Original Message:
Sent: Tue August 13, 2024 03:46 PM
From: Morag Hughson
Subject: MQ Explore read only
Hi Joao,
The user can only issue setmqaut or the equivalent MQSC SET AUTHREC or PCF SetAuthRec commands if he has authority to do so. This is true for all commands. Just having PUT access to the command server's input queue does not in itself grant you authority to issue commands; you must also have the authority for the actual commands as well.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Tue August 13, 2024 09:34 AM
From: Joao Ramires
Subject: MQ Explore read only
Thanks Martin,
And the user that puts a PCF message can alter his own access to other queues? For example, do, with a PCF, the equivalent of
setmqaut -m QMgrName -n ** -t queue -g GroupName +browse +get
?
------------------------------
Joao Ramires
Original Message:
Sent: Tue August 13, 2024 05:44 AM
From: Martin Evans
Subject: MQ Explore read only
Hi Joao,
The user that put the PCF message must have authority to access the object(s) it is working with. That's why you need the other authorisations listed in the link; for example, you wouldn't be able to browse queues without
setmqaut -m QMgrName -n ** -t queue -g GroupName +browse +dsp
The ** is a special wildcard that applies to all queues.
------------------------------
Regards,
Martin Evans
IBM MQ Technical Product Manager
Original Message:
Sent: Tue August 13, 2024 05:33 AM
From: Joao Ramires
Subject: MQ Explore read only
Hi Martin
Thanks for your reply. I know about that link, but what confuses me somewhat is the:
setmqaut -m QMgrName -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g GroupName +dsp +inq +put
A user with put authority to SYSTEM.ADMIN.COMMAND.QUEUE can do whatever he wants on a queue manager, for example using PCF messages. Or am I wrong?
Regards
------------------------------
Joao Ramires
Original Message:
Sent: Tue August 13, 2024 05:05 AM
From: Martin Evans
Subject: MQ Explore read only
Hi Joao,
I presume you are looking at,
https://www.ibm.com/docs/en/ibm-mq/9.4?topic=grar-granting-read-only-access-all-resources-queue-manager
Authority to access an object is still required even if you can put a message on the command queue.
------------------------------
Regards,
Martin Evans
IBM MQ Technical Product Manager
Original Message:
Sent: Mon July 15, 2024 11:02 AM
From: Joao Ramires
Subject: MQ Explore read only
Hello all
I've some users in AD domain1 asking for read-only access to use MQ Explorer on their Windows workstations. These users belong to AD domain1 and the queue manager is running in another domain: AD domain2. How can I validate, from my queue manager, running with a service user from AD domain1, the users from another AD domain? Does my service user need some special permissions?
After solving this part of the question, I need to give some access to the queue manager queues, and the examples I found suggest giving
setmqaut -m <qmgr> -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -g "read_group" +dsp +inq +put
Put to SYSTEM.ADMIN.COMMAND.QUEUE can be a risk, I guess.
Thanks for your suggestions
------------------------------
Joao Ramires
------------------------------
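An added example, not part of the original thread or of IBM's documentation: a small Python lint that reads setmqaut command lines like those quoted above and reports anything granted to a read-only group beyond display, inquire, browse and connect, since those extra authorities (not put on the command queue by itself) are what decide which commands the group can run. The allow-list, the SYSTEM.MQEXPLORER.REPLY.MODEL entry, the group names and the sample lines are assumptions constructed for illustration.

```python
import shlex

# Assumed baseline for a read-only MQ Explorer group (adjust to your policy).
READ_ONLY = {"dsp", "inq", "browse", "connect"}
# put/get tolerated only on the queues used to talk to the command server (assumption).
MESSAGING_OK = {
    "SYSTEM.ADMIN.COMMAND.QUEUE": {"put"},
    "SYSTEM.MQEXPLORER.REPLY.MODEL": {"put", "get"},
}

def parse_setmqaut(line):
    """Return (group, profile, objtype, granted) or None if not a setmqaut line."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "setmqaut":
        return None
    opts, granted, i = {}, set(), 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-m", "-n", "-t", "-g", "-p") and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]   # option followed by its value
            i += 2
            continue
        if tok.startswith("+"):
            granted.add(tok[1:].lower())  # +put -> "put"
        i += 1
    return opts.get("-g"), opts.get("-n"), opts.get("-t"), granted

def excess_grants(lines, group):
    """List (objtype, profile, extra_authorities) granted to `group` beyond read-only."""
    findings = []
    for line in lines:
        parsed = parse_setmqaut(line)
        if parsed is None or parsed[0] != group:
            continue
        _, profile, objtype, granted = parsed
        extra = granted - (READ_ONLY | MESSAGING_OK.get(profile, set()))
        if extra:
            findings.append((objtype, profile, sorted(extra)))
    return findings

# Constructed sample grant script; QM1, read_group and ops_group are hypothetical.
SAMPLE = [
    "setmqaut -m QM1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g read_group +dsp +inq +put",
    "setmqaut -m QM1 -n ** -t queue -g read_group +browse +dsp",
    "setmqaut -m QM1 -n ** -t queue -g read_group +browse +get",
    "setmqaut -m QM1 -t qmgr -g read_group +connect +inq +dsp +chg",
    "setmqaut -m QM1 -n ** -t queue -g ops_group +all",
]

if __name__ == "__main__":
    for finding in excess_grants(SAMPLE, "read_group"):
        print(finding)
```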