Planning users

Many types of users are involved in planning, installing, customizing, and configuring Financial Transaction Manager. For maximum security, limit the access rights of users so that they can access only those system resources that are needed to do the activities to which they were assigned.

To restrict access to resources used by Financial Transaction Manager, such as files, database tables, and IBM® MQ resources, you must set up user groups to limit such access.

The recommended user groups are shown in the following table.

Table 1. Recommended users
Installer
Description: This user does the following tasks.
  • Installs and uninstalls FTM.
  • Handles the distribution media.
Authorization: User ID: root

Db2® administrator
Description: This user configures and maintains Db2 resources, including those resources that are needed by FTM, and carries out the following tasks:
  • Prepares and runs Db2 configuration jobs.
  • Creates the FTM database.
  • Creates FTM database objects such as tables, indexes, and other objects.
  • Grants and revokes Db2 privileges.
  • Loads the initial data into the runtime database.
  • Carries out housekeeping tasks such as backing up and archiving data.
  • Starts and stops Db2 databases.
Authorization: This user requires the following authorization on the runtime system on which the database is located.
  • Membership in the Db2 group.

Db2 fenced user
Description: This user runs the scripts that are generated to load and update the FSM, configuration, and operational data in the FTM database.
Authorization: For more information about the authorization details, see the Script load (application installation) operational component information in FTM Database permissions.

IBM MQ administrator
Description: This user configures and maintains IBM MQ queues and queue managers, including those queues and queue managers that are needed by FTM.
Authorization: This user requires the following authorization on the runtime systems.
  • Membership in group mqm.
The mqm group is the IBM MQ administrator group. It is provided by IBM MQ and has all authorities for all IBM MQ resources.
If queue manager security is activated, this user must have the right to define queues and channels.

IBM App Connect Enterprise administrator
Description: This user configures the integration nodes that are used by FTM.
  • Issues integration node commands, for example, to activate integration node statistics and accounting.
  • Starts and stops integration nodes.
  • Deploys and customizes the broker archive (BAR) files.
This user is also the user ID under which the integration node program runs.
Authorization: This user requires the following authorization on the runtime systems.
  • Membership in group mqm.
  • Membership in group mqbrkrs.
The mqbrkrs group is the IBM App Connect Enterprise administrator group. It is provided by IBM App Connect Enterprise and has all authorities that are needed to administer an integration node.

WebSphere® Application Server administrator
Description: This user authorizes the installation of the FTM OAC enterprise application, and uses the administrative console to:
  • Configure application servers.
  • Start, stop, and configure enterprise applications.
  • In network deployment environments (not single-server environments), start and stop application servers.
Authorization: This user must be part of the configured external user registry (for example, LDAP) of the WebSphere Application Server environment and have the administration and security roles in the WebSphere Application Server environment. This user does not need to be defined in the local operating system.

DB data accessor for FTM Runtime (Integration node)
Description: This user authenticates the JDBC and ODBC connections between an FTM integration node application and the runtime database.
Authorization: For more information about the authorization details, see FTM Database permissions.

DB data accessor for FTM OAC (WebSphere Application Server)
Description: In the application server authentication alias for JDBC data sources, this user authenticates the connection between the FTM OAC enterprise application on WebSphere Application Server and the runtime database.
Authorization: For more information about the authorization details, see FTM Database permissions.

Usage report user
Description: This user runs the usage report tool.
Authorization: For more information about the authorization details, see Table 14 in FTM Database permissions.
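
The following added example (not part of the IBM documentation or product) shows one way to check an existing system against Table 1: it compares the members of the privileged groups mqm, mqbrkrs, and the Db2 group with the groups each planned role requires. The account names, the role keys, and the Db2 group name are constructed placeholders, and the example assumes that the database-only roles need none of these groups.

```python
# Added example (not IBM code): audit OS groups against Table 1.
# Account names and DB2_GROUP are constructed placeholders.
DB2_GROUP = "db2grp_placeholder"  # site-specific Db2 group, not named on the page
PRIVILEGED = {"mqm", "mqbrkrs", DB2_GROUP}

# OS groups each role needs per Table 1; roles with only database
# permissions are assumed to need none of the privileged groups.
ROLE_GROUPS = {
    "db2_admin": {DB2_GROUP},
    "mq_admin": {"mqm"},
    "ace_admin": {"mqm", "mqbrkrs"},
    "db_accessor": set(),
    "usage_report": set(),
}

# Constructed sample in /etc/group format (name:passwd:gid:members).
SAMPLE_GROUPS = """\
mqm:x:1001:mqadm,aceadm,ftmdbacc
mqbrkrs:x:1002:aceadm
db2grp_placeholder:x:1003:db2adm,tmpuser
"""
SAMPLE_ACCOUNTS = {"db2adm": "db2_admin", "mqadm": "mq_admin",
                   "aceadm": "ace_admin", "ftmdbacc": "db_accessor",
                   "ftmusage": "usage_report"}

def parse_group_file(text):
    """Return {group: set(members)}; malformed lines are skipped."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and not fields[0].startswith("#"):
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups

def audit(accounts, groups):
    """Return sorted (user, finding, group) tuples for privileged groups."""
    findings = []
    for user, role in accounts.items():
        held = {g for g in PRIVILEGED if user in groups.get(g, set())}
        need = ROLE_GROUPS[role]
        findings += [(user, "missing", g) for g in need - held]
        findings += [(user, "excess", g) for g in held - need]
    for g in PRIVILEGED:  # members nobody planned for
        extra = groups.get(g, set()) - set(accounts)
        findings += [(user, "unplanned", g) for user in extra]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, parse_group_file(SAMPLE_GROUPS)):
        print(*finding)
```

The member list in a group file covers supplementary membership only; a user's primary group is recorded in the passwd database, so confirm any "missing" finding with `id` for that account.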