Security requirements for Linux and AIX systems

View a summary of the authorizations in a Linux® and AIX® environment.

You must add the required user IDs to the appropriate group to enable them to complete the relevant tasks.

Note: If you have enabled administration security, you must also set the permissions that are detailed in Tasks and authorizations for administration security.
The following table lists each task, the command that you use to complete it, and the authorization that the user ID requires.

Create an integration node.

mqsicreatebroker command

  • Member of mqbrkrs.
  • If administration security is made active, and if the authorization mode is mq, the user ID that runs this command must be a member of the mqm group. If you do not want to run with mqm authority, you must work with your IBM® MQ administrator to create or delete the appropriate authority queue before you run the command. For more information about creating the system queues, see Creating the default system queues on an IBM MQ queue manager.
  • If you use the mqsicreatebroker command with the -d parameter, the integration node is configured to start and stop with the queue manager that is associated with the integration node. To use the -d parameter, the user ID that runs the command must be a member of the mqm group.
Delete an integration node.

mqsideletebroker command

  • Member of mqbrkrs.
Add or remove an integration node instance.

mqsiaddbrokerinstance command

mqsiremovebrokerinstance command

  • Member of mqbrkrs.
  • Make the uid and gid for this user ID the same on all the systems. The user ID needs to be the same one that created the first instance of the multi-instance integration node, by using the mqsicreatebroker command.
  • Change the uid and gid with caution, because it affects the permission levels of files on the system. Changing a uid or gid leaves all the files that were previously owned by that user or group owned by the old numeric uid or gid, which no longer maps to a user or group name. Therefore, you must ensure that your system administrator manually restores the ownership of the affected files and directories.
Backup or restore an integration node.

mqsibackupbroker command

mqsirestorebroker command

  • Member of mqbrkrs.
Start an integration node, or verify an integration node.

mqsistart command

mqsicvp command

  • Member of mqbrkrs.
Stop an integration node.

mqsistop command

  • Member of mqbrkrs. However, the root user ID can stop an integration node without membership of mqbrkrs.
  • The user ID must be the same as the user ID that started the integration node.
Create an integration server.

mqsicreateexecutiongroup command

  • Member of mqbrkrs.
  • If administration security is active, and if the authorization mode is mq, the user ID that the integration node runs under must be a member of the group mqm. If you do not want your integration node to run with mqm authority, work with your IBM MQ administrator. You must create or delete the appropriate authority queue when you create or delete an integration server.
Delete an integration server.

mqsideleteexecutiongroup command

  • Member of mqbrkrs.
Start or stop a message flow.

mqsistartmsgflow command

mqsistopmsgflow command

  • Member of mqbrkrs.
List integration nodes.

mqsilist command

  • Member of mqbrkrs.
Show integration node properties.

mqsireportproperties command

mqsireportflowmonitoring command

mqsireportflowstats command

mqsireportflowuserexits command

mqsireportresourcestats command

  • Member of mqbrkrs.
Change properties.

mqsichangeproperties command

mqsichangeflowmonitoring command

mqsichangeflowstats command

mqsichangeflowuserexits command

mqsichangeresourcestats command

  • Member of mqbrkrs.
Create, update, retrieve, or delete security credentials.

mqsicredentials command

  • Member of mqbrkrs.
Create or destroy a vault, change or verify a vault key, or retrieve credentials from the vault.

mqsivault command

  • Member of mqbrkrs.
Set and update passwords.

mqsisetdbparms command

  • Member of mqbrkrs.
List set parameters that are on an integration node.

mqsireportdbparms command

  • Member of mqbrkrs.
Report or update an integration node mode.

mqsimode command

  • Member of mqbrkrs.
Deploy an object to an integration node.

mqsideploy command

  • Member of mqbrkrs.
Reload an integration node, integration servers, or security.

mqsireload command

mqsireloadsecurity command

  • Member of mqbrkrs.
Trace an integration node.

mqsichangetrace command

  • Member of mqbrkrs.
Set up symbolic links that are needed for coordinated transactions.

mqsimanagexalinks command

  • Root user.
  • The user ID must have write access to the MQ_installation_directory/exits and MQ_installation_directory/exits64 directories.
Add the mqbrkrs group.

mqsisetsecurity command

  • Root user.
Global cache administration.

mqsicacheadmin command

  • Member of mqbrkrs.
Package a BAR file.

mqsipackagebar command

  • Member of mqbrkrs.
  • The user ID must have WRITE access to the -w (root location), -a (BAR file location), and -v (trace file location) directories.
Create or modify a web user account.

mqsiwebuseradmin command

  • Member of mqbrkrs.
Change the administration security authorization mode.

mqsichangeauthmode command

  • Member of mqbrkrs.
  • If administration security is made active, and if the authorization mode is mq, the user ID that runs this command must be a member of the mqm group. If you do not want to run with mqm authority, you must work with your IBM MQ administrator to create or delete the appropriate authority queue before you run the command. For more information about creating the system queues, see Creating the default system queues on an IBM MQ queue manager.
Show the current administration security authorization mode.

mqsireportauthmode command

  • Member of mqbrkrs.
Change file-based permissions.

mqsichangefileauth command

  • Member of mqbrkrs.
Show the current file-based permissions.

mqsireportfileauth command

  • Member of mqbrkrs.
The following table shows the authorization that is needed to run an integration node; no command applies to these rows, and the authorization is for the local domain (WORKSTATION).

Running an integration node (IBM MQ non-trusted application) (login ID).

  • Member of mqbrkrs.
  • The integration node runs under the login ID that started it.

Running an integration node (IBM MQ trusted application) (login ID).

  • Login ID must be mqm.
  • mqm must be a member of mqbrkrs.

Running an integration node (IBM MQ fast path on) (service user ID).

  • Member of mqbrkrs.
  • Member of mqm.

Ensure that mqbrkrs can access all the user-defined queues that you defined for use by your message flows.

If you are using file-based administration security, use the mqsichangefileauth command to set permissions. If you are using queue-based security, you can use the setmqaut command.

If you are using queue-based security, complete the following steps:
  • Set the following permissions on all input queues:
    setmqaut -m INODE -n TEST_INPUT -t queue -g mqbrkrs +get +inq
  • Set the following permissions on all output queues:
    setmqaut -m INODE -n TEST_OUTPUT -t queue -g mqbrkrs +put +inq +setall
  • You might also need to add +passid +passall +setid +setall, depending on your requirements.
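A small POSIX shell helper, added here as an example and not part of the IBM documentation, that builds the setmqaut grants above for every queue a message flow uses, giving input queues +get +inq and output queues +put +inq +setall, with a dry-run mode so the grants can be reviewed before they are applied. The queue manager and queue names (INODE, TEST_INPUT, TEST_OUTPUT) come from the page; the function names, the DRY_RUN switch and the optional EXTRA argument for the context authorities are this example's own.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: generate (and optionally run) the
# least-privilege setmqaut grants for the mqbrkrs group on the queues that a
# message flow reads and writes. DRY_RUN=1 (the default) only prints the
# commands, so they can be reviewed offline before touching a queue manager.

DRY_RUN="${DRY_RUN:-1}"

# queue_grant QMGR QUEUE ROLE [EXTRA]
# ROLE is "input" (the flow gets messages: +get +inq) or "output" (the flow
# puts messages: +put +inq +setall). EXTRA appends further authorities, for
# example "+passid +passall +setid" when the flow must propagate message
# context. Prints the exact setmqaut command line for the queue.
queue_grant() {
    qm="$1"; q="$2"; role="$3"; extra="${4:-}"
    case "$role" in
        input)  auth="+get +inq" ;;
        output) auth="+put +inq +setall" ;;
        *) echo "queue_grant: unknown role '$role'" >&2; return 1 ;;
    esac
    if [ -n "$extra" ]; then auth="$auth $extra"; fi
    printf 'setmqaut -m %s -n %s -t queue -g mqbrkrs %s\n' "$qm" "$q" "$auth"
}

# run_grant CMD: print the command in dry-run mode, otherwise execute it.
run_grant() {
    if [ "$DRY_RUN" = "1" ]; then echo "$1"; else sh -c "$1"; fi
}

# flow_queue_grants QMGR "IN_Q ..." "OUT_Q ..." [EXTRA]
# Emits one grant per queue, input queues first (queue names are
# whitespace-separated; MQ queue names cannot contain spaces).
flow_queue_grants() {
    qm="$1"; inputs="$2"; outputs="$3"; extra="${4:-}"
    for q in $inputs; do
        cmd=$(queue_grant "$qm" "$q" input "$extra") || return 1
        run_grant "$cmd"
    done
    for q in $outputs; do
        cmd=$(queue_grant "$qm" "$q" output "$extra") || return 1
        run_grant "$cmd"
    done
}

# verify_grant QMGR QUEUE: report what mqbrkrs actually holds afterwards.
# dspmqaut is the IBM MQ command that displays authorities; it needs a
# running queue manager, so it is not exercised in dry-run mode.
verify_grant() {
    dspmqaut -m "$1" -n "$2" -t queue -g mqbrkrs
}

# The queues named on the page, printed as a reviewable plan (DRY_RUN=1):
flow_queue_grants INODE "TEST_INPUT" "TEST_OUTPUT"
```

Run with DRY_RUN=0 as an IBM MQ administrator to apply the grants, then call verify_grant for each queue to confirm that mqbrkrs holds only the authorities that were intended.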