Access control is the process of restricting access to resources. MSMQ access control is based on Windows NT security, which functions only when users are logged on and have access to domain controllers. However, MSMQ supports store-and-forward message queuing, so the source and destination computers do not need to be online at the same time. For MSMQ to support access control for disconnected users, the destination computer must check the access rights of the user who sent the message. Because the user who sent the message may not be logged on, MSMQ uses the sender's security identifier (SID) to verify the sender's access rights on a queue. If a queue restricts who can send messages to it, the sending application must attach the sender's SID to a message.
Caution: In MSMQ, security is defined on each object. Therefore, if you deny yourself the Get Properties permission to a queue, you will not be able to see the queue, and will not be able to regain access to it, even if you still have the Change Security permission for the queue. However, it is still possible to regain control programmatically using the MSMQ API.
Also, any user who has the Take Ownership right on a PEC, PSC, or BSC can take ownership of any object within the enterprise without explicitly having the Take Ownership access right on the specific object.
To install a PSC, you must have the required MSMQ access permissions and belong to the Administrators group on the PEC computer. To install a BSC, you must have the required MSMQ access permissions and belong to the Administrators group on the PSC or PEC computer that the BSC will support.
You can limit access to the enterprise, sites, CNs, computers, and queues on an individual or group basis. For information on how to set permissions, see MSMQ Explorer Help.
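The following Windows PowerShell script is an added example, not part of the original documentation. It uses the .NET Framework `System.Messaging` classes to restrict who can send to a queue and to send a message that carries the sender's SID, as described above. The queue path `.\private$\acl-demo` and the choice of the current user as the only permitted sender are assumptions made for illustration.

```powershell
# Added example. Assumes Windows PowerShell on a computer with MSMQ installed.
Add-Type -AssemblyName System.Messaging

$path = '.\private$\acl-demo'   # hypothetical queue used only for this example
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Resolve the Everyone group from its well-known SID so the name is locale-safe.
$everyone = (New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')).
    Translate([System.Security.Principal.NTAccount]).Value

# Create the queue if it does not exist, otherwise open it.
if ([System.Messaging.MessageQueue]::Exists($path)) {
    $queue = New-Object System.Messaging.MessageQueue($path)
} else {
    $queue = [System.Messaging.MessageQueue]::Create($path)
}

# Restrict who can send: remove any Send grant held by Everyone,
# then allow Send for one named account (here, the current user).
$send = [System.Messaging.MessageQueueAccessRights]::WriteMessage
$queue.SetPermissions($everyone, $send, [System.Messaging.AccessControlEntryType]::Revoke)
$queue.SetPermissions($me.Name,  $send, [System.Messaging.AccessControlEntryType]::Allow)

# Attach the sender's SID so the destination can check it against the
# queue's permissions even when the sender is no longer logged on.
$msg = New-Object System.Messaging.Message('access control test')
$msg.AttachSenderId = $true
$queue.Send($msg)

# Read the message back and show the SID that travelled with it.
$queue.MessageReadPropertyFilter.SenderId = $true
$received = $queue.Receive([TimeSpan]::FromSeconds(5))
$attached = if ($received.SenderId.Length -gt 0) {
    (New-Object System.Security.Principal.SecurityIdentifier($received.SenderId, 0)).Value
} else {
    $null   # no SID was attached to the message
}

[pscustomobject]@{
    Queue         = $path
    AttachedSid   = $attached
    CurrentUser   = $me.User.Value
    SidMatchesMe  = ($attached -eq $me.User.Value)
}
```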