TIBCO MFT Platform Server Groups

As a TIBCO MFT Platform Server user, you can be a member of any of the following groups:

The order of group checking is always root, cfadmin, and then the other groups. Group names can be customized.

Root User

The difference between a root and a non-root user is shown by the following example.

Installed under | Remote incoming | Resolved local | Request runs under | Any file access done under | Group membership checked for | Local uid in Log.txt
root | test | mary | mary | mary | mary | mary
tom | test | mary | tom | tom | mary | mary

Cfadmin Member

The following programs and CC requests check for membership in the cfadmin group:

Program/CC Request | Description
cfnode | Command-line program to manage nodes.
cfprofile | Command-line program to manage profiles.
cfping | Command-line program to "ping" target Platform Servers.
cfinq | Command-line program to inquire on completed transfers, active transfers and to update the CyberMgr configuration.
cfrprofile | Platform Server command to list, add, or delete responder profiles.
cc_node | Command Center-initiated request to manage nodes.
cc_profile | Command Center-initiated request to manage profiles.
cc_ping | Command Center-initiated ping requests.
cc_get_active | Command Center-initiated request to inquire on active transfers.
cc_rprofile | Command Center-initiated request to list, add, or delete responder profiles.
cc collector | Command Center request to collect transfers history.

The cfadmin group must exist. If this group is removed after installation, only file transfers work. Features other than file transfers, such as management, fail.

If you are a member of the cfadmin group, you have all Platform Server rights/access just like a member of the root group.

Special consideration should be given to the cfadmin group for High Availability (HA) setup.

Any request made by executable files or Command Center that modifies the existing setup requires strict cfadmin-only rights. These requests are:
node, profile, rprofile, cfinq mgr=u

Apps/CC Requests | Octal | Ownership | Permissions
cfnode.cfg | 664 | Owner, cfadmin, others | Owner/cfadmin - read and write; Others - read only
cfnode.exe | 510 | Owner, cfadmin, others | Owner/cfadmin - execute
CC_manage_nodes | | | User must be a member of cfadmin to run any CC node request.
cfrprofile.cfg | 664 | Owner, cfadmin, others | Owner/cfadmin - read and write; Others - read only
cfrprofile.exe | 510 | Owner, cfadmin, others | Owner/cfadmin - execute
CC_manage_rprofiles | | | User must be a member of cfadmin to run any CC rprofile request.
cfprofile.cfg | 664 | Owner, cfadmin, others | Owner/cfadmin - read and write; Others - read only
cfprofile.exe | 510 | Owner, cfadmin, others | Only owner/cfadmin - execute
CC_manage_profiles | | | User must be a member of cfadmin to run any CC profile request.

If you want to allow non-cfadmin users to create, update, or delete their own profile or rprofile, change the permissions on the following files as shown:

Files | Octal | Ownership | Permissions
cfrprofile.cfg | 666 | Owner, cfadmin, others | Anybody can read and write.
cfrprofile.exe | 511 | Owner, cfadmin, others | Anybody can execute; others are programmatically restricted to only see/create/update/delete their own rprofile.
cfprofile.cfg | 666 | Owner, cfadmin, others | Anybody can read and write.
cfprofile.exe | 511 | Owner, cfadmin, others | Anybody can execute; others are programmatically restricted to only see/create/update/delete their own rprofile.

The ownership and permissions for the following files are shown below:

Files | Octal | Ownership | Permissions
Log.txt | 664 | Owner, cfadmin, others | File is owned by CyberMgr account.
visibility.txt | 664 | Owner, cfadmin, others | Shared by CyberResp account and CyberMgr account; or cfinq account and CyberMgr account. This is a temporary file.
cfinq.exe | 511 | Owner, cfadmin, others | Anybody can execute.
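
The permission tables above can be checked mechanically. The script below is an added example, not TIBCO code: it compares each file's mode and group owner with the strict cfadmin-only values and reports the relaxed 666/511 settings separately. It assumes all files sit in one directory given as the first argument (the page does not state their paths), reads the Ownership column as group owner cfadmin, and needs GNU stat; audit_file and audit_dir are hypothetical names.

```shell
#!/bin/sh
# Added example (not TIBCO code): audit file modes against the tables above.
# Assumptions: every listed file sits in one directory passed as $1 (the page
# does not state the paths), and GNU stat (stat -c) is available.

# name  strict-mode  relaxed-mode ("-" = the page lists no relaxed variant)
BASELINE='cfnode.cfg 664 -
cfnode.exe 510 -
cfrprofile.cfg 664 666
cfrprofile.exe 510 511
cfprofile.cfg 664 666
cfprofile.exe 510 511
Log.txt 664 -
cfinq.exe 511 -'

# audit_file DIR NAME STRICT RELAXED GROUP
# Prints OK, RELAXED(mode), DRIFT(...) or MISSING for one file.
audit_file() {
    path="$1/$2"; strict=$3; relaxed=$4; want_group=$5
    [ -e "$path" ] || { echo "MISSING"; return 0; }
    mode=$(stat -c '%a' "$path")
    group=$(stat -c '%G' "$path")
    if [ "$group" != "$want_group" ]; then
        echo "DRIFT(group=$group)"      # group owner is not the expected group
    elif [ "$mode" = "$strict" ]; then
        echo "OK"                       # matches the cfadmin-only table
    elif [ "$mode" = "$relaxed" ]; then
        echo "RELAXED($mode)"           # documented self-service setting
    else
        echo "DRIFT(mode=$mode)"        # matches neither documented mode
    fi
}

# audit_dir DIR [GROUP]  (GROUP defaults to cfadmin; group names can be customized)
audit_dir() {
    dir=$1; grp=${2:-cfadmin}
    printf '%s\n' "$BASELINE" | while read -r name strict relaxed; do
        printf '%-16s %s\n' "$name" \
            "$(audit_file "$dir" "$name" "$strict" "$relaxed" "$grp")"
    done
}

# Run only when a directory is given: sh audit.sh /path/to/install [group]
if [ "$#" -ge 1 ]; then audit_dir "$@"; fi
```

A RELAXED result on a .cfg file means the file is world-writable by design, so it is worth confirming that the self-service profile setting was an intentional choice on that host.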

Cfbrowse Member

Some requests check for membership in the cfbrowse group if you are not in the root or cfadmin group.

The following files and CC requests check for membership in the cfbrowse group:
cc collector log history, cfinq log history

Group does not exist:

Group exists, user is a member:

Group exists, user is not a member:

Note: cfinq mgr=active only allows you to see active transfers; there is no option to cancel active transfers. Cancellation can be done only from the Command Center side.
In HA setups, the haDir/visibility folder is used by cfinq mgr=active requests to create a temporary file, where CyberMgr writes active transfer information. This folder has permission 775, restricting ordinary users from having write access to it. Therefore, cfinq mgr=active can be successful only when it is run by a cfroot or a cfadmin member.

Cftransfer Member

Only cc_xfer requests check for membership in the cftransfer group.

Group does not exist:

Group exists, user is a member:

Group exists, user is not a member: