  • 1.  dspmqaut and dmpmqaut

    Posted Fri February 16, 2024 05:11 AM

    Hello 

    I have this situation and I need to understand why, or what the origin can be. For the same queue, dspmqaut and dmpmqaut gave different results (I've modified some names in what I'm posting here). MQ is v9.1 on Windows.

    D:\admintools>dmpmqaut -m QMGR_A -t queue -n Q_OUT -p user_ide -x
    profile:     Q_OUT
    object type: queue
    entity:      user_ide@ad_domain
    entity type: principal
    authority:   get browse put inq dsp
    
    D:\admintools>dspmqaut -m QMGR_A -t queue -n Q_OUT -p user_ide
    Entity user_ide has the following authorizations for object Q_OUT:
            get
            browse
            put
            inq
            set
            crt
            dlt
            chg
            dsp
            passid
            passall
            setid
            setall
            clr


    ------------------------------
    Joao Ramires
    ------------------------------


  • 2.  RE: dspmqaut and dmpmqaut

    IBM Champion
    Posted Fri February 16, 2024 06:23 AM

    And what authorisations do the groups it is a member of have granted to them?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: dspmqaut and dmpmqaut

    Posted Fri February 16, 2024 06:52 AM

    Hi Morag

    User "user_ide" is an AD domain user that belongs only to "Global Group memberships  *Domain Users" and doesn't belong to any other group. I did a test: I created a new domain user and gave it permissions to the same queue, and for this new user dspmqaut and dmpmqaut gave the same results.

    I'm afraid I didn't understand the question...



    ------------------------------
    Joao Ramires
    ------------------------------



  • 4.  RE: dspmqaut and dmpmqaut

    IBM Champion
    Posted Fri February 16, 2024 04:00 PM

    As noted in the description of the dspmqaut command:

    If a user ID is a member of more than one group, this command displays the combined authorizations of all the groups.

    I was wondering whether the additional authorities were coming from those granted to the group rather than the principal?

    What do you see if you use the -e parameter on your dmpmqaut command?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------
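
A small checker for the comparison discussed in this thread, as an added example (not code from any poster or from IBM): it parses dmpmqaut records and the dspmqaut list, then returns the authorities dspmqaut reports that no principal record in the dump grants, which are the ones to trace to group records as suggested above. Function names are hypothetical, and matching the entity on the part before "@" is an assumption.

```python
import re

# Command output copied from the first post of this thread.
DMPMQAUT_OUT = """\
profile:     Q_OUT
object type: queue
entity:      user_ide@ad_domain
entity type: principal
authority:   get browse put inq dsp
"""
# dspmqaut prints one authority per line; rebuilt here in that layout.
DSPMQAUT_OUT = ("Entity user_ide has the following authorizations for object Q_OUT:\n"
                + "".join(f"        {a}\n" for a in
                          "get browse put inq set crt dlt chg dsp passid passall setid setall clr".split()))

FIELD = re.compile(r"\s*(profile|object type|entity type|entity|authority):\s*(.*)$")

def parse_dmpmqaut(text):
    """Split dmpmqaut output into one dict per record (a record starts at 'profile:')."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # prompts, blank lines, informational messages
        key, value = m.group(1), m.group(2).strip()
        if key == "profile" and cur:
            records.append(cur)
            cur = {}
        cur[key] = set(value.split()) if key == "authority" else value
    if cur:
        records.append(cur)
    return records

def parse_dspmqaut(text):
    """Return the authorities listed after the 'Entity ... :' header line."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.lstrip().startswith("Entity ")), None)
    if start is None:
        return set()
    return {l.strip() for l in lines[start + 1:] if l.strip()}

def unexplained(dump_text, dsp_text, principal):
    """Authorities dspmqaut shows that no dumped principal record grants."""
    explicit = set()
    for rec in parse_dmpmqaut(dump_text):
        name = rec.get("entity", "").split("@")[0].lower()  # assumption: ignore @domain
        if rec.get("entity type") == "principal" and name == principal.lower():
            explicit |= rec.get("authority", set())
    return sorted(parse_dspmqaut(dsp_text) - explicit)

if __name__ == "__main__":
    print(unexplained(DMPMQAUT_OUT, DSPMQAUT_OUT, "user_ide"))
```
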



  • 5.  RE: dspmqaut and dmpmqaut

    Posted Mon February 19, 2024 10:02 AM

    There is no difference with "-e". Maybe this is a consequence of an old access the user had?

    D:\admintools>dmpmqaut  -m QMGR_A -t queue -n QOUT -p user_ide
    profile:     QOUT
    object type: queue
    entity:      user_ide@ADdomain
    entity type: principal
    authority:   get browse put inq dsp
    
    D:\admintools>dmpmqaut  -m QMGR_A -t queue -n QOUT -p user_ide -e
    profile:     QOUT
    object type: queue
    entity:      user_ide@ADdomain
    entity type: principal
    authority:   get browse put inq dsp



    ------------------------------
    Joao Ramires
    ------------------------------