MQ

 View Only

  • 1.  dspmqaut and dmpmqaut

    Posted Fri February 16, 2024 05:11 AM

    Hello 

    I've this situation and I need to understand why or what can be the origin. For the same queue dspmqaut and dmpmqaut gave different results (I've modified some name in what I'm posting here. MQ is v9.1 Windows. 

    D:\admintools>dmpmqaut -m QMGR_A -t queue -n Q_OUT -p user_ide -x
profile:     Q_OUT
object type: queue
entity:      user_ide@ad_domain
entity type: principal
authority:   get browse put inq dsp

D:\admintools>dspmqaut -m QMGR_A -t queue -n Q_OUT -p user_ide
Entity user_ide has the following authorizations for object Q_OUT:
        get
        browse
        put
        inq
        set
        crt
        dlt
        chg
        dsp
        passid
        passall
        setid
        setall
        clr


    ------------------------------
    Joao Ramires
    ------------------------------


  • 2.  RE: dspmqaut and dmpmqaut

    IBM Champion
    Posted Fri February 16, 2024 06:23 AM

    And what authorisations do the groups it is a member of have granted to them?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------

    Original Message


  • 3.  RE: dspmqaut and dmpmqaut

    Posted Fri February 16, 2024 06:52 AM

    Hi Morag

    User "user_ide" is an AD domain user, belongs only to "Global Group memberships  *Domain Users" , doesn't belong to any other group. I did a test: creating a new Domain user, give permissions to the same queue and for this new user dspmqaut and dmpmqaut gave the same results.  

    I'm afraid I didn't understand the question...



    ------------------------------
    Joao Ramires
    ------------------------------

    Original Message


  • 4.  RE: dspmqaut and dmpmqaut

    IBM Champion
    Posted Fri February 16, 2024 04:00 PM

    As noted in the description of the dspmqaut command:

    If a user ID is a member of more than one group, this command displays the combined authorizations of all the groups.

    I was wondering whether the additional authorities were coming from those granted to the group rather than the principal?

    What do you see if you use the -e parameter on your dmpmqaut command?

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------

    Original Message


  • 5.  RE: dspmqaut and dmpmqaut

    Posted Mon February 19, 2024 10:02 AM

    There is no difference with "-e", maybe this is consequence from an old access the user had? 

    D:\admintools>dmpmqaut  -m QMGR_A -t queue -n QOUT -p user_ide
profile:     QOUT
object type: queue
entity:      user_ide@ADdomain
entity type: principal
authority:   get browse put inq dsp

D:\admintools>dmpmqaut  -m QMGR_A -t queue -n QOUT -p user_ide -e
profile:     QOUT
object type: queue
entity:      user_ide@ADdomain
entity type: principal
authority:   get browse put inq dsp



    ------------------------------
    Joao Ramires
    ------------------------------

    Original Message