TIBCO MFT Platform Server Groups
As a TIBCO MFT Platform Server user, you can be a member of any of the following groups:
- root
- cfadmin
- cfbrowse
- cftransfer
The order of group checking is always root, cfadmin, and then the other groups. Group names can be customized.
Root User
The difference between a root and a non-root user is shown by the following example.
Installed under | Remote incoming | Resolved local | Request runs under | Any file access done under | Group membership checked for | Local uid in Log.txt |
---|---|---|---|---|---|---|
root | test | mary | mary | mary | mary | mary |
tom | test | mary | tom | tom | mary | mary |
Cfadmin Member
The following programs and CC requests check for membership in the cfadmin group:
Program/CC Request | Description |
---|---|
cfnode | Command-line program to manage nodes. |
cfprofile | Command-line program to manage profiles. |
cfping | Command-line program to "ping" target Platform Servers. |
cfinq | Command-line program to inquire on completed transfers, active transfers and to update the CyberMgr configuration. |
cfrprofile | Platform Server command to list, add, or delete responder profiles. |
cc_node | Command Center-initiated request to manage nodes. |
cc_profile | Command Center-initiated request to manage profiles. |
cc_ping | Command Center-initiated ping requests. |
cc_get_active | Command Center-initiated request to inquire on active transfers. |
cc_rprofile | Command Center-initiated request to list, add, or delete responder profiles. |
cc collector | Command Center request to collect transfers history. |
The cfadmin group must exist. If this group is removed after installation, only file transfers work. Features other than file transfers, such as management, fail.
If you are a member of the cfadmin group, you have all Platform Server rights/access just like a member of the root group.
Special consideration should be given to the cfadmin group for High Availability (HA) setup.
- All machines participating in HA should resolve group names the same way.
- cfadmin, cfbrowse, and cftransfer, if they exist, should be identical on all machines in the same HA cluster. In other words, if you run an ls command on HaDir, the cfadmin group name must be the same, whether you run the ls command on machine A or machine B.
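The HA check described above, as an added example (not TIBCO's code): it compares ls -l listings of HaDir captured on two nodes and reports entries whose group differs or appears as a bare numeric GID, which is what ls prints when the group name does not resolve on that node. The listings, the account mftsvc, the group mftadm, the GID 1501 and the file names other than visibility are constructed sample data.

```shell
#!/bin/sh
# Constructed sample: `ls -l HaDir` captured on machine A and machine B.
NODE_A='-rw-rw-r-- 1 mftsvc cfadmin 2048 Jan 10 09:00 cfnode.cfg
-rw-rw-r-- 1 mftsvc cfadmin 1024 Jan 10 09:00 cfprofile.cfg
drwxrwxr-x 2 mftsvc cfadmin 4096 Jan 10 09:00 visibility'
NODE_B='-rw-rw-r-- 1 mftsvc cfadmin 2048 Jan 10 09:00 cfnode.cfg
-rw-rw-r-- 1 mftsvc 1501    1024 Jan 10 09:00 cfprofile.cfg
drwxrwxr-x 2 mftsvc mftadm  4096 Jan 10 09:00 visibility'

# ha_group_mismatches LISTING_A LISTING_B
# Prints one line per entry whose group column (field 4 of ls -l) is not
# the same resolved name on both nodes. Prints nothing when they agree.
# Limitation: file names containing spaces are not handled.
ha_group_mismatches() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---"          { second = 1; next }
        NF < 9               { next }   # skip "total N" and blank lines
        !second              { grp[$9] = $4; next }
        !($9 in grp)         { print $9 ": missing on node A"; next }
        $4 ~ /^[0-9]+$/      { print $9 ": unresolved gid " $4 " on node B"; next }
        grp[$9] ~ /^[0-9]+$/ { print $9 ": unresolved gid " grp[$9] " on node A"; next }
        $4 != grp[$9]        { print $9 ": " grp[$9] " vs " $4 }'
}

ha_group_mismatches "$NODE_A" "$NODE_B"
```

An empty result means both nodes show the same group names for every entry in the listing.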
Any request made by executable files or Command Center that modifies the existing setup requires a strict cfadmin-only right. These requests are: node, profile, rprofile, cfinq mgr=u
Apps/CC Requests | Octal | Ownership | Permissions |
---|---|---|---|
cfnode.cfg | 664 | Owner, cfadmin, others | Owner/ Others - Only read |
cfnode.exe | 510 | Owner, cfadmin, others | Owner/cfadmin - execute |
CC_manage_nodes | User must be a member of cfadmin to run any CC node request. | | |
cfrprofile.cfg | 664 | Owner, cfadmin, others | Owner/ Others - Only read |
cfrprofile.exe | 510 | Owner, cfadmin, others | Owner/cfadmin - execute |
CC_manage_rprofiles | User must be a member of cfadmin to run any CC rprofile request. | | |
cfprofile.cfg | 664 | Owner, cfadmin, others | Owner/ Others - Only read |
cfprofile.exe | 510 | Owner, cfadmin, others | Only owner/cfadmin - execute |
CC_manage_profiles | User must be a member of cfadmin to run any CC profile request. | | |
If you want to allow non-cfadmin users to create/update/delete their own profile or rprofile, change the permissions of the following files:
Files | Octal | Ownership | Permissions |
---|---|---|---|
cfrprofile.cfg | 666 | Owner, cfadmin, others | Anybody can read and write. |
cfrprofile.exe | 511 | Owner, cfadmin, others | Anybody can execute; others are programmatically restricted to only see/create/update/delete their own rprofile. |
cfprofile.cfg | 666 | Owner, cfadmin, others | Anybody can read and write. |
cfprofile.exe | 511 | Owner, cfadmin, others | Anybody can execute; others are programmatically restricted to only see/create/update/delete their own rprofile. |
Also, the ownership and permissions for the following files are shown below:
Files | Octal | Ownership | Permissions |
---|---|---|---|
Log.txt | 664 | Owner, cfadmin, others | File is owned by CyberMgr account. |
visibility.txt | 664 | Owner, cfadmin, others | Shared by CyberResp account and CyberMgr account; or cfinq account and CyberMgr account. This is a temporary file. |
cfinq.exe | 511 | Owner, cfadmin, others | Anybody can execute. |
- To run cfinq mgr=u and update active CyberMgr daemon setting, you must be in the cfadmin group.
- To run cfinq mgr=a and see active transfers, you must be a member of cfadmin group.
- To run cfinq and see the history, you don't need to be in the cfadmin group. Depending on the cfbrowse group and StrictGroupChecking, you can see all history or only your own history.
- To run fusping and ping another machine, you don't need to be in the cfadmin group.
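An audit of the octal modes and group ownership listed in the tables above, as an added example (not part of the product): it reports each file as matching the strict mode, matching the relaxed 666/511 mode, or deviating. It assumes GNU stat and that all listed files sit under one directory passed as the first argument; the group name is a parameter because group names can be customized.

```shell
#!/bin/sh
# Baseline taken from the tables: file:strict_mode:relaxed_mode
# ("-" means the page lists no relaxed mode for that file).
MFT_BASELINE='cfnode.cfg:664:-
cfnode.exe:510:-
cfrprofile.cfg:664:666
cfrprofile.exe:510:511
cfprofile.cfg:664:666
cfprofile.exe:510:511
Log.txt:664:-
cfinq.exe:511:-'

# audit_mft_perms DIR [GROUP]
# Prints one finding per file and returns:
#   0 = every file matches the strict table
#   1 = only RELAXED findings (non-cfadmin users can manage their own entries)
#   2 = at least one missing file, wrong group or unexpected mode
audit_mft_perms() {
    dir=$1; group=${2:-cfadmin}; rc=0
    while IFS=: read -r name strict relaxed; do
        path="$dir/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING  $name"; rc=2; continue
        fi
        mode=$(stat -c '%a' "$path")   # octal permission bits
        grp=$(stat -c '%G' "$path")    # group name as resolved on this host
        if [ "$grp" != "$group" ]; then
            echo "BADGROUP $name group=$grp expected=$group"; rc=2
        elif [ "$mode" = "$strict" ]; then
            echo "OK       $name $mode"
        elif [ "$mode" = "$relaxed" ]; then
            echo "RELAXED  $name $mode"
            if [ "$rc" -eq 0 ]; then rc=1; fi
        else
            echo "BADMODE  $name mode=$mode expected=$strict"; rc=2
        fi
    done <<EOF
$MFT_BASELINE
EOF
    return $rc
}
```

Call it as audit_mft_perms followed by the install directory and, if the group was renamed, the customized group name.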
Cfbrowse Member
Some requests check for membership in the cfbrowse group if you are not in the root or cfadmin group.
The following files and CC requests check for membership in the cfbrowse group: cc collector log history, cfinq log history
Group does not exist:
- If StrictGroupChecking=N, then you can see all log records.
- If StrictGroupChecking=Y, then your request is rejected.
Group exists, user is a member:
- If StrictGroupChecking=N|Y, then you can see all log records.
Group exists, user is not a member:
- If StrictGroupChecking=N|Y, then you can see only your own log records.
cfinq mgr=active only allows you to see active transfers; there is no option to cancel active transfers. Cancellation can be done only from the Command Center side.
In HA setups, the haDir/visibility folder is used by cfinq mgr=active requests to create a temporary file, where CyberMgr writes active transfer information. This folder has permission 775, restricting ordinary users from having write access to it. Therefore, cfinq mgr=active can be successful only when it is run by a cfroot or a cfadmin member.
Cftransfer Member
Only cc_xfer requests check for membership in the cftransfer group.
Group does not exist:
- If StrictGroupChecking=N, then you are allowed to run cc_xfer transfers.
- If StrictGroupChecking=Y, then you are not allowed to run cc_xfer transfers.
Group exists, user is a member:
- If StrictGroupChecking=N|Y, then you are allowed to run cc_xfer transfers.
Group exists, user is not a member:
- If StrictGroupChecking=N|Y, then you are not allowed to run cc_xfer transfers.