INPUT, object type: queue Unfortunately this is output to stderr, so you cannot immediately pipe this into grep or other commands. It has been in MQ since MQ 7. It allows you to ask what permissions a userid or group has to a specific resource.
Silly me — I missed the quotes off from around the userid dis entauth principal testuser objtype queue objname CP 3 : dis entauth principal testuser objtype queue objname CP AMQE: Entity, principal or group not known. Dump mq configuration You can use the dmpmqcfg command to dump out the authrec records. My basic queries Is this user authorised to use this queue? A, type queue not found. Or which profiles gave a user access to the queue? This is a tricky one. For example to see the members of a group.
Another tricky one. Take each group name, and extract the members of the group. If there is a better way I would love to hear it. All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse Public License v1. Like this: Like Loading Published by colin paice.
Published May 6, June 2, Next Post It took me a while to partially understand setmqaut and dspmqaut — and your security may be a mess. Thank you.. I did so much testing — I may have slipped up I feel a blog post coming on about this and the implications of it. Leave a Reply Cancel reply Enter your comment here Fill in your details below or click an icon to log in:. Email required Address never made public. Name required.
Follow Following. ColinPaice Join 62 other followers. I'm going to try this. Sign up or log in Sign up using Google. Sign up using Facebook. Sign up using Email and Password. Post as a guest Name. Email Required, but never shown. The Overflow Blog. Podcast Making Agile work for data science. Stack Gives Back Featured on Meta. New post summary designs on greatest hits now, everywhere else eventually. Related 1. For Object type of Queue, there is a profile for object CP The profile applies to group mqm.
It has lots of access. That was pretty self explanatory. This is just like the first section, except I had defined it for principal userid testuser — not a group. I wanted to test out context security, and did not want my application to be able to set certain fields in the MQMD. If the userid had permissions, put and setall, my application was able to set the application name. I was still able to set the certain fields in the MQMD.
Hidden away in the documentation is a line. If a principal is a member of more than one user group, the principal effectively has the combined authorities of all those user groups. If a userid is in the mqm group, then it looks like there are no other checks. I had to use the runmqsc command refresh security command to get the queue manager to pick up the change.
I used. I retired, and keep my hand in with MQ, by playing with it! View all posts by colin paice. Like Like. It is tough when you have to experiment to understand the words. Having a group that is named the same as the user is not any sort of standard. Some distributions may do this by default.
I didnt know about that option. Is the documentation missing something. For example setmqauth. I agree — one group for staff is bad… you need to follow the guideline that people need enough access to do their job — but no more. If you have two business applications then you need at least two groups. The option only impacts the behavior of new permissions set with -p. You are commenting using your WordPress. You are commenting using your Google account. You are commenting using your Twitter account.
You are commenting using your Facebook account.
0コメント