Consider several factors when you are deciding which users can execute broker commands, and which users can control security for other broker resources.
Although most security for the broker and broker resources is optional, you might find it appropriate to restrict the tasks that some user IDs can perform. You can then apply greater control to monitor changes.
You can control all broker administration tasks by enabling broker administration security when you create a broker. You can also change existing brokers to enable administration security. This option is described in Setting up administration security, and is independent of the options described in this section.
When you are deciding which users are to perform the different tasks, consider the following steps:
On a Linux or UNIX operating system, when you run the mqsistart command with a user ID that is a member of the mqm and mqbrkrs groups, the broker component process runs under that user ID.
On the Windows platform, the broker runs under a service user account. To decide which user ID to use for the broker service ID, answer the following questions:
For cases one and two above, the user ID that you choose must be granted the Log on as a service privilege.
The mqsichangebroker command or the mqsichangeproperties command normally grants this privilege automatically when you specify a service user ID that does not have it.
However, if you want to grant the privilege manually before you run these commands, use the Local Security Policy tool in Windows, which you can access by selecting .
When you run the mqsicreatebroker command, the local mqbrkrs group is granted access to internal queues whose names begin with the characters SYSTEM.BROKER.
Broker operation depends on the information in the broker registry, which you must secure to guard against accidental corruption. The broker registry is stored on the file system. Set your operating system security options so that only user IDs that are members of the group mqbrkrs can read from or write to brokername/CurrentVersion and all subkeys.
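The following shell functions are an added example, not part of the product or its documentation, showing one way to check the registry restriction described above on Linux or UNIX. They assume that plain POSIX mode bits are in use (ACLs are not inspected) and that you supply the full path to brokername/CurrentVersion yourself; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not product code): audit a broker registry tree.
# Usage after sourcing this file:
#   audit_registry /full/path/to/brokername/CurrentVersion
# Assumption: access is governed by POSIX mode bits only; ACLs are not read.

# audit_registry DIR [GROUP]
# Prints each path under DIR that is not group-owned by GROUP (default
# mqbrkrs) or that grants read, write or execute access to "other".
# Returns 0 if clean, 1 if any path is reported, 2 if the audit could not run.
audit_registry() {
    reg_dir=$1
    reg_group=${2:-mqbrkrs}
    if [ ! -d "$reg_dir" ]; then
        echo "audit_registry: not a directory: $reg_dir" >&2
        return 2
    fi
    # Symbolic links are skipped: their own mode bits are not enforced.
    # A find failure (unknown group, unreadable subkey) must not pass as clean.
    findings=$(find "$reg_dir" ! -type l \
        \( ! -group "$reg_group" \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print) || {
        echo "audit_registry: find failed, audit incomplete" >&2
        return 2
    }
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# tighten_registry DIR [GROUP]
# Gives GROUP ownership and read/write access to DIR and all subkeys, and
# removes every permission for "other". Owner permissions are left unchanged.
tighten_registry() {
    chgrp -R "${2:-mqbrkrs}" "$1" && chmod -R g+rwX,o-rwx "$1"
}
```

Run audit_registry from a scheduled job or a configuration check and treat return code 2 as a failure, because an incomplete walk says nothing about the subkeys that were not reached.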