Managing authorities for MFT-specific resources

For any file transfer request, the Managed File Transfer agent processes require some level of access to their local file systems. In addition, both the user identifier associated with the agent process and the user identifiers associated with users performing file transfer operations must have the authority to use certain IBM® MQ objects.

Commands are issued by users, who might be in an operational role where they typically start a file transfer. Alternatively, they might be in an administrative role where they can additionally control when agents are created, started, deleted, or cleaned (that is, when messages from all agent system queues are removed). Messages containing command requests are placed on an agent's SYSTEM.FTE.COMMAND queue when a user issues a command. The agent process retrieves messages containing command requests from the SYSTEM.FTE.COMMAND queue. The agent process also uses four other system queues, which are as follows:
  • SYSTEM.FTE.DATA.agent_name
  • SYSTEM.FTE.EVENT.agent_name
  • SYSTEM.FTE.REPLY.agent_name
  • SYSTEM.FTE.STATE.agent_name

Because users who issue commands use the queues listed previously in different ways from the agent process, assign different IBM MQ authorities to the user identifiers or user groups associated with each. See Restricting group authorities for MFT-specific resources for more information.

The agent has additional queues that can be used to grant users the authority to perform certain actions. See Restricting user authorities on MFT agent actions for information about how to use the authority queues. The agent does not put or get messages on these queues. However, you must ensure that the queues are assigned the correct IBM MQ authorities both for the user identifier that runs the agent process and for the user identifiers of the users who are being authorized to perform certain actions. The authority queues are as follows:
  • SYSTEM.FTE.AUTHADM1.agent_name
  • SYSTEM.FTE.AUTHAGT1.agent_name
  • SYSTEM.FTE.AUTHMON1.agent_name
  • SYSTEM.FTE.AUTHOPS1.agent_name
  • SYSTEM.FTE.AUTHSCH1.agent_name
  • SYSTEM.FTE.AUTHTRN1.agent_name

If you are migrating from a version of Managed File Transfer earlier than 7.0.2 to IBM WebSphere® MQ 7.5 or later, and are keeping existing agent configurations, you must create the authority queues manually. Use the following MQSC command to create each queue:

DEFINE QLOCAL(authority_queue_name) DEFPRTY(0) DEFSOPT(SHARED) GET(ENABLED) MAXDEPTH(0) +
 MAXMSGL(0) MSGDLVSQ(PRIORITY) PUT(ENABLED) RETINTVL(999999999) SHARE NOTRIGGER +
 USAGE(NORMAL) REPLACE

The agent process also publishes messages to the SYSTEM.FTE topic on the coordination queue manager using the SYSTEM.FTE queue. Depending on whether the agent process is in the role of the source agent or destination agent, the agent process might require authority to read, write, update, and delete files.

You can create and modify authority records for IBM MQ objects using the IBM MQ Explorer. Right-click the object and then click Object Authorities > Manage Authority Records. You can also create authority records using the setmqaut command, which is described in setmqaut (grant or revoke authority) command.
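The following script is an added example and is not part of the IBM documentation or the product. It expands the DEFINE QLOCAL template above into definitions for one agent's six authority queues and generates setmqaut commands that give the agent's user identifier and the operator group different authorities on the agent queues; the queue manager, agent, user and group names (QM1, COORDQM, AGENT1, mqmft, mftops) and the authority sets granted are assumptions, with the authoritative per-queue mapping coming from the Restricting group authorities and Restricting user authorities topics.

```shell
# Added example, not part of the IBM documentation: generates (does not run) the
# MQSC definitions for one agent's six authority queues and the setmqaut commands
# that separate the agent identity from the people who issue commands. All names
# (QM1, COORDQM, AGENT1, user mqmft, group mftops) and the authority sets granted
# are assumptions; the authoritative per-queue mapping is in the "Restricting
# group authorities" and "Restricting user authorities" topics.

AUTH_SUFFIXES="AUTHADM1 AUTHAGT1 AUTHMON1 AUTHOPS1 AUTHSCH1 AUTHTRN1"

# One DEFINE QLOCAL per authority queue, with the attributes given on this page.
# MAXDEPTH(0) and MAXMSGL(0) reflect that no messages are ever put on these queues.
mft_authority_queue_mqsc() {
    agent="$1"
    for suffix in $AUTH_SUFFIXES; do
        printf 'DEFINE QLOCAL(SYSTEM.FTE.%s.%s) DEFPRTY(0) DEFSOPT(SHARED) GET(ENABLED) MAXDEPTH(0) +\n' \
            "$suffix" "$agent"
        printf ' MAXMSGL(0) MSGDLVSQ(PRIORITY) PUT(ENABLED) RETINTVL(999999999) SHARE NOTRIGGER +\n'
        printf ' USAGE(NORMAL) REPLACE\n'
    done
}

# $6 is the space-separated list of authority-queue suffixes the operator group may use.
mft_setmqaut_commands() {
    qm="$1"; coord_qm="$2"; agent="$3"; agent_user="$4"; ops_group="$5"; ops_auth="$6"
    # Agent process: gets command requests and uses its four other system queues
    for q in COMMAND DATA EVENT REPLY STATE; do
        printf 'setmqaut -m %s -t queue -n SYSTEM.FTE.%s.%s -p %s +get +put +inq +browse\n' \
            "$qm" "$q" "$agent" "$agent_user"
    done
    # Command issuers: put requests on the command queue only, no get or browse
    printf 'setmqaut -m %s -t queue -n SYSTEM.FTE.COMMAND.%s -g %s +put +inq\n' \
        "$qm" "$agent" "$ops_group"
    # Authority queues carry no messages: agent needs +inq (assumed), operators get
    # +browse (assumed) on the listed queues only and nothing on the others
    for suffix in $AUTH_SUFFIXES; do
        printf 'setmqaut -m %s -t queue -n SYSTEM.FTE.%s.%s -p %s +inq\n' \
            "$qm" "$suffix" "$agent" "$agent_user"
    done
    for suffix in $ops_auth; do
        printf 'setmqaut -m %s -t queue -n SYSTEM.FTE.%s.%s -g %s +browse\n' \
            "$qm" "$suffix" "$agent" "$ops_group"
    done
    # Publication to the SYSTEM.FTE topic on the coordination queue manager (assumed +pub)
    printf 'setmqaut -m %s -t topic -n SYSTEM.FTE -p %s +pub\n' "$coord_qm" "$agent_user"
}

# Review the output, then feed the first into runmqsc and run the second as a script
mft_authority_queue_mqsc AGENT1
mft_setmqaut_commands QM1 COORDQM AGENT1 mqmft mftops "AUTHTRN1 AUTHOPS1"
```

Operators deliberately receive no authority on AUTHADM1 or the other queues not named in the last argument, so a command that needs those authorities is rejected by the queue manager before the agent acts on it.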