MQSetQueueSecurity

The MQSetQueueSecurity function sets the access control security for the queue. 

HRESULT APIENTRY MQSetQueueSecurity(
  LPCWSTR lpwcsFormatName,                    
  SECURITY_INFORMATION *SecurityInformation,  
  PSECURITY_DESCRIPTOR *pSecurityDescriptor  
);

Parameters

lpwcsFormatName
[in] Pointer to the format name string of the queue to be secured. You cannot specify a direct format name.
securityInformation
[in] Specifies a SECURITY_INFORMATION structure identifying the contents of the security descriptor pointed to by the pSecurityDescriptor parameter. (For information on the SECURITY_INFORMATION structure, see the Microsoft Platform SDK.)
pSecurityDescriptor
[in] Pointer to a SECURITY_DESCRIPTOR structure. Can be set to NULL; see default values in the following Return Values section. (For information on the SECURITY_DESCRIPTOR structure, see the Microsoft Platform SDK.)

Return Values

MQ_OK
Indicates success.
MQ_ERROR_ACCESS_DENIED
The process owner does not have the sufficient access rights to set the queue security information. The following access rights may be required:
  • MQSEC_CHANGE_QUEUE_PERMISSIONS

  • MQSEC_TAKE_QUEUE_OWNERSHIP

If access is denied, contact someone who has rights to modify the security descriptor.


MQ_ERROR_FUNCTION_NOT_SUPPORTED
MQSetQueueSecurity is not supported in Windows 95.
MQ_ERROR_ILLEGAL_FORMATNAME
The lpwcsFormatName parameter specified an illegal format name.
MQ_ERROR_NO_DS
No connection with the Site Controller server. Cannot access the MQIS.
MQ_ERROR_PRIVILEGE_NOT_HELD
The process owner does not have the proper privilege to set the queue's system access control list.
MQ_ERROR_SERVICE_NOT_AVAILABLE
Cannot connect to the Queue Manager.
MQ_ERROR_UNSUPPORTED_FORMATNAME_OPERATION
The lpwcsFormatName parameter contains a public or private queue using a direct format name or a journal, dead letter, or connector queue.

Remarks

Following are the default values for the security descriptor.

Default Value Meaning
Owner The process user.
Group The process group.
DACL Full control for the process user. All processes of other users can get queue properties, get queue security, and send messages to the queue.
SACL None.

The format name of the queue (specified by lpwcsFormatName) must be a public or private format name. MSMQ must be able to access MQIS (for public queues) or the local computer (for private queues) to get the queue's security descriptor.

If the format name of the queue is unknown, see Format Name to find ways to obtain a new format name.

The following access rights and privileges are required to change the queue's security descriptor.

Access Right/Privilege Required To
MQSEC_TAKE_QUEUE
_OWNERSHIP 		Change the owner of the queue. This access right is equivalent to WRITE_OWNER as defined by the Win32 header files.
SE_TAKE_OWNERSHIP
_NAME		 Change the owner of the queue. This privilege can be used instead of having the MQSEC_TAKE_QUEUE_OWNERSHIP access on the queue. If a user has this privilege on the server, the user can change the owner of any public queue in the enterprise. If the user has this privilege on the local computer, the user can change the owner of any private queue.
MQSEC_CHANGE_QUEUE
_PERMISSIONS 		Change the queue's discretionary access control list (DACL) if the process is not the owner of the queue. This access right is equivalent to WRITE_DAC as defined by the Win32 header files.
SE_SECURITY_NAME Change the queue's system ACL (SACL); this privilege must be enabled for the calling process on MQIS for public queues and on the local computer for private queues.

MQGetQueueSecurity cannot retrieve the security descriptor of a journal, dead letter, connector or foreign queues.

A public queue's security descriptor cannot be set by an independent client computer running offline. For information on offline operations, see MSMQ Offline Support.

See Also

MQGetQueueSecurity

© 1997 by Microsoft Corporation. All rights reserved.