MQ

MQ

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Back to discussions
Expand all | Collapse all

Will the AMS security to even lock out admins work with the Windows Administrators group too?

  • 1.  Will the AMS security to even lock out admins work with the Windows Administrators group too?

    Posted Thu September 06, 2012 07:51 PM
    This is a question from the September 6 webcast "Lessons learned for WebSphere MQ V7.1 and V7.5 security from the upcoming Secure Messaging Scenarios with WebSphere MQ IBM Redbook".

    Will the AMS security to even lock out admins work with the Windows Administrators group too?


  • 2.  Will the AMS security to even lock out admins work with the Windows Administrators group too?

    Posted Tue September 11, 2012 03:44 AM
    Maybe the following from the MQ 7.1 MQSC reference answers the question:

    USERLIST A list of up to 100 user IDs which are banned from use of this channel or set of channels. Use the special value *MQADMIN to mean privileged or administrative users. The definition of this value depends on the operating system, as follows:

    • On Windows, all members of the mqm group, the Administrators group and SYSTEM.



  • 3.  Will the AMS security to even lock out admins work with the Windows Administrators group too?

    Posted Wed September 12, 2012 08:28 AM
    Yes.  The queue manager at V7.5 and above will enforce policy against all users, even administrators.  As noted in the webinar, the admin can create an alias over the queue to bypass this enforcement.  However the queue manager will record this activity if configuration events are enabled.

    Regarding the other reply, the CHLAUTH rules are separate from the AMS policy enforcement and those are enforced at V7.1 and higher.


Related Content