Access control for Message Queuing

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Access control is used to restrict user access to Message Queuing objects in Active Directory and can be implemented by assigning security descriptors to objects. A security descriptor lists the users and groups that are granted or denied access to an object and the specific permissions assigned to those users and groups. This part of the security descriptor is known as a discretionary access control list (DACL). By setting the permissions on an object, the owner of the object controls which access is allowed. The Message Queuing objects include computer (msmq), queue, routing link, and MSMQ Settings objects. For more information on Message Queuing objects, where they are created, and where they are located in Active Directory, see Message Queuing and Active Directory.

Permissions can also be used to restrict users from sending messages to, or retrieving messages from, a particular queue on a computer. Although messages are not objects in Active Directory, they are protected through the security descriptor of the queue object.

Because Message Queuing provides asynchronous messaging, the source and destination computers do not need to be online at the same time. In this case, Message Queuing can implement access control for offline users through the use of sender security IDs (SIDs). For example, because a queue can restrict access to itself, the sending application must attach the sender's SID to any message directed to that queue. The Message Queuing service on the destination computer then checks the SID to verify that the sender has the proper permissions to access the queue.
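The queue permissions and sender SID described above can be exercised from PowerShell through the .NET Framework `System.Messaging` classes. This is an added example, not part of the original documentation. The queue path and the account names are hypothetical placeholders, and it assumes Message Queuing and the .NET Framework are installed on the local computer.

```powershell
# Added example: tighten a queue's DACL so only named trustees can send or receive.
# Assumptions: queue path and CONTOSO\* accounts are hypothetical placeholders.
Add-Type -AssemblyName System.Messaging

$queuePath = '.\private$\orders'        # hypothetical private queue
$senders   = 'CONTOSO\OrderSenders'     # hypothetical group allowed to send
$receiver  = 'CONTOSO\OrderService'     # hypothetical account allowed to receive

# Open the queue, creating it if it does not exist yet.
if ([System.Messaging.MessageQueue]::Exists($queuePath)) {
    $queue = New-Object System.Messaging.MessageQueue $queuePath
} else {
    $queue = [System.Messaging.MessageQueue]::Create($queuePath)
}

$rights = [System.Messaging.MessageQueueAccessRights]
$entry  = [System.Messaging.AccessControlEntryType]

# Remove whatever rights the Everyone group currently holds on this queue,
# so that access depends only on the entries set below.
$queue.SetPermissions('Everyone', $rights::FullControl, $entry::Revoke)

# "Set" overwrites any existing rights for the trustee with exactly these.
$queue.SetPermissions($senders,  $rights::WriteMessage,   $entry::Set)
$queue.SetPermissions($receiver, $rights::ReceiveMessage, $entry::Set)

# Send a test message with the sender's SID attached. AttachSenderId is
# true by default; it is set explicitly here because the destination
# Message Queuing service checks this SID against the queue's DACL.
$message = New-Object System.Messaging.Message 'constructed test body'
$message.AttachSenderId = $true
try {
    $queue.Send($message)
    Write-Output "Send accepted for $([Environment]::UserName)"
} catch [System.Messaging.MessageQueueException] {
    # The caller's SID is not granted WriteMessage on the queue.
    Write-Output "Send refused: $($_.Exception.MessageQueueErrorCode)"
} finally {
    $queue.Dispose()
}
```

Run it under an account that owns the queue or holds permission to change queue permissions; repeat the send from an account outside the sender group to confirm that the DACL blocks it.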

Note

  • You must also be granted certain permissions to be able to install and uninstall Message Queuing. For more information, see Installation permissions.

For more information on access control for the Windows Server 2003 family, see Access Control, in the Windows Help file.