Security requirements for Windows systems
Security requirements depend on the administrative task that you want to run.
The following tables summarize the requirements for administrative tasks. They show what group membership is required if you are using a local security domain that is defined on your local system.
Domain users in a multi-workstation domain, or from domains that are in a Windows transitive trust relationship with the local domain, can also run these administrative tasks. They need to fulfill the group membership requirements that are specified in the tables. One way to set up this group membership is by adding the domain user to a domain group that is a member of the local group. For an example of how to set up security by using domain groups, see Security in a Windows domain environment.
Task | Command | Authorization |
---|---|---|
Create an integration node. | | |
Delete an integration node. | | |
Add or remove an integration node instance. | | |
Back up an integration node. | | |
Restore an integration node. | | |
Start an integration node, or verify an integration node. | | |
Stop an integration node. | | |
Create an integration server. | | |
Delete an integration server. | | |
Start or stop a message flow. | | |
List integration nodes. | | |
Show integration node properties. | | |
Change properties. | mqsichangeflowmonitoring command | |
Create, update, retrieve, or delete security credentials. | | |
Create or destroy a vault, change or verify a vault key, retrieve credentials from the vault. | | |
Set and update passwords. | | |
List set parameters that are on an integration node. | | |
Report or update an integration node mode. | | |
Deploy an object to an integration node. | | |
Reload an integration node, integration server, or security. | | |
Trace an integration node. | | |
Create the mqbrkrs group and add current user. | | |
Install, uninstall, or list .NET assemblies in the Global Assembly Cache. | | |
Global cache administration. | | |
Run commands that require elevated privileges. | | |
Set up symbolic links that are needed for coordinated transactions. | | |
Package a BAR file. | | |
Create or modify a web user account. | | |
Change the administration security authorization mode. | | |
Show the current administration security authorization mode. | | |
Change file-based permissions. | | |
Show the current file-based permissions. | | |
Run an integration node (service user ID) ¹ | | |
- ¹ By default, when an integration node is created, the service user ID is given the required permissions to access the relevant directories of the product directory tree, for example write access to the logs directory. This access is granted even if you set a non-default location by using the -w flag on the mqsicreatebroker command. If the access is changed manually, you must ensure that the mqbrkrs group has appropriate access to the directories in the product directory tree.
- Ensure that mqbrkrs can access all user-defined queues that you defined for use by your message flows. You can use the setmqaut command to set permissions.
  - Set the following permissions on all input queues:
    setmqaut -m INODE -n TEST_INPUT -t queue -g mqbrkrs +get +inq
  - Set the following permissions on all output queues:
    setmqaut -m INODE -n TEST_OUTPUT -t queue -g mqbrkrs +put +inq +setall
  - You might also need to add +passid +passall +setid +setall, depending on your requirements.
Integration node security requirements on Windows
On all Windows platforms, there is no requirement for the service user ID to be a member of the Administrators group. The only requirement is that the service user ID is a member of the mqbrkrs group. In addition, the LocalSystem, LocalService, or NetworkService accounts can be used as the service user ID by using the -i parameter on the mqsicreatebroker command and specifying the account name. No password is required for these accounts.
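The two requirements above (the service user ID belongs to mqbrkrs and nothing more, and mqbrkrs holds only the queue authorities a flow needs) are easy to check and apply from one script. The following PowerShell is an added example, not code from the IBM documentation: it verifies group membership with Get-LocalGroupMember (assumed available, which needs the LocalAccounts module on Windows 10 / Windows Server 2016 or later), warns if the account is also an Administrator, applies the setmqaut authorities listed in the footnote to every input and output queue, and reads the result back with dspmqaut. INODE, TEST_INPUT and TEST_OUTPUT are the page's own sample names; the service account name and any extra queue names are placeholders you would replace.

```powershell
# Added example (not IBM's code). Checks that the intended service user ID is
# a member of the local mqbrkrs group, applies the queue authorities from the
# footnote above with setmqaut, and reads them back with dspmqaut.
# Assumptions: the integration node's queue manager is INODE (page sample),
# and the account name below is a placeholder for the account you would pass
# to mqsicreatebroker -i.
param(
    [string]   $QueueManager  = 'INODE',
    [string]   $ServiceUserId = 'NT AUTHORITY\NETWORK SERVICE',   # placeholder
    [string[]] $InputQueues   = @('TEST_INPUT'),
    [string[]] $OutputQueues  = @('TEST_OUTPUT'),
    [switch]   $AllowContext      # also grant the optional +passid +passall +setid
)

$ErrorActionPreference = 'Stop'

# 1. Membership check: mqbrkrs is the only group the page requires.
#    Administrators membership is not needed, so flag it if present.
$members = Get-LocalGroupMember -Group 'mqbrkrs' | Select-Object -ExpandProperty Name
if ($members -notcontains $ServiceUserId) {
    throw "'$ServiceUserId' is not a member of mqbrkrs; add it before creating the integration node."
}
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $ServiceUserId) {
    Write-Warning "'$ServiceUserId' is also in Administrators, which the integration node does not require."
}

# 2. Grant exactly the authorities the footnote lists, per queue, to mqbrkrs.
function Grant-QueueAuthority {
    param([string]$Queue, [string[]]$Authorities)
    $cmdArgs = @('-m', $QueueManager, '-n', $Queue, '-t', 'queue', '-g', 'mqbrkrs') + $Authorities
    & setmqaut @cmdArgs
    if ($LASTEXITCODE -ne 0) { throw "setmqaut failed for queue '$Queue' (rc=$LASTEXITCODE)" }
}

# Input queues: the flow only needs to get messages and inquire on the queue.
foreach ($q in $InputQueues) {
    Grant-QueueAuthority -Queue $q -Authorities @('+get', '+inq')
}

# Output queues: put, inquire and set all context; context pass-through only on request.
$outputAuth = @('+put', '+inq', '+setall')
if ($AllowContext) { $outputAuth += @('+passid', '+passall', '+setid') }
foreach ($q in $OutputQueues) {
    Grant-QueueAuthority -Queue $q -Authorities $outputAuth
}

# 3. Read back the effective authorities so the change can be reviewed or
#    recorded; anything beyond the sets above is a candidate for removal.
foreach ($q in ($InputQueues + $OutputQueues)) {
    Write-Host "--- authorities for mqbrkrs on $q ---"
    & dspmqaut -m $QueueManager -n $q -t queue -g mqbrkrs
}
```

Run it from an elevated PowerShell session on the integration node's machine, after the queue manager exists and before the first start of the node. The dspmqaut output is the artefact to keep: it shows the authorities actually in force for mqbrkrs, so a later review can confirm that input queues never acquired +put and output queues never acquired +get.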