Security requirements for Windows platforms

The following table summarizes the security requirements for the WebSphere Business Integration Message Broker administrative tasks. It illustrates what group membership is required if you are using a local security domain defined on your local system SALONE, or a primary domain named PRIMARY, or a trusted domain named TRUSTED. The contents of this table assume that you have created both the Configuration Manager and the User Name Server with the same security domain.

Each task below lists its requirements under the three columns of the table: Local domain (SALONE); Primary domain (PRIMARY), which also covers a Windows single domain named PRIMARY; and Trusted domain (TRUSTED), which also covers a Windows parent/child domain in a domain tree named TRUSTED.

Creating broker, Configuration Manager, User Name Server
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of Administrators
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of SALONE\Administrators

Changing broker, Configuration Manager, User Name Server
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of Administrators
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of SALONE\Administrators

Deleting broker, Configuration Manager, User Name Server
  Local domain (SALONE):
    • Member of Administrators
  Primary domain (PRIMARY):
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Member of SALONE\Administrators

Starting broker, Configuration Manager, User Name Server
  Local domain (SALONE):
    • Member of Administrators
  Primary domain (PRIMARY):
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Member of SALONE\Administrators

Listing broker, Configuration Manager, User Name Server
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs

Changing, displaying, retrieving trace information
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs

Running User Name Server (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs

Running Configuration Manager (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
    • Member of mqm
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
    • Member of SALONE\mqm (see note 1)
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
    • Member of SALONE\mqm (see note 2)

Running broker (WebSphere MQ fastpath off) (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs

Running broker (WebSphere MQ fastpath on) (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
    • Member of mqm
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
    • Member of SALONE\mqm
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
    • Member of SALONE\mqm

Clearing, joining, listing WebSphere MQ Publish/Subscribe brokers
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs

Running Message Brokers Toolkit for WebSphere Studio (see note 3)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE (see note 4). For example, SALONE\User1 is valid; PRIMARY\User2 and TRUSTED\User3 are not.
    • Member of one or more of mqbrasgn, mqbrdevt, mqbrops, mqbrtpic
  Primary domain (PRIMARY), domain awareness not enabled:
    • Must be a user ID defined in PRIMARY (see note 4). For example, PRIMARY\User2 is valid; SALONE\User1 and TRUSTED\User3 are not.
    • Member of one or more of PRIMARY\Domain mqbrasgn, PRIMARY\Domain mqbrdevt, and so on.
  Primary domain (PRIMARY), domain awareness enabled:
    • Can be a domain user ID from any trusted domain or, for Windows 2000, from a domain that has a transitive trust relationship with a peer domain.
    • Must be a member of SALONE\mqbrasgn, SALONE\mqbrdevt, and so on. See note 5.
  Trusted domain (TRUSTED), domain awareness not enabled:
    • Must be a user ID defined in TRUSTED (see note 4). For example, TRUSTED\User3 is valid; SALONE\User1 and PRIMARY\User2 are not.
    • Member of one or more of TRUSTED\Domain mqbrasgn, TRUSTED\Domain mqbrdevt, and so on.
  Trusted domain (TRUSTED), domain awareness enabled:
    • Can be a domain user ID from any trusted domain or, for Windows 2000, from a domain that has a transitive trust relationship with a peer domain.
    • Must be a member of SALONE\mqbrasgn, SALONE\mqbrdevt, and so on. See note 5.

Running publish/subscribe applications
  Local domain (SALONE):
    • Must be a user ID defined in SALONE. For example, SALONE\User1 is valid; PRIMARY\User2 and TRUSTED\User3 are not.
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY. For example, PRIMARY\User2 is valid; SALONE\User1 and TRUSTED\User3 are not.
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED. For example, TRUSTED\User3 is valid; SALONE\User1 and PRIMARY\User2 are not.

Notes:
  1. If you are running in a primary domain, you can also:
    • Define the user ID in the domain PRIMARY.
    • Add this ID to the group PRIMARY\Domain mqm.
    • Add the PRIMARY\Domain mqm group to the group SALONE\mqm.
  2. If you are running in a trusted domain, you can also:
    • Define the user ID in the domain TRUSTED.
    • Add this ID to the group TRUSTED\Domain mqm.
    • Add the TRUSTED\Domain mqm group to the group SALONE\mqm.
  3. All Message Brokers Toolkit for WebSphere Studio users need read access to the WebSphere MQ java\lib subdirectory of the WebSphere MQ home directory (the default is X:\Program Files\WebSphere MQ, where X: is the operating system disk). This access is restricted to users in the local group mqm by WebSphere MQ. WebSphere Business Integration Message Broker installation overrides this restriction and gives read access for this subdirectory to all users.
  4. If a valid user ID is defined in the domain used by the Configuration Manager (for example, PRIMARY\User4), an identical user defined in a different domain (for example, DOMAIN2\User4) can access the Message Brokers Toolkit for WebSphere Studio with the authorities of PRIMARY\User4.
  5. For both domain awareness enabled and domain awareness disabled, if Message Brokers Toolkit for WebSphere Studio ACLs are used, user IDs must be members of any local ACL groups created on SALONE.
  6. Ensure that the service user ID has the required access to relevant directories of the product directory tree; for example, write access to the logs directory. If a workpath other than the default has been set for any component, ensure that the service user ID has appropriate access to this location.
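As an added example that is not part of the original page or the product, the following PowerShell script checks a service user ID against the "Running ..." rows of the table above, including the nesting of a Domain mqm group into SALONE\mqm described in notes 1 and 2. It assumes it runs on the broker machine (SALONE) as an administrator with the net command available; the role names and the role-to-group map are the editor's transcription of the table.

```powershell
# Added example, not from the page: audit a service user ID's group membership against the table above.
# Assumes it runs on the broker machine (SALONE) as an administrator and that the role map transcribes the table.
param(
    [Parameter(Mandatory)] [string] $UserId,   # 'svcbroker' (local user) or 'PRIMARY\svcbroker' (domain user)
    [ValidateSet('BrokerFastpathOff', 'BrokerFastpathOn', 'ConfigurationManager', 'UserNameServer')]
    [string] $Role = 'BrokerFastpathOff'
)
# Groups from the "Running ..." rows; mqm grants full WebSphere MQ administration, so only the Configuration Manager and a fastpath-on broker need it.
$required = @{
    BrokerFastpathOff    = @('mqbrkrs')
    BrokerFastpathOn     = @('mqbrkrs', 'mqm')
    ConfigurationManager = @('mqbrkrs', 'mqm')
    UserNameServer       = @('mqbrkrs')
}
$domain, $name = $UserId -split '\\', 2
$isDomainUser = [bool]$name
if (-not $isDomainUser) { $name = $domain; $domain = $env:COMPUTERNAME }
# "net localgroup <g>" lists members between the dashed line and the trailer; domain members appear as
# "DOMAIN\user" or, when nested as in notes 1 and 2, as "DOMAIN\Domain <g>".
function Get-LocalGroupMembers([string] $Group) {
    $out = net localgroup $Group 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }        # group does not exist on this machine
    $list = @(); $inList = $false
    foreach ($line in $out) {
        $t = $line.Trim()
        if ($t -match '^-{5,}$') { $inList = $true; continue }
        if ($t -match '^The command completed') { break }
        if ($inList -and $t) { $list += $t }
    }
    return ,$list
}
# "net user <name> /domain" prints every group membership of a domain account as a "*Group" token.
function Get-DomainGroups([string] $Name) {
    $out = (net user $Name /domain 2>$null) -join "`n"
    return @([regex]::Matches($out, '\*([^*\r\n]+)') | ForEach-Object { $_.Groups[1].Value.Trim() })
}
$ok = $true
foreach ($group in $required[$Role]) {
    if ($isDomainUser -and $group -eq 'mqbrkrs') {   # the table puts mqbrkrs in the user's own domain
        $where = "$domain\Domain $group"
        $have = (Get-DomainGroups $name) -contains "Domain $group"
    } else {                                          # mqm is local to SALONE; nesting allowed per notes 1 and 2
        $where = "$env:COMPUTERNAME\$group"
        $members = Get-LocalGroupMembers $group
        $have = $members -and (($members -contains $name) -or ($members -contains "$domain\$name") -or
                               ($isDomainUser -and ($members -contains "$domain\Domain $group")))
    }
    if ($have) { "OK: $UserId is a member of $where" } else { Write-Warning "MISSING: $UserId is not in $where"; $ok = $false }
}
if (-not $ok) { exit 1 }
```

A non-zero exit code means at least one required membership is missing, which makes the script usable as a pre-start check for the broker, Configuration Manager or User Name Server service account.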

Related concepts
Security for runtime resources

Related tasks
Setting up broker domain security
Enabling topic-based security

Related reference
mqsicreateaclgroup command
mqsideleteaclgroup command
mqsilistaclgroup command