Group authorities for resources specific to WebSphere MQ File Transfer Edition

Instead of granting authority to individual users for all of the various objects that might be involved, configure two security groups for the purposes of administering WebSphere® MQ File Transfer Edition access control: FTEUSER and FTEAGENT. It is the responsibility of the WebSphere MQ administrator to create and populate these groups. The administrator can choose to extend or modify the proposed configuration described here.

Authority to connect to queue managers

Commands that are run by operational users, administrative users, and the WebSphere MQ Explorer need to be able to connect to the command queue manager and coordination queue manager. The agent process and commands that are run to create, alter, or delete the agent need to be able to connect to the agent queue manager. Grant the FTEUSER group connect authority for the command queue manager and coordination queue manager. Grant the FTEAGENT group connect authority to the agent queue manager.

For information about which command directly connects to which queue manager, see Issuing commands.

Authority to put a message on the COMMAND queue that belongs to the agent

The agent command queue must be available to any user who is authorized to request that the agent performs an action. To satisfy this requirement:Start of change
  • Grant the FTEUSER group solely put access to the SYSTEM.FTE.COMMAND.agent_name queue. For example:
    For UNIX, Linux, and Windows systems:
    setmqaut -m QM1 -n SYSTEM.FTE.COMMAND.agent_name -t queue -g FTEUSER +put
    For IBM® i:
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEUSER) AUT(*PUT) MQMNAME('QM1')
    For z/OS®:
    RDEFINE MQQUEUE QM1.SYSTEM.FTE.COMMAND.agent_name UACC(NONE)
    PERMIT QM1.SYSTEM.FTE.COMMAND.agent_name CLASS(MQQUEUE) ID(FTEUSER) ACCESS(UPDATE)
  • Grant the FTEAGENT group put, get, and setid access to the SYSTEM.FTE.COMMAND.agent_name queue. For example:
    For UNIX, Linux, and Windows systems:
    setmqaut -m QM1 -n SYSTEM.FTE.COMMAND.agent_name -t queue -g FTEAGENT +put +get +setid
    For IBM i:
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*PUT) MQMNAME('QM1')
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*GET) MQMNAME('QM1')
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*SETID) MQMNAME('QM1')
    For z/OS:
    Start of change
    RDEFINE MQQUEUE QM1.SYSTEM.FTE.COMMAND.agent_name UACC(NONE)
    PERMIT QM1.SYSTEM.FTE.COMMAND.agent_name CLASS(MQQUEUE) ID(FTEAGENT) ACCESS(UPDATE)
    RDEFINE MQADMIN QM1.CONTEXT.SYSTEM.FTE.COMMAND.agent_name UACC(NONE)
    PERMIT QM1.CONTEXT.SYSTEM.FTE.COMMAND.agent_name CLASS(MQADMIN) ID(FTEAGENT) ACCESS(UPDATE)
    End of change
End of change

Agents need access to put messages to other agents' command queues. If there are agents connected to remote queue managers, you might need to grant additional authorization to allow the channel to put messages to this queue.

Authority to put messages on the DATA, STATE, EVENT, and REPLY queues that belong to the agent

Only WebSphere MQ File Transfer Edition agents need to be able to use these system queues, therefore only grant the group FTEAGENT put and get access. The names of these system queues are as follows:Start of change
  • DATA - SYSTEM.FTE.DATA.agent_name
  • STATE - SYSTEM.FTE.STATE.agent_name
  • EVENT - SYSTEM.FTE.EVENT.agent_name
  • REPLY - SYSTEM.FTE.REPLY.agent_name
End of change For example, for the SYSTEM.FTE.DATA.agent_name queue, use a command like the following:
Start of change
For UNIX, Linux, and Windows systems:
setmqaut -m QM1 -n SYSTEM.FTE.DATA.agent_name -t queue -g FTEAGENT +put +get +inq
For IBM i:
GRTMQMAUT OBJ('SYSTEM.FTE.DATA.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*PUT) MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.FTE.DATA.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*GET) MQMNAME('QM1')
For z/OS:
RDEFINE MQQUEUE QM1.SYSTEM.FTE.DATA.agent_name UACC(NONE)
PERMIT QM1.SYSTEM.FTE.DATA.agent_name CLASS(MQQUEUE) ID(FTEAGENT) ACCESS(UPDATE)
End of change

Start of changeAgents need access to put messages to other agents' data and reply queues. If there are agents connected to remote queue managers, you might need to grant additional authorization to allow the channel to put messages to these queues.End of change

Authority that the agent process runs under

The authority that the agent process runs under affects the files the agent can read and write from the file system, and the queues and topics the agent can access. How the authority is configured is system-dependent. Add the user ID that the agent process runs under to the FTEAGENT group.

Authority that the commands and WebSphere MQ Explorer run under

Administrative commands, for example the fteStartAgent command, and the WebSphere MQ File Transfer Edition plug-in for the WebSphere MQ Explorer need to be able to put messages to the SYSTEM.FTE.COMMAND.agent_name queue and retrieve published information from that queue. Add the user IDs that are authorized to run the commands or the WebSphere MQ Explorer to the FTEUSER group. This originator user ID is recorded in the transfer log.

Authority to put messages on the SYSTEM.FTE queue and SYSTEM.FTE topic

Start of changeOnly the agent process needs to be able to place messages on the SYSTEM.FTE queue and SYSTEM.FTE topic. Grant put, get and inquire authority to the FTEAGENT group on the SYSTEM.FTE queue, and grant publish and subscribe authority to the FTEAGENT group on the SYSTEM.FTE topic. For example:
For UNIX, Linux, and Windows systems:
setmqaut -m QM1 -n SYSTEM.FTE -t queue -g FTEAGENT +put +get +inq
setmqaut -m QM1 -n SYSTEM.FTE -t topic -g FTEAGENT +pub +sub +inq
For IBM i:
GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*Q) USER(FTEAGENT) AUT(*PUT) MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*Q) USER(FTEAGENT) AUT(*GET) MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*TOPIC) USER(FTEAGENT) AUT(*PUB) MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*TOPIC) USER(FTEAGENT) AUT(*SUB) MQMNAME('QM1')
For z/OS:
RDEFINE MQQUEUE QM1.SYSTEM.FTE UACC(NONE)
PERMIT QM1.SYSTEM.FTE CLASS(MQQUEUE) ID(FTEAGENT) ACCESS(UPDATE)
RDEFINE MXTOPIC QM1.PUBLISH.SYSTEM.FTE UACC(NONE)
PERMIT QM1.PUBLISH.SYSTEM.FTE CLASS(MXTOPIC) ID(FTEAGENT) ACCESS(UPDATE)
End of change

Start of changeIf there are agents connected to remote queue managers, additional authorization might also need to be granted to allow the channel to put messages to the SYSTEM.FTE queue.End of change

Start of changeFor a message to get published to the SYSTEM.FTE topic, the authority records of the SYSTEM.FTE topic must allow publication by the user ID contained in the message descriptor structure (MQMD) of the message. This is described in Authority to publish log and status messages.End of change

Start of changeTo allow a user to publish to the SYSTEM.FTE topic on z/OS, you must grant the channel initiator user ID access to publish to the SYSTEM.FTE topic. If the RESLEVEL security profile causes two user IDs to be checked for the channel initiator connection, you also need to grant access to the user ID contained in the message descriptor structure (MQMD) of the message. For more information, see The RESLEVEL Security ProfileEnd of change

Authority to receive publications on the SYSTEM.FTE topic

Transfer log messages, progress messages, and status messages are intended for general use, so grant the FTEUSER group authority to subscribe to the SYSTEM.FTE topic. For example:Start of change
For UNIX, Linux, and Windows systems:
setmqaut -m QM1 -n SYSTEM.FTE -t topic -g FTEUSER +sub
End of change
For IBM i:
GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*TOPIC) USER(FTEUSER) AUT(*SUB) MQMNAME('QM1')
For z/OS:
Start of change
RDEFINE MXTOPIC QM1.SUBSCRIBE.SYSTEM.FTE UACC(NONE)
PERMIT QM1.SUBSCRIBE.SYSTEM.FTE CLASS(MXTOPIC) ID(FTEUSER) ACCESS(ALTER)             
End of change

Authority to connect to remote queue managers using transmission queues

In a topology of multiple queue managers, the agent requires put authority on the transmission queues used to connect to the remote queue managers.

Authority to create a temporary reply queue for file transfers

File transfer requests wait for the transfer to complete and rely on a temporary reply queue being created and populated. Therefore grant any user that can run a file transfer command DISPLAY, PUT, GET, and BROWSE authorities on the temporary model queue definition as it is known to the agent. For example:Start of change
For UNIX, Linux, and Windows systems:
setmqaut -m QM1 -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g FTEUSER +dsp +put +get +browse
For IBM i:
GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*ADMDSP) MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*PUT)    MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*GET)    MQMNAME('QM1')
GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*BROWSE) MQMNAME('QM1')
For z/OS:
RDEFINE MQQUEUE QM1.SYSTEM.DEFAULT.MODEL.QUEUE UACC(NONE)
PERMIT QM1.SYSTEM.DEFAULT.MODEL.QUEUE CLASS(MQQUEUE) ID(FTEUSER) ACCESS(UPDATE)
End of change By default, this queue is SYSTEM.DEFAULT.MODEL.QUEUE, but you can configure the name by setting values for the properties 'modelQueueName' and 'dynamicQueuePrefix' in the command.properties file.
Start of changeOn z/OS, you must also grant authority to access the temporary queues to FTEUSER. For example:
RDEFINE MQQUEUE QM1.WMQFTE.** UACC(NONE)
PERMIT QM1.WMQFTE.** CLASS(MQQUEUE) ID(FTEUSER) ACCESS(UPDATE)
By default the name of each temporary queue on z/OS starts with WMQFTE.End of change
The following table summarizes the access control configuration for FTEUSER and FTEAGENT in the security scheme described:
Table 1. Summary of access control configuration for FTEUSER and FTEAGENT
Object Object type FTEUSER FTEAGENT
Agent queue manager Queue manager   CONNECT, INQ, and SETID, ALT_USER is also required to enable user authority checking.
Coordination queue manager Queue manager    
Command queue manager Queue manager CONNECT CONNECT
SYSTEM.FTE Local queue   GET and PUT
SYSTEM.FTE.COMMAND.agent_name Local queue PUT GET, PUT, and SETID

BROWSE access is also required, if you have enabled the Version 7.0.4.1 function.

SYSTEM.FTE.DATA.agent_name Local queue   GET and PUT
SYSTEM.FTE.EVENT.agent_name Local queue   GET and PUT

BROWSE access is also required, if you have enabled the Version 7.0.4.1 function.

SYSTEM.FTE.REPLY.agent_name Local queue   GET and PUT
SYSTEM.FTE.STATE.agent_name Local queue   GET, INQ, and PUT

BROWSE access is also required, if you have enabled the Version 7.0.4.1 function.

SYSTEM.FTE.WEB.gateway_name Local queue   PUT
SYSTEM.FTE.WEB.RESP.agent_name Local queue   GET
SYSTEM.FTE Local topic SUBSCRIBE PUBLISH and SUBSCRIBE
SYSTEM.DEFAULT.MODEL.QUEUE

(or the model queue defined in WebSphere MQ File Transfer Edition that is used to create a temporary reply queue.)

Model queue BROWSE, DISPLAY, GET, and PUT BROWSE, DISPLAY, GET, and PUT
Transmission queues to communicate with remote queue managers Local queue   PUT

Reference Reference

Feedback

Timestamp icon Last updated: Tuesday, 30 January 2018
http://www.ibm.com/support/knowledgecenter/SSEP7X_7.0.4/com.ibm.wmqfte.doc/group_resource_access.htm