Restricting group authorities for MFT-specific resources

Instead of granting authority to individual users for all of the various objects that might be involved, configure two security groups for the purposes of administering Managed File Transfer access control: FTEUSER and FTEAGENT. It is the responsibility of the IBM® MQ administrator to create and populate these groups. The administrator can choose to extend or modify the proposed configuration described here.

Authority to connect to queue managers

Commands that are run by operational users, administrative users, and the IBM MQ Explorer need to be able to connect to the command queue manager and coordination queue manager. The agent process and commands that are run to create, alter, or delete the agent need to be able to connect to the agent queue manager.
  • Grant the FTEUSER group connect authority for the command queue manager and coordination queue manager. For example:
    For AIX®, Linux®, and Windows systems:
    setmqaut -m command_queue_manager -t qmgr -g FTEUSER +connect
    setmqaut -m coordination_queue_manager -t qmgr -g FTEUSER +connect
    For IBM i:
    GRTMQMAUT OBJ('command_queue_manager') OBJTYPE(*MQM) USER(FTEUSER) AUT(*CONNECT)
    GRTMQMAUT OBJ('coordination_queue_manager') OBJTYPE(*MQM) USER(FTEUSER) AUT(*CONNECT)
    For z/OS®:
    RDEFINE MQCONN command_queue_manager.BATCH UACC(NONE)
    PERMIT command_queue_manager.BATCH CLASS(MQCONN) ID(FTEUSER) ACCESS(READ)
    RDEFINE MQCONN coordination_queue_manager.BATCH UACC(NONE)
    PERMIT coordination_queue_manager.BATCH CLASS(MQCONN) ID(FTEUSER) ACCESS(READ)
  • Grant the FTEAGENT group connect, inquire, and setid authority to the agent queue manager. For example:
    For AIX, Linux, and Windows systems:
    setmqaut -m agent_queue_manager -t qmgr -g FTEAGENT +connect +inq +setid
    For IBM i:
    GRTMQMAUT OBJ('agent_queue_manager') OBJTYPE(*MQM) USER(FTEAGENT) AUT(*CONNECT)
    For z/OS:
    RDEFINE MQCONN agent_queue_manager.BATCH UACC(NONE)
    PERMIT agent_queue_manager.BATCH CLASS(MQCONN) ID(FTEAGENT) ACCESS(READ)

For information about which command directly connects to which queue manager, see Which MFT command connects to which queue manager.

Authority to put a message on the COMMAND queue that belongs to the agent

The agent command queue must be available to any user who is authorized to request that the agent performs an action. To satisfy this requirement:
  • Grant the FTEUSER group only put access to the SYSTEM.FTE.COMMAND.agent_name queue. For example:
    For AIX, Linux, and Windows systems:
    setmqaut -m QM1 -n SYSTEM.FTE.COMMAND.agent_name -t queue -g FTEUSER +put
    For IBM i:
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEUSER) AUT(*PUT) MQMNAME('QM1')
    For z/OS:
    RDEFINE MQQUEUE QM1.SYSTEM.FTE.COMMAND.agent_name UACC(NONE)
    PERMIT QM1.SYSTEM.FTE.COMMAND.agent_name CLASS(MQQUEUE) ID(FTEUSER) ACCESS(UPDATE)
  • Grant the FTEAGENT group put, get, and setid access to the SYSTEM.FTE.COMMAND.agent_name queue. For example:
    For AIX, Linux, and Windows systems:
    setmqaut -m QM1 -n SYSTEM.FTE.COMMAND.agent_name -t queue -g FTEAGENT +browse +put +get +setid
    For IBM i:
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*PUT) MQMNAME('QM1')
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*GET) MQMNAME('QM1')
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*SETID) MQMNAME('QM1')
    For z/OS:
    RDEFINE MQQUEUE QM1.SYSTEM.FTE.COMMAND.agent_name UACC(NONE)
    PERMIT QM1.SYSTEM.FTE.COMMAND.agent_name CLASS(MQQUEUE) ID(FTEAGENT) ACCESS(UPDATE)
    RDEFINE MQADMIN QM1.CONTEXT.SYSTEM.FTE.COMMAND.agent_name UACC(NONE)
    PERMIT QM1.CONTEXT.SYSTEM.FTE.COMMAND.agent_name CLASS(MQADMIN) ID(FTEAGENT) ACCESS(UPDATE)

Agents need access to put messages to other agents' command queues. If there are agents connected to remote queue managers, you might need to grant additional authorization to allow the channel to put messages to this queue.

Authority to put messages on the DATA, STATE, EVENT, and REPLY queues that belong to the agent

Only Managed File Transfer agents need to be able to use these system queues, so grant the group FTEAGENT put, get, and inquire access. The names of these system queues are as follows:
  • DATA - SYSTEM.FTE.DATA.agent_name
  • STATE - SYSTEM.FTE.STATE.agent_name
  • EVENT - SYSTEM.FTE.EVENT.agent_name
  • REPLY - SYSTEM.FTE.REPLY.agent_name
For example, for the SYSTEM.FTE.DATA.agent_name queue, use a command like the following:
For AIX, Linux, and Windows systems:
setmqaut -m QM1 -n SYSTEM.FTE.DATA.agent_name -t queue -g FTEAGENT +put +get +inq
For IBM i:
GRTMQMAUT OBJ('SYSTEM.FTE.DATA.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*PUT) MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.FTE.DATA.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*GET) MQMNAME('QM1')
For z/OS:
RDEFINE MQQUEUE QM1.SYSTEM.FTE.DATA.agent_name UACC(NONE)
PERMIT QM1.SYSTEM.FTE.DATA.agent_name CLASS(MQQUEUE) ID(FTEAGENT) ACCESS(UPDATE)

Agents need access to put messages to other agents' data and reply queues. If there are agents connected to remote queue managers, you might need to grant additional authorization to allow the channel to put messages to these queues.

Authority that the agent process runs under

The authority that the agent process runs under affects the files the agent can read and write from the file system, and the queues and topics the agent can access. How the authority is configured is system-dependent. Add the user ID that the agent process runs under to the FTEAGENT group. For more information about adding a user ID to a group, see Setting up security and navigate to the information for your operating system.

Authority that the commands and IBM MQ Explorer run under

Administrative commands, for example the fteStartAgent command, and the Managed File Transfer plug-in for the IBM MQ Explorer need to be able to put messages to the SYSTEM.FTE.COMMAND.agent_name queue and retrieve published information from that queue. Add the user IDs that are authorized to run the commands or the IBM MQ Explorer to the FTEUSER group. This originator user ID is recorded in the transfer log. For more information about adding a user ID to a group, see Setting up security and navigate to the information for your operating system.

Authority to put messages on the SYSTEM.FTE queue and SYSTEM.FTE topic

Only the agent process needs to be able to place messages on the SYSTEM.FTE queue and SYSTEM.FTE topic. Grant put, get, and inquire authority to the FTEAGENT group on the SYSTEM.FTE queue, and grant publish and subscribe authority to the FTEAGENT group on the SYSTEM.FTE topic. For example:
For AIX, Linux, and Windows systems:
setmqaut -m QM1 -n SYSTEM.FTE -t queue -g FTEAGENT +put +inq
setmqaut -m QM1 -n SYSTEM.FTE -t topic -g FTEAGENT +pub +sub +resume
For IBM i:
GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*Q) USER(FTEAGENT) AUT(*PUT) MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*TOPIC) USER(FTEAGENT) AUT(*PUB) MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*TOPIC) USER(FTEAGENT) AUT(*SUB) MQMNAME('QM1')
For z/OS:
RDEFINE MQQUEUE QM1.SYSTEM.FTE UACC(NONE)
PERMIT QM1.SYSTEM.FTE CLASS(MQQUEUE) ID(FTEAGENT) ACCESS(UPDATE)
RDEFINE MXTOPIC QM1.PUBLISH.SYSTEM.FTE UACC(NONE)
PERMIT QM1.PUBLISH.SYSTEM.FTE CLASS(MXTOPIC) ID(FTEAGENT) ACCESS(UPDATE)

If there are agents connected to remote queue managers, additional authorization might also need to be granted to allow the channel to put messages to the SYSTEM.FTE queue.

For a message to be published to the SYSTEM.FTE topic, the authority records of the SYSTEM.FTE topic must allow publication by the user ID contained in the message descriptor structure (MQMD) of the message. This is described in Authority to publish MFT Agents log and status messages.

To allow a user to publish to the SYSTEM.FTE topic on z/OS, you must grant the channel initiator user ID access to publish to the SYSTEM.FTE topic. If the RESLEVEL security profile causes two user IDs to be checked for the channel initiator connection, you also need to grant access to the user ID contained in the message descriptor structure (MQMD) of the message. For more information, see The RESLEVEL security profile.

Authority to receive publications on the SYSTEM.FTE topic

Transfer log messages, progress messages, and status messages are intended for general use, so grant the FTEUSER group authority to subscribe to the SYSTEM.FTE topic. For example:
For AIX, Linux, and Windows systems:
setmqaut -m QM1 -n SYSTEM.FTE -t topic -g FTEUSER +sub
For IBM i:
GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*TOPIC) USER(FTEUSER) AUT(*SUB) MQMNAME('QM1')
For z/OS:
RDEFINE MXTOPIC QM1.SUBSCRIBE.SYSTEM.FTE UACC(NONE)
PERMIT QM1.SUBSCRIBE.SYSTEM.FTE CLASS(MXTOPIC) ID(FTEUSER) ACCESS(ALTER)

Authority to connect to remote queue managers using transmission queues

In a topology of multiple queue managers, the agent requires put authority on the transmission queues used to connect to the remote queue managers.

Authority to create a temporary reply queue for file transfers

File transfer requests wait for the transfer to complete and rely on a temporary reply queue being created and populated. Grant the FTEUSER group DISPLAY, PUT, GET, and BROWSE authorities on the temporary model queue definition. For example:
For AIX, Linux, and Windows systems:
setmqaut -m QM1 -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g FTEUSER +dsp +put +get +browse
For IBM i:
GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*ADMDSP) MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*PUT)    MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*GET)    MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*BROWSE) MQMNAME('QM1')
For z/OS:
RDEFINE MQQUEUE QM1.SYSTEM.DEFAULT.MODEL.QUEUE UACC(NONE)
PERMIT QM1.SYSTEM.DEFAULT.MODEL.QUEUE CLASS(MQQUEUE) ID(FTEUSER) ACCESS(UPDATE)
By default, this queue is SYSTEM.DEFAULT.MODEL.QUEUE, but you can configure the name by setting values for the properties 'modelQueueName' and 'dynamicQueuePrefix' in the command.properties file.
On z/OS, you must also grant FTEUSER authority to access the temporary queues. For example:

RDEFINE MQQUEUE QM1.WMQFTE.** UACC(NONE)
PERMIT QM1.WMQFTE.** CLASS(MQQUEUE) ID(FTEUSER) ACCESS(UPDATE)
By default, the name of each temporary queue on z/OS starts with WMQFTE.

The following table summarizes the access control configuration for FTEUSER and FTEAGENT in the security scheme described:

Table 1. Summary of access control configuration for FTEUSER and FTEAGENT

Object                                                         Object type     FTEUSER                          FTEAGENT
Agent queue manager                                            Queue manager   -                                CONNECT, INQ, and SETID (*)
Coordination queue manager                                     Queue manager   -                                -
Command queue manager                                          Queue manager   CONNECT                          CONNECT
SYSTEM.FTE                                                     Local queue     -                                GET and PUT
SYSTEM.FTE.COMMAND.agent_name                                  Local queue     PUT                              BROWSE, GET, PUT, and SETID
SYSTEM.FTE.DATA.agent_name                                     Local queue     -                                GET and PUT
SYSTEM.FTE.EVENT.agent_name                                    Local queue     -                                BROWSE, GET, and PUT
SYSTEM.FTE.REPLY.agent_name                                    Local queue     -                                GET and PUT
SYSTEM.FTE.STATE.agent_name                                    Local queue     -                                BROWSE, GET, INQ, and PUT
SYSTEM.FTE                                                     Local topic     SUBSCRIBE                        PUBLISH and SUBSCRIBE
SYSTEM.DEFAULT.MODEL.QUEUE (**)                                Model queue     BROWSE, DISPLAY, GET, and PUT    BROWSE, DISPLAY, GET, and PUT
Transmission queues to communicate with remote queue managers  Local queue     -                                PUT

(*) ALT_USER is also required to enable Restricting user authorities on MFT agent actions.
(**) Or the model queue defined in Managed File Transfer that is used to create a temporary reply queue.

Authority to manage transfers through IBM MQ Explorer

In addition to the MFT authorities granted to users in the situations already described on this page, further authorities need to be granted to the MFT agent user who administers and performs all MFT operations through IBM MQ Explorer. To issue commands such as creating, canceling, or scheduling a file transfer, creating or deleting resource monitors, and creating transfer templates, the IBM MQ Explorer user must have the following authority:
  • Coordination queue manager: connect, inquire, display
  • Command queue manager: connect, inquire, display
  • SYSTEM.FTE topic: publish, subscribe
  • SYSTEM.MQEXPLORER.REPLY.MODEL: display, inquire, get, browse, put
  • SYSTEM.ADMIN.COMMAND.QUEUE: inquire, put, display
  • SYSTEM.DEFAULT.MODEL.QUEUE: get, put, inquire, display, browse
See also Which MFT command connects to which queue manager.
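The grants in Table 1 and in the IBM MQ Explorer list above are spread over many setmqaut calls, and the least-privilege split (FTEUSER gets put only on the command queue, FTEAGENT gets the full set on its own queues) is easy to lose when the commands are typed by hand. The script below is an added example, not part of the IBM documentation: it generates the setmqaut commands for one agent from the table in a single place, prints them as a dry run by default, and executes them only when MFT_APPLY=1. QM1, AGENT1, QM2 and the group name FTEEXPLORER are constructed placeholder values; the page names no group for Explorer users, so that group is an assumption, and the run_or_print wrapper is this example's own convenience, not an MQ feature. setmqaut and dspmqaut are the real IBM MQ commands shown on the page.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: build the setmqaut grants that
# Table 1 and the IBM MQ Explorer list prescribe for one agent from a single
# place, so the FTEUSER/FTEAGENT split cannot drift between queues.
# Default is a dry run that prints each command; set MFT_APPLY=1 to execute.
# QM1, AGENT1, QM2 and the group FTEEXPLORER are constructed placeholder values.

MFT_APPLY="${MFT_APPLY:-0}"

# Execute the command when MFT_APPLY=1, otherwise print it unchanged.
run_or_print() {
    if [ "$MFT_APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# grant QMGR GROUP TYPE NAME AUTH... : one setmqaut call (NAME is ignored for qmgr).
grant() {
    g_qm="$1"; g_grp="$2"; g_type="$3"; g_name="$4"; shift 4
    if [ "$g_type" = "qmgr" ]; then
        run_or_print setmqaut -m "$g_qm" -t qmgr -g "$g_grp" "$@"
    else
        run_or_print setmqaut -m "$g_qm" -n "$g_name" -t "$g_type" -g "$g_grp" "$@"
    fi
}

# FTEAGENT column of Table 1, applied on the agent queue manager.
mft_grant_agent() {
    qm="$1"; agent="$2"
    grant "$qm" FTEAGENT qmgr - +connect +inq +setid
    grant "$qm" FTEAGENT queue SYSTEM.FTE +get +put
    grant "$qm" FTEAGENT queue "SYSTEM.FTE.COMMAND.$agent" +browse +get +put +setid
    grant "$qm" FTEAGENT queue "SYSTEM.FTE.DATA.$agent" +get +put
    grant "$qm" FTEAGENT queue "SYSTEM.FTE.EVENT.$agent" +browse +get +put
    grant "$qm" FTEAGENT queue "SYSTEM.FTE.REPLY.$agent" +get +put
    grant "$qm" FTEAGENT queue "SYSTEM.FTE.STATE.$agent" +browse +get +inq +put
    grant "$qm" FTEAGENT topic SYSTEM.FTE +pub +sub
    grant "$qm" FTEAGENT queue SYSTEM.DEFAULT.MODEL.QUEUE +browse +dsp +get +put
}

# FTEUSER column of Table 1; call once per command and coordination queue manager.
# The agent command queue gets +put only, as the page specifies.
mft_grant_user() {
    qm="$1"; agent="$2"
    grant "$qm" FTEUSER qmgr - +connect
    grant "$qm" FTEUSER queue "SYSTEM.FTE.COMMAND.$agent" +put
    grant "$qm" FTEUSER topic SYSTEM.FTE +sub
    grant "$qm" FTEUSER queue SYSTEM.DEFAULT.MODEL.QUEUE +browse +dsp +get +put
}

# Transmission queue row of Table 1: one call per transmission queue.
mft_grant_xmitq() {
    grant "$1" FTEAGENT queue "$2" +put
}

# Authorities listed for the IBM MQ Explorer user; call once per coordination and
# command queue manager. GROUP is an assumed group holding the Explorer users.
mft_grant_explorer() {
    qm="$1"; grp="$2"
    grant "$qm" "$grp" qmgr - +connect +inq +dsp
    grant "$qm" "$grp" topic SYSTEM.FTE +pub +sub
    grant "$qm" "$grp" queue SYSTEM.MQEXPLORER.REPLY.MODEL +dsp +inq +get +browse +put
    grant "$qm" "$grp" queue SYSTEM.ADMIN.COMMAND.QUEUE +inq +put +dsp
    grant "$qm" "$grp" queue SYSTEM.DEFAULT.MODEL.QUEUE +get +put +inq +dsp +browse
}

# Review step: display what FTEUSER actually holds on the agent command queue,
# so an accidental +get on it can be spotted after the grants are applied.
mft_show_user_cmdq() {
    run_or_print dspmqaut -m "$1" -n "SYSTEM.FTE.COMMAND.$2" -t queue -g FTEUSER
}

# Usage: sh mft-grants.sh QMGR AGENT   (prints the commands unless MFT_APPLY=1)
if [ $# -ge 2 ]; then
    mft_grant_agent "$1" "$2"
    mft_grant_user "$1" "$2"
    mft_grant_explorer "$1" FTEEXPLORER
    mft_show_user_cmdq "$1" "$2"
fi
```

The page's examples use a single queue manager QM1 for every object; in a topology with separate command, coordination, and agent queue managers, call mft_grant_user once per queue manager that FTEUSER connects to, mft_grant_agent on the agent queue manager, and mft_grant_xmitq for each transmission queue. Reviewing the dry-run output before setting MFT_APPLY=1 is the point of the wrapper: the only FTEUSER line that should mention the command queue ends in +put.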