IBM Support often receives requests from customers for clarification on which IBM MQ Managed File Transfer (MFT) authorities are required to manage transfers with a user account that is not in the mqm group. Authorities for MFT are explained in several places in the IBM Knowledge Center for different features of the product, but there isn't an overview where all the authorities are included in one place. This blog post describes the particular permissions that are required to request an agent to perform simple MFT actions, such as creating a transfer with one or two agents, based on the following example. It also explains how to manage and administer transfers through MQ Explorer.
In this example, I'm going to use the following MFT user ID and agent configuration:
- User name = “fred”
- Agent name = “localAgent”
- Agent queue manager name = “localAgentQmgr”
- Coordination/Command queue manager = “coordQmgr”
Authorities required for MFT agent actions
With the authorities in Table 1 granted to my user “fred”, I would be able to:
- Stop and start “localAgent”
- Create/schedule/cancel file transfers that “localAgent” is involved with
- Create/delete transfer templates and resource monitors for “localAgent”
Note that the system topic and queues mentioned in Table 1 are all held on the coordination queue manager.
| MQ Objects | Authorities | Brief Description |
|---|---|---|
| localAgentQmgr | connect, inquire, setid | The agent queue manager. |
| coordQmgr | connect | Coordination and command queue manager. |
| SYSTEM.FTE.COMMAND.localAgent | put, get, browse, setid | All internal and external commands submitted to the agent are held on this queue to be processed by the agent. |
| SYSTEM.FTE.DATA.localAgent | put, get | This queue stores file data for transfer requests. |
| SYSTEM.FTE.STATE.localAgent | put, get, browse, inquire | This queue holds information for the transfers that are currently in progress. |
| SYSTEM.FTE.EVENT.localAgent | put, get, browse | Holds definitions and history of resource monitors. |
| SYSTEM.FTE.REPLY.localAgent | put, get | Stores reply messages from destination agents. |
| SYSTEM.FTE topic | publish, subscribe, resume | All MFT-related information is held on this topic, such as agent status, transfer status, monitor status, transfer templates, etc. |
| SYSTEM.FTE queue | put, get | The queue for the SYSTEM.FTE topic. |
| SYSTEM.DEFAULT.MODEL.QUEUE | put, get, display | Template queue that specifies the attributes of dynamic queues. |
To set authorities for each of these objects, you need to issue the “setmqaut” command. For example:
setmqaut -m coordQmgr -t queue -n SYSTEM.FTE.COMMAND.localAgent -p fred +put +get +browse +setid
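The full set of Table 1 grants for this example, printed as a dry run for review before anything is executed (an added example, not part of the original post or IBM's tooling). The function names `mft_grants` and `valid_name` are hypothetical; the table's inquire, display, publish and subscribe are written with the setmqaut keywords `inq`, `dsp`, `pub` and `sub`; and the agent queues use the same `-m coordQmgr` as the command above.

```shell
#!/bin/sh
# Added example: prints (does not run) one setmqaut command per Table 1 row,
# so the grants for a non-mqm user can be reviewed before they are applied.

# Accept only characters that are valid in MQ object names. Anything else
# (spaces, ';', '$', a leading '-') is rejected so the printed commands
# stay safe to paste into a shell.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._%/]*) return 1 ;;
        *) return 0 ;;
    esac
}

# mft_grants USER AGENT AGENT_QMGR COORD_QMGR   (hypothetical helper)
mft_grants() {
    [ "$#" -eq 4 ] || { echo "usage: mft_grants user agent agentQmgr coordQmgr" >&2; return 1; }
    for arg in "$@"; do
        valid_name "$arg" || { echo "invalid name: $arg" >&2; return 1; }
    done
    user=$1 agent=$2 aqm=$3 cqm=$4

    # Queue manager objects: -t qmgr takes no -n profile.
    echo "setmqaut -m $aqm -t qmgr -p $user +connect +inq +setid"
    echo "setmqaut -m $cqm -t qmgr -p $user +connect"

    # Agent queues SYSTEM.FTE.<suffix>.<agent>, one Table 1 row per line.
    while read -r suffix auths; do
        echo "setmqaut -m $cqm -t queue -n SYSTEM.FTE.$suffix.$agent -p $user $auths"
    done <<EOF
COMMAND +put +get +browse +setid
DATA +put +get
STATE +put +get +browse +inq
EVENT +put +get +browse
REPLY +put +get
EOF

    # Topic, its queue, and the model queue used for dynamic queues.
    echo "setmqaut -m $cqm -t topic -n SYSTEM.FTE -p $user +pub +sub +resume"
    echo "setmqaut -m $cqm -t queue -n SYSTEM.FTE -p $user +put +get"
    echo "setmqaut -m $cqm -t queue -n SYSTEM.DEFAULT.MODEL.QUEUE -p $user +put +get +dsp"
}

# The configuration used in this post.
mft_grants fred localAgent localAgentQmgr coordQmgr
```

Each printed line grants only the authorities listed for that object, which keeps “fred” out of the mqm group while still covering every row of Table 1.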
Also remember to refresh the security settings to ensure the queue manager has picked up the new authorities granted to the user. This can be done using MQSC command “
Authorities required when transferring a file between two different agents
If I want to transfer a file from “localAgent” to another agent called “partnerAgent”, which is started by a different user (for example, the user account “billy”), then the authorities detailed in Table 2 are required for both the source and destination agent users.
| Agent Users | Agent Queues | Authority Required |
|---|---|---|
This allows “localAgent” (running as user “fred”) to be able to send messages to “partnerAgent”, and “partnerAgent” (running as user “billy”) to send messages to “localAgent”.
Additional authorities required when managing transfers through MQ Explorer
To administer MFT via MQ Explorer, the user running MQ Explorer needs the authorities in Table 3, which allow the user to see information for agents, resource monitors and transfer logs:
| Coordination/Command queue manager | connect, inquire, display |
| SYSTEM.FTE topic | publish, subscribe |
| SYSTEM.MQEXPLORER.REPLY.MODEL queue | inquire, display, get |
Furthermore, if the user wants to create/schedule/cancel file transfers and create/delete transfer templates and resource monitors using MQ Explorer, the authorities in Table 4 need to be granted in addition to all the authorities mentioned above.
- Giving access to an IBM MQ object on UNIX, Linux, and Windows systems
- Refresh Security
- Group authorities for resources specific to Managed File Transfer
- Connecting to a WebSphere MQ V7.1 or later queue manager in client mode with channel authentication
- Authorisation to use the MQ Explorer