User authorities on WebSphere MQ File Transfer Edition actions
In addition to using groups to manage access to resources, you can enable an additional level of security to restrict the agent actions that a user can take. Grant authorities on an agent authority queue to a user to give the user permission to perform specific agent actions.
Enabling user authority management
To turn on user authority checking on agent actions, complete the following steps:
- In the agent.properties file, set the authorityChecking value to true.
- Ensure that the user who runs the agent has the WebSphere® MQ ALT_USER authority to the agent queue manager.
Agent authority queues
- SYSTEM.FTE.AUTHADM1.agent_name
- SYSTEM.FTE.AUTHAGT1.agent_name
- SYSTEM.FTE.AUTHMON1.agent_name
- SYSTEM.FTE.AUTHOPS1.agent_name
- SYSTEM.FTE.AUTHSCH1.agent_name
- SYSTEM.FTE.AUTHTRN1.agent_name
Each authority queue is defined on the agent queue manager with the following MQSC attributes, where authority_queue_name is one of the queue names listed above:

```
DEFINE QLOCAL(authority_queue_name) DEFPRTY(0) DEFSOPT(SHARED) GET(ENABLED) MAXDEPTH(0) +
MAXMSGL(0) MSGDLVSQ(PRIORITY) PUT(ENABLED) RETINTVL(999999999) SHARE NOTRIGGER +
USAGE(NORMAL) REPLACE
```
The following table shows, for each user action, the WebSphere MQ File Transfer Edition access authority it requires, the authority queue on which that authority is checked, and the equivalent WebSphere MQ (Distributed platforms) or RACF® (z/OS® only) access level to grant on that queue.

User action | WebSphere MQ File Transfer Edition access authority | Authority queue | WebSphere MQ access authority (Distributed platforms) | RACF® access level (z/OS® only)
---|---|---|---|---
Shut down the agent | Administration | SYSTEM.FTE.AUTHADM1.agent_name | BROWSE | READ
Enable trace on the agent | Administration | SYSTEM.FTE.AUTHADM1.agent_name | BROWSE | READ
Start a transfer of files from this agent | Transfer source | SYSTEM.FTE.AUTHTRN1.source_agent_name | BROWSE | READ
Cancel a transfer of files from this agent started by the same user | Transfer source | SYSTEM.FTE.AUTHTRN1.source_agent_name | BROWSE | READ
Start a transfer of files to this agent | Transfer destination | SYSTEM.FTE.AUTHTRN1.destination_agent_name | PUT | UPDATE
Cancel a transfer of files to this agent started by the same user | Transfer destination | SYSTEM.FTE.AUTHTRN1.destination_agent_name | PUT | UPDATE
Create a resource monitor | Monitor | SYSTEM.FTE.AUTHMON1.monitor_agent_name | BROWSE | READ
Delete a resource monitor created by the same user | Monitor | SYSTEM.FTE.AUTHMON1.monitor_agent_name | BROWSE | READ
Delete a resource monitor created by any user | Monitor operations | SYSTEM.FTE.AUTHOPS1.agent_name | SET | ALTER
Create a schedule | Schedule | SYSTEM.FTE.AUTHSCH1.source_agent_name | BROWSE | READ
Delete a schedule created by the same user | Schedule | SYSTEM.FTE.AUTHSCH1.source_agent_name | BROWSE | READ
Delete a schedule created by any user or group | Schedule operations | SYSTEM.FTE.AUTHOPS1.agent_name | PUT | UPDATE
Cancel a transfer created by any user or group | Transfer operations | SYSTEM.FTE.AUTHOPS1.source_agent_name and SYSTEM.FTE.AUTHOPS1.destination_agent_name | BROWSE | READ
Authority checking also applies between agents: the user that an agent runs under must hold the following authorities on the other agent in a transfer.

Agent action | WebSphere MQ File Transfer Edition access authority | Authority queue | WebSphere MQ access authority (Distributed platforms) | RACF access level (z/OS only)
---|---|---|---|---
Receive a transfer from <source_agent> | Agent source | SYSTEM.FTE.AUTHAGT1.source_agent_name | BROWSE | READ
Send a transfer to <destination_agent> | Agent destination | SYSTEM.FTE.AUTHAGT1.destination_agent_name | PUT | UPDATE
Configuring user authority management
To authorize a user to be able to perform an action on an agent, grant the user the appropriate authority on the relevant authority queue. To grant authorities to a user, complete the following steps:
- Create a user on the system where the agent queue manager is located that has the same name as the user you want to give authority to perform agent actions. This user does not have to be active.
- Grant the user the appropriate authority on the relevant authority queue. If you are using Linux, UNIX, or Windows, you can use the WebSphere MQ V7.0.1 setmqaut command.
- Refresh the security configuration of the queue manager. You can use the WebSphere MQ V7.0.1 REFRESH SECURITY MQSC command.
The setmqaut command is not used on z/OS or IBM® i systems. For z/OS, instead use RACF. For more information see Using RACF® classes and profiles. For IBM i, see Access authorities for WebSphere MQ objects, which describes how authorization for WebSphere MQ objects is done. There are three relevant CL commands available on IBM i: Grant MQ Object Authority (GRTMQMAUT), Revoke MQ Object Authority (RVKMQMAUT), and Refresh WebSphere MQ Authority (RFRMQMAUT).
Example
A user, requestor, who is a member of the group requestor_group, wants to set up a resource monitor on AGENT1 that transfers a file from AGENT1, which is running under the user user1, who is a member of the group user1_group, to AGENT2, which is running under the user user2, who is a member of the group user2_group. AGENT1 connects to QM1; AGENT2 connects to QM2. Both agents have authority checking enabled. To make this possible, take the following steps:
- requestor must have Monitor authority on AGENT1. Set this authority by running the following command on the system where QM1 is running:

```
setmqaut -m QM1 -t queue -n SYSTEM.FTE.AUTHMON1.AGENT1 -g requestor_group +browse
```

- requestor must have Transfer source authority on AGENT1. Set this authority by running the following command on the system where QM1 is running:

```
setmqaut -m QM1 -t queue -n SYSTEM.FTE.AUTHTRN1.AGENT1 -g requestor_group +browse
```

- requestor must have Transfer destination authority on AGENT2. Set this authority by running the following command on the system where QM2 is running:

```
setmqaut -m QM2 -t queue -n SYSTEM.FTE.AUTHTRN1.AGENT2 -g requestor_group +put
```

- user2 must have Agent source authority on AGENT1. Set this authority by running the following command on the system where QM1 is running:

```
setmqaut -m QM1 -t queue -n SYSTEM.FTE.AUTHAGT1.AGENT1 -g user2_group +browse
```

- user1 must have Agent destination authority on AGENT2. Set this authority by running the following command on the system where QM2 is running:

```
setmqaut -m QM2 -t queue -n SYSTEM.FTE.AUTHAGT1.AGENT2 -g user1_group +put
```
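The worked example above is one instance of a general rule: every monitor-driven transfer needs grants for the requesting user on both agents' queues plus the cross grants between the two agents' run-as users. The script below is an added example (not from the IBM documentation) that derives the full grant list for any source/destination pair and audits it against dspmqaut output; the queue names and permissions come from the tables on this page, and the dspmqaut output embedded in it is constructed for illustration.

```python
"""Derive the setmqaut grants a WebSphere MQ FTE monitor/transfer needs and
audit them against dspmqaut output (sample output below is constructed)."""

# FTE access authority -> (authority queue prefix, setmqaut permission), per the page's tables
AUTHORITY = {
    "Monitor": ("SYSTEM.FTE.AUTHMON1", "browse"),
    "Transfer source": ("SYSTEM.FTE.AUTHTRN1", "browse"),
    "Transfer destination": ("SYSTEM.FTE.AUTHTRN1", "put"),
    "Agent source": ("SYSTEM.FTE.AUTHAGT1", "browse"),
    "Agent destination": ("SYSTEM.FTE.AUTHAGT1", "put"),
}

def required_grants(requestor_group, src, dst, monitor=False):
    """src and dst are (agent_name, queue_manager, run_as_group) tuples.
    Returns a list of (qmgr, queue, group, permission) grants."""
    src_agent, src_qm, src_grp = src
    dst_agent, dst_qm, dst_grp = dst
    grants = []
    def need(qm, agent, grp, auth):
        prefix, perm = AUTHORITY[auth]
        grants.append((qm, f"{prefix}.{agent}", grp, perm))
    if monitor:                       # the requestor creates the monitor on the source agent
        need(src_qm, src_agent, requestor_group, "Monitor")
    need(src_qm, src_agent, requestor_group, "Transfer source")
    need(dst_qm, dst_agent, requestor_group, "Transfer destination")
    # agent-to-agent checks: each agent's run-as user is checked by the other agent
    need(src_qm, src_agent, dst_grp, "Agent source")
    need(dst_qm, dst_agent, src_grp, "Agent destination")
    return grants

def setmqaut_commands(grants):
    return [f"setmqaut -m {qm} -t queue -n {q} -g {g} +{p}" for qm, q, g, p in grants]

def missing_grants(grants, dspmqaut_output):
    """dspmqaut_output maps (qmgr, queue, group) -> captured dspmqaut text.
    An absent entry or a wrong permission (e.g. get instead of browse) counts as missing."""
    missing = []
    for qm, q, g, p in grants:
        text = dspmqaut_output.get((qm, q, g), "")
        held = {line.strip() for line in text.splitlines()[1:] if line.strip()}
        if p not in held:
            missing.append((qm, q, g, p))
    return missing

# Constructed dspmqaut output: monitor grant correct, transfer-source grant has get instead of browse
SAMPLE_DSPMQAUT = {
    ("QM1", "SYSTEM.FTE.AUTHMON1.AGENT1", "requestor_group"):
        "Entity requestor_group has the following authorizations for object SYSTEM.FTE.AUTHMON1.AGENT1:\n        browse\n        inq\n",
    ("QM1", "SYSTEM.FTE.AUTHTRN1.AGENT1", "requestor_group"):
        "Entity requestor_group has the following authorizations for object SYSTEM.FTE.AUTHTRN1.AGENT1:\n        get\n",
}
```

Running required_grants("requestor_group", ("AGENT1", "QM1", "user1_group"), ("AGENT2", "QM2", "user2_group"), monitor=True) reproduces the five setmqaut commands in the example, and missing_grants reports which of them the sampled dspmqaut output does not yet reflect.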
Logging
If user authority checking is enabled, failed authority checks cause a not authorized log message to be published to the coordination queue manager. See Message formats for security for more information.
Messages about user authority can be written to the agent event log. You can configure the amount of information written to the agent event log by setting the logAuthorityChecks property in the agent.properties file. By default the level of authority check logging is None. You can also set the value of logAuthorityChecks to Failures, which specifies that only failed authorization checks are reported, or All, which specifies that both failed and successful authorization checks are reported.
See The agent.properties file for more information.