Configuring user access for a stand-alone database logger

In a test environment, you can add any new privileges that are needed to your normal user account. In a production environment, it is recommended that you create a new user with the minimum permissions required to do the job.

About this task

The number and type of user accounts you need to run the stand-alone database logger depends on the number of systems you use. You can install the stand-alone database logger, IBM® MQ and your database on a single system, or across two systems. The stand-alone database logger must be on the same system as IBM MQ. The components can be installed in the following topologies:
  • Stand-alone database logger, IBM MQ and the database all on the same system
    You can define a single operating system user for use with all three components. This is a suitable configuration for the stand-alone database logger. The stand-alone database logger uses Bindings mode to connect to IBM MQ and a native connection to connect to the database.
  • Stand-alone database logger and IBM MQ on one system, the database on a separate system
    You create two users for this configuration: an operating system user on the system running the stand-alone database logger, and an operating system user with remote access to the database on the database server. This is a suitable configuration for the stand-alone database logger using a remote database. The stand-alone database logger uses Bindings mode to connect to IBM MQ and a client connection to access the database.

As an example, the rest of these instructions assume that the user is called ftelog, but you can use any user name. Configure the user's permissions as follows:

Procedure

  1. Ensure that the user has permission to read and, where necessary, execute, the files installed as part of the IBM MQ Managed File Transfer Remote Tools and Documentation installation.
  2. Ensure that the user has permission to create and write to any file in the logs directory (in the configuration directory). This directory is used for an event log, and if necessary for diagnostic trace and FFDC files.
  3. Ensure that the user has its own group, and is not also in any groups with wide-ranging permissions on the coordination queue manager. The user should not be in the mqm group. On certain platforms, the staff group is automatically given queue manager access as well; the stand-alone database logger user should not be in the staff group. You can view authority records for the queue manager itself and for objects in it using the WebSphere® MQ Explorer. Right-click the object and select Object Authorities > Manage Authority Records. At the command line, you can use the commands dspmqaut (display authority) or dmpmqaut (dump authority).
  4. Use the Manage Authority Records window in the IBM MQ Explorer or the setmqaut (grant or revoke authority) command to add authorities for the user's own group (on UNIX, IBM MQ authorities are associated with groups only, not individual users). The authorities required are as follows:
    • Connect and Inquire on the queue manager (the IBM MQ Java libraries require Inquire permission to operate).
    • Subscribe permission on the SYSTEM.FTE topic.
    • Put permission on the SYSTEM.FTE.LOG.RJCT.logger_name queue.
    • Get permission on the SYSTEM.FTE.LOG.RJCT.logger_name queue.
    The reject and command queue names given are the default names. If you chose different queue names when you configured the stand-alone database logger queues, add the permissions to those queue names instead.
  5. Perform the user configuration that is specific to the database you are using.
    • If your database is Db2®, carry out the following steps:
      There are several mechanisms for managing database users with Db2. These instructions apply to the default scheme based on operating system users.
      • Ensure that the ftelog user is not in any Db2 administration groups (for example, db2iadm1, db2fadm1, or dasadm1).
      • Give the user permission to connect to the database and permission to select, insert and update on the tables that you created as part of Step 2: create the required database tables
    • If your database is Oracle, carry out the following steps:
      • Ensure that the ftelog user is not in any Oracle administration groups (for example, ora_dba on Windows or dba on UNIX).
      • Give the user permission to connect to the database and permission to select, insert and update on the tables that you created as part of Step 2: create the required database tables
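
The group check from step 3 and the grants from step 4 can be scripted as a dry run that prints the setmqaut commands for review before anyone runs them. This is an added example, not IBM's own script; the queue manager name QM_COORD, the logger name LOGGER1 and the sample group list are constructed, and the queue names default to the ones listed in step 4.

```shell
#!/bin/sh
# Added example: dry-run helper for steps 3 and 4 of the procedure.
# Nothing is executed against a queue manager; commands are only printed.

# Groups the procedure says the logger user must not belong to.
FORBIDDEN_GROUPS="mqm staff db2iadm1 db2fadm1 dasadm1 dba ora_dba"

# risky_groups "g1 g2 ..." : print each forbidden group found in the list.
# Returns 0 when the list is clean, 1 when at least one match is found.
risky_groups() {
    found=0
    for g in $1; do
        for bad in $FORBIDDEN_GROUPS; do
            if [ "$g" = "$bad" ]; then
                echo "$g"
                found=1
            fi
        done
    done
    return $found
}

# logger_authority_cmds QMGR GROUP LOGGER [PUT_QUEUE] [GET_QUEUE]
# Prints the grants from step 4 plus a dspmqaut line to verify the result.
# Pass PUT_QUEUE / GET_QUEUE if you configured non-default queue names.
logger_authority_cmds() {
    qm=$1 grp=$2 name=$3
    putq=${4:-SYSTEM.FTE.LOG.RJCT.$name}
    getq=${5:-SYSTEM.FTE.LOG.RJCT.$name}
    echo "setmqaut -m $qm -t qmgr -g $grp +connect +inq"
    echo "setmqaut -m $qm -n SYSTEM.FTE -t topic -g $grp +sub"
    echo "setmqaut -m $qm -n $putq -t queue -g $grp +put"
    echo "setmqaut -m $qm -n $getq -t queue -g $grp +get"
    echo "dspmqaut -m $qm -t qmgr -g $grp"
}

# Constructed sample group list; in practice pass "$(id -Gn ftelog)".
if bad=$(risky_groups "ftelog staff"); then
    logger_authority_cmds QM_COORD ftelog LOGGER1
else
    echo "Remove ftelog from these groups before granting authorities:" $bad >&2
fi
```

Because the grants go to the group (-g), anyone else in that group inherits them, which is why step 3 asks for a dedicated group.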