IBM MQ file system permissions on Windows

The following information describes the security applied to the files and directories on Windows. In order to ensure the correct operation of IBM® MQ you should not alter the file system permissions as set by IBM MQ.

On Windows, file system permissions are set on the:

Program directory, and
Data directory.

Note: The permissions that are set on the root of each of these directories, are inherited downwards throughout the directory structure.

Data directory

The directories under the data directory (DATADIR) are set with the following permissions, apart from the exceptions detailed in the following text.

Administrators: Full control
mqm group: Full control
SYSTEM: Full control
Everyone: Read and execute

The exceptions are:

DATADIR\errors: Everyone full control
DATADIR\trace: Everyone full control

DATADIR\log

Administrators: Full control
mqm group: Full control
SYSTEM: Full control
Everyone: Read

DATADIR\log\<qmgrname>\active

Administrators: Full control
mqm group: Full control
SYSTEM: Full control

No access granted to Everyone.

Earlier releases of the product

In releases of the product prior to IBM MQ 8.0, the default program and default data directories were co-located.

In any installation that was originally installed before IBM MQ 8.0. and which was installed to the default locations, and then upgraded from that, the data and program directories remain co-located (in C:\Program Files\IBM\WebSphere MQ.

In the case of co-located data and program directories, the preceding information applies only to the directories that belong to the data directory, and not those that are part of the program directory.