Unauthorized users in WMQ can browse messages if MSGACCESS(DATA) is used

Technote (troubleshooting)


Problem (Abstract)

According to the MQ agent documentation, when MSGACCESS(DATA) is used, the TEP user ID is used to access WebSphere MQ data. The problem is that all TEP users can access MQ message information even if they are not authorized within WMQ security itself.

Symptom

All TEP user IDs can access MQ message information even if they are not authorized within WebSphere MQ security itself.


Cause

The problem is caused by the RESLEVEL profile. As per the WebSphere MQ manual (WebSphere MQ System Setup Guide), if the user ID has CONTROL or higher access to the RESLEVEL profile, resource checking for batch connections is bypassed.

Resolving the problem

The problem can be solved by giving CANSMQ a lower level of access to the RESLEVEL profile than its group has.

After that is done, refresh the MQ security by issuing the REFRESH SECURITY MQSC command, and finally restart the MQ Agent started task.
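The following added example (not part of the original technote and not IBM code) models why the fix works: an access-list entry for the user ID itself overrides what the user would otherwise inherit from a group, so a lower entry for CANSMQ switches resource checking back on for its batch connection. The group names and access lists are constructed sample data, and the model is a simplification that assumes list-of-groups checking and ignores ID(*) entries, conditional access lists and global access checking.

```python
# Simplified model of access resolution on the RESLEVEL profile and its
# effect on a batch connection to WebSphere MQ. Illustrative only.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def effective_access(user, groups, access_list, uacc="NONE"):
    """Return (access, source) for `user` on one profile.

    An entry for the user ID itself takes precedence over any group entry.
    Otherwise the highest access among the user's groups applies (assumes
    list-of-groups checking is active). Otherwise UACC applies.
    """
    if user in access_list:
        return access_list[user], "user entry"
    group_hits = [access_list[g] for g in groups if g in access_list]
    if group_hits:
        return max(group_hits, key=LEVELS.index), "group entry"
    return uacc, "UACC"


def batch_checks_bypassed(access):
    """CONTROL or higher on RESLEVEL bypasses resource checks (batch)."""
    return LEVELS.index(access) >= LEVELS.index("CONTROL")


def audit(user, groups, access_list, uacc="NONE"):
    """Summarise the RESLEVEL exposure of one connecting user ID."""
    access, source = effective_access(user, groups, access_list, uacc)
    return {"user": user, "access": access, "source": source,
            "bypassed": batch_checks_bypassed(access)}


# Constructed sample data: MQADMINS and STCGROUP are hypothetical groups.
AGENT_GROUPS = ["STCGROUP", "MQADMINS"]
BEFORE = {"MQADMINS": "CONTROL"}                  # agent inherits CONTROL
AFTER = {"MQADMINS": "CONTROL", "CANSMQ": "NONE"}  # explicit lower entry

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        print(label, audit("CANSMQ", AGENT_GROUPS, acl))
```

Any entry below CONTROL has the same effect in this model; the new level only applies to the agent once it reconnects, which is why the technote ends with a restart of the started task.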

Document information


More support for:

Tivoli OMEGAMON XE for Messaging for z/OS
OMEGAMON XE WEBSPHERE MQ 390

Software version:

7.0, 7.0.1, 7.1.0

Operating system(s):

z/OS

Reference #:

1381495

Modified date:

2014-01-08
