Integration


This is an IBM Automation portal for Integration products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.


Add a new idea Subscribe
Status Not under consideration
Workspace App Connect
Created by Guest
Created on May 13, 2024

RELATED IDEAS

Allow mqsilist to be used by accounts not in the mqbrkrs group

As of ACE 12.0.12.1, IBM ships ACE with the mqsilist file/program having permissions that allow 'world' to read mqsilist, but not to execute it. A user has to be a member of the mqbrkrs group to execute mqsilist.  A Case with IBM confirmed this and advised against modifying the permissions to give 'world' permission to execute.

Given that mqslist can only read and not change, delete, add, stop or start anything it would be desirable to allow anyone to call mqsilist, and then let subsequent mq-based or file-based ACE Administration authorities determine what the user can or cannot list with mqsilist.

The primary use case for this RFE for us is to allow our CMDB Discovery tools to be given read only access to allow them to use mqsilist to find all ACE Execution Groups ('servers'), Applications and Message Flows plus relevant properties for each (short and long description). Today I would have to give that team 100% full admin access to ACE by placing their service account into the mqbrkrs group, just to run read only mqsilist.

Note that IBM MQ had this same issue with runmqsc, requiring the user to be a member of the mqm super group. In MQ 8.0, they lifted this restriction, let anyone execute runmqsc, and then relied on subsequent MQ authority records to determine what the user could successfully do with runmqsc access. I gave our CMDB team read only access via runmqsc.  We would like ACE to do the same for mqsilist.

Idea priority Medium
  • Admin
    Ben Thompson
    Reply
    |     May 20, 2024

    Idea Review. Thank you for taking the time to raise this enhancement request but unfortunately on this occasion we will not be taking this suggestion forward. For third party applications wanting to get access to information about integration nodes, integration servers and deployed applications/flows etc., the best approach is to use our public administration API as opposed to running a local mqsilist command and then scraping the responses from the command. Providing features to circumvent the use of mqbrkrs group membership for local commands results in a more complex user administration for the product as a whole and makes it harder to maintain consistency in approach across commands. Under the covers, the mqsilist command and other interfaces (Toolkit, web ui etc.) are now aligned to utilize our public administration API. The public admin API has a better defined interface, so would result in more maintainable code in the long run which is not susceptible to breakage should the output wording or behaviour of mqsilist were to change in future.

    https://www.ibm.com/docs/en/app-connect/12.0?topic=mrbuara-administering-applications-rest-apis-integration-services-by-using-administration-rest-api

    https://www.ibm.com/docs/en/app-connect/12.0?topic=mrbuara-administering-message-flows-by-using-administration-rest-api

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.