Configure user access for an MFT stand-alone file logger

In a test environment, you can add any new privileges needed to your normal user account. In a production environment, it is recommended that you create a new user with the minimum permissions required to do the job.


You must install the stand-alone file logger and IBM MQ on a single system. Configure the user's permissions as follows:


Procedure

  1. Ensure that the user has permission to read and, where necessary, execute, the files installed as part of the Managed File Transfer installation.
  2. Ensure that the user has permission to create and write to any file in the logs directory which is in the configuration directory. This directory is used for an event log, and if necessary for diagnostic trace and First Failure Data Capture (FFDC) files.
  3. Ensure that the user has its own group, and is also not in any groups with wide-ranging permissions on the coordination queue manager. The user should not be in the mqm group. On certain platforms, the staff group is automatically given queue manager access as well; the stand-alone file logger user should not be in the staff group. You can view authority records for the queue manager itself and for objects in it by using the IBM MQ Explorer. Right-click the object and select Object Authorities > Manage Authority Records. At the command line, you can use the commands dspmqaut (display authority) or dmpmqaut (dump authority).
  4. Use the Manage Authority Records window in the IBM MQ Explorer or the setmqaut (grant or revoke authority) command to add authorities for the user's own group (on UNIX, IBM MQ authorities are associated with groups only, not individual users). The authorities required are as follows:

    • Connect and Inquire on the queue manager (the IBM MQ Java libraries require Inquire permission to operate).
    • Subscribe permission on the SYSTEM.FTE topic.
    • Put permission on the SYSTEM.FTE.LOG.RJCT.logger_name queue.
    • Get permission on the SYSTEM.FTE.LOG.CMD.logger_name queue.

    The reject and command queue names given are the default names. If you chose different queue names when you configured the stand-alone file logger queues, add the permissions to those queue names instead.
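
The group check in step 3 and the four authorities in step 4, as an added shell example that is not part of the original procedure: it prints the setmqaut and dspmqaut commands for review instead of running them. QM_COORD, mftlog and LOGGER1 are constructed placeholder names, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: emit least-privilege MQ authority commands for the
# stand-alone file logger's group. Nothing here changes the queue manager.

# Print each group in the argument list that the logger user must not be in
# (mqm always; staff on platforms where it is given queue manager access).
# Typical use: risky_groups $(id -Gn <logger user>)
risky_groups() {
    for g in "$@"; do
        case "$g" in
            mqm|staff) printf '%s\n' "$g" ;;
        esac
    done
}

# Print the setmqaut commands for the four authorities listed in step 4.
# Args: queue manager, group, logger name, [reject queue], [command queue]
# The optional queue arguments cover non-default queue names.
logger_authority_cmds() {
    qm=$1 grp=$2 logger=$3
    rjct=${4:-SYSTEM.FTE.LOG.RJCT.$logger}
    cmdq=${5:-SYSTEM.FTE.LOG.CMD.$logger}
    printf 'setmqaut -m %s -t qmgr -g %s +connect +inq\n' "$qm" "$grp"
    printf 'setmqaut -m %s -t topic -n SYSTEM.FTE -g %s +sub\n' "$qm" "$grp"
    printf 'setmqaut -m %s -t queue -n %s -g %s +put\n' "$qm" "$rjct" "$grp"
    printf 'setmqaut -m %s -t queue -n %s -g %s +get\n' "$qm" "$cmdq" "$grp"
}

# Print the dspmqaut commands that show what the group actually holds,
# so extra authorities inherited from earlier setup are visible.
logger_verify_cmds() {
    qm=$1 grp=$2 logger=$3
    printf 'dspmqaut -m %s -t qmgr -g %s\n' "$qm" "$grp"
    printf 'dspmqaut -m %s -t topic -n SYSTEM.FTE -g %s\n' "$qm" "$grp"
    printf 'dspmqaut -m %s -t queue -n SYSTEM.FTE.LOG.RJCT.%s -g %s\n' "$qm" "$logger" "$grp"
    printf 'dspmqaut -m %s -t queue -n SYSTEM.FTE.LOG.CMD.%s -g %s\n' "$qm" "$logger" "$grp"
}

# Dry run with constructed names: review the output, then run the commands
# as an IBM MQ administrator on the coordination queue manager's system.
logger_authority_cmds QM_COORD mftlog LOGGER1
logger_verify_cmds QM_COORD mftlog LOGGER1
```

Any output from risky_groups means the user should be removed from that group before the authorities are granted, because those memberships give access beyond the four permissions listed.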
