Security requirements for Windows platforms

The following table summarizes the security requirements for the WebSphere Event Broker administrative tasks. It illustrates what group membership is required if you are using a local security domain defined on your local system SALONE, or a primary domain named PRIMARY, or a trusted domain named TRUSTED. The contents of this table assume that you have created both the Configuration Manager and the User Name Server with the same security domain.

The requirements for each task are listed under three headings, one for each column of the original table: Local domain (SALONE); Primary domain (PRIMARY) / Windows Single domain (PRIMARY); and Trusted domain (TRUSTED) / Windows Parent/Child domain in domain tree (TRUSTED).

Creating a broker, Configuration Manager, User Name Server, or database (with mqsicreatedb)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of Administrators
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of SALONE\Administrators
Changing a broker, Configuration Manager, User Name Server, or DatabaseInstanceMgr
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of Administrators
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of SALONE\Administrators
Deleting a broker, Configuration Manager, User Name Server, or database (with mqsideletedb)
  Local domain (SALONE):
    • Member of Administrators
  Primary domain (PRIMARY):
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Member of SALONE\Administrators
Starting a broker, Configuration Manager, User Name Server, or DatabaseInstanceMgr
  Local domain (SALONE):
    • Member of Administrators
  Primary domain (PRIMARY):
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Member of SALONE\Administrators
Listing a broker, Configuration Manager, User Name Server, or DatabaseInstanceMgr
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • User ID must have the authority to query the registry values under the WebSphereMQIntegrator entry in the registry.
    • Member of mqbrkrs if issuing the command: mqsilist <broker name> <execution group name>.
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • User ID must have the authority to query the registry values under the WebSphereMQIntegrator entry in the registry.
    • Member of PRIMARY\Domain mqbrkrs if issuing the command: mqsilist <broker name> <execution group name>.
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • User ID must have the authority to query the registry values under the WebSphereMQIntegrator entry in the registry.
    • Member of TRUSTED\Domain mqbrkrs if issuing the command: mqsilist <broker name> <execution group name>.
Changing, displaying, or retrieving trace information
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
Running a User Name Server (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
Running a DatabaseInstanceMgr (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
Running a Configuration Manager (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
    • Member of mqm
    • Member of Administrators
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
    • Member of SALONE\mqm (see note 1)
    • Member of SALONE\Administrators
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
    • Member of SALONE\mqm (see note 2)
    • Member of SALONE\Administrators
Running a broker (WebSphere MQ fastpath off) (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
Running a broker (WebSphere MQ fastpath on) (service user ID)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
    • Member of mqm
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
    • Member of SALONE\mqm
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
    • Member of SALONE\mqm
Clearing, joining, or listing WebSphere MQ Publish/Subscribe brokers
  Local domain (SALONE):
    • Must be a user ID defined in SALONE
    • Member of mqbrkrs
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY
    • Member of PRIMARY\Domain mqbrkrs
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED
    • Member of TRUSTED\Domain mqbrkrs
Running a Message Brokers Toolkit (see note 3)
  Local domain (SALONE):
    • Must be a user ID defined in SALONE (see note 4). For example, SALONE\User1 is valid; PRIMARY\User2 and TRUSTED\User3 are not.
  Primary domain (PRIMARY):
    • For both domain awareness enabled and domain awareness disabled, when using Message Brokers Toolkit ACLs, user IDs must be members of any local ACL groups created on SALONE.
  Trusted domain (TRUSTED):
    • For both domain awareness enabled and domain awareness disabled, when using Message Brokers Toolkit ACLs, user IDs must be members of any local ACL groups created on SALONE.
Running publish/subscribe applications
  Local domain (SALONE):
    • Must be a user ID defined in SALONE. For example, SALONE\User1 is valid; PRIMARY\User2 and TRUSTED\User3 are not.
  Primary domain (PRIMARY):
    • Must be a user ID defined in PRIMARY. For example, PRIMARY\User2 is valid; SALONE\User1 and TRUSTED\User3 are not.
  Trusted domain (TRUSTED):
    • Must be a user ID defined in TRUSTED. For example, TRUSTED\User3 is valid; SALONE\User1 and PRIMARY\User2 are not.
Notes:
  1. If you are running in a primary domain, you can also:
    • Define the user ID in the domain PRIMARY.
    • Add this ID to the group PRIMARY\Domain mqm.
    • Add the PRIMARY\Domain mqm group to the group SALONE\mqm.
  2. If you are running in a trusted domain, you can also:
    • Define the user ID in the domain TRUSTED.
    • Add this ID to the group TRUSTED\Domain mqm.
    • Add the TRUSTED\Domain mqm group to the group SALONE\mqm.
  3. All Message Brokers Toolkit users need read access to the WebSphere MQ java\lib subdirectory of the WebSphere MQ home directory (the default is X:\Program Files\WebSphere MQ, where X: is the operating system disk). This access is restricted to users in the local group mqm by WebSphere MQ. WebSphere Event Broker installation overrides this restriction and gives read access for this subdirectory to all users.
  4. If a valid user ID is defined in the domain used by the Configuration Manager (for example, PRIMARY\User4), an identical user defined in a different domain (for example, DOMAIN2\User4) can access the Message Brokers Toolkit with the authorities of PRIMARY\User4.
  5. Ensure that the service user ID has the required access to relevant directories of the product directory tree; for example, write access to the logs directory. If a workpath other than the default has been set for any component, ensure that the services user ID has appropriate access to this location.
  6. If you are running a Configuration Manager with one user ID and a broker with a different user ID on another computer, you might see an error message when trying to deploy message flows to the broker. To avoid this, do the following:
    • Ensure that the broker's user ID is a member of the mqm and mqbrkrs groups.
    • Define the broker's user ID on the computer where the Configuration Manager is running.
    • Define the Configuration Manager's user ID on the computer where the broker is running.
    • Ensure that all IDs are in lowercase so that they are compatible between computers.
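The following PowerShell script is an added example and is not part of the IBM documentation or the product. It reports whether a given service user ID holds the local group memberships that the "Running a ..." rows above require for a service role. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, run as a local administrator on the broker computer (SALONE in the table); the role names and the sample account names are labels chosen for the example. For a domain account the table requires membership of a domain group such as PRIMARY\Domain mqbrkrs, which this script cannot enumerate; instead it reports any domain groups nested in the local group (the arrangement notes 1 and 2 describe) so that their membership can be verified separately.

```powershell
# Added example (not from the IBM documentation): check a service user ID
# against the local group memberships the table above lists per service role.
# Assumptions: Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts),
# run as a local administrator on the broker computer (SALONE in the table).
# Role names are labels chosen here, not product identifiers.

# Local groups required per service role, taken from the "Running a ..." rows.
$script:RequiredGroups = @{
    Broker          = @('mqbrkrs')                            # fastpath off
    BrokerFastpath  = @('mqbrkrs', 'mqm')                     # fastpath on
    ConfigMgr       = @('mqbrkrs', 'mqm', 'Administrators')
    UserNameServer  = @('mqbrkrs')
    DbInstanceMgr   = @('mqbrkrs')
}

function Test-BrokerServiceGroups {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Account,   # e.g. 'SALONE\svcbroker' or 'PRIMARY\svcbroker' (constructed names)
        [Parameter(Mandatory)]
        [ValidateSet('Broker', 'BrokerFastpath', 'ConfigMgr', 'UserNameServer', 'DbInstanceMgr')]
        [string] $Role
    )

    # Get-LocalGroupMember reports names qualified as COMPUTER\user or DOMAIN\user.
    if ($Account -notmatch '\\') { $Account = "$env:COMPUTERNAME\$Account" }
    $localPrefix = '^(' + [regex]::Escape($env:COMPUTERNAME) + '|BUILTIN|NT AUTHORITY)\\'

    foreach ($group in $script:RequiredGroups[$Role]) {
        try {
            $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
        } catch {
            # mqm and mqbrkrs exist only once WebSphere MQ and the broker are installed.
            [pscustomobject]@{ Group = $group; Status = 'GROUP MISSING'; Detail = $_.Exception.Message }
            continue
        }

        $direct = $members | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -eq $Account }
        # Domain groups nested in the local group, e.g. PRIMARY\Domain mqm inside SALONE\mqm (note 1).
        $nested = @($members |
            Where-Object { $_.ObjectClass -eq 'Group' -and $_.Name -notmatch $localPrefix } |
            ForEach-Object { $_.Name })

        if ($direct) {
            [pscustomobject]@{ Group = $group; Status = 'OK'; Detail = 'direct member' }
        } elseif ($nested.Count -gt 0) {
            [pscustomobject]@{ Group = $group; Status = 'VERIFY'
                               Detail = "not a direct member; check membership of nested domain group(s): $($nested -join ', ')" }
        } else {
            [pscustomobject]@{ Group = $group; Status = 'MISSING'; Detail = 'not a member, and no domain group is nested' }
        }
    }
}

# Usage: a Configuration Manager service ID must be in mqbrkrs, mqm and Administrators.
Test-BrokerServiceGroups -Account 'SALONE\svcconfigmgr' -Role ConfigMgr | Format-Table -AutoSize
```

A MISSING result for a domain account on mqbrkrs is expected when the account is placed only in the domain's Domain mqbrkrs group; the VERIFY status appears as soon as that domain group is nested in the local group, which is the configuration notes 1 and 2 describe for mqm.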

Broker security changes with Windows 2000 and Windows XP

On Windows 2000 and Windows XP, the service user ID must be a member of the mqbrkrs group and optionally a member of the Administrators group. As a member of the Administrators group, the service user ID has permission to access the registry keys of the broker so that it can access broker information. If the service user ID does not belong to the Administrators group, you can edit the Windows registry so that the service user ID can access the registry keys without having Administrators permissions.
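The following PowerShell function is an added example, not the documentation's own procedure, showing one way to give a non-administrator service user ID read access to the broker registry keys so that it can run with mqbrkrs membership alone. It assumes it is run as an administrator, and the default key path is an assumption based on the WebSphereMQIntegrator registry entry named in the table above; confirm the path against your installation before applying the change. The account name is a constructed example.

```powershell
# Added example (not from the IBM documentation): grant a service user ID read
# access to the broker registry keys instead of Administrators membership.
# Assumptions: run as an administrator; the default key path below is an
# assumption based on the WebSphereMQIntegrator entry the table mentions.

function Grant-BrokerRegistryRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Account,                        # e.g. 'SALONE\svcbroker' (constructed name)
        [string] $KeyPath = 'HKLM:\SOFTWARE\IBM\WebSphereMQIntegrator'   # assumed path; verify on your system
    )

    if (-not (Test-Path -Path $KeyPath)) { throw "Registry key not found: $KeyPath" }

    # Resolve the account to a SID first; a mistyped name would otherwise fail
    # here rather than be written into the ACL as an unresolved entry.
    $sid = ([System.Security.Principal.NTAccount] $Account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -Path $KeyPath

    # Show what the account already holds on the key, if anything.
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    foreach ($ace in $existing) {
        Write-Verbose ("existing: {0} {1} on {2}" -f $ace.AccessControlType, $ace.RegistryRights, $KeyPath)
    }

    # ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions: enough to
    # read broker configuration, without the write rights Administrators would carry.
    # ContainerInherit propagates the entry to the subkeys beneath the entry.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    if ($PSCmdlet.ShouldProcess($KeyPath, "grant ReadKey to $Account")) {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $KeyPath -AclObject $acl
        Write-Verbose "granted ReadKey to $Account on $KeyPath"
    }
}

# Dry run first: -WhatIf prints the change without applying it.
Grant-BrokerRegistryRead -Account 'SALONE\svcbroker' -WhatIf -Verbose
# Then apply:
# Grant-BrokerRegistryRead -Account 'SALONE\svcbroker' -Verbose
```

Granting ReadKey rather than Full Control keeps the service ID to the least privilege the table requires: it can query the values under the entry (the same authority the "Listing" row calls for) but cannot change them.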

To edit the registry on Windows 2000 and Windows XP:

Related concepts
Authorization to access runtime resources
Related tasks
Setting up broker domain security
Enabling topic-based security
Related reference
mqsicreateaclentry command
mqsideleteaclentry command
mqsilistaclentry command