Security requirements depend on the administrative task that you want to perform.
The following tables summarize the requirements for administrative tasks. They show what group membership is required if you are using a local security domain that is defined on your local system.
Domain users in a multi-workstation domain, or from domains that are in a Windows transitive trust relationship with the local domain, can also perform these administrative tasks. They need to fulfill the group membership requirements that are specified in the tables. One way to set up this group membership is by adding the domain user to a domain group that is a member of the local group. For an example of how to set up security by using domain groups, see Security in a Windows domain environment.
Task | Command | Authorization |
---|---|---|
Create an integration node | | |
Delete an integration node | | |
Migrate an integration node | | |
Change an integration node | | |
Add or remove an integration node instance | | |
Backup or restore an integration node | | |
Start an integration node, or verify an integration node | | |
Stop an integration node | | |
Create an integration server | | |
Delete an integration server | | |
Start or stop a message flow | | |
Create or delete a configurable service | | |
List integration nodes | | |
Show integration node properties | mqsireportflowmonitoring command | |
Change properties | mqsichangeflowmonitoring command | |
Set and update passwords | | |
List set parameters that are on an integration node | | |
Report or update an integration node mode | | |
Deploy an object to an integration node | | |
Reload an integration node, integration server, or security | | |
Trace an integration node | | |
Create the mqbrkrs group and add current user. | | |
Install, uninstall, or list .NET assemblies in the Global Assembly Cache | | |
Global cache administration | | |
Run commands that require elevated privileges | | |
Set up symbolic links that are needed for coordinated transactions | | |
Package a BAR file | | |
Create or modify a web user account | | |
Change the administration security authorization mode | | |
Show the current administration security authorization mode | | |
Change file-based permissions | | |
Show the current file-based permissions | | |
Run an integration node (service user ID)1 | | |
Running an integration node (WebSphere MQ fast path on) (service user ID)1 2 | | |
This access is granted even if you set a non-default location, by using the -w flag on the mqsicreatebroker command, or use the -e flag on the mqsicreatebroker command to create a multi-instance integration node. If the access is changed manually, you must ensure that the mqbrkrs group has appropriate access to the directories in the product directory tree.
```
setmqaut -m IBNODE -n TEST_INPUT -t queue -g mqbrkrs +get +inq
setmqaut -m IBNODE -n TEST_OUTPUT -t queue -g mqbrkrs +put +inq +setall
```
On all Windows platforms, there is no requirement for the service user ID to be a member of the Administrators group. The only requirement is that the service user ID is a member of the mqbrkrs group. In addition, the LocalSystem, LocalService, or NetworkService accounts can be used as the service user ID by using the -i parameter on the mqsicreatebroker command, and specifying the account name. No password is required for these accounts.
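A least-privilege check for the service user ID rule above, as an added PowerShell example that is not part of the original documentation. The function name `Test-ServiceIdPrivilege`, the host and account names, and the member lists are constructed for illustration, and matching on the account name alone is an assumption.

```powershell
# Added example: least-privilege check for an integration node service user ID.
# Member lists below are constructed sample data; on a live host collect them with
#   (Get-LocalGroupMember -Group 'mqbrkrs').Name
#   (Get-LocalGroupMember -Group 'Administrators').Name
function Test-ServiceIdPrivilege {
    param(
        [Parameter(Mandatory)][string] $ServiceId,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]] $MqbrkrsMembers,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]] $AdminMembers
    )
    # Built-in accounts that can be given with -i; reported here, not judged.
    $builtIn = 'LocalSystem', 'LocalService', 'NetworkService'
    # Compare on the account part only, so 'HOST\svc' matches 'svc'
    # (assumption: account names are unique across the domains involved).
    $leaf = { param($n) ($n -split '\\')[-1] }
    $id   = & $leaf $ServiceId
    $inMqbrkrs = @($MqbrkrsMembers | Where-Object { (& $leaf $_) -eq $id }).Count -gt 0
    $inAdmins  = @($AdminMembers   | Where-Object { (& $leaf $_) -eq $id }).Count -gt 0

    $findings = @()
    if ($builtIn -contains $id) {
        $findings += 'built-in account: review separately'
    } else {
        if (-not $inMqbrkrs) { $findings += 'not a direct member of mqbrkrs (check nested domain groups)' }
        if ($inAdmins)       { $findings += 'member of Administrators: not required for the service user ID' }
    }
    [pscustomobject]@{
        ServiceId = $ServiceId
        InMqbrkrs = $inMqbrkrs
        InAdmins  = $inAdmins
        Findings  = $findings
    }
}

# Constructed sample data (hypothetical host, domain and account names).
$mqbrkrs = 'HOST01\ibsvc', 'CORP\IIB-Admins'
$admins  = 'HOST01\Administrator', 'HOST01\legacysvc'

'HOST01\ibsvc', 'HOST01\legacysvc', 'LocalSystem' | ForEach-Object {
    Test-ServiceIdPrivilege -ServiceId $_ -MqbrkrsMembers $mqbrkrs -AdminMembers $admins
} | Format-List
```

`Get-LocalGroupMember` lists a nested domain group as a single member and does not expand it, so a service user ID that receives mqbrkrs membership through a domain group is reported as not a direct member and needs a separate domain-side check.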