IBM Support

IT20792: AMQ8077 (unauthorised "get" permission) reported for agent authority queues when user authority management is enabled

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • For MQ Managed File Transfer V9.0.0.0, user authority management
is enabled based on the information in the "User authorities on
IBM MQ Managed File Transfer actions"topic in the MQ V9 section
of IBM Knowledge Center:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm
.wmqfte.doc/finegrain_resource_access.htm

- In the agent.properties file, set the authorityChecking value
to true.
- Set MQ authority following the instruction.

However, AMQ8077 (unauthorized get permission) error messages
are reported in the queue manager error log for the agent
authority queues when the agent starts up.

The errors look like this:

----- amqzfubn.c : 518
--------------------------------------------------------
Program(amqzlaa0.exe)
                      Host(host1) Installation(Installation1)
                      VRMF(9.0.0.0) QMgr(<QM_name>)

AMQ8077: Entity '<user_name>' has insufficient authority to
access
object  'SYSTEM.FTE.AUTHMON1.<agent_name>.

EXPLANATION:
The specified entity is not authorized to access the required
object.
The following requested permissions are unauthorized: get
ACTION:
Ensure that the correct level of authority has been set for
this entity against the required object, or ensure that the
entity is
a member of a privileged group.
----- amqzfubn.c : 518
--------------------------------------------------------

Local fix

  • Set get authority on the agent authority queues.

Problem summary

  • ****************************************************************
USERS AFFECTED:
This issue affects users of:

- IBM MQ V8 Managed File Transfer.
- IBM MQ V9 Managed File Transfer.

who have enabled user authority management by setting the agent
property "authortyChecking=true".


Platforms affected:
MultiPlatform

****************************************************************
PROBLEM DESCRIPTION:
Each agent authority queue is dedicated for different Managed
File Transfer (MFT) agent actions and requires different
permissions such as browse, put etc. depending on which MFT
actions a user is allowed to perform. These permissions are
documented here:

https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm
.wmqfte.doc/finegrain_resource_access.htm

The permissions do not include "get". Therefore, users are not
expected to have "get" permission on any of the agent authority
queues in order to perform agent actions.

When the agent property: "authorityChecking=true" was set, the
agent verified that all its authority related queues exist by
opening them with a "get" option during startup.  The "get"
command failed with MQ reason code 2035 (MQRC_NOT_AUTHORISED).
The agent ignored this failure and carried on with its startup
processing, because all it wanted to check was that the
authority queues had already been created.

However, the agent queue manager detected that the agent tried
to access these queues without the appropriate permission, and
reported an error in its log.

Problem conclusion

  • The product code for IBM MQ-MFT has been updated to open agent
authority queues with more appropriate MQOPEN option when
verifying their existence. The authority queues are now opened
with the "inquire" option rather than "get".

The "User authorities on IBM MQ Managed File Transfer actions"
topic in the MQ V8 and V9 sections of IBM Knowledge Centre have
been updated to include "inquire" as a required permission on
all of the agent authority queues:

https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm
.wmqfte.doc/finegrain_resource_access.htm

---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version    Maintenance Level
v8.0       8.0.0.8
v9.0 CD    9.0.4
v9.0 LTS   9.0.0.3

The latest available MQ maintenance can be obtained from
'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available information on
its planned availability can be found in 'WebSphere MQ
Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT20792
    • 

  • Reported component name
    WMQ BASE MULTIP
    • 

  • Reported component ID
    5724H7251
    • 

  • Reported release
    900
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-05-29
    • 

  • Closed date
    2017-09-29
    • 

  • Last modified date
    2017-09-29
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    IBM MQ MFT V9.0
    • 

  • Fixed component ID
    5724H7262
    • 



Applicable component levels


    

  • R900  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            29 September 2017
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback