With the new feature in WebSphere MQ V7.1 called Channel Authentication Records (or CHLAUTH for short) there is a lot of talk about privileged users and administrator access. In this post I want to discuss how to create a non-privileged MQ administrator.
Before I begin let me define what I mean by each of those terms.
A privileged user is a user that has authorization to do an operation without being explicitly granted access to do that operation. The users in the mqm group are examples of these privileged users, but of course this does differ a little from platform to platform, so rather than using the term 'mqm user' I will use the term privileged user.
A lot of people use the term 'administrator' to mean a privileged user. In this post, I am using it to mean a person who has a need to issue administrative commands against WebSphere MQ, such as DEFINE QLOCAL or START CHANNEL.
Now let's see how we can put the two together.
Creating a non-privileged MQ Administrator
Here are some simple steps to get you to the point where you have a non-privileged MQ Administrator:
The first thing we need is a user ID on the queue manager machine that is not a privileged user. I will not show the commands to do this here as they are platform dependent. I will use the user ID 'alice' for my example.
Now that we have this user, there is a very quick way to grant this new user authority to issue all MQ admin commands.
Start up the MQ Explorer using a privileged user.
Navigate to the Role Based Wizard from the queue manager -> Object Authorities -> Add Role Based Authorities...
In the wizard panel that pops up, enter the user ID you created in the first step, or if you prefer to work with groups, enter the group name for the user or set of users that you wish to make into non-privileged MQ Administrators.
This wizard can set up two different types of access, read-only access or full administrative access. We want full administrative access for our purposes.
If you want to allow your non-privileged MQ Administrator to be able to browse messages on queues, also select that check box.
Review the commands in the preview panel at the bottom of the wizard. You can cut and paste these commands to build your own scripts. One reason you may prefer to do this with your own script is to reduce the amount of access you give to this user. Perhaps rather than granting access to all objects, you might prefer to only grant access to a certain group of objects. Pressing OK on the wizard will actually issue the commands as they are shown.
We assume the requirement for a non-privileged MQ Administrator is for remote access, so we'll also want to set up some CHLAUTH rules to allow this remote access to use this user ID. We assume that we're running with the recommendations made in CHLAUTH - the back-stop rule and that we just therefore need to add an enabling rule. The rule we create rather depends on how we choose to authenticate our remote MQ Administrators. Here are a couple of possibilities.
So now when someone connects into the admin-channel-name (and matches the CHLAUTH rules) they will be able to issue commands under the user ID 'alice' on the queue manager, and so privileged remote access is not required.
If we are using weak TCP/IP authentication then we might set up a CHLAUTH rule which looks like this:-
DESCR('Admin Channel - Weak TCP/IP authentication')
If we are using SSL authentication then we might set up a CHLAUTH rule which looks like this:-
TYPE(SSLPEERMAP) SSLPEER('CN=Alice') ADDRESS('126.96.36.199')
DESCR('Admin Channel - SSL authentication')