

Dave



Re: setmqaut on unix

2004-09-29 Thread Jim Ford
It's always worked that way, and it's
always been documented that it works that way. So I think it's extremely
unlikely that IBM would consider it to be a bug.


Re: setmqaut on unix

2004-09-29 Thread John Scott
Chapter 17 of the Sys Admin guide gives the following note, which implies it
is working as designed:

In WebSphere MQ for UNIX systems, if you specify a set of authorizations for
a principal, the same authorizations are given to all principals in the same
primary group.

It also says the following about UNIX platforms:

All ACLs are based on groups. When a user is granted access to a particular
resource, the user ID's primary group is included in the ACL, not the
individual user ID, and authority is granted to all members of that group.
Because of this, be aware that you could inadvertently change the authority
of a principal by changing the authority of another principal in the same
group.

Therefore, you won't be able to open a PMR for it as it is working as
designed.  You could try raising a change request however...

Regards

John Scott
IBM Certified Specialist - MQSeries
Argos Ltd.




**

Check our latest prices and full range at http://www.argos.co.uk

The information contained in this message or any of its attachments may be privileged 
and/or confidential, and is intended exclusively for the addressee. Unauthorised 
disclosure, copying or distribution of the contents is strictly prohibited.

The views expressed may not be official policy, but the personal views of the 
originator.

If you have received this message in error, please advise the sender by using the 
reply facility in your e-mail software.

All messages sent and received by Argos Ltd are monitored for viruses, high-risk file 
extensions, and inappropriate content.



Re: setmqaut on unix

2004-09-29 Thread Wyatt, T Rob
This is working as designed and documented:

http://publibfp.boulder.ibm.com/epubs/html/csqzas01/csqzas010y.htm#HDRSP1WOUNWI
"The OAM maintains an access control list (ACL) for each WebSphere MQ object it is 
controlling access to. On UNIX systems, only group IDs can appear in an ACL. This 
means that all members of a group have the same authorities. On OS/400 and on Windows 
systems, both user IDs and group IDs can appear in an ACL. This means that authorities 
can be granted to individual users as well as to groups."

-- T.Rob
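
An added example, not part of any post in this thread: a shell sketch of the check an administrator can make before granting authority to a principal on UNIX, listing every account that shares the principal's primary group and therefore receives the same authority. The account data and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample accounts in passwd(5) / group(5) format (not from the thread).
SAMPLE_PASSWD='appuser1:x:1001:500::/home/appuser1:/bin/sh
appuser2:x:1002:500::/home/appuser2:/bin/sh
batch1:x:1003:500::/home/batch1:/bin/sh
operator:x:1004:600::/home/operator:/bin/sh'
SAMPLE_GROUP='mqapps:x:500:operator
ops:x:600:'

# Numeric primary GID of user $1; fails if the user is unknown.
primary_gid() {
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$gid" ] && printf '%s\n' "$gid"
}

# Name of the primary group of user $1: the entry the ACL really holds.
primary_group() {
    gid=$(primary_gid "$1") || return 1
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# Everyone who gains the authority when it is granted to principal $1:
# accounts with the same primary GID plus supplementary members of that group.
affected_by_principal_grant() {
    gid=$(primary_gid "$1") || return 1
    {
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v g="$gid" '$4 == g { print $1 }'
        printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" \
            '$3 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

printf 'grant to appuser1 lands on group %s: %s\n' \
    "$(primary_group appuser1)" "$(affected_by_principal_grant appuser1)"
```

On a live host the same information comes from `id -gn <user>` and `getent group <group>`. Granting with `setmqaut -g <group>` instead of `-p <user>` makes the group-wide effect explicit in the command itself.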
