FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IBM MQ Plugin - permissions

Go to solution
MAkimov
Mentor

‎09 Oct 2019 12:25 AM - last edited on ‎31 Aug 2022 04:08 AM by Community Team

Hello

I try implement IBM MQ ActiveGate Plugin

I have question about permissions.

In doc says that the user must have at least the following permissions: connect,display,browse,put,inquire

For what objects do you need to give these permissions?

Must we have permissions of for each queue ?

 

 

Reply
4 REPLIES 4

Go to solution
diego_morales
Dynatrace Advisor
Dynatrace Advisor

‎09 Oct 2019 07:55 AM

Hi Mikhail,

The user needs those permissions for queues, channels, listener and queue managers.

I don't believe you need to specify it for each individual queue. You can apply it to all queues of the queue manager using wildcards.

You need these permissions because the plugin runs these PCF commands:
MQCMD_INQUIRE_Q_MGR_STATUS
MQCMD_INQUIRE_Q_NAMES
MQCMD_INQUIRE_Q
MQCMD_INQUIRE_Q_STATUS
MQCMD_INQUIRE_CHANNEL_STATUS
MQCMD_INQUIRE_LISTENER_STATUS
MQCMD_RESET_Q_STATS (if you collect Enqueue and Dequeue counts, you will also need the CHG permission on queues)

+put is required because it puts messages in command and audit queues when running those PCF commands.

Thanks,

Diego


Reply

Go to solution
MAkimov
Mentor
In response to diego_morales

‎17 Dec 2019 09:37 AM

Hello @Diego M.

Could you please tell us for which commands and queues we should give put permission to the plugin ?


That's right I understand that's enough SYSTEM.ADMIN.COMMAND.QUEUE


0 Kudos
Reply

Go to solution
MAkimov
Mentor
In response to diego_morales

‎22 Dec 2019 01:56 AM

Hello @Diego M.

The security service of the Bank asks what permissions are required for the plugin. They cannot allow put permissions for all queues (there are several hundred of them)


0 Kudos
Reply

Go to solution
diego_morales
Dynatrace Advisor
Dynatrace Advisor
In response to MAkimov

‎24 Dec 2019 08:00 AM

Hi Mikhail,

You're correct, the SYSTEM.ADMIN.COMMAND.QUEUE needs put permission and also the SYSTEM audit queues.

According to IBM:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.adm.doc/q020060_.htm

You need:

+dsp permissions to all objects (queue manager, queues, channels, listeners, namelists)
+put permissions to the queues I mentioned above.
+chg to queues you want to get enqueue/dequeue rate.
+ctrl if you want to ping a queue manager to get whether it is responsive.
+connect

With the above, make sure you can connect, inquire all objects.


Hope this helps,


Thanks,

Diego


0 Kudos
Reply
Ask a question

Featured Posts