Considering security for a Configuration Manager

During this task you consider the group membership that is required for:
  • Users that execute Configuration Manager commands
  • Service IDs
  • Access to the Configuration Manager's queues.

An ACL is associated with the Configuration Manager itself. Users or groups that have full-control membership of the Configuration Manager's ACL implicitly have full-control membership of all other ACLs. Full-control membership of the Configuration Manager's ACL also allows users or groups to modify the ACLs for any object, including the Configuration Manager.

Read the appropriate sections in this list:

  1. Deciding which user accounts can execute Configuration Manager commands
  2. Deciding which user account to use for the Configuration Manager service ID
  3. Setting security on the Configuration Manager's queues
  4. Running the Configuration Manager in a domain environment

Deciding which user accounts can execute Configuration Manager commands

During this task you decide what permissions are required for the user IDs that:
  • Create, change, list, delete, start, and stop a Configuration Manager
  • Display, retrieve, and change trace information.

Answer the following questions:

  1. Are you executing Configuration Manager commands under a Windows local account?
    1. No: Go to the next question.
    2. Yes: Assume that your local account is on a computer named, for example, WKSTN1. When you create a Configuration Manager, ensure that your user ID is defined in your local domain. When you create or start a Configuration Manager, ensure that your user ID is a member of WKSTN1\Administrators.

      Go to Deciding which user account to use for the Configuration Manager service ID

  2. Are you executing Configuration Manager commands under a Windows domain account?
    1. Yes: Assume that your computer, named for example WKSTN1, is a member of a domain named DOMAIN1. When you create a Configuration Manager using, for example, DOMAIN1\user1, ensure that DOMAIN1\user1 is a member of WKSTN1\Administrators.

      Go to Deciding which user account to use for the Configuration Manager service ID

Deciding which user account to use for the Configuration Manager service ID

When you set the service ID with the -i option on the mqsicreateconfigmgr or mqsichangeconfigmgr command, you determine the user ID under which the Configuration Manager component process runs.

Answer the following questions:

  1. Do you want your Configuration Manager to run under a Windows local account?
    1. No: Go to the next question.
    2. Yes: Ensure that your user ID has the following characteristics:
      • It is defined in your local domain.
      • It is a member of mqbrkrs.
      • It is a member of mqm.
      • It is a member of Administrators.

      Go to Setting security on the Configuration Manager's queues.

  2. Do you want your Configuration Manager to run under a Windows domain account?
    1. Yes: Assume that your computer, named for example WKSTN1, is a member of a domain named DOMAIN1. When you run a Configuration Manager using, for example, DOMAIN1\user1, ensure that:
      1. DOMAIN1\user1 is a member of DOMAIN1\Domain mqbrkrs.
      2. DOMAIN1\user1 is a member of WKSTN1\mqm.
      3. DOMAIN1\Domain mqbrkrs is a member of WKSTN1\mqbrkrs.
      4. DOMAIN1\user1 is a member of WKSTN1\Administrators.

      Alternatively, complete the following steps:

      1. Define user1 in DOMAIN1.
      2. Add user1 to the DOMAIN1\Domain mqm group.
      3. Add user1 to the DOMAIN1\Domain mqbrkrs group.
      4. Add the DOMAIN1\Domain mqm group to the WKSTN1\mqm group.
      5. Add the DOMAIN1\Domain mqbrkrs group to the WKSTN1\mqbrkrs group.
      6. Add user1 to the WKSTN1\Administrators group.

      Go to Setting security on the Configuration Manager's queues.
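The two sections above list the local group memberships that the command-issuing user ID and the service ID need. The following PowerShell script is an added example, not part of the product documentation: it checks those memberships on the Configuration Manager's computer before the component is created or started. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), that it runs elevated on the computer referred to as WKSTN1 in the text, and that the parameter values and the group name DOMAIN1\Domain mqbrkrs are the examples used above.

```powershell
# Added example (not product code): verify the group memberships the text
# requires for a Configuration Manager service ID or command-issuing user ID.
# Assumes Get-LocalGroupMember (Windows PowerShell 5.1+) and an elevated prompt.
param(
    [Parameter(Mandatory)] [string] $ServiceId,       # e.g. 'WKSTN1\user1' or 'DOMAIN1\user1'
    [string] $DomainGroup = 'DOMAIN1\Domain mqbrkrs'  # domain group nested in WKSTN1\mqbrkrs
)

function Test-LocalGroupHasMember {
    param([string] $Group, [string] $Member)
    # A group that does not exist yet (e.g. mqbrkrs before install) reports as "not a member"
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    # Name is the qualified form, e.g. 'DOMAIN1\user1' or 'WKSTN1\mqm'; compare case-insensitively
    return [bool] ($members | Where-Object { $_.Name -ieq $Member })
}

# An unqualified name is treated as a local account on this computer
if ($ServiceId -notmatch '\\') { $ServiceId = "$env:COMPUTERNAME\$ServiceId" }
$isDomainAccount = $ServiceId.Split('\')[0] -ine $env:COMPUTERNAME

$required = @()
if ($isDomainAccount) {
    # Domain account: user in WKSTN1\mqm and WKSTN1\Administrators, and the
    # domain mqbrkrs group nested in WKSTN1\mqbrkrs. The domain-side check
    # (user1 in DOMAIN1\Domain mqbrkrs) needs the ActiveDirectory module and is not done here.
    $required += @{ Group = 'mqm';            Member = $ServiceId }
    $required += @{ Group = 'Administrators'; Member = $ServiceId }
    $required += @{ Group = 'mqbrkrs';        Member = $DomainGroup }
} else {
    # Local account: member of mqbrkrs, mqm and Administrators on this computer
    foreach ($g in 'mqbrkrs', 'mqm', 'Administrators') {
        $required += @{ Group = $g; Member = $ServiceId }
    }
}

$missing = foreach ($r in $required) {
    if (-not (Test-LocalGroupHasMember -Group $r.Group -Member $r.Member)) {
        '{0} is not a member of {1}\{2}' -f $r.Member, $env:COMPUTERNAME, $r.Group
    }
}

if ($missing) { $missing | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "All required local group memberships are present for $ServiceId"
```

Because Administrators membership is among the requirements, the same script also shows which highly privileged groups the service ID ends up in, which is worth recording when reviewing the account.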

Setting security on the Configuration Manager's queues

When you run the mqsicreateconfigmgr command, the mqbrkrs group gets access authority to the following queues:
  • SYSTEM.BROKER.CONFIG.QUEUE
  • SYSTEM.BROKER.CONFIG.REPLY
  • SYSTEM.BROKER.ADMIN.REPLY
  • SYSTEM.BROKER.SECURITY.QUEUE
  • SYSTEM.BROKER.MODEL.QUEUE.

The broker and the User Name Server require access to the Configuration Manager's queues.

Each group or user for which you create access control lists (ACLs) gets access authority to the following queues:
  • SYSTEM.BROKER.CONFIG.QUEUE
  • SYSTEM.BROKER.CONFIG.REPLY.

Running the Configuration Manager in a domain environment