MQ

  • 1.  User Permission in qmgr and queues

    Posted Thu March 02, 2023 08:48 AM
    Edited by Emanuel Gonzalez Thu March 02, 2023 09:02 AM

    Hello, I'm having a problem with a created user.

    Every time we create a user we do the following.
    1- We create the user on the system with the useradd command, for example useradd john.

    2- We assign the corresponding privileges:

    setmqaut -m KIUTBP -t qmgr -p kiutbp +connect +inq

    We always perform the same procedure but this time the main one cannot be connected for some reason.

    In the logs we see this error:

    AMQ8077W: Entity 'kiutbp' has insufficient authority to access object 'KIUTBP'.

    EXPLANATION:
    The specified entity is not authorized to access the required object. The
    following requested permissions are unauthorized: setall
    ACTION:
    Ensure that the correct level of authority has been set for this entity against
    the required object, or ensure that the entity is a member of a privileged
    group.
    ----- amqzfubx.c : 1605 -------------------------------------------------------
    03/02/2023 01:37:23 PM - Process(1593.272) User(mqm) Program(amqzlaa0)
                        Host(ibm-mq-1a.prod) Installation(Installation1)
                        VRMF(9.1.0.7) QMgr(KIUTBP)
                        Time(2023-03-02T13:37:23.089Z)
                        RemoteHost(10.54.130.234)
                        CommentInsert1(kiutbp)
                        CommentInsert2(KIUTBP)
                        CommentInsert3(setall)
                       
    AMQ8077W: Entity 'kiutbp' has insufficient authority to access object 'KIUTBP'.

    EXPLANATION:
    The specified entity is not authorized to access the required object. The
    following requested permissions are unauthorized: setall
    ACTION:
    Ensure that the correct level of authority has been set for this entity against
    the required object, or ensure that the entity is a member of a privileged
    group.
    ----- amqzfubx.c : 1605 -------------------------------------------------------

    We've never had to add the user to a group to assign a permission.

    The principal has these permissions assigned:


    [mqm@ibm-mq-1a ~]$ dspmqaut -m KIUTBP -t qmgr -p kiutbp                         
    La entidad kiutbp tiene las autorizaciones siguientes para el objeto KIUTBP:
           inq
           connect

    [mqm@ibm-mq-1a ~]$ dspmqaut -m KIUTBP -n PROS.TYPEB.OUT -t queue -p kiutbp

    La entidad kiutbp tiene las autorizaciones siguientes para el objeto PROS.TYPEB.OUT:
            get
            browse
            put
            inq
            set
            setall


    Is there some way to remove the main one permanently from the IBM MQ database and then create it again?

    Any suggestions?

    ------------------------------
    Emanuel Gonzalez
    ------------------------------



  • 2.  RE: User Permission in qmgr and queues

    Posted Thu March 02, 2023 10:38 AM

    You can see the app connecting to the queue manager is looking to `setall` as per the comment `CommentInsert3(setall)`



    ------------------------------
    om prakash
    ------------------------------



  • 3.  RE: User Permission in qmgr and queues

    Posted Thu March 02, 2023 11:32 PM

    Hi Emanuel,

    The error message shows the answer, it says:-

    Entity 'kiutbp' has insufficient authority to access object 'KIUTBP'. The following requested permissions are unauthorized: setall

    The object is clearly a queue manager object since it has the same name, KIUTBP, as your queue manager.

    You have shown us that the user 'kiutbp' was only granted +inq and +connect to the qmgr object.

    Now before you go straight ahead and grant the user +setall as well with a command like the following:-

    setmqaut -m KIUTBP -t qmgr -p kiutbp +connect +inq +setall

    it might be wise to discover why your application needs +setall, as this is a high level of authority that allows an application to masquerade as a different user. Its use for standard MQ applications should always be questioned.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------
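
An added example, not part of any post in this thread: a small Python parser that pulls AMQ8077W denials out of a queue manager error log and lists the ones that request context authorities such as setall, the kind of request post 3 says should be questioned before it is granted. The sample log, the names appuser, batch, QM1 and APP.QUEUE, and the choice of which authorities to flag are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: context and alternate-user authorities are the ones to flag;
# the thread itself only discusses setall.
SENSITIVE = {"setall", "setid", "passall", "passid", "altusr"}

SEPARATOR = re.compile(r"^\s*-{5} \S+ : \d+ -+\s*$", re.M)
INSERT = re.compile(r"CommentInsert(\d)\(([^)]*)\)")
# Fallback for records pasted without their header (English message text only).
MESSAGE = re.compile(r"Entity '([^']+)' has insufficient authority to access "
                     r"object '([^']+)'.*?unauthorized:\s*(\S+)", re.S)

def denials(log_text):
    """Count (entity, object, authority) for each AMQ8077W record."""
    counts = Counter()
    for record in SEPARATOR.split(log_text):
        if "AMQ8077W" not in record:
            continue
        ins = dict(INSERT.findall(record))
        if {"1", "2", "3"} <= ins.keys():
            # CommentInsert fields do not depend on the message language.
            counts[(ins["1"], ins["2"], ins["3"])] += 1
        elif (m := MESSAGE.search(record)):
            counts[m.groups()] += 1
    return counts

def needs_review(counts):
    return sorted(k for k in counts if k[2].lower() in SENSITIVE)

# Constructed sample in the layout of the log excerpt above: the first record
# has lost its header (and CommentInsert fields), the others keep theirs.
SAMPLE = """\
AMQ8077W: Entity 'appuser' has insufficient authority to access object 'QM1'.
The specified entity is not authorized to access the required object. The
following requested permissions are unauthorized: setall
----- amqzfubx.c : 1605 ------------------------------
                    CommentInsert1(appuser)
                    CommentInsert2(QM1)
                    CommentInsert3(setall)
AMQ8077W: Entity 'appuser' has insufficient authority to access object 'QM1'.
----- amqzfubx.c : 1605 ------------------------------
                    CommentInsert1(batch)
                    CommentInsert2(APP.QUEUE)
                    CommentInsert3(put)
AMQ8077W: Entity 'batch' has insufficient authority to access object 'APP.QUEUE'.
----- amqzfubx.c : 1605 ------------------------------
"""
```

Calling `needs_review(denials(SAMPLE))` returns only the setall denial; the put denial on the queue is counted but not flagged.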