One way is to define a login module in server/xxx/conf/login-config.xml, and then reference that login module in server/xxx/deploy/messaging-jboss-beans.xml using the SecurityDomain property of the SecurityStore bean. Then for each of you destinations include as SecurityConfig attribute that identifies the roles that have read, write and create roles. The docs/examples/jms/example-destinations.xml file shows examples of setting the SecurityConfig roles.
Surprisingly, the docs are silent on this; at least, I could not find a specific section on securing destinations. Of course, if you are familiar with general access control on JBoss AS, then the access control for emssaging is very simple since it follows the same patterns.
I do have another resource that describes securing destinations in detail, but it is not free. I would be happy to provide the URL if you like.