Security requirements for Windows systems

Security requirements depend on the administrative task that you want to run.

The following tables summarize the requirements for administrative tasks. They show what group membership is required if you are using a local security domain that is defined on your local system.

Note: If you have enabled administration security, you must also set the permissions that are detailed in Tasks and authorizations for administration security.

Domain users in a multi-workstation domain, or from domains that are in a Windows transitive trust relationship with the local domain, can also run these administrative tasks. They need to fulfill the group membership requirements that are specified in the tables. One way to set up this group membership is by adding the domain user to a domain group that is a member of the local group. For an example of how to set up security by using domain groups, see Security in a Windows domain environment.
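One way to set up the domain-group nesting described above, and to confirm that it actually reaches a user's logon token, as an added PowerShell example that is not part of the IBM documentation. The domain group CORP\ACE-Admins is an assumption; mqbrkrs is the local group that mqsisetsecurity creates. Run it from an elevated prompt on the integration node host:

```powershell
# Added example; not from the IBM documentation. Nests a domain group in the
# local mqbrkrs group so that its members inherit the authorization, then
# checks whether the *current* logon token carries mqbrkrs.
# CORP\ACE-Admins is an assumption; substitute your own domain group.
#Requires -RunAsAdministrator
param([string]$DomainGroup = 'CORP\ACE-Admins')

$local = Get-LocalGroup -Name 'mqbrkrs' -ErrorAction Stop

# Add-LocalGroupMember throws if the principal is already a member, so check first.
$direct = Get-LocalGroupMember -Group $local | ForEach-Object Name
if ($direct -notcontains $DomainGroup) {
    Add-LocalGroupMember -Group $local -Member $DomainGroup
    Write-Host "Added $DomainGroup to mqbrkrs"
} else {
    Write-Host "$DomainGroup is already a direct member of mqbrkrs"
}

function Test-MqbrkrsInToken {
    # Group membership is evaluated when the logon token is built, so a user
    # who became a member just now (directly or through the nested domain
    # group) does not pass this check until they log off and on again.
    # Get-LocalGroupMember lists direct members only and does not expand the
    # domain group, which is why the token, not the group listing, is checked.
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $wanted = ([System.Security.Principal.NTAccount]"$env:COMPUTERNAME\mqbrkrs").Translate(
                  [System.Security.Principal.SecurityIdentifier])
    return $id.Groups -contains $wanted
}

if (Test-MqbrkrsInToken) {
    Write-Host "$env:USERDOMAIN\$env:USERNAME holds mqbrkrs in the current token"
} else {
    Write-Host "mqbrkrs is not in the current token; log off and on after the group change"
}
```

The token check is the one that matters operationally: a freshly added domain user who runs mqsistart in a session opened before the change still fails the mqbrkrs requirement, because Windows does not re-evaluate group membership for an existing logon.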

Each entry lists the task, the command that performs it, and the authorization that the user ID running the command requires.
Create an integration node.

mqsicreatebroker command

  • Member of mqbrkrs.
  • If administration security is active, and if the authorization mode is mq, the user ID that runs this command must be a member of the mqm group. If you do not want to run with mqm authority, you must work with your IBM MQ administrator to create or delete the appropriate authority queue before you run the command. For more information about creating the system queues, see Creating the default system queues on an IBM MQ queue manager.
  • If you use the mqsicreatebroker command with the -d parameter, the integration node is configured to start and stop with the queue manager that is associated with the integration node. To use the -d parameter, the user ID that runs the command must be a member of the mqm group.
Delete an integration node.

mqsideletebroker command

  • Member of mqbrkrs.
Add or remove an integration node instance.

mqsiaddbrokerinstance command

mqsiremovebrokerinstance command

  • Member of mqbrkrs.
Back up an integration node

mqsibackupbroker command

  • Member of mqbrkrs.
Restore an integration node.

mqsirestorebroker command

  • Member of mqbrkrs.
Start an integration node, or verify an integration node

mqsistart command

mqsicvp command

  • Member of mqbrkrs.
Stop an integration node.

mqsistop command

  • Member of mqbrkrs.
Create an integration server.

mqsicreateexecutiongroup command

  • Member of mqbrkrs.
  • If administration security is active, and if the authorization mode is mq, the user ID that the integration node runs under must be a member of the group mqm. If you do not want your integration node to run with mqm authority, you must work with your IBM MQ administrator. You must create or delete the appropriate authority queue when you create or delete an integration server.
Delete an integration server.

mqsideleteexecutiongroup command

  • Member of mqbrkrs.
Start or stop a message flow.

mqsistartmsgflow command

mqsistopmsgflow command

  • Member of mqbrkrs.
List integration nodes

mqsilist command

  • Member of mqbrkrs to run the command with an integration node and integration server specified, for example:
    mqsilist integrationNodeName -e integrationServerName
Show integration node properties

mqsireportproperties command

mqsireportflowmonitoring command

mqsireportflowstats command

mqsireportflowuserexits command

  • Member of mqbrkrs.
Change properties

mqsichangeproperties command

mqsichangeflowmonitoring command

mqsichangeflowstats command

mqsichangeflowuserexits command

mqsichangeresourcestats command

  • Member of mqbrkrs.
Create, update, retrieve, or delete security credentials

mqsicredentials command

  • Member of mqbrkrs.
Create or destroy a vault, change or verify a vault key, retrieve credentials from the vault

mqsivault command

  • Member of mqbrkrs.
Set and update passwords

mqsisetdbparms command

  • Member of mqbrkrs.
List set parameters that are on an integration node.

mqsireportdbparms command

  • Member of mqbrkrs.
Report or update an integration node mode.

mqsimode command

  • Member of mqbrkrs.
Deploy an object to an integration node.

mqsideploy command

  • Member of mqbrkrs.
Reload an integration node, integration server, or security.

mqsireload command

mqsireloadsecurity command

  • Member of mqbrkrs.
Trace an integration node.

mqsichangetrace command

  • Member of mqbrkrs.
Create the mqbrkrs group and add the current user to it.

mqsisetsecurity command

  • Member of Administrators.
  • On Windows systems, this command must be run from a command prompt with elevated privileges.
Install, uninstall, or list .NET assemblies in the Global Assembly Cache.

mqsiAssemblyInstall command

  • Member of Administrators.
  • On Windows systems, this command must be run from a command prompt with elevated privileges.
Global cache administration

mqsicacheadmin command

  • Member of mqbrkrs.
Run commands that require elevated privileges.

mqsicommandconsole command

  • Member of Administrators.
Set up symbolic links that are needed for coordinated transactions.

mqsimanagexalinks command

  • Member of mqbrkrs.
  • The user ID must have write access to the MQ_installation_directory\exits and MQ_installation_directory\exits64 directories.
Package a BAR file

mqsipackagebar command

  • Member of mqbrkrs.
  • The user ID must have write access to the -w (root location), -a (BAR file location), and -v (trace file location) directories.
Create or modify a web user account.

mqsiwebuseradmin command

  • Member of mqbrkrs.
Change the administration security authorization mode.

mqsichangeauthmode command

  • Member of mqbrkrs.
  • If administration security is active, and if the authorization mode is mq, the user ID that runs this command must be a member of the mqm group. If you do not want to run with mqm authority, you must work with your IBM MQ administrator to create or delete the appropriate authority queue before you run the command. For more information about creating the system queues, see Creating the default system queues on an IBM MQ queue manager.
Show the current administration security authorization mode.

mqsireportauthmode command

  • Member of mqbrkrs.
Change file-based permissions.

mqsichangefileauth command

  • Member of mqbrkrs.
Show the current file-based permissions.

mqsireportfileauth command

  • Member of mqbrkrs.
Run an integration node (service user ID); see note 1.

Not applicable (the integration node runs as a Windows service under this user ID; no command is involved)

  • Member of mqbrkrs.
  • The integration node service user ID must have the Log on as a service right (SeServiceLogonRight) in the Windows Local Security Policy.
Notes:
  1. By default, when an integration node is created, the service user ID is given the required permissions to access relevant directories of the product directory tree. For example, write access to the logs directory.

    This access is granted even if you set a non-default location, by using the -w flag on the mqsicreatebroker command. If the access is changed manually, you must ensure that the mqbrkrs group has appropriate access to the directories in the product directory tree.

  2. Ensure that mqbrkrs can access all user-defined queues that you defined for use by your message flows. Use the setmqaut command to grant the authorities, and dspmqaut with the same -m, -n, -t, and -g options to confirm what the group holds. Grant only what each flow needs.
    • Set the following permissions on all input queues:
      setmqaut -m INODE -n TEST_INPUT -t queue -g mqbrkrs +get +inq

    • Set the following permissions on all output queues:
      setmqaut -m INODE -n TEST_OUTPUT -t queue -g mqbrkrs +put +inq +setall
    • You might also need to add +passid +passall +setid +setall, depending on your requirements.
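The queue authorities from note 2, applied across a set of flow queues and verified afterwards with dspmqaut, as an added PowerShell example that is not part of the IBM documentation. The queue manager name INODE and the queue names are constructed for illustration; run it as a member of mqm on the queue manager's host:

```powershell
# Added example; not from the IBM documentation. Grants mqbrkrs the minimum
# IBM MQ authorities a message flow needs on its queues and verifies the
# result with dspmqaut. Queue manager INODE and the queue names are
# constructed for illustration.
$Qmgr = 'INODE'
$inputQueues  = @('TEST_INPUT', 'ORDERS.IN')       # flows get from these
$outputQueues = @('TEST_OUTPUT', 'ORDERS.OUT')     # flows put to these

# Least privilege: input queues need get and inq; output queues need put, inq
# and setall (setall lets the flow set the full message context on outgoing
# messages; drop it if your flows never set context). Add +passid, +passall or
# +setid only where a flow genuinely passes or sets identity context.
$inputAuths  = @('+get', '+inq')
$outputAuths = @('+put', '+inq', '+setall')

function Grant-QueueAuth {
    param([string]$Queue, [string[]]$Authorities)
    # setmqaut is additive: authorities the group already holds are kept.
    & setmqaut -m $Qmgr -n $Queue -t queue -g mqbrkrs @Authorities | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setmqaut failed for $Queue (rc=$LASTEXITCODE)" }
}

function Get-QueueAuth {
    param([string]$Queue)
    # dspmqaut prints one authority per indented line after a header line:
    #   Entity mqbrkrs has the following authorizations for object TEST_INPUT:
    #           get
    #           inq
    & dspmqaut -m $Qmgr -n $Queue -t queue -g mqbrkrs |
        ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^[a-z]+$' }
}

function Test-QueueAuth {
    param([string]$Queue, [string[]]$Required)
    $granted = @(Get-QueueAuth -Queue $Queue)
    $wanted  = @($Required | ForEach-Object { $_.TrimStart('+') })
    $missing = @($wanted | Where-Object { $granted -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "$Queue is missing: $($missing -join ' ')"
        return $false
    }
    # Flag anything broader than requested, for example a leftover +allmqi.
    $extra = @($granted | Where-Object { $wanted -notcontains $_ })
    if ($extra.Count -gt 0) { Write-Warning "$Queue also grants: $($extra -join ' ')" }
    return $true
}

foreach ($q in $inputQueues)  { Grant-QueueAuth -Queue $q -Authorities $inputAuths }
foreach ($q in $outputQueues) { Grant-QueueAuth -Queue $q -Authorities $outputAuths }

$ok = $true
foreach ($q in $inputQueues)  { $ok = (Test-QueueAuth -Queue $q -Required $inputAuths)  -and $ok }
foreach ($q in $outputQueues) { $ok = (Test-QueueAuth -Queue $q -Required $outputAuths) -and $ok }
if (-not $ok) { exit 1 }
"All queues carry the requested authorities for mqbrkrs on $Qmgr"
```

Because setmqaut only adds, the verification step is what catches a queue that was previously granted +allmqi or +all; the script warns about such surplus authorities rather than removing them, so that a deliberate grant is not silently undone.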

Integration node security requirements on Windows

On all Windows platforms, there is no requirement for the service user ID to be a member of the Administrators group. The only requirement is that the service user ID is a member of the mqbrkrs group. The built-in LocalSystem, LocalService, or NetworkService accounts can also be used as the service user ID, by specifying the account name with the -i parameter on the mqsicreatebroker command; no password is required for these accounts. Of the three, LocalSystem is highly privileged on the local computer, so for least privilege prefer a dedicated account that is a member of mqbrkrs only, or LocalService or NetworkService where they meet your requirements.
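A pre-flight check for a dedicated service user ID, covering the two requirements above (mqbrkrs membership and the Log on as a service right), as an added PowerShell example that is not part of the IBM documentation. The account CORP\svc-acenode is an assumption; the built-in LocalSystem, LocalService and NetworkService accounts do not need this check and should not be passed to it. The right is read and, if missing, granted through secedit, which ships with Windows:

```powershell
# Added example; not from the IBM documentation. Confirms that the intended
# integration node service user ID is a direct member of mqbrkrs and holds
# SeServiceLogonRight ("Log on as a service"), granting the right with secedit
# if it is missing. CORP\svc-acenode is an assumption.
#Requires -RunAsAdministrator
param([string]$ServiceUser = 'CORP\svc-acenode')

$sid = ([System.Security.Principal.NTAccount]$ServiceUser).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. mqbrkrs membership (direct members only; nested domain groups are not expanded).
$members = Get-LocalGroupMember -Group 'mqbrkrs' | ForEach-Object Name
if ($members -notcontains $ServiceUser) {
    Write-Warning "$ServiceUser is not a direct member of mqbrkrs"
}

# 2. SeServiceLogonRight, read from an export of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'

function Get-ServiceLogonHolders {
    # Export only the user-rights area; the line of interest looks like
    #   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
    & secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    if (-not $line) { return }
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

$holders = @(Get-ServiceLogonHolders)
if ($holders -contains $sid) {
    "$ServiceUser already holds SeServiceLogonRight"
} else {
    # Rewrite the exported template with the account appended, keeping every
    # existing holder, then apply only the USER_RIGHTS area. secedit writes and
    # reads the .inf as UTF-16, so preserve that encoding.
    $newLine = 'SeServiceLogonRight = ' + (($holders + $sid | ForEach-Object { "*$_" }) -join ',')
    $out = foreach ($l in (Get-Content $cfg)) {
        if ($l -match '^SeServiceLogonRight\s*=') { $newLine }
        else {
            $l
            # No existing line: add one directly under the section header.
            if ($holders.Count -eq 0 -and $l -eq '[Privilege Rights]') { $newLine }
        }
    }
    Set-Content -Path $cfg -Value $out -Encoding Unicode
    & secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (rc=$LASTEXITCODE)" }
    if (@(Get-ServiceLogonHolders) -contains $sid) {
        "Granted SeServiceLogonRight to $ServiceUser"
    } else {
        throw "SeServiceLogonRight still missing for $ServiceUser"
    }
}
Remove-Item $cfg, $db -ErrorAction SilentlyContinue
```

Resolving the SID requires the domain to be reachable. If the right is assigned by Group Policy rather than locally, the domain policy overrides the local setting at the next refresh, so the change must then be made in the applicable GPO instead.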