Configuring user access for the stand-alone database logger

In a test environment, you can add any new privileges needed to your normal user account. In a production environment, it is recommended that you create a new user with the minimum permissions required to do the job.

Before you begin

Before configuring user permissions for the database logger user, you must ensure that the correct permissions are set for the queue manager user. The queue manager user account is created by WebSphere® MQ at installation.
  • If you are using DB2® on Windows, ensure that the MUSR_MQADMIN user is in the DB2USERS group.

About this task

The number and type of user accounts you need to run the database logger depend on the number of systems you use. You can install the database logger, WebSphere MQ and your database on a single system, or across two systems. The database logger must be on the same system as WebSphere MQ. The components can be installed in the following topologies:
Database logger, WebSphere MQ and the database all on the same system
You can define a single operating system user for use with all three components. This is a suitable configuration for the stand-alone database logger. The database logger uses Bindings mode to connect to WebSphere MQ and a native connection to connect to the database.
Database logger and WebSphere MQ on one system, the database on a separate system
You create two users for this configuration: an operating system user on the system running the database logger, and an operating system user with remote access to the database on the database server. This is a suitable configuration for the stand-alone database logger using a remote database. The database logger uses Bindings mode to connect to WebSphere MQ and a client connection to access the database.

As an example, the rest of these instructions assume that the user is called ftelog, but you can use any user name. Configure the user's permissions as follows:

Procedure

  1. Ensure that the user has permission to read and, where necessary, execute, the files installed as part of the WebSphere MQ File Transfer Edition Remote Tools and Documentation installation.
  2. Ensure that the user has permission to create and write to any file in the logs directory (in the configuration directory). This directory is used for an event log, and if necessary for diagnostic trace and FFDC files.
  3. Ensure that the user has its own group, and is not also in any groups with wide-ranging permissions on the coordination queue manager. The user should not be in the mqm group. On certain platforms, the staff group is automatically given queue manager access as well; the database logger user should not be in the staff group. You can view authority records for the queue manager itself and for objects in it using the WebSphere MQ Explorer. Right-click the object and select Object Authorities > Manage Authority Records. At the command line, you can use the commands dspmqaut (display authority) or dmpmqaut (dump authority).
  4. Use the Manage Authority Records window in the WebSphere MQ Explorer or the setmqaut (grant or revoke authority) command to add authorities for the user's own group (on UNIX, WebSphere MQ authorities are associated with groups only, not individual users). The authorities required are as follows:
    • Connect and Inquire on the queue manager (the WebSphere MQ Java™ libraries require Inquire permission to operate).
    • Subscribe permission on the SYSTEM.FTE topic.
    • Put permission on the SYSTEM.FTE.DATABASELOGGER.REJECT queue.
    • Get permission on the SYSTEM.FTE.DATABASELOGGER.COMMAND queue.
    The reject and command queue names given above are the default names. If you chose different queue names when you configured the database logger queues, add the permissions to those queue names instead.
  5. Perform the user configuration that is specific to the database you are using.
    • If your database is Db2, carry out the following steps:
      There are several mechanisms for managing database users with Db2. These instructions apply to the default scheme based on operating system users.
    • If your database is Oracle, carry out the following steps:
      • Ensure that the ftelog user is not in any Oracle administration groups (for example, ora_dba on Windows or dba on UNIX).
      • Give the user permission to connect to the database and permission to select, insert and update on the tables that you created as part of Step 2: create the required database tables.
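
Steps 3 and 4 can be scripted as a dry run. The following is an added example, not part of the IBM documentation: the queue manager name QM_COORD and the helper function names are assumptions made for illustration, and the script only prints the setmqaut commands so that they can be reviewed before anyone runs them.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumed names: queue manager QM_COORD, group ftelog.

# Step 3: report groups that carry broad queue manager access.
# $1 = space-separated group list, e.g. the output of `id -Gn ftelog`.
check_logger_groups() {
    bad=""
    for g in $1; do
        case "$g" in
            mqm|staff) bad="$bad $g" ;;
        esac
    done
    if [ -z "$bad" ]; then
        return 0
    fi
    echo "remove user from:$bad"
    return 1
}

# Accept only characters valid in MQ object names (plus '-' for group names),
# so the printed commands are safe to hand to a shell.
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9._/%-]*) return 1 ;;
    esac
    return 0
}

# Step 4: print the four setmqaut grants; $3 and $4 override the default queue names.
logger_grants() {
    qmgr=$1; group=$2
    reject_q=${3:-SYSTEM.FTE.DATABASELOGGER.REJECT}
    command_q=${4:-SYSTEM.FTE.DATABASELOGGER.COMMAND}
    for n in "$qmgr" "$group" "$reject_q" "$command_q"; do
        valid_name "$n" || { echo "invalid name: $n" >&2; return 2; }
    done
    echo "setmqaut -m $qmgr -t qmgr -g $group +connect +inq"
    echo "setmqaut -m $qmgr -n SYSTEM.FTE -t topic -g $group +sub"
    echo "setmqaut -m $qmgr -n $reject_q -t queue -g $group +put"
    echo "setmqaut -m $qmgr -n $command_q -t queue -g $group +get"
}

# Dry run with the constructed names: review the output before running it.
check_logger_groups "ftelog"
logger_grants QM_COORD ftelog
```

After the grants are applied, dspmqaut or dmpmqaut (see step 3) shows whether the group holds exactly these authorities and nothing broader.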

Last updated: Tuesday, 30 January 2018
http://www.ibm.com/support/knowledgecenter/SSEP7X_7.0.4/com.ibm.wmqfte.doc/dl_user_config_standalone.htm