Here is a very brief summary of what Ted Ross (QMF guy) and I had discussed in the past.
Ted, please correct/add anything if needed.
1. The broker is bootstrapped with a file-based ACL.
This will control who can and cannot use QMF to manage/control ACL.
2. The ACL module will contain a QMF agent which will handle the requests.
3. The QMF Agent will support (not an exhaustive list) the following:
   1. Add/Remove/Modify users and groups
   2. Add/Remove/Modify permissions
   3. Generate alerts for illegal access
As for JMX, we could probably leverage the QMF <==> JMX bridge written by Andrea.