By default, any MQe application can administer managed resources. The application can be running as a local application to the queue manager that is being managed, or it can be running on a different queue manager. It is important that the administration actions are secure, otherwise there is potential for the system to be misused. MQe provides the basic facilities for securing administration using queue-based security, as described in this information center.
If you use synchronous security, you can secure the administration queue by setting security characteristics on the queue. For example, you can set an authenticator so that the user must be authenticated to the operating system (Windows NT® or UNIX®) before they can perform administration actions. This can be extended so that only a specific user can perform administration.
The administration queue does not allow applications direct access to messages on the queue, the messages are processed internally. This means that messages put to the queue that have been secured with message level security cannot be unwrapped using the normal mechanism of providing an attribute on a get or browse request. However, a queue rule class can be applied to the administration queue to unwrap any secured messages so that they can be processed by the administration queue. The queue rule browseMessage() must be coded to perform this unwrap and allow administration to take place.