In a test environment, you can add any new privileges needed to your normal user account.
In a production environment, it is recommended that you create a new user with the minimum
permissions required to do the job.
About this task
You must install the stand-alone file logger and IBM® MQ on a single system. Configure the user's permissions as follows:
Procedure
- Ensure that the user has permission to read and, where necessary, execute, the files installed
  as part of the Managed File Transfer installation.
- Ensure that the user has permission to create and write to any file in the
  logs directory which is in the configuration directory. This directory is used
  for an event log, and if necessary for diagnostic trace and First Failure Data Capture (FFDC)
  files.
- Ensure that the user has its own group, and is also not in any groups with wide-ranging
  permissions on the coordination queue manager. The user should not be in the mqm group. On certain
  platforms, the staff group is automatically given queue manager access as well; the stand-alone file
  logger user should not be in the staff group. You can view authority records for the queue manager
  itself and for objects in it by using the IBM MQ Explorer.
  Right-click the object and select Object Authorities > Manage Authority Records.
  At the command line, you can use the commands dspmqaut (display authority) or
  dmpmqaut (dump authority).
- Use the Manage Authority Records window in the IBM MQ Explorer or the setmqaut (grant or revoke
  authority) command to add authorities for the user's own group (on AIX®, IBM MQ
  authorities are associated with groups only, not individual users). The authorities required are as
  follows:
  - Connect and Inquire on the queue manager (the IBM MQ Java libraries require Inquire
    permission to operate).
  - Subscribe permission on the SYSTEM.FTE topic.
  - Put permission on the SYSTEM.FTE.LOG.RJCT.logger_name queue.
  - Get permission on the SYSTEM.FTE.LOG.CMD.logger_name queue.

  The reject and command queue names given are the default names. If you chose different queue
  names when you configured the stand-alone file logger queues, add the permissions to those queue
  names instead.
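
The group check and the four grants from the procedure above, written as a dry-run shell script. This is an added example, not part of the original IBM procedure; the queue manager name QM_COORD, the group ftelog and the logger name LOGGER1 are constructed placeholders, and the default reject and command queue names are assumed.

```shell
#!/bin/sh
# Added example: least-privilege grants for the stand-alone file logger group.
# QM_COORD, ftelog and LOGGER1 are constructed placeholder names.

# Fail if the logger user's group list contains a group with broad
# queue manager access (mqm, or staff on platforms where it applies).
# $1 = space-separated group names, e.g. the output of: id -Gn <user>
check_logger_groups() {
    for g in $1; do
        case "$g" in
            mqm|staff)
                echo "group '$g' has wide-ranging queue manager access" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Print the setmqaut commands for the four authorities the procedure lists.
# Grants go to the group (-g), which also covers platforms where
# authorities are held by groups only.
# $1 = coordination queue manager, $2 = logger user's own group, $3 = logger name
logger_grants() {
    qm=$1; grp=$2; name=$3
    echo "setmqaut -m $qm -t qmgr -g $grp +connect +inq"
    echo "setmqaut -m $qm -n SYSTEM.FTE -t topic -g $grp +sub"
    echo "setmqaut -m $qm -n SYSTEM.FTE.LOG.RJCT.$name -t queue -g $grp +put"
    echo "setmqaut -m $qm -n SYSTEM.FTE.LOG.CMD.$name -t queue -g $grp +get"
}

# Dry run with constructed values: nothing is changed, the commands are
# only printed so they can be reviewed before being run on the MQ host.
if check_logger_groups "ftelog"; then
    logger_grants QM_COORD ftelog LOGGER1
fi
```

After the grants are applied, `dmpmqaut -m QM_COORD -g ftelog` lists the resulting authority records so you can confirm that the group holds nothing beyond these four.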