Security requirements for Windows systems
Security requirements depend on the administrative task that you want to perform.
The following tables summarize the requirements for administrative tasks. They show what group membership is required if you are using a local security domain that is defined on your local system.
Domain users in a multi-workstation domain, or from domains that are in a Windows transitive trust relationship with the local domain, can also perform these administrative tasks. They need to fulfill the group membership requirements that are specified in the tables. One way to set up this group membership is to add the domain user to a domain group that is a member of the local group. For an example of how to set up security by using domain groups, see Security in a Windows domain environment.
Task | Command | Authorization |
---|---|---|
Create an integration node | | |
Delete an integration node | | |
Migrate an integration node | | |
Change an integration node | | |
Add or remove an integration node instance | | |
Backup or restore an integration node | | |
Start an integration node, or verify an integration node | | |
Stop an integration node | | |
Create an integration server | | |
Delete an integration server | | |
Start or stop a message flow | | |
Create or delete a configurable service | | |
List integration nodes | | |
Show integration node properties | mqsireportflowmonitoring command | |
Change properties | mqsichangeflowmonitoring command | |
Set and update passwords | | |
List set parameters that are on an integration node | | |
Report or update an integration node mode | | |
Deploy an object to an integration node | | |
Reload an integration node, integration server, or security | | |
Trace an integration node | | |
Create the mqbrkrs group and add current user | | |
Install, uninstall, or list .NET assemblies in the Global Assembly Cache | | |
Global cache administration | | |
Run commands that require elevated privileges | | |
Set up symbolic links that are needed for coordinated transactions | | |
Package a BAR file | | |
Create or modify a web user account | | |
Change the administration security authorization mode | | |
Show the current administration security authorization mode | | |
Change file-based permissions | | |
Show the current file-based permissions | | |
Run an integration node (service user ID)¹ | | |
Running an integration node (WebSphere MQ fast path on) (service user ID)¹ ² | | |
- By default, when an integration node is created, the service user ID is given the required permissions to access relevant directories of the product directory tree; for example, write access to the logs directory. This access is granted even if you set a non-default location by using the -w flag on the mqsicreatebroker command, or use the -e flag on the mqsicreatebroker command to create a multi-instance integration node. If the access is changed manually, you must ensure that the mqbrkrs group has appropriate access to the directories in the product directory tree.
- Ensure that mqbrkrs has access to all user-defined queues that you defined for use by your message flows. You can use the setmqaut command to set permissions.
  - Set the following permissions on all input queues:
    `setmqaut -m IBNODE -n TEST_INPUT -t queue -g mqbrkrs +get +inq`
  - Set the following permissions on all output queues:
    `setmqaut -m IBNODE -n TEST_OUTPUT -t queue -g mqbrkrs +put +inq +setall`
  - You might also need to add +passid +passall +setid +setall, depending on your requirements.
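The two checks above (service user ID in mqbrkrs, and mqbrkrs holding the listed authorities on the message flow queues) can be audited together. The script below is an added example, not part of the product documentation; it assumes the IBM MQ bin directory is on PATH so that dspmqaut is available, and the service user ID, queue manager and queue names are placeholders to replace with your own.

```powershell
# Added example, not part of the product documentation. Assumes dspmqaut is on
# PATH and that the placeholder values below are replaced with your own node's
# service user ID, queue manager name and queue names.
param(
    [string]$ServiceUser    = 'CHANGE_ME_serviceuser',   # placeholder account
    [string]$QueueManager   = 'IBNODE',
    [string[]]$InputQueues  = @('TEST_INPUT'),
    [string[]]$OutputQueues = @('TEST_OUTPUT')
)

# Returns $true if $User is a direct member of the local group $Group.
# Get-LocalGroupMember reports names as COMPUTER\user or DOMAIN\user.
function Test-LocalGroupMembership {
    param([string]$Group, [string]$User)
    $names = Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object { $_.Name }
    return [bool]($names | Where-Object { $_ -eq $User -or $_ -like "*\$User" })
}

# Returns the authorities that dspmqaut reports for group mqbrkrs on one queue.
# Parsing assumes dspmqaut prints a header line containing "authorizations"
# followed by one authority per line (e.g. "get", "inq").
function Get-MqbrkrsAuthorities {
    param([string]$Qmgr, [string]$Queue)
    $out = & dspmqaut -m $Qmgr -n $Queue -t queue -g mqbrkrs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dspmqaut failed for $Queue : $out" }
    return @($out | ForEach-Object { $_.ToString().Trim() } |
             Where-Object { $_ -and $_ -notmatch 'authorizations' })
}

# Compares the granted authorities with the set the documentation calls for.
function Test-QueueAuthorities {
    param([string]$Qmgr, [string]$Queue, [string[]]$Required)
    $granted = Get-MqbrkrsAuthorities -Qmgr $Qmgr -Queue $Queue
    $missing = @($Required | Where-Object { $granted -notcontains $_ })
    if ($missing.Count -gt 0) { Write-Warning "$Queue : mqbrkrs lacks +$($missing -join ' +')" }
    else                      { Write-Host    "$Queue : mqbrkrs has $($Required -join ', ')" }
}

# 1. The service user ID must be in mqbrkrs ...
if (-not (Test-LocalGroupMembership -Group 'mqbrkrs' -User $ServiceUser)) {
    Write-Warning "$ServiceUser is not a member of mqbrkrs"
}
# ... and does not need Administrators membership, so flag it if present.
if (Test-LocalGroupMembership -Group 'Administrators' -User $ServiceUser) {
    Write-Warning "$ServiceUser is in Administrators, which the integration node does not require"
}

# 2. Queue authorities: +get +inq on input queues, +put +inq +setall on output queues.
foreach ($q in $InputQueues)  { Test-QueueAuthorities $QueueManager $q @('get', 'inq') }
foreach ($q in $OutputQueues) { Test-QueueAuthorities $QueueManager $q @('put', 'inq', 'setall') }
```

Run it from an elevated PowerShell session on the integration node host; Get-LocalGroupMember needs Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module.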
Integration node security requirements on Windows
On all Windows platforms, there is no requirement for the service user ID to be a member of the Administrators group. The only requirement is that the service user ID is a member of the mqbrkrs group. In addition, the LocalSystem, LocalService, or NetworkService accounts can be used as the service user ID by specifying the account name with the -i parameter on the mqsicreatebroker command. No password is required for these accounts.