IBM Support

IT20792: AMQ8077 (unauthorised "get" permission) reported for agent authority queues when user authority management is enabled


APAR status

  • Closed as program error.

Error description

  • For MQ Managed File Transfer V9.0.0.0, user authority management
    is enabled based on the information in the "User authorities on
    IBM MQ Managed File Transfer actions" topic in the MQ V9 section
    of IBM Knowledge Center:
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.wmqfte.doc/finegrain_resource_access.htm
    
    - In the agent.properties file, set the authorityChecking value
    to true.
    - Set the MQ authorities by following the instructions.
    
    However, AMQ8077 (unauthorized get permission) error messages
    are reported in the queue manager error log for the agent
    authority queues when the agent starts up.
    
    The errors look like this:
    
    ----- amqzfubn.c : 518
    --------------------------------------------------------
    Program(amqzlaa0.exe)
                          Host(host1) Installation(Installation1)
                          VRMF(9.0.0.0) QMgr(<QM_name>)
    
    AMQ8077: Entity '<user_name>' has insufficient authority to
    access
    object  'SYSTEM.FTE.AUTHMON1.<agent_name>.
    
    EXPLANATION:
    The specified entity is not authorized to access the required
    object.
    The following requested permissions are unauthorized: get
    ACTION:
    Ensure that the correct level of authority has been set for
    this entity against the required object, or ensure that the
    entity is
    a member of a privileged group.
    ----- amqzfubn.c : 518
    --------------------------------------------------------
    

Local fix

  • Set get authority on the agent authority queues.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of:
    
    - IBM MQ V8 Managed File Transfer.
    - IBM MQ V9 Managed File Transfer.
    
    who have enabled user authority management by setting the agent
    property "authorityChecking=true".
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    Each agent authority queue is dedicated for different Managed
    File Transfer (MFT) agent actions and requires different
    permissions such as browse, put etc. depending on which MFT
    actions a user is allowed to perform. These permissions are
    documented here:
    
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.wmqfte.doc/finegrain_resource_access.htm
    
    The permissions do not include "get". Therefore, users are not
    expected to have "get" permission on any of the agent authority
    queues in order to perform agent actions.
    
    When the agent property: "authorityChecking=true" was set, the
    agent verified that all its authority related queues exist by
    opening them with a "get" option during startup.  The "get"
    command failed with MQ reason code 2035 (MQRC_NOT_AUTHORIZED).
    The agent ignored this failure and carried on with its startup
    processing, because all it wanted to check was that the
    authority queues had already been created.
    
    However, the agent queue manager detected that the agent tried
    to access these queues without the appropriate permission, and
    reported an error in its log.
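
An added triage example (not IBM's code): it parses AMQ8077 entries from a queue manager error log and separates the startup signature described above (only "get" refused on an agent authority queue) from other authorization failures. The SYSTEM.FTE.AUTH prefix, the entity and queue names, and the sample log are assumptions constructed for illustration.

```python
import re

# Assumption: agent authority queues share this prefix (page shows AUTHMON1).
AUTH_QUEUE_PREFIX = "SYSTEM.FTE.AUTH"

AMQ8077 = re.compile(
    r"AMQ8077: Entity '(?P<entity>[^']+)' has insufficient authority to access "
    r"object '(?P<object>[^']+)'.*?"
    r"permissions are unauthorized: (?P<perms>[a-z/, ]+?) ACTION:"
)

def triage(log_text):
    """Return (entity, object, permissions, verdict) for each AMQ8077 entry."""
    flat = " ".join(log_text.split())  # undo the error log's line wrapping
    rows = []
    for chunk in re.split(r"(?=AMQ\d{4}:)", flat):  # one chunk per message
        m = AMQ8077.match(chunk)
        if not m:
            continue
        perms = set(re.findall(r"[a-z]+", m["perms"]))
        # APAR signature: only "get" refused, and only on an authority queue.
        known = m["object"].startswith(AUTH_QUEUE_PREFIX) and perms == {"get"}
        verdict = "matches IT20792" if known else "investigate"
        rows.append((m["entity"], m["object"], sorted(perms), verdict))
    return rows

# Constructed sample log (abbreviated entries, hypothetical names).
SAMPLE_LOG = """\
----- amqzfubn.c : 518 ------------------------------------
AMQ8077: Entity 'mftagent' has insufficient authority to
access object 'SYSTEM.FTE.AUTHMON1.AGENT1'.
EXPLANATION:
The following requested permissions are unauthorized: get
ACTION:
----- amqzfubn.c : 518 ------------------------------------
AMQ8077: Entity 'mftagent' has insufficient authority to
access object 'SYSTEM.FTE.AUTHMON1.AGENT1'.
EXPLANATION:
The following requested permissions are unauthorized: put
ACTION:
----- amqzfubn.c : 518 ------------------------------------
AMQ8077: Entity 'appuser' has insufficient authority to
access object 'PAYROLL.REQUEST'.
EXPLANATION:
The following requested permissions are unauthorized: get
ACTION:
"""

if __name__ == "__main__": print(*triage(SAMPLE_LOG), sep="\n")
```

Once the agent is at one of the maintenance levels listed under "Problem conclusion", it no longer opens these queues with "get", so entries that still match the signature deserve the same scrutiny as any other AMQ8077.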
    

Problem conclusion

  • The product code for IBM MQ-MFT has been updated to open agent
    authority queues with a more appropriate MQOPEN option when
    verifying their existence. The authority queues are now opened
    with the "inquire" option rather than "get".
    
    The "User authorities on IBM MQ Managed File Transfer actions"
    topic in the MQ V8 and V9 sections of IBM Knowledge Center has
    been updated to include "inquire" as a required permission on
    all of the agent authority queues:
    
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.wmqfte.doc/finegrain_resource_access.htm
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v8.0       8.0.0.8
    v9.0 CD    9.0.4
    v9.0 LTS   9.0.0.3
    
    The latest available MQ maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT20792

  • Reported component name

    WMQ BASE MULTIP

  • Reported component ID

    5724H7251

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-05-29

  • Closed date

    2017-09-29

  • Last modified date

    2017-09-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM MQ MFT V9.0

  • Fixed component ID

    5724H7262

Applicable component levels

  • R900 PSY

       UP


Document Information

Modified date:
29 September 2017