Security requirements depend on the administrative task that you want to perform.
The following tables summarize the requirements for administrative tasks. They show what group membership is required if you are using a local security domain defined on your local system.
Domain users in a multi-workstation domain, or from domains that are in a Windows transitive trust relationship with the local domain, can also perform these administrative tasks, provided that they fulfill the group membership requirements specified in the tables. One way to set up this group membership is to add the domain user to a domain group that is in turn a member of the local group. For an example of how to set up security by using domain groups, see Security in a Windows domain environment.
Task | Command | Authorization |
---|---|---|
Create, delete or migrate a broker | mqsicreatebroker, mqsideletebroker, mqsimigratecomponents | |
Change a broker | mqsichangebroker | |
Add or remove a broker instance | mqsiaddbrokerinstance, mqsiremovebrokerinstance | |
Backup or restore a broker | mqsibackupbroker, mqsirestorebroker | |
Start a broker, or verify a broker | mqsistart, mqsicvp | |
Stop a broker | mqsistop | |
Create or delete an integration server | mqsicreateexecutiongroup, mqsideleteexecutiongroup | |
Start or stop a message flow | mqsistartmsgflow, mqsistopmsgflow | |
Create or delete a configurable service | mqsicreateconfigurableservice, mqsideleteconfigurableservice | |
List brokers | mqsilist | |
Show broker properties | mqsireportbroker, mqsireportproperties, mqsireportflowmonitoring, mqsireportflowstats, mqsireportflowuserexits, mqsireportresourcestats | |
Change properties | mqsichangeproperties, mqsichangeflowmonitoring, mqsichangeflowstats, mqsichangeflowuserexits, mqsichangeresourcestats | |
Set and update passwords | mqsisetdbparms | |
List set parameters that are on a broker | mqsireportdbparms | |
Report or update a broker mode | mqsimode | |
Deploy an object to a broker | mqsideploy | |
Reload a broker, integration servers or security | mqsireload, mqsireloadsecurity | |
Trace a broker | mqsichangetrace, mqsireporttrace, mqsireadlog, mqsiformatlog | |
Add the mqbrkrs group | mqsisetsecurity | |
Install, uninstall, or list .NET assemblies in the Global Assembly Cache | mqsiAssemblyInstall | |
Global cache administration | mqsicacheadmin | |
Run commands that require elevated privileges | mqsicommandconsole | |
Set up symbolic links needed for coordinated transactions | mqsimanagexalinks | |
Package a BAR file | mqsipackagebar | |
Create or modify a web user account | mqsiwebuseradmin | |

User is...1 | Command Used | Local domain (WORKSTATION) |
---|---|---|
Running a broker (WebSphere MQ fast path off) (service user ID)2 | | |
Running a broker (WebSphere MQ fast path on) (service user ID)2 | | |
Running an IBM® Integration Toolkit3 | | |

This happens even if you set a location that is not the default, with the -w flag on the mqsicreatebroker command, or use the -e flag on the mqsicreatebroker command to create a multi-instance broker. If these permissions are changed manually, you must always ensure that the mqbrkrs group has appropriate access to these locations.
setmqaut -m IB9NODE -n TEST_INPUT -t queue -g mqbrkrs +get +inq
setmqaut -m IB9NODE -n TEST_OUTPUT -t queue -g mqbrkrs +put +inq +setall
On all Windows platforms, there is no longer any requirement for the service user ID to be a member of the Administrators group.
The only requirement is that the service user ID is a member of the mqbrkrs group. In addition, the LocalSystem account can be used as the service user ID by specifying LocalSystem for the -i parameter on the mqsicreatebroker command.
In this case you must enter the -a (password) parameter on the command line, but the value entered is ignored.
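
One way to check the service user ID requirement described above on a given machine. This is an added example, not IBM code; the `$ServiceName` parameter is an assumption (pass the broker's Windows service name as shown by Get-Service), and only direct group members are compared, so domain groups nested in mqbrkrs are listed for separate review.

```powershell
# Added example, not IBM code. $ServiceName is an assumption: pass the broker
# service's short name as shown in services.msc or Get-Service.
param([Parameter(Mandatory)] [string] $ServiceName)

function Resolve-AccountSid([string] $Account) {
    # Win32_Service reports local accounts as ".\name" and LocalSystem by name.
    $name = $Account -replace '^\.\\', "$($env:COMPUTERNAME)\"
    if ($name -eq 'LocalSystem') { $name = 'NT AUTHORITY\SYSTEM' }
    $nt = [System.Security.Principal.NTAccount] $name
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$sid = Resolve-AccountSid $svc.StartName

# Direct members only; -SID avoids the localized name of BUILTIN\Administrators.
$mqbrkrs = @(Get-LocalGroupMember -Group 'mqbrkrs' -ErrorAction Stop)
$admins  = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)

[pscustomobject]@{
    Service               = $svc.Name
    LogonAccount          = $svc.StartName
    IsLocalSystem         = $sid -eq 'S-1-5-18'
    DirectlyInMqbrkrs     = $mqbrkrs.SID.Value -contains $sid
    DirectlyInAdmins      = $admins.SID.Value -contains $sid
    # Domain groups nested in mqbrkrs; the account may be a member through one.
    NestedGroupsInMqbrkrs = ($mqbrkrs | Where-Object ObjectClass -eq 'Group').Name -join ', '
}
```

A result with DirectlyInAdmins set to True for a non-LocalSystem account indicates more privilege than the page says the service user ID needs.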