{"id":138,"date":"2019-08-17T18:38:56","date_gmt":"2019-08-17T18:38:56","guid":{"rendered":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/?p=138"},"modified":"2024-07-05T11:40:39","modified_gmt":"2024-07-05T10:40:39","slug":"ibm-mq-basics-security-part-3-object-permissions","status":"publish","type":"post","link":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/2019\/08\/17\/ibm-mq-basics-security-part-3-object-permissions\/","title":{"rendered":"<span class=\"caps\">IBM<\/span> <span class=\"caps\">MQ<\/span> basics: security \u2014 part 3: object permissions"},"content":{"rendered":"<p>This time, I\u2019ll be writing about object permissions&nbsp;only.<\/p>\n<p>Object permissions allow for fine-grained access control to <span class=\"caps\">MQ<\/span> objects (queues, topics, etc.). One can configure a user to only be able to read from one specific queue and only write to another.<\/p>\n<p>They can also be used to set up groups of people acting as <span class=\"caps\">MQ<\/span> administrators, <span class=\"caps\">MQ<\/span> operators,&nbsp;etc.<\/p>\n<p><!--more--><\/p>\n<p>Object permissions, called authorizations in <span class=\"caps\">MQ<\/span> parlance, are very important in <span class=\"caps\">MQ<\/span> application security because they can prevent a user or application with bad intentions from doing&nbsp;harm.<\/p>\n<p>With authorizations you&nbsp;can:<\/p>\n<ul>\n<li>Allow only administrators to issue commands to manage <span class=\"caps\">MQ<\/span> resources<\/li>\n<li>Allow an application user to \u201csee\u201d and use only the queues it needs access to.<\/li>\n<li>Limit the operations an application can do on a queue, for example, when an application only needs to put messages to a queue and never read&nbsp;them.<\/li>\n<\/ul>\n<p>Prior to <span class=\"caps\">IBM<\/span> <span class=\"caps\">MQ<\/span> 7.1 (the product was still called <span class=\"caps\">IBM<\/span> WebSphere <span class=\"caps\">MQ<\/span> at the time), object permissions on <span class=\"caps\">UNIX<\/span> could only be configured for Unix groups, never for individual users. Keep in mind that, unless the queue manager has been explicitly configured for user-based authorization, a <span class=\"caps\">UNIX<\/span> queue manager still resolves the user name you pass to <span style=\"font-family: 'andale mono', monospace;\">setmqaut -p<\/span> to that user\u2019s primary group, so every other member of that group ends up with the same authority.<\/p>\n<p>Authorizations can be configured using the <span style=\"font-family: 'andale mono', monospace;\">setmqaut<\/span> <span class=\"caps\">UNIX<\/span><sup>\u00ae<\/sup> command or the <span style=\"font-family: 'andale mono', monospace;\"><span class=\"caps\">SET<\/span> <span class=\"caps\">AUTHREC<\/span><\/span> <span class=\"caps\">MQSC<\/span> command.<\/p>\n<p>The following command grants <span style=\"font-family: 'andale mono', monospace;\">dsp<\/span> (display) authority on the queue <span style=\"font-family: 'andale mono', monospace;\"><span class=\"caps\">Q1<\/span>.R<\/span> to user <span style=\"font-family: 'andale mono', monospace;\">mqapp<\/span> in the queue manager <span style=\"font-family: 'andale mono', monospace;\"><span class=\"caps\">MQ01<\/span><\/span>:<\/p>\n<p class=\"code-example\">setmqaut -m <span class=\"caps\">MQ01<\/span> -t queue -n <span class=\"caps\">Q1<\/span>.R -p mqapp +dsp<\/p>\n<p>You can achieve the same with the following <span class=\"caps\">MQSC<\/span> command (note the <span class=\"caps\">PRINCIPAL<\/span> keyword for a user; <span class=\"caps\">GROUP<\/span> is used for a group):<\/p>\n<p class=\"code-example\"><span class=\"caps\">SET<\/span> <span class=\"caps\">AUTHREC<\/span> <span class=\"caps\">OBJTYPE<\/span>(<span class=\"caps\">QUEUE<\/span>) <span class=\"caps\">PROFILE<\/span>(<span class=\"caps\">Q1<\/span>.R) <span class=\"caps\">PRINCIPAL<\/span>('mqapp') <span class=\"caps\">AUTHADD<\/span>(<span class=\"caps\">DSP<\/span>)<\/p>\n<p>The most 
commonly used authorizations for queues and the queue manager are listed in the following table (<span class=\"caps\">MQI<\/span> are <span class=\"caps\">MQ<\/span> <span class=\"caps\">API<\/span>&nbsp;calls):<\/p>\n<table style=\"border-collapse: collapse; width: 100.174%;\">\n<tbody>\n<tr>\n<td style=\"width: 24.0625%;\">Authorization<\/td>\n<td style=\"width: 57.1576%;\">Description<\/td>\n<td style=\"width: 19.0925%;\">Type<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">CONNECT<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow issuing <span class=\"caps\">MQCONN<\/span> and <span class=\"caps\">MQCONNX<\/span> calls (connect to the queue manager; granted on the queue manager object, not on a queue)<\/td>\n<td style=\"width: 19.0925%;\"><span class=\"caps\">MQI<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">GET<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow issuing <span class=\"caps\">MQGET<\/span> calls (read from&nbsp;queue)<\/td>\n<td style=\"width: 19.0925%;\"><span class=\"caps\">MQI<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">PUT<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow issuing <span class=\"caps\">MQPUT<\/span> and <span class=\"caps\">MQPUT1<\/span> calls (write to&nbsp;queue)<\/td>\n<td style=\"width: 19.0925%;\"><span class=\"caps\">MQI<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">INQ<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow issuing <span class=\"caps\">MQINQ<\/span> calls (get queue attributes)<\/td>\n<td style=\"width: 19.0925%;\"><span class=\"caps\">MQI<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">BROWSE<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow issuing <span class=\"caps\">MQGET<\/span> calls with a browse option (read without removing the message)<\/td>\n<td style=\"width: 19.0925%;\"><span class=\"caps\">MQI<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">DSP<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow the <span class=\"caps\">DISPLAY<\/span> <span class=\"caps\">MQSC<\/span> command (view object definitions)<\/td>\n<td style=\"width: 19.0925%;\">Administration<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">CLR<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow clearing a queue or&nbsp;topic<\/td>\n<td style=\"width: 19.0925%;\">Administration<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">CRT<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow creating <span class=\"caps\">MQ<\/span> objects of that type<\/td>\n<td style=\"width: 19.0925%;\">Administration<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">DLT<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow deleting <span class=\"caps\">MQ<\/span> objects<\/td>\n<td style=\"width: 19.0925%;\">Administration<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 24.0625%;\"><span class=\"caps\">SYSTEM<\/span><\/td>\n<td style=\"width: 57.1576%;\">Allow using the queue manager for internal system operations<\/td>\n<td style=\"width: 19.0925%;\">Administration<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>There are several other authorizations, but I\u2019ll leave it up to you to figure them&nbsp;out.<\/p>\n<p>Two of the others are worth knowing about because they show up in the output further down: <span style=\"font-family: 'andale mono', monospace;\">setid<\/span> and <span style=\"font-family: 'andale mono', monospace;\">setall<\/span> allow an application to set the identity context (and, with <span style=\"font-family: 'andale mono', monospace;\">setall<\/span>, the origin context too) of the messages it puts, which means its messages can claim to come from a different user. Ordinary application users should not have&nbsp;them.<\/p>\n<p>In addition to individual authorizations, there are also the <span style=\"font-family: 'andale mono', monospace;\">all<\/span>, <span style=\"font-family: 'andale mono', monospace;\">allmqi<\/span> and <span style=\"font-family: 'andale mono', monospace;\">alladm<\/span> authorizations.<\/p>\n<p>The <span style=\"font-family: 'andale mono', monospace;\">all<\/span> authorization, as the name implies, includes all authorizations; the <span style=\"font-family: 
'andale mono', monospace;\">allmqi<\/span> includes all <span class=\"caps\">MQ<\/span> <span class=\"caps\">API<\/span> authorizations and, finally, the <span style=\"font-family: 'andale mono', monospace;\">alladm<\/span> includes all administration authorizations. Granting <span style=\"font-family: 'andale mono', monospace;\">all<\/span> to an application user gives it full control of the object, including deleting it and forging message context, which defeats the purpose of object permissions.<\/p>\n<p>The <span class=\"caps\">SET<\/span> <span class=\"caps\">AUTHREC<\/span> <span class=\"caps\">MQSC<\/span> command can be used to add several authorizations at the same&nbsp;time:<\/p>\n<p class=\"code-example\"><span class=\"caps\">SET<\/span> <span class=\"caps\">AUTHREC<\/span> <span class=\"caps\">OBJTYPE<\/span>(<span class=\"caps\">QUEUE<\/span>) <span class=\"caps\">PROFILE<\/span>(<span class=\"caps\">LOCALQ1<\/span>) <span class=\"caps\">PRINCIPAL<\/span>('mqapp') <span class=\"caps\">AUTHADD<\/span>(<span class=\"caps\">GET<\/span>,<span class=\"caps\">PUT<\/span>,<span class=\"caps\">BROWSE<\/span>)<\/p>\n<p>To remove authorizations use the <span class=\"caps\">AUTHRMV<\/span> keyword of the <span class=\"caps\">SET<\/span> <span class=\"caps\">AUTHREC<\/span> <span class=\"caps\">MQSC<\/span> command instead of <span class=\"caps\">AUTHADD<\/span>:<\/p>\n<p class=\"code-example\"><span class=\"caps\">SET<\/span> <span class=\"caps\">AUTHREC<\/span> <span class=\"caps\">OBJTYPE<\/span>(<span class=\"caps\">QUEUE<\/span>) <span class=\"caps\">PROFILE<\/span>(<span class=\"caps\">LOCALQ1<\/span>) <span class=\"caps\">PRINCIPAL<\/span>('mqapp') <span class=\"caps\">AUTHRMV<\/span>(<span class=\"caps\">GET<\/span>,<span class=\"caps\">PUT<\/span>,<span class=\"caps\">BROWSE<\/span>)<\/p>\n<p>The above two commands have the following equivalents on the <span class=\"caps\">UNIX<\/span> command&nbsp;line:<\/p>\n<p class=\"code-example\">setmqaut -m <span class=\"caps\">MQ01<\/span> -t queue -n <span class=\"caps\">LOCALQ1<\/span> -p mqapp +get +put +browse<\/p>\n<p>and<\/p>\n<p class=\"code-example\">setmqaut -m <span class=\"caps\">MQ01<\/span> -t queue -n <span class=\"caps\">LOCALQ1<\/span> -p mqapp -get -put -browse<\/p>\n<p>To check which authorizations a user or group has on a specific <span class=\"caps\">MQ<\/span> object, for example, the queue <span class=\"caps\">LOCALQ1<\/span>, just run the following command:<\/p>\n<p class=\"code-example\">dspmqaut -m <span class=\"caps\">MQ01<\/span> -t queue -n <span class=\"caps\">LOCALQ1<\/span> -p mqapp<\/p>\n<p>The output could be something&nbsp;like:<\/p>\n<p class=\"code-example\">Entity mqapp has the following authorizations for object <span class=\"caps\">LOCALQ1<\/span>:<br>\nget<br>\nbrowse<br>\nput<\/p>\n<p>The equivalent <span class=\"caps\">MQSC<\/span> command to the above&nbsp;is:<\/p>\n<p class=\"code-example\"><span class=\"caps\">DISPLAY<\/span> <span class=\"caps\">AUTHREC<\/span> <span class=\"caps\">OBJTYPE<\/span>(<span class=\"caps\">QUEUE<\/span>) <span class=\"caps\">PRINCIPAL<\/span>('mqapp') <span class=\"caps\">PROFILE<\/span>(<span class=\"caps\">LOCALQ1<\/span>)<br>\n4 : <span class=\"caps\">DISPLAY<\/span> <span class=\"caps\">AUTHREC<\/span> <span class=\"caps\">OBJTYPE<\/span>(<span class=\"caps\">QUEUE<\/span>) <span class=\"caps\">PRINCIPAL<\/span>('mqapp') <span class=\"caps\">PROFILE<\/span>(<span class=\"caps\">LOCALQ1<\/span>)<br>\n<span class=\"caps\">AMQ8864I<\/span>: Display authority record details.<br>\n<span class=\"caps\">PROFILE<\/span>(<span class=\"caps\">LOCALQ1<\/span>) <span class=\"caps\">ENTITY<\/span>(mqm)<br>\n<span class=\"caps\">ENTTYPE<\/span>(<span class=\"caps\">GROUP<\/span>) <span class=\"caps\">OBJTYPE<\/span>(<span class=\"caps\">QUEUE<\/span>)<br>\n<span class=\"caps\">AUTHLIST<\/span>(<span class=\"caps\">BROWSE<\/span>,<span class=\"caps\">CHG<\/span>,<span class=\"caps\">CLR<\/span>,<span class=\"caps\">DLT<\/span>,<span class=\"caps\">DSP<\/span>,<span class=\"caps\">GET<\/span>,<span class=\"caps\">INQ<\/span>,<span class=\"caps\">PUT<\/span>,<span class=\"caps\">PASSALL<\/span>,<span class=\"caps\">PASSID<\/span>,<span class=\"caps\">SET<\/span>,<span class=\"caps\">SETALL<\/span>,<span class=\"caps\">SETID<\/span>)<br>\n<span class=\"caps\">AMQ8864I<\/span>: Display authority record details.<br>\n<span class=\"caps\">PROFILE<\/span>(<span class=\"caps\">LOCALQ1<\/span>) <span class=\"caps\">ENTITY<\/span>(trindade)<br>\n<span class=\"caps\">ENTTYPE<\/span>(<span class=\"caps\">GROUP<\/span>) <span class=\"caps\">OBJTYPE<\/span>(<span class=\"caps\">QUEUE<\/span>)<br>\n<span class=\"caps\">AUTHLIST<\/span>(<span class=\"caps\">BROWSE<\/span>,<span class=\"caps\">GET<\/span>,<span class=\"caps\">INQ<\/span>,<span class=\"caps\">PUT<\/span>,<span class=\"caps\">PASSALL<\/span>,<span class=\"caps\">PASSID<\/span>,<span class=\"caps\">SET<\/span>,<span class=\"caps\">SETALL<\/span>,<span class=\"caps\">SETID<\/span>)<\/p>\n<p>Note that the records come back as <span class=\"caps\">ENTTYPE<\/span>(<span class=\"caps\">GROUP<\/span>) even though the command asked about a principal: on a group-based <span class=\"caps\">UNIX<\/span> queue manager the authorities are held by the groups the user belongs to, and that is what the display reflects. The <span class=\"caps\">SETALL<\/span> and <span class=\"caps\">SETID<\/span> entries in those lists are exactly the kind of thing such a check is meant to catch.<\/p>\n<p>It\u2019s also possible to dump all authorizations with the <span style=\"font-family: andale mono, monospace;\">dmpmqaut<\/span> command.<\/p>\n<p class=\"code-example\">dmpmqaut -m&nbsp;<span class=\"caps\">MQ01<\/span><\/p>\n<p>With the <span style=\"font-family: andale mono, monospace;\">dmpmqaut<\/span> command it is also possible to dump only the authorizations for one object type, one user or group, or one specific <span class=\"caps\">MQ<\/span> object. For that just use the <span style=\"font-family: andale mono, monospace;\">-t<\/span>, <span style=\"font-family: andale mono, monospace;\">-p<\/span> or <span style=\"font-family: andale mono, monospace;\">-g<\/span>, and <span style=\"font-family: andale mono, monospace;\">-n<\/span> command line options, respectively.<\/p>\n<p>For example, to list the authorizations every user and group holds on the queue <span class=\"caps\">LOCALQ1<\/span> in the <span class=\"caps\">MQ01<\/span> queue manager, just use the command:<\/p>\n<p class=\"code-example\">dmpmqaut -m <span class=\"caps\">MQ01<\/span> -t queue -n <span class=\"caps\">LOCALQ1<\/span><\/p>\n<p>Dumping the whole queue manager this way and reviewing the result is the quickest way to find entities holding more authority than their job needs, for example an application user with administration or context authorities on a queue.<\/p>\n<p>There are other authorization types for other object types (for example, topics have the <span class=\"caps\">PUB<\/span> authorization that is needed for \u201cwriting\u201d \u2013 publishing \u2013 to a topic). Perhaps some other article\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This time, I\u2019ll be writ\u00ading about object per\u00admis\u00adsions&nbsp;only. Object per\u00admis\u00adsions allow for fine-grained access con\u00adtrol to <span class=\"caps\">MQ<\/span> objects (queues, top\u00adics, etc.). 
One can con\u00adfig\u00adure a user to only be able to read from one spe\u00adcif\u00adic queue and only write to \u2026 <a href=\"https:\/\/trindade.myphotos.cc\/lazysysadmin\/2019\/08\/17\/ibm-mq-basics-security-part-3-object-permissions\/\">Con\u00adtin\u00adue read\u00ading <span class=\"meta-nav\">\u2192<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[20,2,3,21],"tags":[5,10,12,9,4,8,6,13],"class_list":["post-138","post","type-post","status-publish","format-standard","hentry","category-basics","category-middleware","category-mq","category-security","tag-ibm","tag-ibm-mq","tag-ibmmq","tag-middleware","tag-mq","tag-mqseries","tag-websphere-mq","tag-webspheremq"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Ant\u00f3nio Trindade","author_link":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/author\/trindade\/"},"_links":{"self":[{"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/posts\/138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/comments?post=138"}],"version-history":[{"count":12,"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/posts\/138\/revisions"}],"predecessor-version":[{"id":379,"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/posts\/138\/revisions\/379"}],"wp:attachment":[{"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/media?parent=138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/categories?post=138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/lazysysadmin\/wp-json\/wp\/v2\/tags?post=138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
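An added example for the dmpmqaut section of the post above (this is not code from the original post or from IBM): a small Python audit script that parses a dmpmqaut dump, compares what each entity holds against a least-privilege policy, and emits the setmqaut commands that would strip whatever is in excess. The dump, the queue manager name MQ01, the entities mqapp and jdoe, the policy, and the assumption that only the mqm group may hold administrative authority are all constructed for illustration; the sample follows the profile / object type / entity / entity type / authority block layout that dmpmqaut prints, with blocks separated by a dashed line.

```python
"""Audit a dmpmqaut dump against a least-privilege policy and emit the
setmqaut commands that strip every excess authority.  Added example, not
code from the original post: dump, queue manager, entities and policy
below are constructed for illustration."""
import re
from collections import namedtuple

# Beyond plain messaging: administration, context forging, altusr, bundles.
HIGH_RISK = {"chg", "clr", "crt", "dlt", "ctrl", "ctrlx", "system", "setall",
             "setid", "passall", "passid", "altusr", "all", "allmqi", "alladm"}
BUNDLES = {"all", "allmqi", "alladm"}
TRUSTED = {"mqm"}  # assumption: only mqm may hold administrative authority

# Constructed sample in the block layout dmpmqaut prints ("self" = the qmgr).
SAMPLE_DUMP = """\
profile:     LOCALQ1
object type: queue
entity:      mqapp
entity type: group
authority:   get put browse inq setall setid
- - - - - - - -
profile:     LOCALQ1
object type: queue
entity:      mqm
entity type: group
authority:   allmqi alladm
- - - - - - - -
profile:     self
object type: qmgr
entity:      mqapp
entity type: group
authority:   connect inq dsp
- - - - - - - -
profile:     LOCALQ1
object type: queue
entity:      jdoe
entity type: principal
authority:   allmqi alladm
"""

# Assumed policy: (object type, profile, entity) -> authorities it may hold.
POLICY = {
    ("queue", "LOCALQ1", "mqapp"): frozenset({"get", "put", "browse", "inq"}),
    ("qmgr", "self", "mqapp"): frozenset({"connect", "inq"}),
}
FIELD = re.compile(r"^(profile|object type|entity type|entity|authority):\s*(.*)$")

# enttype is "principal" or "group"; auths is a frozenset of authority names.
AuthRec = namedtuple("AuthRec", "profile objtype entity enttype auths")
# excess is the sorted tuple of authorities the policy does not grant.
Finding = namedtuple("Finding", "record excess severity")


def parse_dmpmqaut(text):
    """Split dmpmqaut output into one AuthRec per dashed block."""
    records, f = [], {}
    for line in text.splitlines() + ["-"]:   # trailing "-" flushes the last block
        m = FIELD.match(line.strip())
        if m:
            f[m.group(1)] = m.group(2).strip()
        elif line.startswith("-") and f:
            records.append(AuthRec(f["profile"], f["object type"], f["entity"],
                                   f["entity type"], frozenset(f.get("authority", "").split())))
            f = {}
    return records


def audit(records, policy, trusted=TRUSTED):
    """Flag every non-trusted record holding authority the policy does not grant."""
    findings = []
    for r in records:
        if r.entity in trusted:
            continue
        allowed = policy.get((r.objtype, r.profile, r.entity), frozenset())
        excess = (r.auths - allowed) | (r.auths & BUNDLES)  # bundles are never fine
        if excess:
            findings.append(Finding(r, tuple(sorted(excess)),
                                    "high" if excess & HIGH_RISK else "low"))
    return findings


def remediation(findings, qmgr):
    """setmqaut commands removing each excess authority (-g groups, -p principals)."""
    cmds = []
    for x in findings:
        r = x.record
        target = "" if r.objtype == "qmgr" else f" -n {r.profile}"  # qmgr takes no -n
        flag = "-g" if r.enttype == "group" else "-p"
        cmds.append(f"setmqaut -m {qmgr} -t {r.objtype}{target} {flag} {r.entity} "
                    + " ".join("-" + a for a in x.excess))
    return cmds


if __name__ == "__main__":
    found = audit(parse_dmpmqaut(SAMPLE_DUMP), POLICY)
    for x in found:
        print(x.severity.upper(), x.record.entity, "on", x.record.profile, *x.excess)
    print("\n".join(remediation(found, "MQ01")))
```

Against a real queue manager, capture the dump with `dmpmqaut -m MQ01 > dump.txt` and pass the file contents to parse_dmpmqaut. Review the generated setmqaut commands before running them: removing connect or get from a production entity is an outage, not a hardening step. On a group-based UNIX queue manager the -p form still lands on the user's primary group, which is why the script prefers -g whenever the dump says the entity is a group.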