Considering security for the workbench

This task describes the factors that determine which users can perform actions in the workbench, and how the Configuration Manager establishes who a workbench user is.

Consider the following:

  1. Are you running with domain awareness enabled?
  2. Are you running with domain awareness disabled?
  3. Securing the channel between the workbench and the Configuration Manager

Ensure that the IDs of the users who will run the workbench are not more than eight characters long.

Are you running with domain awareness enabled?

It is recommended that you run with domain awareness enabled. With this option, the domain name of a workbench user is sent with the user ID to the Configuration Manager, so that the Configuration Manager checks the domain-qualified identity (for example DOMAIN1\user1) rather than the bare user ID, which increases security. Assume that you are running the Configuration Manager on a computer named WKSTN1, which is a member of a domain named DOMAIN1. Users from DOMAIN2 also want to use the workbench. Perform the following steps:

  1. When you are using the User Definition role model, add the domain user IDs, for example DOMAIN1\user1 and DOMAIN2\user2, to the local groups: WKSTN1\mqbrasgn, WKSTN1\mqbrdevt, WKSTN1\mqbrops, and WKSTN1\mqbrtpic. You can nest group membership. For example, add DOMAIN1\user1 to global group DOMAIN1\authusers, then add DOMAIN1\authusers to WKSTN1\mqbrops.

    When you are using the Object level model and you are using ACL security, add any domain users or groups to the local groups that you will be using in your ACLs.

  2. When you create the Configuration Manager:
    1. Do not set the -d option on the mqsicreateconfigmgr command. The Configuration Manager then checks the local groups on WKSTN1 for user group membership.
    2. Set the -l option to 2. This value indicates domain awareness.

When you start the workbench, it automatically sends the domain information for your user ID to the Configuration Manager. The Configuration Manager uses that domain information only if domain awareness is enabled on the Configuration Manager.

Note: If you are running a Configuration Manager with one user ID and a broker with a different user ID on another computer, you might see an error message when trying to deploy message flows and message sets to the broker. To avoid this, do the following:
  • Ensure that the broker's user ID is a member of the mqm and mqbrkrs groups.
  • Define the broker's user ID on the computer where the Configuration Manager is running.
  • Define the Configuration Manager's user ID on the computer where the broker is running.
  • Ensure that all IDs are in lowercase so that they are compatible between computers.

Are you running with domain awareness disabled?

You can set domain awareness to disabled, but running with this option means that the domain information for the workbench user is not flowed with the userid information, thus reducing security. It is therefore recommended that you run with domain awareness enabled.

To set domain awareness to disabled, answer the following questions:

  1. Are your workbench users drawn from a local domain?
    1. No: Go to the next question.
    2. Yes: You can either omit the -d option from the mqsicreateconfigmgr command, or set the option to the name of the local computer. You should also set the -l option to 2.

      For the User Definition role model, ensure that workbench users are members of the local groups: mqbrasgn, mqbrdevt, mqbrops, and mqbrtpic.

      With the Object level model, if you are using ACL security, you must add any users to the local groups that you will be using in your ACLs.

      Go to Securing the channel between the workbench and the Configuration Manager.

  2. Are your workbench users drawn from another domain?
    1. Yes: Ensure that you set the -d option on the mqsicreateconfigmgr command to the domain that the Configuration Manager uses to obtain user group membership. Also set the -l option to 2.
      With the User Definition role model, the tasks that a user can perform depend on that user's membership of the global groups in that domain:
      • <domain>\mqbrasgn
      • <domain>\mqbrdevt
      • <domain>\mqbrops
      • <domain>\mqbrtpic
      For more information about the authorizations that membership of these groups confers, refer to Security requirements for Windows platforms.

      With the Object level model, if you are using ACL security, add any domain users or groups to the local groups that you will be using in your ACLs.
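The following script is an added example, not part of the original topic or of the product, that carries out the group setup and the mqsicreateconfigmgr call for both of the cases above: users checked against the local groups on the Configuration Manager computer (no -d option), and users checked against the global groups of another domain (-d set to that domain). It assumes that it runs as an administrator in the WebSphere Message Broker Command Console, so that mqsicreateconfigmgr is on the path; that the service user ID, password and queue manager are passed with the standard -i, -a and -q options, which this topic does not discuss; and that the computer, user, group and Configuration Manager names are hypothetical. It also enforces the eight-character user ID limit and the lowercase recommendation from this topic.

```powershell
# Added example (not from the original topic): prepare a Windows computer to run a
# Configuration Manager with domain awareness (-l 2), for the User Definition role model.
# Assumes the WebSphere Message Broker Command Console environment and administrator rights.
# All names below are hypothetical.
param(
    [string]$ConfigMgrName = 'CMGR1',
    [string]$QueueManager  = 'CMGRQM',
    [string]$ServiceUser   = 'mqsiuser',
    [string]$ServicePass   = 'secret',
    # Domain users that will run the workbench (DOMAIN\user form, as in the topic).
    [string[]]$WorkbenchUsers = @('DOMAIN1\user1', 'DOMAIN2\user2'),
    # Optional global groups to nest in the local groups instead of individual users,
    # for example 'DOMAIN1\authusers'. Group names are not subject to the 8-character limit.
    [string[]]$NestedGroups = @(),
    # Leave empty to use the local groups (omit -d); set to a domain name, for example
    # 'DOMAIN2', to have the Configuration Manager check that domain's global groups (-d).
    [string]$UserDomain = ''
)

# The four role groups the User Definition role model uses, on either the local computer or the domain.
$roleGroups = 'mqbrasgn', 'mqbrdevt', 'mqbrops', 'mqbrtpic'

# The topic requires user IDs of at most eight characters, and recommends lowercase IDs
# so that they are compatible between computers.
function Test-WorkbenchUserId {
    param([string]$Account)
    $id = ($Account -split '\\')[-1]     # strip the DOMAIN\ prefix
    if ($id.Length -gt 8) {
        throw "User ID '$id' is longer than eight characters and cannot be used with the workbench."
    }
    if ($id -cne $id.ToLower()) {
        Write-Warning "User ID '$id' is not lowercase; lowercase IDs are recommended so that they match across computers."
    }
}

# Add an account (user or group) to a local group; error 1378 means it is already a member.
function Add-ToLocalGroup {
    param([string]$Group, [string]$Account)
    $out = & net localgroup $Group $Account /add 2>&1
    if ($LASTEXITCODE -ne 0 -and -not ($out -match '1378')) {
        throw "net localgroup $Group $Account /add failed: $out"
    }
}

# Confirm that the local group now lists the account, so a typo does not silently lock a user out.
function Assert-LocalGroupMember {
    param([string]$Group, [string]$Account)
    $members = & net localgroup $Group
    if (-not ($members | Where-Object { $_.Trim() -eq $Account })) {
        throw "$Account is not a member of local group $Group"
    }
}

foreach ($u in $WorkbenchUsers) { Test-WorkbenchUserId $u }

$createArgs = @($ConfigMgrName, '-i', $ServiceUser, '-a', $ServicePass, '-q', $QueueManager, '-l', '2')

if ($UserDomain -eq '') {
    # Case 1 (no -d): membership is checked in this computer's local groups, so the domain users
    # (or nested global groups) must be placed in the local role groups here.
    foreach ($g in $roleGroups) {
        foreach ($acct in ($WorkbenchUsers + $NestedGroups)) {
            Add-ToLocalGroup -Group $g -Account $acct
            Assert-LocalGroupMember -Group $g -Account $acct
        }
    }
} else {
    # Case 2 (-d): membership is checked in the global groups <domain>\mqbrasgn, <domain>\mqbrdevt,
    # <domain>\mqbrops and <domain>\mqbrtpic. Those groups are maintained by the domain
    # administrator, not by this script, so only the option is set here.
    $createArgs += @('-d', $UserDomain)
}

& mqsicreateconfigmgr @createArgs
if ($LASTEXITCODE -ne 0) {
    throw "mqsicreateconfigmgr returned $LASTEXITCODE"
}
```

Run the script with no -UserDomain for the first case, or with -UserDomain DOMAIN2 for the second. If you use the Object level model with ACL security instead, replace $roleGroups with the local group names that your ACLs refer to; the membership check is the same.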

For additional security, run with both domain awareness and security exits enabled. For more information about security exits, refer to Security exits.

Turning off the toolkit domain awareness

The toolkit sends the user and domain name to the Configuration Manager queue manager, regardless of the domain awareness setting on the Configuration Manager. This can cause problems connecting to the queue manager, because of the security checks that apply when the toolkit connects, puts or gets messages.

To turn off domain awareness on the toolkit, run the toolkit in the following way:
  1. Change to the <install_wbimb_dir>\eclipse directory.
  2. Run the toolkit with the command mqsistudio -vmargs -DDomainAware=0.
Alternatively, modify the shortcut that runs the toolkit and append -vmargs -DDomainAware=0 to its command line.

Go to Securing the channel between the workbench and the Configuration Manager.

Securing the channel between the workbench and the Configuration Manager

Create and enable a pair of security exits to run at the workbench and Configuration Manager ends of the connection. Use these exits to verify workbench users with the Windows security manager on the Configuration Manager computer.
For more information about creating and enabling security exits, refer to Security exits.
Related tasks
Using security exits