Security requirements for Windows systems

Security requirements depend on the administrative task that you want to perform.

The following tables summarize the requirements for administrative tasks. They show what group membership is required if you are using a local security domain that is defined on your local system.

Note: If you have enabled administration security, you must also set the permissions that are detailed in Tasks and authorizations for administration security.

Domain users in a multi-workstation domain, or from domains that are in a Windows transitive trust relationship with the local domain, can also perform these administrative tasks. They need to fulfill the group membership requirements that are specified in the tables. One way to set up this group membership is to add the domain user to a domain group that is itself a member of the local group. For an example of how to set up security by using domain groups, see Security in a Windows domain environment.

Task / Command / Authorization
Create an integration node

mqsicreatebroker command

  • Member of mqbrkrs.
  • If administration security is active, and if the authorization mode is mq, the user ID that runs this command must be a member of the mqm group. If you do not want to run with mqm authority, you must work with your WebSphere® MQ administrator to create or delete the appropriate authority queue before you run the command. For information about creating the system queues, see Creating the default IBM Integration Bus queues on a WebSphere MQ queue manager.
  • If you use the mqsicreatebroker command with the -d parameter (to configure the integration node to start and stop with the queue manager that is associated with the integration node), the user ID that runs the command must be a member of the mqm group.
Delete an integration node

mqsideletebroker command

  • Member of mqbrkrs.
Migrate an integration node

mqsimigratecomponents command

  • Member of mqbrkrs.
Change an integration node

mqsichangebroker command

  • Member of mqbrkrs.
  • If administration security is active, and if the authorization mode is mq, the user ID that runs this command must be a member of the mqm group. If you do not want to run with mqm authority, you must work with your WebSphere MQ administrator to create or delete the appropriate authority queue before you run the command. For information about creating the system queues, see Creating the default IBM Integration Bus queues on a WebSphere MQ queue manager.
Add or remove an integration node instance

mqsiaddbrokerinstance command

mqsiremovebrokerinstance command

  • Member of mqbrkrs.
Backup or restore an integration node

mqsibackupbroker command

mqsirestorebroker command

  • Member of mqbrkrs.
Start an integration node, or verify an integration node

mqsistart command

mqsicvp command

  • Member of mqbrkrs.
Stop an integration node

mqsistop command

  • Member of mqbrkrs.
Create an integration server

mqsicreateexecutiongroup command

  • Member of mqbrkrs.
  • If administration security is active, and if the authorization mode is mq, the user ID that the integration node runs under must be a member of the group mqm. If you do not want your integration node to run with mqm authority, you must work with your WebSphere MQ administrator to create or delete the appropriate authority queue when you create or delete an integration server.
Delete an integration server

mqsideleteexecutiongroup command

  • Member of mqbrkrs.
Start or stop a message flow

mqsistartmsgflow command

mqsistopmsgflow command

  • Member of mqbrkrs.
Create or delete a configurable service

mqsicreateconfigurableservice command

mqsideleteconfigurableservice command

  • Member of mqbrkrs.
List integration nodes

mqsilist command

  • Member of mqbrkrs to run the command with integration node and integration server specified:
    mqsilist integrationNodeName integration_server_name
Show integration node properties

mqsireportbroker command

mqsireportproperties command

mqsireportflowmonitoring command

mqsireportflowstats command

mqsireportflowuserexits command

mqsireportresourcestats command

  • Member of mqbrkrs.
Change properties

mqsichangeproperties command

mqsichangeflowmonitoring command

mqsichangeflowstats command

mqsichangeflowuserexits command

mqsichangeresourcestats command

  • Member of mqbrkrs.
Set and update passwords

mqsisetdbparms command

  • Member of mqbrkrs.
List set parameters that are on an integration node

mqsireportdbparms command

  • Member of mqbrkrs.
Report or update an integration node mode

mqsimode command

  • Member of mqbrkrs.
Deploy an object to an integration node

mqsideploy command

  • Member of mqbrkrs.
Reload an integration node, integration server, or security

mqsireload command

mqsireloadsecurity command

  • Member of mqbrkrs.
Trace an integration node

mqsichangetrace command

mqsireporttrace command

mqsireadlog command

mqsiformatlog command

  • Member of mqbrkrs.
Create the mqbrkrs group and add the current user

mqsisetsecurity command

  • Member of Administrators.
  • On Windows systems, this command must be run from a command prompt with elevated privileges. For more information, see mqsicommandconsole command.
Install, uninstall, or list .NET assemblies in the Global Assembly Cache

mqsiAssemblyInstall command

  • Member of Administrators.
  • On Windows systems, this command must be run from a command prompt with elevated privileges. For more information, see mqsicommandconsole command.
Global cache administration

mqsicacheadmin command

  • Member of mqbrkrs.
Run commands that require elevated privileges

mqsicommandconsole command

  • Member of Administrators.
Set up symbolic links that are needed for coordinated transactions

mqsimanagexalinks command

  • Member of mqbrkrs.
  • The user ID must have write access to the MQ_installation_directory\exits and MQ_installation_directory\exits64 directories.
Package a BAR file

mqsipackagebar command

  • Member of mqbrkrs.
  • The user ID must have write access to the -w (root location), -a (BAR file location), and -v (trace file location) directories.
Create or modify a web user account

mqsiwebuseradmin command

  • Member of mqbrkrs.
Change the administration security authorization mode

mqsichangeauthmode command

  • Member of mqbrkrs.
  • If administration security is active, and if the authorization mode is mq, the user ID that runs this command must be a member of the mqm group. If you do not want to run with mqm authority, you must work with your WebSphere MQ administrator to create or delete the appropriate authority queue before you run the command. For information about creating the system queues, see Creating the default IBM Integration Bus queues on a WebSphere MQ queue manager.
Show the current administration security authorization mode

mqsireportauthmode command

  • Member of mqbrkrs.
Change file-based permissions

mqsichangefileauth command

  • Member of mqbrkrs.
Show the current file-based permissions

mqsireportfileauth command

  • Member of mqbrkrs.
Run an integration node (service user ID) [1]
  • Command: not applicable
  • Member of mqbrkrs.
  • The integration node service user ID must have the Log on as a service privilege in the Windows Local Security Policy.
Run an integration node (WebSphere MQ fast path on) (service user ID) [1] [2]
  • Command: not applicable
  • Member of mqbrkrs.
  • Member of mqm.
  • The integration node service user ID must have the Log on as a service privilege in the Windows Local Security Policy.
Notes:
  1. By default, when an integration node is created, the service user ID is given the required permissions to access relevant directories of the product directory tree; for example, write access to the logs directory.

    This access is granted even if you set a non-default location, by using the -w flag on the mqsicreatebroker command, or use the -e flag on the mqsicreatebroker command to create a multi-instance integration node. If the access is changed manually, you must ensure that the mqbrkrs group has appropriate access to the directories in the product directory tree.

  2. Ensure that mqbrkrs has access to all user-defined queues that you defined for use by your message flows. You can use the setmqaut command to set permissions.
    • Set the following permissions on all input queues:
      setmqaut -m IBNODE -n TEST_INPUT -t queue -g mqbrkrs +get +inq
    • Set the following permissions on all output queues:
      setmqaut -m IBNODE -n TEST_OUTPUT -t queue -g mqbrkrs +put +inq +setall
    • You might also need to add +passid +passall +setid +setall, depending on your requirements.
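The queue authorities from note 2, applied to a list of input and output queues and then verified with dspmqaut, as an added PowerShell example that is not part of the IBM documentation. It assumes the MQ bin directory is on the PATH; the queue manager name IBNODE and the queue names are constructed sample values.

```powershell
# Added example, not from the IBM documentation: apply the queue authorities from
# note 2 for the mqbrkrs group and verify them with dspmqaut. Assumptions: the MQ
# bin directory is on the PATH; IBNODE and the queue names are constructed samples.
param(
    [string]$QueueManager   = 'IBNODE',
    [string[]]$InputQueues  = @('TEST_INPUT'),
    [string[]]$OutputQueues = @('TEST_OUTPUT'),
    [switch]$Apply          # without -Apply only the setmqaut commands are printed
)
$Group      = 'mqbrkrs'
$InputAuth  = @('+get', '+inq')            # input queues: flows get and inquire
$OutputAuth = @('+put', '+inq', '+setall') # output queues; add +passid +passall +setid if your flows need them

function Set-QueueAuthority([string]$Queue, [string[]]$Authorities) {
    $cmdArgs = @('-m', $QueueManager, '-n', $Queue, '-t', 'queue', '-g', $Group) + $Authorities
    Write-Host "setmqaut $($cmdArgs -join ' ')"
    if ($Apply) {
        & setmqaut @cmdArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "setmqaut failed for $Queue (rc=$LASTEXITCODE)" }
    }
}

# dspmqaut prints one header line, then one authority name per line (indented)
function Get-QueueAuthority([string]$Queue) {
    $out = & dspmqaut -m $QueueManager -n $Queue -t queue -g $Group 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning ($out -join ' '); return @() }
    return @($out | Select-Object -Skip 1 | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
}

# Compare the '+name' list that was set against the names dspmqaut reports
function Test-QueueAuthority([string]$Queue, [string[]]$Required) {
    $have    = Get-QueueAuthority $Queue
    $missing = @($Required | ForEach-Object { $_.TrimStart('+') } | Where-Object { $have -notcontains $_ })
    if ($missing.Count -gt 0) { Write-Warning "$Queue : $Group is missing $($missing -join ', ')"; return $false }
    Write-Host "$Queue : OK ($($have -join ' '))"
    return $true
}

foreach ($q in $InputQueues)  { Set-QueueAuthority $q $InputAuth }
foreach ($q in $OutputQueues) { Set-QueueAuthority $q $OutputAuth }
if ($Apply) {
    $ok = $true
    foreach ($q in $InputQueues)  { $ok = (Test-QueueAuthority $q $InputAuth)  -and $ok }
    foreach ($q in $OutputQueues) { $ok = (Test-QueueAuthority $q $OutputAuth) -and $ok }
    if (-not $ok) { exit 1 }
}
```

Run it once without -Apply to review the generated setmqaut commands, then with -Apply from a user ID that has MQ administrative authority on the queue manager.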

Integration node security requirements on Windows

On all Windows platforms, there is no requirement for the service user ID to be a member of the Administrators group. The only requirement is that the service user ID is a member of the mqbrkrs group. In addition, the LocalSystem, LocalService, or NetworkService accounts can be used as the service user ID by using the -i parameter on the mqsicreatebroker command, and specifying the account name. No password is required for these accounts.
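A pre-flight check for the service user ID requirements described above (mqbrkrs membership, mqm membership when fast path is on, the Log on as a service right, and no need for Administrators), as an added PowerShell example that is not part of the IBM documentation. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module and an elevated prompt (secedit needs it); the account names are constructed samples, and membership through a nested domain group is reported for manual checking rather than expanded.

```powershell
# Added example, not part of the IBM documentation: check that a planned integration
# node service user ID meets the requirements listed above before mqsicreatebroker runs.
# Assumptions: LocalAccounts module available, elevated prompt; account names are samples.
param(
    [Parameter(Mandatory)][string]$ServiceUser,   # e.g. 'MYDOMAIN\iibsvc' or "$env:COMPUTERNAME\iibsvc"
    [switch]$FastPath                             # WebSphere MQ fast path on: mqm membership needed too
)
# Account names that mqsicreatebroker -i accepts; no password is required for them
$BuiltIn = @{ LocalSystem = 'NT AUTHORITY\SYSTEM'; LocalService = 'NT AUTHORITY\LOCAL SERVICE';
              NetworkService = 'NT AUTHORITY\NETWORK SERVICE' }

function Get-AccountSid([string]$Name) {
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
# Direct membership in a local group, compared by SID so renamed accounts still match.
# A domain group nested in the local group (the setup the page describes) is reported, not expanded.
function Test-LocalGroupMember([string]$Group, [string]$Name) {
    $sid = Get-AccountSid $Name
    foreach ($m in Get-LocalGroupMember -Group $Group) {
        if ($m.SID.Value -eq $sid) { return $true }
        if ($m.ObjectClass -eq 'Group') { Write-Host "  note: $Group contains group $($m.Name); check $Name there" }
    }
    return $false
}
# 'Log on as a service' is SeServiceLogonRight in the exported Local Security Policy;
# its entries are SIDs prefixed with '*' or plain account names, comma separated.
function Test-ServiceLogonRight([string]$Name) {
    $sid = Get-AccountSid $Name
    $cfg = Join-Path $env:TEMP 'iib_user_rights.inf'
    & secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    return ($entries -contains $sid) -or ($entries -contains $Name)
}

$problems = @()
$account  = if ($BuiltIn.ContainsKey($ServiceUser)) { $BuiltIn[$ServiceUser] } else { $ServiceUser }
if (-not (Test-LocalGroupMember 'mqbrkrs' $account)) { $problems += 'is not a member of mqbrkrs' }
if ($FastPath -and -not (Test-LocalGroupMember 'mqm' $account)) { $problems += 'fast path is on but it is not a member of mqm' }
# The built-in service accounts are started by the service control manager without a password,
# so the logon right is only checked for ordinary user accounts
if (-not $BuiltIn.ContainsKey($ServiceUser) -and -not (Test-ServiceLogonRight $account)) {
    $problems += 'lacks the Log on as a service right'
}
if (Test-LocalGroupMember 'Administrators' $account) { Write-Warning "$account is in Administrators, which is not required" }
foreach ($p in $problems) { Write-Host "FAIL: $account $p" }
if ($problems) { exit 1 } else { Write-Host "OK: $account meets the service user ID requirements" }
```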