Group authorities for resources specific to WebSphere MQ File Transfer Edition
Instead of granting authority to individual users for all of the various objects that might be involved, configure two security groups for the purposes of administering WebSphere® MQ File Transfer Edition access control: FTEUSER and FTEAGENT. It is the responsibility of the WebSphere MQ administrator to create and populate these groups. The administrator can choose to extend or modify the proposed configuration described here.
Authority to connect to queue managers
Commands that are run by operational users, administrative users, and the WebSphere MQ Explorer need to be able to connect to the command queue manager and coordination queue manager. The agent process and commands that are run to create, alter, or delete the agent need to be able to connect to the agent queue manager. Grant the FTEUSER group connect authority for the command queue manager and coordination queue manager. Grant the FTEAGENT group connect authority to the agent queue manager.
For information about which command directly connects to which queue manager, see Issuing commands.
Authority to put a message on the COMMAND queue that belongs to the agent
- Grant the FTEUSER group put access, and no other authority, to the SYSTEM.FTE.COMMAND.agent_name queue. For example:
  - For UNIX, Linux, and Windows systems:
    setmqaut -m QM1 -n SYSTEM.FTE.COMMAND.agent_name -t queue -g FTEUSER +put
  - For IBM® i:
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEUSER) AUT(*PUT) MQMNAME('QM1')
  - For z/OS®:
    RDEFINE MQQUEUE QM1.SYSTEM.FTE.COMMAND.agent_name UACC(NONE)
    PERMIT QM1.SYSTEM.FTE.COMMAND.agent_name CLASS(MQQUEUE) ID(FTEUSER) ACCESS(UPDATE)
- Grant the FTEAGENT group put, get, and setid access to the SYSTEM.FTE.COMMAND.agent_name queue. For example:
  - For UNIX, Linux, and Windows systems:
    setmqaut -m QM1 -n SYSTEM.FTE.COMMAND.agent_name -t queue -g FTEAGENT +put +get +setid
  - For IBM i:
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*PUT) MQMNAME('QM1')
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*GET) MQMNAME('QM1')
    GRTMQMAUT OBJ('SYSTEM.FTE.COMMAND.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*SETID) MQMNAME('QM1')
  - For z/OS:
    RDEFINE MQQUEUE QM1.SYSTEM.FTE.COMMAND.agent_name UACC(NONE)
    PERMIT QM1.SYSTEM.FTE.COMMAND.agent_name CLASS(MQQUEUE) ID(FTEAGENT) ACCESS(UPDATE)
    RDEFINE MQADMIN QM1.CONTEXT.SYSTEM.FTE.COMMAND.agent_name UACC(NONE)
    PERMIT QM1.CONTEXT.SYSTEM.FTE.COMMAND.agent_name CLASS(MQADMIN) ID(FTEAGENT) ACCESS(UPDATE)

Agents need access to put messages to other agents' command queues. If there are agents connected to remote queue managers, you might need to grant additional authorization to allow the channel to put messages to this queue.
Authority to put messages on the DATA, STATE, EVENT, and REPLY queues that belong to the agent
Grant the FTEAGENT group put, get, and inq access to the following queues that belong to the agent:

- DATA - SYSTEM.FTE.DATA.agent_name
- STATE - SYSTEM.FTE.STATE.agent_name
- EVENT - SYSTEM.FTE.EVENT.agent_name
- REPLY - SYSTEM.FTE.REPLY.agent_name

For example, for the DATA queue:

- For UNIX, Linux, and Windows systems:
  setmqaut -m QM1 -n SYSTEM.FTE.DATA.agent_name -t queue -g FTEAGENT +put +get +inq
- For IBM i:
  GRTMQMAUT OBJ('SYSTEM.FTE.DATA.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*PUT) MQMNAME('QM1')
  GRTMQMAUT OBJ('SYSTEM.FTE.DATA.agent_name') OBJTYPE(*Q) USER(FTEAGENT) AUT(*GET) MQMNAME('QM1')
- For z/OS:
  RDEFINE MQQUEUE QM1.SYSTEM.FTE.DATA.agent_name UACC(NONE)
  PERMIT QM1.SYSTEM.FTE.DATA.agent_name CLASS(MQQUEUE) ID(FTEAGENT) ACCESS(UPDATE)

Agents need access to put messages to other agents' data and reply queues. If there are agents connected to remote queue managers, you might need to grant additional authorization to allow the channel to put messages to these queues.
Authority that the agent process runs under
The authority that the agent process runs under affects the files the agent can read and write from the file system, and the queues and topics the agent can access. How the authority is configured is system-dependent. Add the user ID that the agent process runs under to the FTEAGENT group.
Authority that the commands and WebSphere MQ Explorer run under
Administrative commands, for example the fteStartAgent command, and the WebSphere MQ File Transfer Edition plug-in for the WebSphere MQ Explorer need to be able to put messages to the SYSTEM.FTE.COMMAND.agent_name queue and retrieve published information from that queue. Add the user IDs that are authorized to run the commands or the WebSphere MQ Explorer to the FTEUSER group. The user ID that runs the command is recorded as the originator in the transfer log.
Authority to put messages on the SYSTEM.FTE queue and SYSTEM.FTE topic
Grant the FTEAGENT group access to the SYSTEM.FTE queue and topic. For example:

- For UNIX, Linux, and Windows systems:
  setmqaut -m QM1 -n SYSTEM.FTE -t queue -g FTEAGENT +put +get +inq
  setmqaut -m QM1 -n SYSTEM.FTE -t topic -g FTEAGENT +pub +sub +inq
- For IBM i:
  GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*Q) USER(FTEAGENT) AUT(*PUT) MQMNAME('QM1')
  GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*Q) USER(FTEAGENT) AUT(*GET) MQMNAME('QM1')
  GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*TOPIC) USER(FTEAGENT) AUT(*PUB) MQMNAME('QM1')
  GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*TOPIC) USER(FTEAGENT) AUT(*SUB) MQMNAME('QM1')
- For z/OS:
  RDEFINE MQQUEUE QM1.SYSTEM.FTE UACC(NONE)
  PERMIT QM1.SYSTEM.FTE CLASS(MQQUEUE) ID(FTEAGENT) ACCESS(UPDATE)
  RDEFINE MXTOPIC QM1.PUBLISH.SYSTEM.FTE UACC(NONE)
  PERMIT QM1.PUBLISH.SYSTEM.FTE CLASS(MXTOPIC) ID(FTEAGENT) ACCESS(UPDATE)

If there are agents connected to remote queue managers, additional authorization might also need to be granted to allow the channel to put messages to the SYSTEM.FTE queue.
For a message to be published to the SYSTEM.FTE topic, the authority records of the SYSTEM.FTE topic must allow publication by the user ID contained in the message descriptor structure (MQMD) of the message. This is described in Authority to publish log and status messages.
To allow a user to publish to the SYSTEM.FTE topic on z/OS, you must grant the channel initiator user ID access to publish to the SYSTEM.FTE topic. If the RESLEVEL security profile causes two user IDs to be checked for the channel initiator connection, you also need to grant access to the user ID contained in the message descriptor structure (MQMD) of the message. For more information, see The RESLEVEL Security Profile.
Authority to receive publications on the SYSTEM.FTE topic
Grant the FTEUSER group subscribe access to the SYSTEM.FTE topic. For example:

- For UNIX, Linux, and Windows systems:
  setmqaut -m QM1 -n SYSTEM.FTE -t topic -g FTEUSER +sub
- For IBM i:
  GRTMQMAUT OBJ('SYSTEM.FTE') OBJTYPE(*TOPIC) USER(FTEUSER) AUT(*SUB) MQMNAME('QM1')
- For z/OS:
  RDEFINE MXTOPIC QM1.SUBSCRIBE.SYSTEM.FTE UACC(NONE)
  PERMIT QM1.SUBSCRIBE.SYSTEM.FTE CLASS(MXTOPIC) ID(FTEUSER) ACCESS(ALTER)
Authority to connect to remote queue managers using transmission queues
In a topology of multiple queue managers, the agent requires put authority on the transmission queues used to connect to the remote queue managers.
Authority to create a temporary reply queue for file transfers
Grant the FTEUSER group access to the model queue from which the temporary reply queue is created. For example:

- For UNIX, Linux, and Windows systems:
  setmqaut -m QM1 -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g FTEUSER +dsp +put +get +browse
- For IBM i:
  GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*ADMDSP) MQMNAME('QM1')
  GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*PUT) MQMNAME('QM1')
  GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*GET) MQMNAME('QM1')
  GRTMQMAUT OBJ('SYSTEM.DEFAULT.MODEL.QUEUE') OBJTYPE(*Q) USER(FTEUSER) AUT(*BROWSE) MQMNAME('QM1')
- For z/OS:
  RDEFINE MQQUEUE QM1.SYSTEM.DEFAULT.MODEL.QUEUE UACC(NONE)
  PERMIT QM1.SYSTEM.DEFAULT.MODEL.QUEUE CLASS(MQQUEUE) ID(FTEUSER) ACCESS(UPDATE)

On z/OS, also define a profile that covers the temporary queues themselves:

  RDEFINE MQQUEUE QM1.WMQFTE.** UACC(NONE)
  PERMIT QM1.WMQFTE.** CLASS(MQQUEUE) ID(FTEUSER) ACCESS(UPDATE)

By default the name of each temporary queue on z/OS starts with WMQFTE.
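The grants above are spread over several sections and two groups, so it is easy to give one group an authority that belongs to the other. The following script is an added example, not part of the IBM page, that generates the complete set of setmqaut commands for one agent on a UNIX, Linux, or Windows queue manager, keeping the FTEUSER/FTEAGENT split exactly as described above. It assumes the agent queue manager and agent name are passed as arguments, that SYSTEM.DEFAULT.MODEL.QUEUE is the model queue, and that the same queue manager hosts the agent, command, and coordination roles (as the QM1 examples do). Set DRY_RUN=1 to print the commands without changing any authority record.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): emit and optionally apply the
# setmqaut grants that implement the FTEUSER/FTEAGENT split for one agent.
# Assumed inputs: $1 = agent queue manager name, $2 = agent name.

fte_agent_grants() {
    qm="$1"
    agent="$2"
    # Agent queue manager: only the agent process (FTEAGENT) connects here.
    # Add +altusr if user authority checking is enabled (see the summary table).
    echo "setmqaut -m $qm -t qmgr -g FTEAGENT +connect +inq +setid"
    # Command queue: users may only put; the agent gets, puts and sets identity.
    echo "setmqaut -m $qm -n SYSTEM.FTE.COMMAND.$agent -t queue -g FTEUSER +put"
    echo "setmqaut -m $qm -n SYSTEM.FTE.COMMAND.$agent -t queue -g FTEAGENT +put +get +setid"
    # DATA, STATE, EVENT and REPLY queues belong to the agent alone.
    for q in DATA STATE EVENT REPLY; do
        echo "setmqaut -m $qm -n SYSTEM.FTE.$q.$agent -t queue -g FTEAGENT +put +get +inq"
    done
    # SYSTEM.FTE queue and topic: the agent publishes, users only subscribe.
    echo "setmqaut -m $qm -n SYSTEM.FTE -t queue -g FTEAGENT +put +get +inq"
    echo "setmqaut -m $qm -n SYSTEM.FTE -t topic -g FTEAGENT +pub +sub +inq"
    echo "setmqaut -m $qm -n SYSTEM.FTE -t topic -g FTEUSER +sub"
    # Model queue used by commands to create a temporary reply queue.
    echo "setmqaut -m $qm -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g FTEUSER +dsp +put +get +browse"
}

# Number of commands generated; handy as a sanity check before applying.
fte_agent_grant_count() {
    fte_agent_grants "$1" "$2" | wc -l | tr -d ' '
}

# Apply the grants one by one, or just print them when DRY_RUN is set.
# Stops at the first failing setmqaut so a partial grant set is noticed.
fte_apply_grants() {
    fte_agent_grants "$1" "$2" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# Usage: DRY_RUN=1 sh fte_grants.sh QM1 AGENT1   (review first, then run without DRY_RUN)
if [ "$#" -eq 2 ]; then
    fte_apply_grants "$1" "$2"
fi
```

Review the dry-run output against the summary table before applying it: every FTEUSER line should carry only put, sub, or the model-queue authorities, and every line with get or setid on an agent queue should name FTEAGENT.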
Object | Object type | FTEUSER | FTEAGENT |
---|---|---|---|
Agent queue manager | Queue manager | | CONNECT, INQ, and SETID. ALT_USER is also required to enable user authority checking. |
Coordination queue manager | Queue manager | CONNECT | |
Command queue manager | Queue manager | CONNECT | CONNECT |
SYSTEM.FTE | Local queue | | GET and PUT |
SYSTEM.FTE.COMMAND.agent_name | Local queue | PUT | GET, PUT, and SETID. BROWSE access is also required if you have enabled the Version 7.0.4.1 function. |
SYSTEM.FTE.DATA.agent_name | Local queue | | GET and PUT |
SYSTEM.FTE.EVENT.agent_name | Local queue | | GET and PUT. BROWSE access is also required if you have enabled the Version 7.0.4.1 function. |
SYSTEM.FTE.REPLY.agent_name | Local queue | | GET and PUT |
SYSTEM.FTE.STATE.agent_name | Local queue | | GET, INQ, and PUT. BROWSE access is also required if you have enabled the Version 7.0.4.1 function. |
SYSTEM.FTE.WEB.gateway_name | Local queue | PUT | |
SYSTEM.FTE.WEB.RESP.agent_name | Local queue | GET | |
SYSTEM.FTE | Local topic | SUBSCRIBE | PUBLISH and SUBSCRIBE |
SYSTEM.DEFAULT.MODEL.QUEUE (or the model queue defined in WebSphere MQ File Transfer Edition that is used to create a temporary reply queue) | Model queue | BROWSE, DISPLAY, GET, and PUT | BROWSE, DISPLAY, GET, and PUT |
Transmission queues to communicate with remote queue managers | Local queue | | PUT |
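The table is also a checklist for auditing what a group actually holds, because the risk in this design is drift: an FTEUSER member who accumulates get or setid on an agent's command queue can read or impersonate other users' transfer requests. The following script is an added example, not part of the IBM page, that parses dspmqaut output for a group and reports any authority beyond the expected set. The sample outputs are constructed in the shape that dspmqaut prints on UNIX and Linux (an "Entity ... has the following authorizations for object ...:" header followed by one indented authority per line); that shape is an assumption, so check it against your own dspmqaut output before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): verify that a group holds
# exactly the authorities the summary table allows on a queue.

# Read dspmqaut output on stdin; print one authority name per line, sorted.
# Assumed format: header line containing "following authorizations", then
# one indented authority per line; blank lines are ignored.
fte_parse_auths() {
    awk 'found && NF { print $1 } /following authorizations/ { found = 1 }' | sort
}

# Print authorities present in the dspmqaut output (stdin) that are not in
# the expected list given as arguments, e.g. fte_extra_auths put.
fte_extra_auths() {
    want="$*"
    fte_parse_auths | awk -v want="$want" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print $1 }'
}

# Succeed only if the authorities in the dspmqaut output (stdin) are exactly
# the expected list given as arguments; report the difference otherwise.
fte_check_auths() {
    expected=$(printf '%s\n' "$@" | sort)
    actual=$(fte_parse_auths)
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    echo "authority mismatch: expected [$*], found [$(printf '%s' "$actual" | tr '\n' ' ')]" >&2
    return 1
}

# Constructed sample output: FTEUSER with put only on the command queue (as
# the page prescribes) and FTEUSER with excess get and setid authority.
SAMPLE_OK='Entity FTEUSER has the following authorizations for object SYSTEM.FTE.COMMAND.AGENT1:
        put
'
SAMPLE_EXCESS='Entity FTEUSER has the following authorizations for object SYSTEM.FTE.COMMAND.AGENT1:
        get
        put
        setid
'

# Run the check against both samples; on a live queue manager replace the
# printf with: dspmqaut -m QM1 -n SYSTEM.FTE.COMMAND.AGENT1 -t queue -g FTEUSER
fte_demo() {
    printf '%s' "$SAMPLE_OK" | fte_check_auths put && echo "ok: FTEUSER has put only"
    if ! printf '%s' "$SAMPLE_EXCESS" | fte_check_auths put; then
        echo "excess on command queue: $(printf '%s' "$SAMPLE_EXCESS" | fte_extra_auths put | tr '\n' ' ')"
    fi
}

fte_demo
```

Run the same check with the FTEAGENT column's list (`fte_check_auths get put setid`) for the agent side, and with `sub` against the SYSTEM.FTE topic for FTEUSER; any extra name printed by fte_extra_auths is an authority to remove with setmqaut.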