Restricting user authorities on MFT agent actions
In addition to using groups to manage access to resources, you can enable an additional level of security to restrict the Managed File Transfer agent actions that a user can take. Grant authorities on an agent authority queue to a user to give the user permission to perform specific agent actions.
Enabling user authority management
To turn on user authority checking on agent actions, complete the following steps:
- In the agent.properties file, set the authorityChecking value to true. For more information, see The MFT agent.properties file.
- Ensure that the user who runs the agent has the IBM® MQ alternate user (ALT_USER) authority to the agent queue manager.
On the z/OS® platform, the user that runs the agent must have ALT_USER authority to the user IDs that can request permission to perform an agent action.
authorityChecking must be set to the same value in the property files of both agents. Transfers between agents that have different values for the authorityChecking property will fail.
Agent authority queues
- SYSTEM.FTE.AUTHADM1.agent_name
- SYSTEM.FTE.AUTHAGT1.agent_name
- SYSTEM.FTE.AUTHMON1.agent_name
- SYSTEM.FTE.AUTHOPS1.agent_name
- SYSTEM.FTE.AUTHSCH1.agent_name
- SYSTEM.FTE.AUTHTRN1.agent_name
When user authority management is enabled by setting the agent property authorityChecking=true, the authorities that a user has on the agent authority queues specify the actions that the user is authorized to take.
User action | Managed File Transfer access authority | Authority queues | IBM MQ access authority (Multiplatforms) | RACF® access level (z/OS only) |
---|---|---|---|---|
Shut down the agent, using the -m option on the fteStopAgent command | Administration | SYSTEM.FTE.AUTHADM1.agent_name | BROWSE | READ |
Start a transfer of files from this agent; run a managed call on this agent; cancel a transfer of files from this agent started by the same user | Transfer source | SYSTEM.FTE.AUTHTRN1.source_agent_name | BROWSE | READ |
Start a transfer of files to this agent; cancel a transfer of files to this agent started by the same user | Transfer destination | SYSTEM.FTE.AUTHTRN1.destination_agent_name | PUT | UPDATE |
Create a resource monitor; delete a resource monitor created by the same user | Monitor | SYSTEM.FTE.AUTHMON1.monitor_agent_name | BROWSE | READ |
Delete a resource monitor created by any user | Monitor operations | SYSTEM.FTE.AUTHOPS1.agent_name | SET | ALTER |
Create a scheduled transfer; delete a scheduled transfer created by the same user | Schedule | SYSTEM.FTE.AUTHSCH1.source_agent_name | BROWSE | READ |
Delete a scheduled transfer created by any user or group | Schedule operations | SYSTEM.FTE.AUTHOPS1.agent_name | PUT | UPDATE |
Cancel a transfer created either by the same user or group that started the transfer, or by another user or group | Transfer operations | SYSTEM.FTE.AUTHOPS1.source_agent_name, SYSTEM.FTE.AUTHOPS1.destination_agent_name | BROWSE | READ |
From IBM MQ 9.0.0 Fix Pack 3 and IBM MQ 9.0.4, the order in which authority checks are performed when an agent receives a request to cancel a file transfer is changed so that the agent first checks whether the user requesting the cancellation is the same user who started the transfer. If the user canceling the transfer is not the same as the user that requested it, the agent then checks if the canceling user has browse permission on SYSTEM.FTE.AUTHOPS1.agent_name queues. The change to the order of checking avoids unexpected errors in agent and queue manager error logs when the user who requested the file transfer and the user who requested the cancellation are the same.
Agent action | Managed File Transfer access authority | Authority queues | IBM MQ access authority (Multiplatforms) | RACF access level (z/OS only) |
---|---|---|---|---|
Receive a transfer from source_agent | Agent source | SYSTEM.FTE.AUTHAGT1.source_agent_name | BROWSE | READ |
Send a transfer to destination_agent | Agent destination | SYSTEM.FTE.AUTHAGT1.destination_agent_name | PUT | UPDATE |
Configuring user authority management
To authorize a user to be able to perform an action on an agent, grant the user the appropriate authority on the relevant authority queue. To grant authorities to a user, complete the following steps:
- Create a user on the system where the agent queue manager is located that has the same name as the user you want to give authority to perform agent actions. This user does not have to be active.
- Grant the user the appropriate authority on the relevant authority queue. If you are using Linux®, UNIX, or Windows, you can use the setmqaut command.
- Refresh the security configuration of the queue manager. You can use the REFRESH SECURITY MQSC command.
The setmqaut command is not used on z/OS systems. For z/OS, instead use RACF. See Setting up security on z/OS for more information.
The setmqaut command is not used on IBM i systems. For IBM i, see Access authorities for IBM MQ objects, which describes how authorization for IBM MQ objects is done. There are three relevant CL commands available on IBM i: Grant MQ Object Authority (GRTMQMAUT), Revoke MQ Object Authority (RVKMQMAUT), and Refresh MQ Authority (RFRMQMAUT).
Example
A user, requestor, who is a member of the group requestor_group, wants to set up a resource monitor on AGENT1 that transfers a file from AGENT1, which is running under the user user1, who is a member of the group user1_group, to AGENT2, which is running under the user user2, who is a member of the group user2_group. AGENT1 connects to QM1; AGENT2 connects to QM2. Both agents have authority checking enabled. To make this possible, take the following steps:
- requestor must have Monitor authority on AGENT1. Set this authority by running the following command on the system where QM1 is running:
  setmqaut -m QM1 -t queue -n SYSTEM.FTE.AUTHMON1.AGENT1 -g requestor_group +browse
- requestor must have Transfer source authority on AGENT1. Set this authority by running the following command on the system where QM1 is running:
  setmqaut -m QM1 -t queue -n SYSTEM.FTE.AUTHTRN1.AGENT1 -g requestor_group +browse
- requestor must have Transfer destination authority on AGENT2. Set this authority by running the following command on the system where QM2 is running:
  setmqaut -m QM2 -t queue -n SYSTEM.FTE.AUTHTRN1.AGENT2 -g requestor_group +put
- user2 must have Agent source authority on AGENT1. Set this authority by running the following command on the system where QM1 is running:
  setmqaut -m QM1 -t queue -n SYSTEM.FTE.AUTHAGT1.AGENT1 -g user2_group +browse
- user1 must have Agent destination authority on AGENT2. Set this authority by running the following command on the system where QM2 is running:
  setmqaut -m QM2 -t queue -n SYSTEM.FTE.AUTHAGT1.AGENT2 -g user1_group +put
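The following script is an added example, not IBM's code, and serves both the authority tables above and the example scenario just described. It encodes each Managed File Transfer access authority as the authority queue prefix and the IBM MQ authority (Multiplatforms) that confers it, generates the setmqaut grants for the scenario, and evaluates whether a request would pass the agent's check, including the cancel-check order described for IBM MQ 9.0.0 Fix Pack 3 and 9.0.4. Its assumptions: the in-memory authority store is a constructed stand-in for the queue manager's object authority records, only group (-g) grants are modelled, and a user cancelling their own transfer is treated as needing their own Transfer source or Transfer destination authority, as the first table states.

```python
"""Added example (not IBM's code): a model of MFT agent authority checks.

Assumptions for illustration: the in-memory authority store stands in for the
queue manager's OAM records, only group (-g) grants are modelled, and the
same-user cancel path requires the requester's own Transfer source or
Transfer destination authority, as the authority table in this topic states.
"""
from collections import defaultdict

# MFT access authority -> (authority queue prefix, IBM MQ authority on
# Multiplatforms), as listed in the tables in this topic.
ROLE_QUEUE = {
    "Administration":       ("SYSTEM.FTE.AUTHADM1", "browse"),
    "Transfer source":      ("SYSTEM.FTE.AUTHTRN1", "browse"),
    "Transfer destination": ("SYSTEM.FTE.AUTHTRN1", "put"),
    "Monitor":              ("SYSTEM.FTE.AUTHMON1", "browse"),
    "Monitor operations":   ("SYSTEM.FTE.AUTHOPS1", "set"),
    "Schedule":             ("SYSTEM.FTE.AUTHSCH1", "browse"),
    "Schedule operations":  ("SYSTEM.FTE.AUTHOPS1", "put"),
    "Transfer operations":  ("SYSTEM.FTE.AUTHOPS1", "browse"),
    "Agent source":         ("SYSTEM.FTE.AUTHAGT1", "browse"),
    "Agent destination":    ("SYSTEM.FTE.AUTHAGT1", "put"),
}


def authority_queue(role, agent):
    """Name of the authority queue that carries this role for an agent."""
    prefix, _ = ROLE_QUEUE[role]
    return f"{prefix}.{agent}"


def setmqaut_command(qmgr, agent, role, group):
    """The setmqaut command that grants `role` on `agent` to `group`."""
    _, auth = ROLE_QUEUE[role]
    return (f"setmqaut -m {qmgr} -t queue -n {authority_queue(role, agent)} "
            f"-g {group} +{auth}")


class QueueAuthorities:
    """Constructed stand-in for a queue manager's object authority records."""

    def __init__(self):
        # (qmgr, queue name) -> group -> set of MQ authorities held
        self._grants = defaultdict(lambda: defaultdict(set))

    def grant(self, qmgr, agent, role, group):
        """Record the grant and return the command an administrator would run."""
        _, auth = ROLE_QUEUE[role]
        self._grants[(qmgr, authority_queue(role, agent))][group].add(auth)
        return setmqaut_command(qmgr, agent, role, group)

    def has_role(self, qmgr, agent, role, group):
        """True if `group` holds the MQ authority that confers `role` on `agent`."""
        _, auth = ROLE_QUEUE[role]
        return auth in self._grants[(qmgr, authority_queue(role, agent))][group]


def may_cancel(auths, qmgr, agent, own_role, requester, requester_group, transfer_owner):
    """Cancel check in the order this topic describes for IBM MQ 9.0.0 Fix Pack 3
    and 9.0.4 onwards: first, is the requester the user who started the transfer?
    If so, the own-transfer authority (Transfer source or Transfer destination)
    covers the cancel; otherwise Transfer operations (browse on AUTHOPS1) is
    needed. Checking the same-user case first avoids a spurious not-authorized
    record when a user cancels their own transfer."""
    if requester == transfer_owner:
        return auths.has_role(qmgr, agent, own_role, requester_group)
    return auths.has_role(qmgr, agent, "Transfer operations", requester_group)


def example_grants():
    """The five grants from the example scenario in this topic: requestor sets up
    a monitor on AGENT1 (runs as user1, connects to QM1) that transfers to AGENT2
    (runs as user2, connects to QM2). Returns the authority store and the commands."""
    auths = QueueAuthorities()
    commands = [
        auths.grant("QM1", "AGENT1", "Monitor", "requestor_group"),
        auths.grant("QM1", "AGENT1", "Transfer source", "requestor_group"),
        auths.grant("QM2", "AGENT2", "Transfer destination", "requestor_group"),
        auths.grant("QM1", "AGENT1", "Agent source", "user2_group"),
        auths.grant("QM2", "AGENT2", "Agent destination", "user1_group"),
    ]
    return auths, commands


if __name__ == "__main__":
    store, cmds = example_grants()
    print("\n".join(cmds))
    print("Then run REFRESH SECURITY in runmqsc on QM1 and on QM2.")
    # requestor cancelling their own transfer from AGENT1: allowed
    print(may_cancel(store, "QM1", "AGENT1", "Transfer source",
                     "requestor", "requestor_group", "requestor"))
    # a member of another constructed group cancelling requestor's transfer:
    # denied, because nobody granted that group Transfer operations on AGENT1
    print(may_cancel(store, "QM1", "AGENT1", "Transfer source",
                     "auditor", "auditor_group", "requestor"))
```

Because the three "operations" authorities all live on SYSTEM.FTE.AUTHOPS1.agent_name but map to different MQ authorities (browse, put, set), the check is keyed on the specific authority rather than on the queue, which is why granting Transfer operations does not also confer Monitor operations or Schedule operations.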
Logging
If user authority checking is enabled, failed authority checks cause a not authorized log message to be published to the coordination queue manager. See MFT message formats for security for more information.
Messages about user authority can be written to the agent event log. You can configure the amount of information written to the agent event log by setting the logAuthorityChecks property in the agent property file. By default the level of authority check logging is None. You can also set the value of logAuthorityChecks to Failures, which specifies that only failed authorization checks are reported, or All, which specifies that both failed and successful authorization checks are reported.
For more information, see The MFT agent.properties file.