First let me say that I'm a newbie admin to the MQ world and have been charged with setting up OAM security rules for MQ objects to be used in our internal trusted network of clustered QMs. I work in the iSeries world, which from what I can tell is not widely discussed here on this forum. I've read T.Rob's 'WebSphere MQ Security Heats Up' article and have a few questions concerning security setup. Most of our apps will be run in bindings mode, local on the host where a clustered QM resides.
I don't want our end users running apps under the mqm authority, so I understand the need to put an MCAUSER (i.e. mqmmca) on the CLUSRCVR channels, either statically or via an exit program yet to be determined. I also understand the need to lock down the default SYSTEM.* channels with 'nobody' in the MCAUSER. By using this authority schema, I'm assuming this allows the QMs' CLUSRCVR channels to talk back and forth and put to the appropriate queues defined within the cluster.
My concern is a group id (group profile in my world) to assign to my end users for application-specific MQ object access when running the application. I'm looking for a good starting point to establish a rule set to assign to the MQ objects as each application-specific object is created. Do the 'mqmmqi' group id authorities defined in this article provide that starting point? I don't see topics included here, but I did find that added in another article. We will not be asserting any id in the user apps, but going by the end-user group id (group profile assigned in my case) running the app. I'd like to keep the authority management fairly manageable, grouping end users as either application users or developers.
Thanks for any thoughts and/or suggestions in advance.
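One way to turn the setup described in the post above (a non-mqm MCAUSER on the cluster receiver, 'nobody' on the unused SYSTEM.* channels, and a per-application rule set keyed on an end-user group) into a repeatable script. This is an added example, not code from the post or from T.Rob's article. It emits MQSC `SET AUTHREC` and `ALTER CHANNEL` commands rather than calling `setmqaut`, because the same MQSC runs through `runmqsc` on distributed platforms and through `STRMQMMQSC` on IBM i (SET AUTHREC needs MQ 7.1 or later; on older releases the IBM i equivalent is GRTMQMAUT). The names `APP1`, `appusers`, `appdevs`, `mqmmca` and `TO.QM1` are constructed placeholders, and the exact right set (CONNECT/INQ on the queue manager, PUT/GET/BROWSE/INQ on queues, PUB/SUB on topics, plus DSP for developers) is an assumed least-privilege starting point to adjust to your applications:

```shell
#!/bin/sh
# Added example (not from the forum post or from T.Rob's article).
# Generates MQSC for one application's end-user group using generic
# authority profiles (APP1.** covers every object under the prefix).
# All names are constructed placeholders. Pipe the output into
# runmqsc QMGR (on IBM i, STRMQMMQSC reads the same MQSC).

# Refuse to grant application rights to an MQ administrator identity;
# the post's whole point is that end users must not run as mqm.
# QMQM / QMQMADM are the IBM i MQ administrator user and group profiles.
reject_admin_group() {
  case "$1" in
    mqm|QMQM|QMQMADM)
      printf "refusing to grant application rights to admin group %s\n" "$1" >&2
      return 1 ;;
  esac
  return 0
}

# Channel lockdown: a low-privilege id on this QM's CLUSRCVR so the
# cluster MCA never runs as mqm, and 'nobody' on the default/auto
# channels so nothing can connect through them unnoticed.
mq_channel_lockdown() {
  clusrcvr=$1   # this queue manager's CLUSRCVR channel name
  mcauser=$2    # non-mqm id the cluster MCA will run under
  printf "ALTER CHANNEL(%s) CHLTYPE(CLUSRCVR) MCAUSER('%s')\n" "$clusrcvr" "$mcauser"
  for pair in SYSTEM.DEF.RECEIVER:RCVR SYSTEM.DEF.REQUESTER:RQSTR \
              SYSTEM.DEF.SVRCONN:SVRCONN SYSTEM.DEF.CLUSRCVR:CLUSRCVR \
              SYSTEM.AUTO.RECEIVER:RCVR SYSTEM.AUTO.SVRCONN:SVRCONN; do
    printf "ALTER CHANNEL(%s) CHLTYPE(%s) MCAUSER('nobody')\n" \
      "${pair%%:*}" "${pair##*:}"
  done
}

# Per-application rule set for an end-user group (a group profile on
# IBM i). Application users get only what a running app needs; passing
# "yes" as the third argument adds DSP so developers can DISPLAY objects.
mq_app_authrec() {
  app=$1          # object-name prefix, e.g. APP1 -> profile APP1.**
  group=$2        # end-user group id
  dev=${3:-no}    # "yes" for the developer group
  reject_admin_group "$group" || return 1
  printf "SET AUTHREC OBJTYPE(QMGR) GROUP('%s') AUTHADD(CONNECT,INQ)\n" "$group"
  printf "SET AUTHREC PROFILE('%s.**') OBJTYPE(QUEUE) GROUP('%s') AUTHADD(PUT,GET,BROWSE,INQ)\n" \
    "$app" "$group"
  printf "SET AUTHREC PROFILE('%s.**') OBJTYPE(TOPIC) GROUP('%s') AUTHADD(PUB,SUB)\n" \
    "$app" "$group"
  if [ "$dev" = yes ]; then
    printf "SET AUTHREC OBJTYPE(QMGR) GROUP('%s') AUTHADD(DSP)\n" "$group"
    printf "SET AUTHREC PROFILE('%s.**') OBJTYPE(QUEUE) GROUP('%s') AUTHADD(DSP)\n" \
      "$app" "$group"
    printf "SET AUTHREC PROFILE('%s.**') OBJTYPE(TOPIC) GROUP('%s') AUTHADD(DSP)\n" \
      "$app" "$group"
  fi
}

# Example invocations (constructed names):
#   mq_channel_lockdown TO.QM1 mqmmca      | runmqsc QM1
#   mq_app_authrec APP1 appusers           | runmqsc QM1
#   mq_app_authrec APP1 appdevs yes        | runmqsc QM1
```

Two design points worth keeping whichever rule set you settle on: grant on the generic profile (`APP1.**`) once, so new queues and topics created under the application's naming standard inherit the rights without a new GRTMQMAUT each time, and keep the application group out of the object-administration rights (CRT, DLT, CHG, CLR, CTRL) so that the only way to change an object is through the admin profile. The guard that refuses the mqm/QMQM/QMQMADM groups is a cheap way to make sure a typo in a change script never widens the administrator group's scope.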