IBM Support often receives requests from customers for clarification on which IBM MQ Managed File Transfer (MFT) authorities are required to manage transfers with a user account that is not in the mqm group. Authorities for MFT are explained in several places in the IBM Knowledge Center for different features of the product, but there isn’t an overview that lists all the authorities in one place. This blog post describes the permissions required to request an agent to perform simple MFT actions, such as creating a transfer with one or two agents, based on the following example. It also explains how to manage and administer transfers through MQ Explorer.

In this example, I’m going to use the following MFT user ID and agent configuration:

  • User name = “fred”
  • Agent name = “localAgent”
  • Agent queue manager name = “localAgentQmgr”
  • Coordination/Command queue manager = “coordQmgr”

Authorities required for MFT agent actions

With the authorities in Table 1 granted to my user “fred”, I would be able to:

  • Stop and start “localAgent”
  • Create/schedule/cancel file transfers that “localAgent” is involved with
  • Create/delete transfer templates and resource monitors for “localAgent”

Note that the system topic and queues mentioned in Table 1 are all held on the coordination queue manager.

Table 1

| MQ Objects | Authorities | Brief Description |
|---|---|---|
| localAgentQmgr | connect, inquire, setid | The agent queue manager. |
| coordQmgr | connect | Coordination and command queue manager. |
| SYSTEM.FTE.COMMAND.localAgent | put, get, browse, setid | All internal and external commands submitted to the agent are held on this queue to be processed by the agent. |
| SYSTEM.FTE.DATA.localAgent | put, get | This queue stores file data for transfer requests. |
| SYSTEM.FTE.STATE.localAgent | put, get, browse, inquire | This queue holds information for the transfers that are currently in progress. |
| SYSTEM.FTE.EVENT.localAgent | put, get, browse | Holds definitions and history of resource monitors. |
| SYSTEM.FTE.REPLY.localAgent | put, get | Stores reply messages from destination agents. |
| SYSTEM.FTE topic | publish, subscribe, resume | All MFT-related information is held on this topic, such as agent status, transfer status, monitor status, transfer templates, etc. |
| SYSTEM.FTE queue | put, get | The queue for the SYSTEM.FTE topic. |
| SYSTEM.DEFAULT.MODEL.QUEUE | put, get, display | Template queue that specifies the attributes of dynamic queues. |



To set authorities for each of these objects, you need to issue the “setmqaut” command. For example:
setmqaut -m coordQmgr -t queue -n SYSTEM.FTE.COMMAND.localAgent -p fred +put +get +browse +setid

Also remember to refresh the security settings to ensure the queue manager has picked up the new authorities granted to the user. This can be done using the MQSC command “REFRESH SECURITY(*)”.
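
The Table 1 grants and the refresh step for one user and agent, as an added example that is not part of the original post: a shell function that prints the commands for review and runs none of them. It follows the note above Table 1 in placing the queues and topic on the coordination queue manager; the function names and the name check are this example's own.

```shell
#!/bin/sh
# Added example: prints the setmqaut commands for Table 1; it runs none of them.
# setmqaut keywords: inquire=+inq, display=+dsp, publish=+pub, subscribe=+sub.

# emit QMGR TYPE NAME PRINCIPAL AUTH...   (NAME "-" = no -n, as with -t qmgr)
emit() {
    _qm=$1 _type=$2 _name=$3 _who=$4
    shift 4
    if [ "$_name" = "-" ]; then
        printf 'setmqaut -m %s -t %s -p %s' "$_qm" "$_type" "$_who"
    else
        printf 'setmqaut -m %s -t %s -n %s -p %s' "$_qm" "$_type" "$_name" "$_who"
    fi
    for _a in "$@"; do printf ' +%s' "$_a"; done
    printf '\n'
}

# mft_agent_grants USER AGENT AGENT_QMGR COORD_QMGR
mft_agent_grants() {
    [ $# -eq 4 ] || { echo "usage: mft_agent_grants USER AGENT AGENT_QMGR COORD_QMGR" >&2; return 2; }
    # Conservative check (this example's choice) so the output is safe to paste.
    for _v in "$@"; do
        case $_v in
            ''|*[!A-Za-z0-9._-]*) echo "refusing name: $_v" >&2; return 1 ;;
        esac
    done
    u=$1 agent=$2 aqm=$3 cqm=$4
    emit "$aqm" qmgr - "$u" connect inq setid
    emit "$cqm" qmgr - "$u" connect
    # Queues and topic go to the coordination queue manager, as the page states.
    emit "$cqm" queue "SYSTEM.FTE.COMMAND.$agent" "$u" put get browse setid
    emit "$cqm" queue "SYSTEM.FTE.DATA.$agent"    "$u" put get
    emit "$cqm" queue "SYSTEM.FTE.STATE.$agent"   "$u" put get browse inq
    emit "$cqm" queue "SYSTEM.FTE.EVENT.$agent"   "$u" put get browse
    emit "$cqm" queue "SYSTEM.FTE.REPLY.$agent"   "$u" put get
    emit "$cqm" topic SYSTEM.FTE "$u" pub sub resume
    emit "$cqm" queue SYSTEM.FTE "$u" put get
    emit "$cqm" queue SYSTEM.DEFAULT.MODEL.QUEUE "$u" put get dsp
    # Refresh so the queue managers pick up the new authorities.
    for _q in "$aqm" "$cqm"; do
        printf 'echo "REFRESH SECURITY(*)" | runmqsc %s\n' "$_q"
    done
}

# Constructed sample values, taken from the page's example configuration.
mft_agent_grants fred localAgent localAgentQmgr coordQmgr
```

Reviewing the printed list before running it makes it easy to confirm that the user receives only the authorities in Table 1 and nothing broader.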

Authorities required when transferring a file between two different agents

If I want to transfer a file from “localAgent” to another agent called “partnerAgent” that is started by a different user, for example the user account “billy”, then the authorities detailed in Table 2 are required for both the source and destination agent users.

Table 2

| Agent Users | Agent Queues | Authority Required |
|---|---|---|
| fred | SYSTEM.FTE.COMMAND.partnerAgent, SYSTEM.FTE.DATA.partnerAgent | put |
| billy | SYSTEM.FTE.COMMAND.localAgent, SYSTEM.FTE.REPLY.localAgent | put |


This allows “localAgent” (running as user “fred”) to send messages to “partnerAgent”, and “partnerAgent” (running as user “billy”) to send messages to “localAgent”.

Additional authorities required when managing transfers through MQ Explorer

To administer MFT via MQ Explorer, the user running MQ Explorer needs the authorities in Table 3, which allow the user to see information for agents, resource monitors and transfer logs:

Table 3

| MQ Objects | Authorities |
|---|---|
| Coordination/Command queue manager | connect, inquire, display |
| SYSTEM.FTE topic | publish, subscribe |
| SYSTEM.MQEXPLORER.REPLY.MODEL queue | inquire, display, get |
| SYSTEM.ADMIN.COMMAND.QUEUE | inquire, put |



Furthermore, if the user wants to create/schedule/cancel file transfers and create/delete transfer templates and resource monitors using MQ Explorer, the authorities in Table 4 need to be granted in addition to all the authorities mentioned above.

Table 4

| MQ Objects | Authorities |
|---|---|
| SYSTEM.MQEXPLORER.REPLY.MODEL queue | browse |
| SYSTEM.ADMIN.COMMAND.QUEUE | display |
| SYSTEM.DEFAULT.MODEL.QUEUE | inquire, browse |

