Configure user access for an MFT stand-alone database logger
In a test environment, we can add any new privileges needed to your normal user account. In a production environment, you are recommended to create a new user with the minimum permissions required to do the job.
The number and type of user accounts you need to run the stand-alone database logger depends on
the number of systems we use. We can install the stand-alone database logger, IBM MQ and your database on a single system, or across two
systems. The stand-alone database logger must be on the same system as IBM MQ. The components can be installed in the following topologies:
- Stand-alone database Logger, IBM MQ and the database all on the same system
- We can define a single operating system user for use with all three components. This is a suitable configuration for the stand-alone database logger. The stand-alone database logger uses Bindings mode to connect to IBM MQ and a native connection to connect to the database.
- Stand-alone database Logger and IBM MQ on one system, the database on a separate system
- We create two users for this configuration: an operating system user on the system running the stand-alone database logger, and a operating system user with remote access to the database on the database server. This is a suitable configuration for the stand-alone database logger using a remote database. The stand-alone database logger uses Bindings mode to connect to IBM MQ and a client connection to access the database.
As an example, the rest of these instructions assume that the user is called ftelog, but we can use any user name. Configure the user's permissions as follows:
Procedure
- Ensure that the user has permission to read and, where necessary, execute, the files installed as part of the Managed File Transfer Remote Tools and Documentation installation.
- Ensure that the user has permission to create and write to any file in the logs directory (in the configuration directory). This directory is used for an event log, and if necessary for diagnostic trace and FFDC files.
- Ensure that the user has its own group, and is not also in any groups with wide-ranging permissions on the coordination queue manager. The user should not be in the mqm group. On certain platforms, the staff group is automatically given queue manager access as well; the stand-alone database logger user should not be in the staff group. We can view authority records for the queue manager itself and for objects in it using the IBM MQ Explorer. Right-click the object and select Object Authorities > Manage Authority Records. At the command line, we can use the commands dspmqaut (display authority) or dmpmqaut (dump authority).
-
Use the Manage Authority Records window in the IBM MQ Explorer or the setmqaut (grant or revoke
authority) command to add authorities for the user's own group (on UNIX, IBM MQ authorities are associated with groups only, not individual users). The authorities required are as
follows:
- Connect and Inquire on the queue manager (the IBM MQ Java libraries require Inquire permission to operate).
- Subscribe permission on the SYSTEM.FTE topic.
- Put permission on the SYSTEM.FTE.LOG.RJCT.logger_name queue.
- Get permission on the SYSTEM.FTE.LOG.CMD.logger_name queue.
-
Perform the user configuration that is specific to the database you are using.
- If your database is Db2®, carry out the following
steps:There are several mechanisms for managing database users with Db2. These instructions apply to the default scheme based on
operating system users.
- Ensure that the ftelog user is not in any Db2 administration groups (for example, db2iadm1, db2fadm1, or dasadm1)
- Give the user permission to connect to the database and permission to select, insert and update on the tables that you created as part of Step 2: create the required database tables
- If your database is Oracle, carry out the following steps:
- Ensure that the ftelog user is not in any Oracle administration groups (for example, ora_dba on Windows or dba on UNIX)
- Give the user permission to connect to the database and permission to select, insert and update on the tables that you created as part of Step 2: create the required database tables
- If your database is Db2®, carry out the following
steps:There are several mechanisms for managing database users with Db2. These instructions apply to the default scheme based on
operating system users.