What authorities to grant for non-mqm users to perform Managed File Transfer actions?
Gantigmaa Selenge
Published on 05/10/2017 / Updated on 30/07/2018
IBM Support often receives requests from customers asking which IBM MQ Managed File Transfer (MFT) authorities are required to manage transfers with a user account that is not in the mqm group. MFT authorities are documented in several places in the IBM Knowledge Center, under the individual features of the product, but there is no overview that brings them all together in one place. This post lists the permissions required to have an agent perform common MFT actions, such as creating a transfer that involves one or two agents, based on the example configuration below. It also explains what is needed to manage and administer transfers through MQ Explorer.
In this example, I’m going to use the following MFT user ID and agent configuration:
- User name = “fred”
- Agent name = “localAgent”
- Agent queue manager name = “localAgentQmgr”
- Coordination/Command queue manager = “coordQmgr”
Authorities required for MFT agent actions
With the authorities in Table 1 granted to my user “fred”, I would be able to:
- Stop and start “localAgent”
- Create/schedule/cancel file transfers that “localAgent” is involved with
- Create/delete transfer templates and resource monitors for “localAgent”
Note where the objects in Table 1 live: the SYSTEM.FTE.COMMAND, DATA, STATE, EVENT and REPLY queues for localAgent are defined on the agent queue manager (localAgentQmgr) by the MQSC script that fteCreateAgent generates, while the SYSTEM.FTE topic and SYSTEM.FTE queue are defined on the coordination queue manager (coordQmgr). SYSTEM.DEFAULT.MODEL.QUEUE is used on the queue manager that the MFT commands connect to for their temporary reply queues (coordQmgr in this example, since it is also the command queue manager). Each authority has to be granted on the queue manager that holds the object; if commands are submitted through a separate command queue manager that reaches the agent's command queue via a remote queue definition or a cluster, the put is checked on that queue manager too.
Table 1

| MQ Object | Authorities | Brief description |
|---|---|---|
| localAgentQmgr | connect, inquire, setid | The agent queue manager. |
| coordQmgr | connect | Coordination and command queue manager. |
| SYSTEM.FTE.COMMAND.localAgent | put, get, browse, setid | All internal and external commands submitted to the agent are held on this queue until the agent processes them. |
| SYSTEM.FTE.DATA.localAgent | put, get | Holds the file data for transfer requests. |
| SYSTEM.FTE.STATE.localAgent | put, get, browse, inquire | Holds information about transfers that are currently in progress. |
| SYSTEM.FTE.EVENT.localAgent | put, get, browse | Holds the definitions and history of resource monitors. |
| SYSTEM.FTE.REPLY.localAgent | put, get | Stores reply messages from destination agents. |
| SYSTEM.FTE topic | publish, subscribe, resume | All MFT-related information is published on this topic: agent status, transfer status, monitor status, transfer templates, etc. |
| SYSTEM.FTE queue | put, get | The queue associated with the SYSTEM.FTE topic. |
| SYSTEM.DEFAULT.MODEL.QUEUE | put, get, display | Model queue that specifies the attributes of the dynamic queues created by the commands. |
To set the authorities for each of these objects, issue the setmqaut command against the queue manager that holds the object. For example, for the agent's command queue on the agent queue manager:

setmqaut -m localAgentQmgr -t queue -n SYSTEM.FTE.COMMAND.localAgent -p fred +put +get +browse +setid

The authorities are space-separated keywords (no commas), using the short forms that setmqaut accepts: inq for inquire, dsp for display, pub and sub for publish and subscribe. Note that on UNIX and Linux a -p principal is recorded as the user's primary group unless the queue manager is configured for user-based authorization, so every member of that group receives the same authorities; use -g to grant to a group explicitly. Afterwards, refresh the security cache so the queue manager picks up the new authority records, using the MQSC command REFRESH SECURITY(*), for example echo "REFRESH SECURITY(*)" | runmqsc localAgentQmgr. You can confirm what is granted with dspmqaut -m localAgentQmgr -t queue -n SYSTEM.FTE.COMMAND.localAgent -p fred.
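The following script, added here as an example and not part of the original post, emits the complete set of setmqaut commands for Table 1 for one agent and one user, followed by the REFRESH SECURITY step. The user, agent and queue manager names are the post's; the function names and the MQ_DRY_RUN switch are this example's own. By default it only prints the commands so they can be reviewed before anything changes on a queue manager.

```shell
#!/bin/sh
# Added example (not from the original post): emit the setmqaut commands
# that grant a non-mqm user the Table 1 authorities for one agent. The
# user, agent and queue manager names are the post's; the function names
# and the MQ_DRY_RUN switch are this example's own.
#
# By default the commands are only printed so they can be reviewed before
# anything changes; set MQ_DRY_RUN=0 to execute them on a host with MQ.

# run_or_print CMD ARGS... : show the command, execute it when MQ_DRY_RUN=0
run_or_print() {
    printf '%s\n' "$*"
    if [ "${MQ_DRY_RUN:-1}" = 0 ]; then
        "$@"
    fi
}

# mft_agent_auths USER AGENT AGENT_QMGR COORD_QMGR
# One setmqaut per row of Table 1, issued against the queue manager that
# holds the object: the SYSTEM.FTE.*.agent queues on the agent queue
# manager; the SYSTEM.FTE topic/queue and the model queue used by the
# commands on the coordination (and command) queue manager. setmqaut
# takes the short keywords: inq, dsp, pub, sub.
mft_agent_auths() {
    user=$1 agent=$2 aqm=$3 cqm=$4
    run_or_print setmqaut -m "$aqm" -t qmgr -p "$user" +connect +inq +setid
    run_or_print setmqaut -m "$cqm" -t qmgr -p "$user" +connect
    run_or_print setmqaut -m "$aqm" -t queue -n "SYSTEM.FTE.COMMAND.$agent" -p "$user" +put +get +browse +setid
    run_or_print setmqaut -m "$aqm" -t queue -n "SYSTEM.FTE.DATA.$agent" -p "$user" +put +get
    run_or_print setmqaut -m "$aqm" -t queue -n "SYSTEM.FTE.STATE.$agent" -p "$user" +put +get +browse +inq
    run_or_print setmqaut -m "$aqm" -t queue -n "SYSTEM.FTE.EVENT.$agent" -p "$user" +put +get +browse
    run_or_print setmqaut -m "$aqm" -t queue -n "SYSTEM.FTE.REPLY.$agent" -p "$user" +put +get
    run_or_print setmqaut -m "$cqm" -t topic -n SYSTEM.FTE -p "$user" +pub +sub +resume
    run_or_print setmqaut -m "$cqm" -t queue -n SYSTEM.FTE -p "$user" +put +get
    run_or_print setmqaut -m "$cqm" -t queue -n SYSTEM.DEFAULT.MODEL.QUEUE -p "$user" +put +get +dsp
}

# refresh_security QMGR : have the queue manager re-read its authority records
refresh_security() {
    printf 'echo "REFRESH SECURITY(*)" | runmqsc %s\n' "$1"
    if [ "${MQ_DRY_RUN:-1}" = 0 ]; then
        printf 'REFRESH SECURITY(*)\n' | runmqsc "$1"
    fi
}

# Worked run with the post's names; both queue managers are refreshed,
# because authorities were granted on each of them.
mft_agent_auths fred localAgent localAgentQmgr coordQmgr
refresh_security localAgentQmgr
refresh_security coordQmgr
```

Run it once without MQ_DRY_RUN to review the ten setmqaut lines, then with MQ_DRY_RUN=0 as a user in the mqm group on the MQ host. For a second agent on the same queue managers, call mft_agent_auths again with the other agent name; the queue manager and topic grants are idempotent.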
Authorities required when transferring a file between two different agents
If I want to transfer a file from “localAgent” to another agent called “partnerAgent” that runs under a different user account, say “billy”, then the authorities in Table 2 are required for the source and destination agent users, in addition to the Table 1 authorities each user already has for their own agent.

Table 2

| Agent user | Agent queues | Authority required |
|---|---|---|
| fred | SYSTEM.FTE.COMMAND.partnerAgent, SYSTEM.FTE.DATA.partnerAgent | put |
| billy | SYSTEM.FTE.COMMAND.localAgent, SYSTEM.FTE.REPLY.localAgent | put |
This allows “localAgent” (running as user “fred”) to be able to send messages to “partnerAgent”, and “partnerAgent” (running as user “billy”) to send messages to “localAgent”.
Additional authorities required when managing transfers through MQ Explorer
To administer MFT via MQ Explorer, the user running MQ Explorer needs the authorities in Table 3, which allow the user to see information about agents, resource monitors and transfer logs:

Table 3

| MQ Object | Authorities |
|---|---|
| Coordination/command queue manager (coordQmgr) | connect, inquire, display |
| SYSTEM.FTE topic | publish, subscribe |
| SYSTEM.MQEXPLORER.REPLY.MODEL queue | inquire, display, get |
| SYSTEM.ADMIN.COMMAND.QUEUE | inquire, put |
Furthermore, if the user also wants to create/schedule/cancel file transfers and create/delete transfer templates and resource monitors from MQ Explorer, the authorities in Table 4 must be granted in addition to all the authorities mentioned above (Tables 1 to 3).

Table 4

| MQ Object | Additional authorities |
|---|---|
| SYSTEM.MQEXPLORER.REPLY.MODEL queue | browse |
| SYSTEM.ADMIN.COMMAND.QUEUE | display |
| SYSTEM.DEFAULT.MODEL.QUEUE | inquire, browse |
Related links:
- Giving access to an IBM MQ object on UNIX, Linux, and Windows systems
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.sec.doc/q013490_.htm
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q086490_.htm
- Group authorities for resources specific to Managed File Transfer
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.wmqfte.doc/group_resource_access.htm
- Connecting to a WebSphere MQ V7.1 or later queue manager in client mode with channel authentication
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.wmqfte.doc/mq_chlauth.htm
- Authorization to use the MQ Explorer
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.adm.doc/q020400_.htm