Restricting user authorities on MFT agent actions

In addition to using groups to manage access to resources, we can enable an additional level of security to restrict the Managed File Transfer agent actions that a user can take. Grant authorities on an agent authority queue to a user to give the user permission to perform specific agent actions.

Enable user authority management

To turn on user authority checking on agent actions, complete the following steps:

In the agent.properties file, set the authorityChecking value to true. For more information, see The MFT agent.properties file.
Ensure that the user who runs the agent has the IBM MQ alternate user (ALT_USER) authority to the agent queue manager.
On the z/OS platform, the user that runs the agent must have ALT_USER authority to the user IDs that can request permission to perform an agent action.

Both agents involved in a transfer must have the same level of security enabled, that is, authorityChecking must be set to the same value in the property files of both agents. Transfers between agents that have different values for the authorityChecking property will fail.

Agent authority queues

The agent has authority queues that are used to manage which users have the authority to perform certain agent actions. The agent does not put or get messages to these queues. The agent authority queues are as follows:

SYSTEM.FTE.AUTHADM1.agent_name
SYSTEM.FTE.AUTHAGT1.agent_name
SYSTEM.FTE.AUTHMON1.agent_name
SYSTEM.FTE.AUTHOPS1.agent_name
SYSTEM.FTE.AUTHSCH1.agent_name
SYSTEM.FTE.AUTHTRN1.agent_name

When user authority management is enabled by setting the agent property authorityChecking=true, the authorities that a user has on the agent authority queues specify the actions that the user is authorized to take.

Important: The inquire permission is a required permission on all of the agent authority queues. The following table summarizes the IBM MQ access authorities that users or groups require, in addition to inquire permission, on an agent authority queue to perform specific actions.

User action	Managed File Transfer access authority	Authority queues	IBM MQ access authority (Multiplatforms)	RACF access level (z/OS only)
Shut down the agent, using the -m option on fteStopAgent command.	Administration	SYSTEM.FTE.AUTHADM1.agent_name	BROWSE	READ
Start a transfer of files from this agent	Transfer source	SYSTEM.FTE.AUTHTRN1.source_agent_name	BROWSE	READ
Cancel a transfer of files from this agent started by the same user	Transfer source	SYSTEM.FTE.AUTHTRN1.source_agent_name	BROWSE	READ
Start a transfer of files to this agent	Transfer destination	SYSTEM.FTE.AUTHTRN1.destination_agent_name	PUT	UPDATE
Cancel a transfer of files to this agent started by the same user	Transfer destination	SYSTEM.FTE.AUTHTRN1.destination_agent_name	PUT	UPDATE
Create a resource monitor	Monitor	SYSTEM.FTE.AUTHMON1.monitor_agent_name	BROWSE	READ
Delete a resource monitor created by the same user	Monitor	SYSTEM.FTE.AUTHMON1.monitor_agent_name	BROWSE	READ
Delete a resource monitor created by any user	Monitor operations	SYSTEM.FTE.AUTHOPS1.agent_name	SET	ALTER
Create a schedule	Schedule	SYSTEM.FTE.AUTHSCH1.source_agent_name	BROWSE	READ
Delete a schedule created by the same user	Schedule	SYSTEM.FTE.AUTHSCH1.source_agent_name	BROWSE	READ
Delete a schedule created by any user or group	Schedule operations	SYSTEM.FTE.AUTHOPS1.agent_name	PUT	UPDATE
Cancel a transfer created either by the same user or group that started the transfer, or by another user or group	Transfer operations	SYSTEM.FTE.AUTHOPS1.source_agent_name SYSTEM.FTE.AUTHOPS1.destination_agent_name	BROWSE	READ

Note: To give a user or group permission to set up a resource monitor or schedule that starts a transfer the user needs both the Monitor or Schedule authority and Transfer source and Transfer destination authorities.

When an agent receives a request to cancel a file transfer, the agent first checks whether the user requesting the cancellation is the same user who started the transfer. If the user canceling the transfer is not the same as the user that requested it, the agent then checks if the canceling user has browse permission on SYSTEM.FTE.AUTHOPS1.agent_name queues. Checking authority in this order avoids unexpected errors in agent and queue manager error logs when the user who requested the file transfer and the user who requested the cancellation are the same.

A user can start one agent and want it to interact with another agent. How the two agents can interact depends on the level of access authority that the user has on the other agent authority queue.

Agent action	Managed File Transfer access authority	Authority queues	IBM MQ access authority (Multiplatforms)	RACF access level (z/OS only)
Receive a transfer from source_agent	Agent source	SYSTEM.FTE.AUTHAGT1.source_agent_name	BROWSE	READ
Send a transfer to destination_agent	Agent destination	SYSTEM.FTE.AUTHAGT1.destination_agent_name	PUT	UPDATE

Configure user authority management

To authorize a user to be able to perform an action on an agent, grant the user the appropriate authority on the relevant authority queue. To grant authorities to a user, complete the following steps:

Create a user on the system where the agent queue manager is located that has the same name as the user we want to give authority to perform agent actions. This user does not have to be active.
Grant the user the appropriate authority on the relevant authority queue. If we are using Linux, UNIX, or Windows, we can use the setmqaut command.
Refresh the security configuration of the queue manager. We can use the REFRESH SECURITY MQSC command.

Example

The setmqaut command is not used on z/OS systems. For z/OS, instead use RACF. See Set up security on z/OS for more information.

The setmqaut command is not used on IBM i systems. For IBM i, see Access authorities for IBM MQ objects, which describes how authorization for IBM MQ objects is done. There are three relevant CL commands available on IBM i: Grant MQ Object Authority (GRTMQMAUT), Revoke MQ Object Authority (RVKMQMAUT), and Refresh MQ Authority (RFRMQMAUT).

A user, who is a member of the group requestor_group, wants to set up a resource monitor on AGENT1 that transfers a file from AGENT1, which is running under the user user1, who is a member of the group user1_group, to AGENT2, which is running under the user user2, who is a member of the group user2_group. AGENT1 connects to QM1; AGENT2 connects to QM2. Both agents have authority checking enabled. To make this possible take the following steps:

requestor must have Monitor authority on AGENT1. Set this authority by running the following command on the system where QM1 is running:
```
setmqaut -m QM1 -t queue -n SYSTEM.FTE.AUTHMON1.AGENT1 -g requestor_group +browse
```
requestor must have Transfer source authority on AGENT1. Set this authority by running the following command on the system where QM1 is running:
```
setmqaut -m QM1 -t queue -n SYSTEM.FTE.AUTHTRN1.AGENT1 -g requestor_group +browse
```
requestor must have Transfer destination authority on AGENT2. Set this authority by running the following command On the system where QM2 is running:
```
setmqaut -m QM2 -t queue -n SYSTEM.FTE.AUTHTRN1.AGENT2 -g requestor_group +put
```
user2 must have Agent source authority on AGENT1. Set this authority by running the following command on the system where QM1 is running:
```
setmqaut -m QM1 -t queue -n SYSTEM.FTE.AUTHAGT1.AGENT1 -g user2_group +browse
```
user1 must have Agent destination authority on AGENT2. Set this authority by running the following command on the system where QM2 is running:
```
setmqaut -m QM2 -t queue -n SYSTEM.FTE.AUTHAGT1.AGENT2 -g user1_group +put
```

Logging

If user authority checking is enabled, failed authority checks cause a not authorized log message to be published to the coordination queue manager. See MFT message formats for security for more information.

Messages about user authority can be written to the agent event log. We can configure the amount of information written to the agent event log by setting the logAuthorityChecks property in the agent property file. By default the level of authority check logging is None. We can also set the value of logAuthorityChecks to Failures, which specifies that only failed authorization checks are reported, or All which specifies that failed and successful authorization checks are reported.

For more information, see The MFT agent.properties file.

Parent topic: Manage authorities for MFT-specific resources

Related reference

Restricting group authorities for MFT-specific resources