Several factors must be considered when you decide which users can run broker commands and which users can control security for other broker resources.
When you decide which users are to perform the different tasks, consider the following points:
When you run the mqsistart command with a user ID that is a member of both the mqm and mqbrkrs groups, that user ID becomes the user ID under which the broker component process runs.
When you run the mqsicreatebroker command, the local mqbrkrs group is granted access to the internal queues whose names begin with the characters SYSTEM.BROKER. Do not change this ACL; it is required for the broker to function correctly.
The Configuration Manager that controls the broker puts messages to SYSTEM.BROKER.ADMIN.QUEUE. If your Configuration Manager is on the same computer as your broker, its service ID is already in the mqbrkrs group, so no further action is required. If the Configuration Manager is on a different computer, ensure that its service ID is defined to the computer that is running the broker, and ensure that it has WebSphere® MQ authority to put messages to SYSTEM.BROKER.ADMIN.QUEUE.
If you use collectives for publish/subscribe, other brokers in your domain must put messages to SYSTEM.BROKER.INTERBROKER.QUEUE. Therefore, their service IDs require authority to put messages to that queue.
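The two grants described above (a remote Configuration Manager's service ID on SYSTEM.BROKER.ADMIN.QUEUE, and collective peers' service IDs on SYSTEM.BROKER.INTERBROKER.QUEUE) need only put authority, nothing more. The following script is an added example, not part of the WebSphere Message Broker documentation or product: it grants exactly +put with setmqaut and then audits the recorded ACL with dspmqaut, flagging any authority beyond the allow list. The queue manager name QM_BROKER and the service IDs cfgmgr and brk2svc are hypothetical; the expected dspmqaut output shape (a header line followed by one indented authority keyword per line) is what the parsing functions assume. Leave the mqbrkrs group ACL created by mqsicreatebroker alone; this only adds entries for the remote IDs.

```shell
#!/bin/sh
# Added example for this page; not part of the WebSphere Message Broker
# documentation. Grants only +put on a SYSTEM.BROKER.* queue to a remote
# service ID, then audits the result with dspmqaut so the Configuration
# Manager (or a collective peer) holds exactly the authority the text needs.
# Hypothetical names: queue manager QM_BROKER, Configuration Manager service
# ID cfgmgr, collective peer service ID brk2svc.

QMGR="${QMGR:-QM_BROKER}"

# All WebSphere MQ control commands go through this hook so a dry run can
# print them instead of executing them (MQ_DRY_RUN=1).
mq_run() {
  if [ "${MQ_DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Grant exactly +put on a queue to a principal. Least privilege: no +all and
# no +setall/+setid, which would let the principal set message context.
grant_put() {
  principal="$1"
  queue="$2"
  mq_run setmqaut -m "$QMGR" -t queue -n "$queue" -p "$principal" +put
}

# Show the authorities recorded for a principal on a queue.
show_authorities() {
  mq_run dspmqaut -m "$QMGR" -t queue -n "$2" -p "$1"
}

# Read dspmqaut output on stdin; succeed if the named authority is listed.
# Assumes a header line, then one indented authority keyword per line.
has_authority() {
  awk -v want="$1" 'NR > 1 && $1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Read dspmqaut output on stdin; print every authority not in the
# comma-separated allow list. Empty output means the ACL is as tight as intended.
excess_authorities() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR > 1 && $1 != "" && !($1 in ok) { print $1 }'
}

# Usage: ./broker_acl.sh <serviceid> <queue> [allowed-list]
main() {
  grant_put "$1" "$2"
  extra=$(show_authorities "$1" "$2" | excess_authorities "${3:-put}")
  if [ -n "$extra" ]; then
    echo "WARNING: $1 holds more than intended on $2: $extra" >&2
    return 1
  fi
}

# Only act when called with arguments, for example:
#   ./broker_acl.sh cfgmgr  SYSTEM.BROKER.ADMIN.QUEUE
#   ./broker_acl.sh brk2svc SYSTEM.BROKER.INTERBROKER.QUEUE
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run it on the broker's computer with a user ID in the mqm group, once per remote service ID and queue. On UNIX systems, check whether your WebSphere MQ release records queue authorities per group rather than per user; if it does, grant with -g to a dedicated group that contains the service ID instead of -p. Run the audit again after any change to the broker's queue manager so that a later, broader grant (for example +all given during troubleshooting) does not silently remain on an internal queue.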