All,

On Unix, the MQ security checking is 'group based' but on Windows you can give
MQ privileges at the 'user level' (I don't recommend this).  Secondly, on Unix
if you apply the MQ security to a user then MQ will resolve backwards to the
user's 'primary' group.  MQ will apply the MQ security to that primary group
(this may or may not be what you want.)

So, for all distributed platforms it is better to create user groups, put users
in those groups and assign the MQ security at the group level.

If you have a user called 'mquser' then create a group called: 'mqgrp1' and put
the user in it.

Now do your MQ security commands as follows:

   setmqaut -m MyQMgrName -t qmgr -g mqgrp1 +connect +inq +dsp
   setmqaut -m MyQMgrName -t queue -g mqgrp1 -n ABC.**   +allmqi +dsp
   setmqaut -m MyQMgrName -t queue -g mqgrp1 -n TEST.**  +allmqi +dsp


This will allow anyone in the group to connect to the queue manager and access any
queue that begins with either 'ABC' or 'TEST'.

If you are not concerned about which queue they access, but just restrict them
from the ADMIN commands then you can give them access to all queues by issuing
the following commands:

   setmqaut -m MyQMgrName -t qmgr -g mqgrp1 +connect +inq +dsp
   setmqaut -m MyQMgrName -t queue -g mqgrp1 -n *.**   +allmqi +dsp

Please read the manual on the differences between wildcarding - in particular,
the differences between '*' and '**'.

Hope that helps.

Regards,
Roger Lacroix
Capitalware Inc.
http://www.capitalware.biz


Quoting Bill Anderson <[EMAIL PROTECTED]>:

> MQSeries security is group based. If you add any user to the mqm group,
> they essentially are mqm... not good.
>
> also if you have three separate principals (user ids) that all belong to
> one group, and you alter just one of the three's privileges, you have just
> changed all three. That's because authorization checks are at the group
> level.
>
> Bill Anderson
> SITA Atlanta, GA
> Standard Messaging Engineering
> WebSphere MQ Service Owner
> 770-303-3503 (office)
> 404-915-3190 (cell)
>
> This e-mail contains information which is SITA - Company Confidential
>
> All sita.int addresses have changed to sita.aero
> [EMAIL PROTECTED]
> http://www.mconnect.aero/
>
>
>
> Driscoll Tom - Princeton <[EMAIL PROTECTED]>
> Sent by: MQSeries List <[EMAIL PROTECTED]>
> 10/22/2004 02:02 PM
> Please respond to MQSeries List
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: OAM and Security Related Question
>
> Environment is MQSeries 5.3 on HP-UX 11.11.
>
>
> I wanted to know if the following will work. I want to add an mq user with
> all MQ read, write, etc.. permissions but without admin rights.
>
>
> If I add a userid called mquser to group mqm, can I then use the OAM
> facility to turn the admin permissions off on userid mquser using setmqaut
> -alladm ?
>
>
> Does adding a userid to group mqm give that userid all mqm privileges no
> matter what I later try to turn off through OAM ?
>
>
> I appreciate any clarification.
>
>
> Thanks
>
> Instructions for managing your mailing list subscription are provided in
> the Listserv General Users Guide available at http://www.lsoft.com
> Archive: http://vm.akh-wien.ac.at/MQSeries.archive
>
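
The two pitfalls raised in this thread (membership of mqm, and user-level grants landing on the user's primary group) can be checked before running setmqaut. This is an added example, not part of the original e-mails; the function names are hypothetical, and the user and group names are the ones used in the reply above.

```shell
#!/bin/sh
# Added example: pre-flight check for the group-based setup described above.
ADMIN_GROUP=mqm   # MQ administrative group named in the thread

# has_group "space separated group list" GROUP -> exit 0 if GROUP is listed
has_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# check_mq_user USER PRIMARY "ALL GROUPS" TARGET
# Prints findings; returns 1 if the user would not get the intended access.
check_mq_user() {
    user=$1; primary=$2; all=$3; target=$4; rc=0
    if has_group "$all" "$ADMIN_GROUP"; then
        echo "FAIL: $user is in $ADMIN_GROUP, so the user is effectively an MQ administrator"
        rc=1
    fi
    if ! has_group "$all" "$target"; then
        echo "FAIL: $user is not in $target, so grants made with -g $target do not apply"
        rc=1
    fi
    if [ "$primary" != "$target" ]; then
        echo "NOTE: a user-level grant for $user would land on primary group $primary"
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $user is in $target and not in $ADMIN_GROUP"
    fi
    return "$rc"
}

# audit_user USER TARGET: the same check against the live system, using id(1).
audit_user() {
    check_mq_user "$1" "$(id -gn "$1")" "$(id -Gn "$1")" "$2"
}

# Constructed sample: mquser has primary group 'users' and was added to mqgrp1.
#   check_mq_user mquser users "users mqgrp1" mqgrp1
# Live system:
#   audit_user mquser mqgrp1
```

The NOTE line is informational: it marks the case where granting to the user rather than with `-g` would change authorities for everyone sharing that primary group.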
