• Subject: RE: MQ and adopted authority
  • From: "McCallion, Martin" <MccalliM@xxxxxxxxxxxxxxxx>
  • Date: Wed, 2 May 2001 09:52:54 +0100

Evan Harris said:

> I have a client running V4R5 who just upgraded MQ from V4R2M1 to V5R2.
> 
> Some processes that previously worked now seem to exhibit 
> some different 
> behaviour and I'm wondering if MQ 5.2 treats adopted authorities any 
> differently.

I'm not sure about adoption, but the whole authority structure _is_
handled differently from V5R1 of MQSeries onwards.  The way we've been
treating it, in our development environment, is that any user that
wishes to use MQSeries has to be a member of the QMQMADM group.  This
can be either as their group profile or as a supplemental group.  It
looks like there are other ways to approach it, though.

I have a downloaded PDF from IBM called "Migrating to MQSeries for
AS/40, V5.1" which you (or your client) might want to read.  I don't
have the URL for it to hand, but I don't think we'll be violating any
licences if you contact me off-list and I email it to you.  In the
meantime here's a quick quote:

Chapter 7. Security

Security for MQSeries for AS/400 changes significantly with V5.1.
Security with
V5.1 is implemented using the MQSeries Object Authority Manager (OAM).

The OAM manages users' authorizations to manipulate MQSeries objects,
including
queues and process definitions. It also provides a command interface
through
which you can grant or revoke access authority to an object for a
specific group of
users. The decision to allow access to a resource is made by the OAM,
and the
queue manager follows that decision. If the OAM cannot make a decision,
the
queue manager prevents access to that resource.

With the OAM, you are able to control access to MQSeries objects through
the
MQI. When an application program attempts to access an object, the OAM
checks
that the user profile making the request has the authorization for the
operation
requested. This enables different groups of users different kinds of
access
authority to the same object. For example, for a specific queue, one
group may be
allowed to perform both put and get operations, while another group may
be
allowed only to browse the queue.
During installation the following user profiles are created:

QMQM
Primarily used for internal product-only function

QMQMADM
Intended to be used as a group profile for administrators of MQSeries,
giving
access to CL commands and MQSeries resources

Cheers,

Martin. 

--                                                                     
Martin McCallion                 
Midas-Kapiti International
Work:  mccallim@midas-kapiti.com
Home: martin.mccallion@ukonline.co.uk

Apologies for the length of this sig, but company policy says:
This email message is intended for the named recipient only.  It may be
privileged and/or confidential.  If you are not the intended named
recipient of this email then you should not copy it or use it for any
purpose, nor disclose its contents to any other person.  You should
contact Midas-Kapiti International as shown below so that we can take
appropriate action at no cost to yourself.

Midas-Kapiti International Ltd, 1 St George's Road, Wimbledon, London,
SW19 4DR, UK
Email: Postmaster@midas-kapiti.com Tel: +44 (0)208 879 1188 Fax: +44
(0)208 947 3373
Midas-Kapiti International Ltd is registered in England and Wales under
company no. 971479 
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.