Set up the required security configuration in a Windows domain environment.

You can use Windows domain groups to organize different levels of authorization to selected WebSphere® Message Broker resources across your domain. To design and implement this domain group topology, add each domain group to the relevant local security groups on the domain workstations. You can now manage authorities by adding domain user accounts to the appropriate domain groups. For information about the group membership required to administer WebSphere Message Broker resources, see Security requirements for Windows systems.

- Design your authorization group categories, and define domain groups on the domain controller system that correspond to these authorization categories, by using Windows security.

  For example, suppose you have a single domain containing three distinct sets of systems, used in development, testing, and production. Within your organization, various user roles require different levels of authorization to WebSphere MQ and WebSphere Message Broker resources on those systems.

  Here is an example of how those authorization categories could map to domain groups:

| Domain group | Description |
| --- | --- |
| ADM-MQprd | WebSphere MQ administrator authorities on production machines |
| ADM-MQuat | WebSphere MQ administrator authorities on test machines |
| ADM-MQdev | WebSphere MQ administrator authorities on development machines |
| ADM-MBprd | WebSphere Message Broker administrator authorities on production machines |
| ADM-MBuat | WebSphere Message Broker administrator authorities on test machines |
| ADM-MBdev | WebSphere Message Broker administrator authorities on development machines |

- Define and configure domain user accounts on the domain controller, by using Windows security. Add each user account to one or more domain groups to determine the authorizations granted to that account. For example:

Table 1.

| Domain user account | Role | Group membership |
| --- | --- | --- |
| MQadmPRD | WebSphere MQ administrator for production systems | ADM-MQprd |
| MQadmUAT | WebSphere MQ administrator for test systems | ADM-MQuat |
| MQadmDEV | WebSphere MQ administrator for development systems | ADM-MQdev |
| MBadmPRD | WebSphere Message Broker administrator for production systems | ADM-MBprd |
| MBadmUAT | WebSphere Message Broker administrator for test systems | ADM-MBuat |
| MBadmDEV | WebSphere Message Broker administrator for development systems | ADM-MBdev |
| john.smith | WebSphere MQ and WebSphere Message Broker administrator for production environments | ADM-MQprd, ADM-MBprd |

- Install and configure WebSphere Message Broker on domain workstations.
  - Install WebSphere Message Broker on the workstation.
  - Add your domain groups to local groups mqm or mqbrkrs as appropriate. In our example, if a particular workstation is to serve as a development machine, add domain group ADM-MQdev to local group mqm, and domain group ADM-MBdev to local group mqbrkrs.
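
One way to script and check the last step on a workstation, as an added example (not IBM-supplied code). It uses the built-in Add-LocalGroupMember and Get-LocalGroupMember cmdlets; the domain name EXAMPLE and the -Environment and -Apply parameters are assumptions of this example.

```powershell
# Added example, not IBM-supplied code.
param(
    [ValidateSet('prd', 'uat', 'dev')]
    [string]$Environment = 'dev',   # role of this workstation
    [string]$Domain = 'EXAMPLE',    # assumption: placeholder NetBIOS domain name
    [switch]$Apply                  # without -Apply the script only reports
)

# Local group -> domain group, following the page's ADM-MQ<env> / ADM-MB<env> naming.
$expected = @{
    'mqm'     = "$Domain\ADM-MQ$Environment"
    'mqbrkrs' = "$Domain\ADM-MB$Environment"
}

foreach ($localGroup in $expected.Keys) {
    $wanted  = $expected[$localGroup]
    $members = @(Get-LocalGroupMember -Group $localGroup -ErrorAction Stop)

    # Step from the page: the environment's domain group must be in the local group.
    if ($members.Name -notcontains $wanted) {
        if ($Apply) {
            Add-LocalGroupMember -Group $localGroup -Member $wanted -ErrorAction Stop
            Write-Output "ADDED    $wanted -> $localGroup"
        } else {
            Write-Output "MISSING  $wanted -> $localGroup (rerun with -Apply to add)"
        }
    }

    # Least-privilege check: report memberships that do not match this workstation's role.
    foreach ($m in $members) {
        if ($m.Name -eq $wanted) { continue }
        if ($m.Name -match '\\ADM-M[QB](prd|uat|dev)$') {
            Write-Output "REVIEW   $($m.Name) in ${localGroup}: group for another environment or product"
        } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            Write-Output "REVIEW   $($m.Name) in ${localGroup}: domain user added directly, not through a domain group"
        }
    }
}
```

Adding members requires an elevated session. The REVIEW lines flag memberships that grant more than the workstation's role calls for, such as ADM-MQprd present in mqm on a development machine.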