Ldap query user member of group
This blog post follows on from Using LDAP with multi platform.

Nested groups can be used to simplify administration. It is good practice to grant authority to access resources using groups, rather than giving access to individual userids. For example, if an application uses 10 queues and a new person joins the team, you can either connect the new id to one group, or give the id access to the 10 queues.

Imagine the payroll queues are managed by the GRPAYROLL access group, the HR queues by the GRHR access group, and the Finance queue by the GRFINANCE access group. The MQ system programmers can manage any queue. You could give GRMQADMIN access to the Payroll queues, HR queues and Finance queues. Or you say that GRMQADMIN is the superset and includes a reference to GRPAYROLL, GRHR and GRFINANCE. If you define an HR queue, you just give GRHR access to it, and the MQ Administration team get access to it “for free”. You can take this further and have groups GRHR_GR1 and GRHR_GR2 which give access to a subset of HR queues; the GRHR group could include both of these. The model of this is a tree, where a group high up in the tree incorporates the groups lower down the tree.

There are two ways of defining groups in LDAP.

1. Define a group record, and list the members of the group. To retrieve the groups for a user, you issue a query for all groups which have the given member data.
2. Specify the group name as part of the user’s record; this is known as a dynamic group. For this you retrieve the “group” attributes from the record. Note: the group attribute does not exist in LDAP, you have to use a different one (I used the st attribute).

There is an MQ AUTHINFO parameter NESTGRP.

YES: The group list is searched recursively to enumerate all the groups to which a user belongs.

On my system the userid ibmuser is a “member” of two groups, mqstatic and mqstatic2:

dn: cn=mqstatic,ou=groups,o=your Company
dn: cn=mqstatic2,ou=groups,o=your Company

There is another group (cn=mega, as the nested query below shows) which refers to the mqstatic group:

Member: cn=mqstatic,ou=groups,o=your Company

As part of the userid to group mapping, MQ issues the query “What groups have member: cn=ibmuser,o=your Company?” and gets the response

dn: cn=mqstatic,ou=groups,o=your Company
dn: cn=mqstatic2,ou=groups,o=your Company

When NESTGRP(YES) is specified, MQ then queries all groups that have member cn=mqstatic2,ou=groups,o=your Company, and does another query for cn=mqstatic,ou=groups,o=your Company, and gets the response dn: cn=mega,ou=groups,o=your Company.

The cn=ibmuser is associated with the three groups, and those three groups are used for access checking.

The “isusedby” attribute name is in reality “member”, which I feel is very confusing, as member implies membership, and there is no membership involved.
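The lookup MQ performs with NESTGRP(YES) is a repeated “which groups have member: <dn>?” search, walking upwards until no new group appears. The following is an added example, not code from the blog post or from MQ: it models that walk in Python against a constructed in-memory directory (a dict of DN to attributes standing in for a real LDAP server), using the post’s group names (mqstatic, mqstatic2, mega). The cn=loop group, the st values and the helper names are assumptions added for illustration; loop exists only to show why the recursion needs a visited set, because two groups that reference each other would otherwise never terminate. It also covers the post’s second method (group names stored on the user’s own record under a repurposed attribute such as st), which needs no recursion at all.

```python
"""NESTGRP-style nested group resolution, modelled against an in-memory directory.

Added example (not from the blog post or from MQ). The 'directory' below is a
constructed stand-in for an LDAP server: each key is an entry DN, each value its
attributes. The only thing exercised is the lookup algorithm itself.
"""

# Constructed sample directory following the post's layout.
DIRECTORY = {
    "cn=ibmuser,o=your Company": {
        "objectClass": ["person"],
        # Method 2 from the post: group names stored on the user record under a
        # repurposed attribute (the post used 'st'). Values here are assumed.
        "st": ["GRPAYROLL", "GRHR"],
    },
    "cn=mqstatic,ou=groups,o=your Company": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=ibmuser,o=your Company"],
    },
    "cn=mqstatic2,ou=groups,o=your Company": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=ibmuser,o=your Company"],
    },
    # mega "refers to" mqstatic: its member attribute names a group, not a user.
    "cn=mega,ou=groups,o=your Company": {
        "objectClass": ["groupOfNames"],
        "member": [
            "cn=mqstatic,ou=groups,o=your Company",
            "cn=loop,ou=groups,o=your Company",  # constructed cycle: mega -> loop
        ],
    },
    # Constructed group that refers back to mega, closing the cycle.
    "cn=loop,ou=groups,o=your Company": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=mega,ou=groups,o=your Company"],
    },
}


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: attribute values in DNs are compared
    case-insensitively and whitespace after the comma is not significant, so
    'CN=IBMUSER, O=Your Company' must match 'cn=ibmuser,o=your Company'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_with_member(dn: str, directory=DIRECTORY):
    """Model of the search (&(objectClass=groupOfNames)(member=<dn>)):
    return the DNs of every group whose member attribute lists <dn>."""
    wanted = normalize_dn(dn)
    return [
        entry_dn
        for entry_dn, attrs in directory.items()
        if "groupOfNames" in attrs.get("objectClass", [])
        and any(normalize_dn(m) == wanted for m in attrs.get("member", []))
    ]


def resolve_groups(user_dn: str, nestgrp: bool, directory=DIRECTORY):
    """Return the set of group DNs to use for access checking.

    nestgrp=False: only groups that directly list the user.
    nestgrp=True:  additionally follow 'member' references upwards, i.e. find
                   groups whose member is a group already found, until the
                   set stops growing. 'found' doubles as the visited set, so a
                   cycle between groups (mega <-> loop above) terminates.
    """
    found = set(groups_with_member(user_dn, directory))
    if not nestgrp:
        return found
    pending = list(found)
    while pending:
        group = pending.pop()
        for parent in groups_with_member(group, directory):
            if parent not in found:
                found.add(parent)
                pending.append(parent)
    return found


def dynamic_groups(user_dn: str, attribute: str = "st", directory=DIRECTORY):
    """Method 2 from the post: read the group names off the user's own record.
    One entry read, no recursion; the attribute name is whatever you repurposed."""
    return set(directory.get(user_dn, {}).get(attribute, []))


if __name__ == "__main__":
    user = "cn=ibmuser,o=your Company"
    print("NESTGRP(NO): ", sorted(resolve_groups(user, nestgrp=False)))
    print("NESTGRP(YES):", sorted(resolve_groups(user, nestgrp=True)))
    print("dynamic (st):", sorted(dynamic_groups(user)))
```

With NESTGRP(NO) only mqstatic and mqstatic2 come back; with NESTGRP(YES) the walk adds mega (because its member attribute names mqstatic) and then loop, and stops there because mega is already in the result set. The DN normalisation matters when checking what an LDAP server returned: a group whose member value differs only in case or spacing from the DN you searched for is still the same entry, and an access check that compared raw strings would silently drop it.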