Removing users authorized to access WebSphere MQ
SrihariKulkarni
Take a situation where you have user ids on a system that have been given access to WebSphere MQ, either by being included in the mqm group or individually through authorization commands such as setmqaut. What would happen if you delete one such user id from the system? Will WebSphere MQ remove the authorizations when the user id is deleted, or will they remain? What happens if the same user id is created again on the same system: will the 'new' user id have the same set of authorizations to WebSphere MQ queue managers and objects as the user id had before it was deleted? These are some of the questions this post will attempt to address.
Whenever a queue manager or a queue manager object (such as a queue, topic, etc.) is created, all users in the mqm group are given access to it by default. You can further fine-tune access with the authorization commands (setmqaut, dmpmqaut, dspmqaut). On Windows, the authorization entries for each object are mapped to the security identifier (SID) of the user rather than to the user name or user id. So, when a user id is deleted from the system and WebSphere MQ is not 'informed' of this deletion, the entries mapping the SID to its relevant authorization remain, leaving orphan entries in the authorization table. A user id that is later re-created with the same name gets a new SID, so it does not pick up those old entries. Such entries are generally harmless to the functioning of the queue manager or the security of the system. However, they can be a real headache for system administrators trying to figure out who was granted access, when and why. This is potentially a problem during auditing as well.
Another problem with orphan entries arises during migration from WebSphere MQ v6 to v7. When the command to start a broker (strmqbrk) is run in WebSphere MQ v7, it attempts to migrate all the publish/subscribe objects and their authorizations to v7 (v7 no longer needs a separate broker; the pub/sub engine is within the queue manager). The orphan entries can cause the migration to report an error for each 'missing' user.
How do we delete these entries later?
Unfortunately, it is not possible to delete these entries from the authorization table. It is therefore recommended that all authorizations for a particular user be removed before deleting the user id from the system. This article in the WebSphere MQ Infocenter has more information.
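As an added example (not part of the original post, and not IBM's own tooling), the script below shows the "revoke first, then delete the user" routine as an administrator would script it. It assumes the authorization dump was produced with dmpmqaut in its setmqaut output format (dmpmqaut -m QM1 -p appuser -o setmqaut) and that setmqaut accepts -remove to drop a profile entry; the dump lines embedded in the script are a constructed sample standing in for that output, and the queue manager, queue and user names in it are made up.

```shell
#!/bin/sh
# Added example: turn a dmpmqaut dump (setmqaut format) into the matching
# "setmqaut ... -remove" commands for ONE principal, so they can be reviewed
# and run before the OS user id is deleted. Not from the original post.

# CONSTRUCTED sample of "dmpmqaut -m QM1 -o setmqaut" output (assumption:
# one setmqaut line per profile, options first, then +authority tokens).
SAMPLE_DUMP='setmqaut -m QM1 -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -p appuser +get +browse +put +inq
setmqaut -m QM1 -n APP.IN -t queue -p appuser +get +inq
setmqaut -m QM1 -t qmgr -p appuser +connect +inq
setmqaut -m QM1 -n APP.IN -t queue -p otheruser +put'

# grants_for USER [DUMP]: print the dump lines that grant USER anything.
# Run this against a fresh dump AFTER the removals; it should print nothing.
grants_for() {
    user=$1
    dump=${2:-$SAMPLE_DUMP}
    printf '%s\n' "$dump" | awk -v u="$user" '
        $1 == "setmqaut" {
            for (i = 2; i < NF; i++) if ($i == "-p" && $(i+1) == u) { print; next }
        }'
}

# revoke_commands USER [DUMP]: for each profile granting USER something,
# emit the same -m/-n/-t/-p options followed by -remove. Authority tokens
# (+get, +put, ...) are dropped; other principals are left untouched.
revoke_commands() {
    user=$1
    dump=${2:-$SAMPLE_DUMP}
    printf '%s\n' "$dump" | awk -v u="$user" '
        $1 == "setmqaut" {
            out = "setmqaut"; hit = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\+/) continue            # authority token, not an option
                if ($i == "-p" && $(i+1) == u) hit = 1
                out = out " " $i " " $(i+1); i++    # copy option and its value
            }
            if (hit) print out " -remove"
        }'
}

# Typical use: review, then pipe into sh, then re-dump and confirm nothing
# is left before running the OS user deletion.
#   revoke_commands appuser "$(dmpmqaut -m QM1 -p appuser -o setmqaut)"
#   ... | sh
#   grants_for appuser "$(dmpmqaut -m QM1 -p appuser -o setmqaut)"   # expect no output
revoke_commands appuser
```

The point of generating the commands rather than running them blindly is that the dump is the only record of what the SID-mapped entries were; once the user id is gone the entries can no longer be addressed by name, so the review and the empty re-dump are the evidence an auditor will later ask for.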