Solved: IBM MQ Plugin - permissions

MAkimov · ‎09 Oct 2019

Hello

I try implement IBM MQ ActiveGate Plugin

I have question about permissions.

In doc says that the user must have at least the following permissions: connect,display,browse,put,inquire

For what objects do you need to give these permissions?

Must we have permissions of for each queue ?

diego_morales · ‎09 Oct 2019

Hi Mikhail,

The user needs those permissions for queues, channels, listener and queue managers.

I don't believe you need to specify it for each individual queue. You can apply it to all queues of the queue manager using wildcards.

You need these permissions because the plugin runs these PCF commands:
MQCMD_INQUIRE_Q_MGR_STATUS
MQCMD_INQUIRE_Q_NAMES
MQCMD_INQUIRE_Q
MQCMD_INQUIRE_Q_STATUS
MQCMD_INQUIRE_CHANNEL_STATUS
MQCMD_INQUIRE_LISTENER_STATUS
MQCMD_RESET_Q_STATS (if you collect Enqueue and Dequeue counts, you will also need the CHG permission on queues)

+put is required because it puts messages in command and audit queues when running those PCF commands.

Thanks,

Diego

MAkimov · ‎17 Dec 2019

Hello @Diego M.

Could you please tell us for which commands and queues we should give put permission to the plugin ?

That's right I understand that's enough SYSTEM.ADMIN.COMMAND.QUEUE

MAkimov · ‎22 Dec 2019

Hello @Diego M.

The security service of the Bank asks what permissions are required for the plugin. They cannot allow put permissions for all queues (there are several hundred of them)

diego_morales · ‎24 Dec 2019

Hi Mikhail,

You're correct, the SYSTEM.ADMIN.COMMAND.QUEUE needs put permission and also the SYSTEM audit queues.

According to IBM:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.adm.doc/q020060_.htm

You need:

+dsp permissions to all objects (queue manager, queues, channels, listeners, namelists)
+put permissions to the queues I mentioned above.
+chg to queues you want to get enqueue/dequeue rate.
+ctrl if you want to ping a queue manager to get whether it is responsive.
+connect

With the above, make sure you can connect, inquire all objects.

Hope this helps,

Thanks,

Diego

fstekelenburg · ‎30 Oct 2023

@diego_morales can you tell me, what would happen if the PUT permission is NOT granted (on SYSTEM.ADMIN.COMMAND.QUEUE)?

What is the impact, would break/not be possible, using the extension?

Kind regards, Frans Stekelenburg Certified Dynatrace Associate | measure.works, Dynatrace Partner

diego_morales · ‎30 Oct 2023

Indeed. Nothing would work. All the INQUIRE commands about queue manager status, queue status, channels, topics, clusters, etc. get PUT into that SYSTEM.ADMIN.COMMAND.QUEUE. IBM MQ then processes all those inquire commands and responds to them. Without that, it would never get metrics. That is the way IBM MQ operates with PCF commands (all those INQUIRE commands are PCF commands).

fstekelenburg · ‎30 Oct 2023

Thank you for the (swift) answer and confirming clarification, @diego_morales.

One other question; I read somewhere that the activeGate polls every minute (perhaps also the oneagents extension)? If the connection is not possible between AG and MQ, do we miss datapoints, or is data for the missing period als collected, once re-established?

Kind regards, Frans Stekelenburg Certified Dynatrace Associate | measure.works, Dynatrace Partner

diego_morales · ‎30 Oct 2023

No prob!. You lose on those datapoints since it cannot connect to it and IBM MQ does not keep history of any of that. IBM MQ only reports values as they are right now. The extension collects those minute-to-minute snapshots when it connects to it.