Discussion:
WMB 8 Broker Administration Security - Causes lots of MQ Authority Events
Potkay, Peter M (CTO Architecture + Engineering)
2013-07-03 12:29:30 UTC
Broker Admin Security is enabled for the Broker. The Broker has 10 execution groups, EG1, EG2, ..... EG10.

GroupA is meant for users who only need limited access to EG1. No need for any access to EG2 thru EG10.

GroupA is granted an appropriate level of access to SYSTEM.BROKER.AUTH.
setmqaut -m BROKER1 -n 'SYSTEM.BROKER.AUTH' -t queue -g groupa -all +inq

And to SYSTEM.BROKER.AUTH.EG1.
setmqaut -m BROKER1 -n 'SYSTEM.BROKER.AUTH.EG1' -t queue -g groupa -all +inq +put +set


While the table at the following link doesn't call it out (feedback raised via the InfoCenter to correct this gap), the following commands were also run.
http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.doc/bp43530_.htm
setmqaut -m BROKER1 -t qmgr -g groupa -all +connect +inq
setmqaut -m BROKER1 -n 'SYSTEM.BROKER.DEPLOY.QUEUE' -t queue -g groupa -all +put
setmqaut -m BROKER1 -n 'SYSTEM.BROKER.DEPLOY.REPLY' -t queue -g groupa -all +put +get


And all works as intended. Users in groupa have access to see / do what we intend, and nothing else.

Here's the problem. When a user in this group opens their toolkit and connects to this broker, and does nothing else in the toolkit, we get a flurry of authority event messages in the Queue Manager's SYSTEM.ADMIN.QMGR.EVENT queue. These messages are flagging the lack of +inq access to the 'SYSTEM.BROKER.DC.AUTH' queue, and each of the 'SYSTEM.BROKER.AUTH.*' queues for all the other Execution Groups.

So the user did nothing wrong, yet we have to deal with all the authority event messages. And it's going to happen every time any user connects to the toolkit. Apparently the toolkit is trying to do a bunch of stuff under the covers as soon as it connects.

Any way around all this noise? Could it be considered a defect that the toolkit is trying to do all this extra stuff without a user asking it to?

I do not want to cheese out and grant +inq to all those other queues.

Peter Potkay
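
Added example, not part of the original post and not IBM tooling: one way to triage the authority events described above on the monitoring side without granting +inq on the other execution groups' queues. It assumes the PCF event messages from SYSTEM.ADMIN.QMGR.EVENT have already been decoded into dicts; the field names, the user names and the rule that a toolkit probe is an inquire-only open are assumptions.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Values from the MQ constants headers (cmqc.h / cmqcfc.h).
MQRQ_OPEN_NOT_AUTHORIZED = 2      # reason qualifier: MQOPEN was refused
MQOO_INQUIRE = 0x20
# input-as-q-def, input-shared, input-exclusive, browse, output, inquire, set
ACCESS_BITS = 0x01 | 0x02 | 0x04 | 0x08 | 0x10 | 0x20 | 0x40

PROBE_QUEUES = ("SYSTEM.BROKER.AUTH.*", "SYSTEM.BROKER.DC.AUTH")
TOOLKIT_USERS = {"alice"}         # assumption: members of groupa

def is_toolkit_probe(ev):
    """True only for a refused inquire-only open of a broker auth queue."""
    return (ev["reason_qualifier"] == MQRQ_OPEN_NOT_AUTHORIZED
            and ev["user"] in TOOLKIT_USERS
            and any(fnmatchcase(ev["queue"], p) for p in PROBE_QUEUES)
            and (ev["open_options"] & ACCESS_BITS) == MQOO_INQUIRE)

def triage(events):
    """Count probe noise per (user, queue); return everything else untouched."""
    noise, escalate = Counter(), []
    for ev in events:
        if is_toolkit_probe(ev):
            noise[(ev["user"], ev["queue"])] += 1
        else:
            escalate.append(ev)
    return noise, escalate

def _ev(user, queue, opts, rq=MQRQ_OPEN_NOT_AUTHORIZED):
    return {"user": user, "queue": queue, "open_options": opts, "reason_qualifier": rq}

# Constructed sample events, not taken from a real queue manager.
SAMPLE = [
    _ev("alice", "SYSTEM.BROKER.AUTH.EG2", 0x20 | 0x2000),  # inquire + fail-if-quiescing
    _ev("alice", "SYSTEM.BROKER.DC.AUTH", 0x20),
    _ev("alice", "SYSTEM.BROKER.AUTH.EG2", 0x20),
    _ev("alice", "SYSTEM.BROKER.AUTH.EG3", 0x10 | 0x40),    # output + set: not a probe
    _ev("svc_batch", "SYSTEM.BROKER.AUTH.EG2", 0x20),       # user outside groupa
    _ev("alice", "APP.ORDERS.IN", 0x10),                    # unrelated queue
]

if __name__ == "__main__":
    noise, escalate = triage(SAMPLE)
    for (user, queue), n in sorted(noise.items()):
        print(f"probe noise x{n}: {user} -> {queue}")
    for ev in escalate:
        print("escalate:", ev)
```

Probe events are counted rather than dropped, so a sudden change in their volume per user is still visible, and any refused put or set against another execution group's queue goes to review.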