MFT message formats for security

This topic describes the messages published to the Managed File Transfer coordination queue manager relevant to security.

Not authorized log message

If user authority checking is enabled, the agent can publish not authorized messages to the coordination queue manager. The topic Restricting user authorities on MFT agent actions describes how to enable user authority checking.

Every time a user submits a request to perform a restricted action to the agent, either by using a Managed File Transfer command or by using the IBM® MQ Explorer plugin, the agent checks that the user has the authority to perform the action. If the user fails that authority check, a not authorized log message is published to the coordination queue manager on its SYSTEM.FTE/Log/agent_name/NotAuthorized topic.

This message conforms to the TransferLog.xsd XML schema. For example:

<?xml version="1.0" encoding="UTF-8"?>
<notAuthorized version="3.00"
               ID="414d5120716d312020202020202020204da5924a2010ce03"
               agentRole="sourceAgent"
               xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="TransferLog.xsd"
               xmlns="">
  <action time="2009-08-28T12:31:15.781Z">not_authorized</action>
  <originator>
    <mqmdUserID>test1</mqmdUserID>
  </originator>
  <authority>administration</authority>
  <status resultCode="53">
    <supplement>BFGCH0083E: The user (test1) does not have the authority (ADMINISTRATION) required to shut down agent 'AGENT'.</supplement>
    <supplement>
&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;internal:request version=&quot;3.00&quot; xmlns:xsi=&quot;https://www.w3.org/2001/XMLSchema-instance&quot;
 xmlns:internal=&quot;http://wmqfte.ibm.com/internal&quot;&gt;
&lt;internal:shutdown agent=&quot;SYSTEM.FTE.COMMAND.AGENT&quot; hostname=&quot;qm1&quot; mode=&quot;controlled&quot;/&gt;
&lt;reply QMGR=&quot;qm1&quot;&gt;WMQFTE.4A92A54D02CE1020&lt;/reply&gt;
&lt;/internal:request&gt;
    </supplement>
  </status>
</notAuthorized>

This message is a log of the following information:
  • Who originated the request
  • The level of Managed File Transfer access authority required to perform the request
  • The status of the request
  • The request specification

Understanding the not authorized log message

The elements and attributes used in the not authorized message are described below.

<notAuthorized>
    Group element that describes a single failed user authorization check.
    Attributes:
        version    Specifies the version of this element as detailed by Managed File Transfer.
        ID         The unique identifier for the request that was not authorized.

<originator>
    Group element that contains the elements specifying the originator of the request.

    <mqmdUserID>
        The IBM MQ user ID that was supplied in the message descriptor (MQMD).

<authority>
    Specifies the level of Managed File Transfer access authority that the user required to perform the requested action.

<action>
    Specifies the authorization status of the request matching the ID attribute of the <notAuthorized> element.
    Attributes:
        time       Specifies the date and time the log entry was published (in date time format).

<status>
    The result code and supplement messages.
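As an added example (not part of the IBM documentation or the product), the following Python reads one of these messages together with the topic string it was published on and flattens it into a record a SIEM can alert on. It parses the XML-escaped request carried in the second <supplement> to recover the refused action and its target agent; the sample message is constructed from the example above, and a real consumer would receive the XML from a subscription on the coordination queue manager.

```python
import xml.etree.ElementTree as ET
INTERNAL_NS = "http://wmqfte.ibm.com/internal"  # namespace of the embedded request

# Constructed sample, modelled on the message above (not a captured message).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<notAuthorized version="3.00" ID="414d5120716d312020202020202020204da5924a2010ce03" agentRole="sourceAgent" xmlns="">
  <action time="2009-08-28T12:31:15.781Z">not_authorized</action>
  <originator><mqmdUserID>test1</mqmdUserID></originator>
  <authority>administration</authority>
  <status resultCode="53">
    <supplement>BFGCH0083E: The user (test1) does not have the authority (ADMINISTRATION) required to shut down agent 'AGENT'.</supplement>
    <supplement>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;internal:request version=&quot;3.00&quot; xmlns:internal=&quot;http://wmqfte.ibm.com/internal&quot;&gt;&lt;internal:shutdown agent=&quot;SYSTEM.FTE.COMMAND.AGENT&quot; hostname=&quot;qm1&quot; mode=&quot;controlled&quot;/&gt;&lt;reply QMGR=&quot;qm1&quot;&gt;WMQFTE.4A92A54D02CE1020&lt;/reply&gt;&lt;/internal:request&gt;</supplement>
  </status>
</notAuthorized>"""

def agent_from_topic(topic):
    # Recover agent_name from SYSTEM.FTE/Log/agent_name/NotAuthorized.
    parts = topic.split("/")
    if len(parts) != 4 or parts[:2] != ["SYSTEM.FTE", "Log"] or parts[3] != "NotAuthorized":
        raise ValueError("not a NotAuthorized log topic: " + topic)
    return parts[2]

def parse_embedded_request(text):
    # The rejected request travels XML-escaped inside a <supplement>; ElementTree
    # has already unescaped it, so parse it again. Plain-text supplements yield None.
    try:
        req = ET.fromstring(text.strip())
    except ET.ParseError:
        return None
    for child in req:  # tag looks like {http://wmqfte.ibm.com/internal}shutdown
        if child.tag.startswith("{%s}" % INTERNAL_NS):
            return {"request_action": child.tag.split("}", 1)[1], "target_agent": child.get("agent")}
    return None

def parse_not_authorized(xml_text, topic):
    # Flatten one not-authorized log message into a dict for a SIEM event.
    root = ET.fromstring(xml_text)
    if root.tag != "notAuthorized":
        raise ValueError("unexpected root element: " + root.tag)
    status = root.find("status")
    supplements = [s.text or "" for s in status.findall("supplement")]
    record = {"agent": agent_from_topic(topic), "request_id": root.get("ID"),
              "time": root.find("action").get("time"), "user": root.findtext("originator/mqmdUserID"),
              "authority": root.findtext("authority"),
              "result_code": int(status.get("resultCode")),
              "message": supplements[0] if supplements else "",
              "request_action": None, "target_agent": None}
    for text in supplements[1:]:  # later supplements may carry the request itself
        record.update(parse_embedded_request(text) or {})
    return record
```

A record whose request_action is shutdown or whose user is outside the expected administrator set is the kind of event worth routing to an alert.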