Configuring MFT REST API security
The configuration for the Managed File Transfer REST API role based security is done through mqwebuser.xml, as is done for the IBM® MQ REST API.
Before you begin
See IBM MQ Console and REST API security for information on how you set up security.
About this task
To control access to MFT resources through the MFT REST API, two new roles, MFTWebAdmin and MFTWebAdminRO, have been added alongside the existing IBM MQ specific roles MQWebAdmin, MQWebAdminRO, and MQWebUser.
- MFTWebAdmin
  A user or group assigned this role can perform all MFT REST operations, and operates under the security context of the operating system user ID that is used to start the mqweb server.
- MFTWebAdminRO
  This role gives read only access to the MFT REST API. A user or group that is assigned this role can perform read only operations (GET requests) such as list transfers and list agents.
Important:
- A principal with either the MFTWebAdmin or MFTWebAdminRO role does not have access to any of the IBM MQ REST API services.
- If an MFTWebAdmin user needs to access the IBM MQ REST API, that user needs to be member of one of the MQWebAdmin, MQWebAdminRO, or MQWebUser groups.
- Members of the MQWebAdmin, MQWebAdminRO, and MQWebUser groups do not have access to the MFT REST API.
The following example grants:
- the MQWebAdmin, MQWebAdminRO, and MQWebUser roles the access described in Roles on the IBM MQ Console and REST API.
- the MFTWebAdmin role to the “mftadmin” user. The “mftadmin” user can perform all MFT REST services.
- the MFTWebAdminRO role to the “mftreader” user. The “mftreader” user can perform read only operations, such as list agents and list transfers.
<?xml version="1.0" encoding="UTF-8"?>
<server>
    <!-- Enable features -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
    </featureManager>
    <!-- Role Mappings -->
    <enterpriseApplication id="com.ibm.mq.rest">
        <application-bnd>
            <security-role name="MQWebAdmin">
                <group name="MQWebUI" realm="defaultRealm"/>
            </security-role>
            <security-role name="MQWebAdminRO">
                <user name="reader" realm="defaultRealm"/>
            </security-role>
            <security-role name="MQWebUser">
                <special-subject type="ALL_AUTHENTICATED_USERS"/>
            </security-role>
            <security-role name="MFTWebAdmin">
                <user name="mftadmin" realm="defaultRealm"/>
            </security-role>
            <security-role name="MFTWebAdminRO">
                <user name="mftreader" realm="defaultRealm"/>
            </security-role>
        </application-bnd>
    </enterpriseApplication>
</server>
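As an added example (not IBM's code), the following Python script parses a role binding of the kind shown above and applies the rules stated on this page: MQ roles reach only the IBM MQ REST API, MFT roles reach only the MFT REST API, and an ALL_AUTHENTICATED_USERS binding applies to every principal. The sample mqwebuser.xml is constructed from the page's mapping with one deliberately risky extra binding (ALL_AUTHENTICATED_USERS on MFTWebAdmin) so the audit has something to flag; the function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Roles documented on this page and the API each one grants (page rule:
# MQ roles never reach the MFT REST API and MFT roles never reach the MQ one).
ROLE_GRANTS = {"MQWebAdmin": "MQ REST API", "MQWebAdminRO": "MQ REST API (read only)",
               "MQWebUser": "MQ REST API (user)", "MFTWebAdmin": "MFT REST API",
               "MFTWebAdminRO": "MFT REST API (read only)"}
ALL_AUTH = "special-subject:ALL_AUTHENTICATED_USERS"

# Constructed sample: the page's mapping plus one deliberately risky extra
# binding (ALL_AUTHENTICATED_USERS on MFTWebAdmin) for the audit to flag.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager><feature>appSecurity-2.0</feature></featureManager>
  <enterpriseApplication id="com.ibm.mq.rest">
    <application-bnd>
      <security-role name="MQWebAdmin"><group name="MQWebUI" realm="defaultRealm"/></security-role>
      <security-role name="MQWebAdminRO"><user name="reader" realm="defaultRealm"/></security-role>
      <security-role name="MQWebUser"><special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
      <security-role name="MFTWebAdmin"><user name="mftadmin" realm="defaultRealm"/>
                                        <special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
      <security-role name="MFTWebAdminRO"><user name="mftreader" realm="defaultRealm"/></security-role>
    </application-bnd>
  </enterpriseApplication>
</server>"""

def role_mappings(xml_text, app_id="com.ibm.mq.rest"):
    """Map each security-role name to the set of principals bound to it,
    rendered as user:<name>, group:<name> or special-subject:<type>."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for app in root.iter("enterpriseApplication"):
        if app.get("id") != app_id:
            continue
        for role in app.iter("security-role"):
            mappings[role.get("name")] = {f"{c.tag}:{c.get('name') or c.get('type')}" for c in role}
    return mappings

def effective_access(mappings, principal):
    """APIs a named user or group reaches, counting ALL_AUTHENTICATED_USERS for
    everyone. Group membership is not resolved here; pass group:<name> to check a group."""
    roles = {r for r, ps in mappings.items() if principal in ps or ALL_AUTH in ps}
    return {ROLE_GRANTS.get(r, f"unknown role {r}") for r in roles}

def audit(mappings):
    """Flag a full-access role (MQWebAdmin or MFTWebAdmin) bound to a special-subject."""
    return sorted(f"{r} bound to {p}" for r in ("MQWebAdmin", "MFTWebAdmin")
                  for p in mappings.get(r, ()) if p.startswith("special-subject:"))
```

Run against a real mqwebuser.xml, the output of effective_access for each MFT principal shows whether it also holds an MQ role, which is what the Important notes above require before that principal can use the IBM MQ REST API.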