| Author |
Message
|
| Blaaberg |
 Posted: Tue Oct 25, 2011 5:34 am Post subject: Remove group authorisations from qmgr |
 |
|
Novice
Joined: 14 Oct 2011
Posts: 12
|
On a windows server I have granted a group 'mca_test' some autorisations to qmgr:
setmqaut -t qmgr -g mca_test +inq +connect
If I try to remove the group typing the following an error appears:
setmqaut -t qmgr -g mca_test -inq -connect -remove
AMQ7097: You gave an authorization specification that is not valid.
From the System Administration manual on the usage of setmqaut:
Remove profile
+/-remove
Removes a profile. The authorizations associated
with the profile no longer apply to WebSphere MQ
objects with names that match the profile name
specified.
This option cannot be used with the option -t qmgr.
So its documented that it isnt possible to use the remove command to remove a group from qmgr
BUT...
How can I then remove the group with a command? |
|
| Back to top |
|
 |
| exerk |
| Posted: Tue Oct 25, 2011 5:42 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
Try: setmqaut -t qmgr -g mca_test -all
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Oct 25, 2011 5:57 am Post subject: Re: Remove group authorisations from qmgr |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Blaaberg wrote: |
| How can I then remove the group with a command? |
Don't specify -t as it says?
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Blaaberg |
| Posted: Tue Oct 25, 2011 6:12 am Post subject: |
|
|
Novice
Joined: 14 Oct 2011
Posts: 12
|
| exerk wrote: |
| Try: setmqaut -t qmgr -g mca_test -all |
It removes 'inq' and 'connect' authorisations but it doesnt delete the group in QMGRs authority records. Isnt that possible? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Oct 25, 2011 6:40 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20768
Location: LI,NY
|
Looks to me that you were trying to remove an authorization that did not exist: -inq -connect... Set were +inq +connect...
Did you try using remove on the authorizations that were actually set? 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Blaaberg |
| Posted: Wed Oct 26, 2011 12:07 am Post subject: |
|
|
Novice
Joined: 14 Oct 2011
Posts: 12
|
Ok, I try this instead.
If I want to remove group 'mca_test' from queue 'TEST' I run this command:
setmqaut -t queue -n TEST -g mca_test -remove
The setmqaut command completed successfully.
The same way I want to remove group 'mca_test' from qmgr:
setmqaut -t qmgr -g mca_test -remove
AMQ7097: You gave an authorization specification that is not valid.
But it wont allow it on qmgr with 'remove' |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Wed Oct 26, 2011 6:34 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
My recent experiments with removing entities from MQ OAM profiles on Windows with MQ 7.0.1.5 found that:
- Can't use +remove on qmgr object and its not possible to completely remove the entity's profile for qmgr object, so use -all. This leaves behind a qmgr profile with +none for that entity.
- Can't completely remove @CLASS profiles (that contain the +crt authority), so just use -crt. This leaves behind an @CLASS profile with +none for that entity.
I stand to be corrected if anyone can clarify...
_________________
Glenn |
|
| Back to top |
|
|
| Blaaberg |
| Posted: Wed Oct 26, 2011 10:35 pm Post subject: |
|
|
Novice
Joined: 14 Oct 2011
Posts: 12
|
Thats also my understanding of qmgr but im not happy with it leaving something behind 
Another thing... Can you explain what the @CLASS profile is and what it is used for? |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Sun Oct 30, 2011 2:36 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003
Posts: 2538
Location: Melbourne, Australia
|
| Blaaberg wrote: |
| Another thing... Can you explain what the @CLASS profile is and what it is used for? |
The @CLASS profile is used to store the +crt authority. This authority applies to an object type in general, not any particular named instance of it. eg. If you setmqaut +crt authority on any local queue name, it will allow that entity to create new local queues of any name.
For convenience, MS03 saveqmgr and amqoamd presents the +crt authority on the SYTEM.DEF.xxxxx object for each object type, and presents +crt on the qmgr object.
_________________
Glenn |
|
| Back to top |
|
|
| sachinshah |
| Posted: Wed Nov 16, 2011 3:38 pm Post subject: |
|
|
Newbie
Joined: 22 May 2008
Posts: 4
|
Interestingly, if you open the queue manager authority records using MQ Explorer on a windows machine, it provides a "Delete" button. By using that I was able to remove the record completely.
This is for MQ V7.0.0.2. So apparently there is a way. But maybe not through the command line (that will be a first). |
|
| Back to top |
|
|
|
|
