TIBCO MFT Platform Server Groups
As a TIBCO MFT Platform Server user, you can be a member of any of the following groups:
- root
- cfadmin
- cfbrowse
- cftransfer
The order of group checking is always root, cfadmin, and then the other groups. Group names can be customized.
Root User
The difference between a root and a non-root user is shown by the following example.
| Installed under | Remote incoming | Resolved local | Request runs under | Any file access done under | Group membership checked for | Local uid in Log.txt |
|---|---|---|---|---|---|---|
| root | test | mary | mary | mary | mary | mary |
| tom | test | mary | tom | tom | mary | mary |
Cfadmin Member
The following programs and CC requests check for membership in the cfadmin group:
| Program/CC Request | Description |
|---|---|
| cfnode | Command-line program to manage nodes. |
| cfprofile | Command-line program to manage profiles. |
| cfping | Command-line program to "ping" target Platform Servers. |
| cfinq | Command-line program to inquire on completed transfers, active transfers and to update the CyberMgr configuration. |
| cfrprofile | Platform Server command to list, add, or delete responder profiles. |
| cc_node | Command Center-initiated request to manage nodes. |
| cc_profile | Command Center-initiated request to manage profiles. |
| cc_ping | Command Center-initiated ping requests. |
| cc_get_active | Command Center-initiated request to inquire on active transfers. |
| cc_rprofile | Command Center-initiated request to list, add, or delete responder profiles. |
| cc collector | Command Center request to collect transfers history. |
The cfadmin group must exist. If this group is removed after installation, only file transfers work; features other than file transfers, such as management, fail.
If you are a member of the cfadmin group, you have all Platform Server rights/access just like a member of the root group.
Special consideration should be given to the cfadmin group for High Availability (HA) setup.
- All machines participating in HA should resolve group names the same way.
- cfadmin, cfbrowse, and cftransfer, if they exist, should be identical on all machines in the same HA cluster. In other words, if you run an ls command on HaDir, the cfadmin group name must be the same, whether you run the ls command on machine A or machine B.
Any request made by executable files or Command Center that modifies the existing setup requires strict cfadmin-only rights. These requests are: node, profile, rprofile, cfinq mgr=u.
| Apps/CC Requests | Octal | Ownership | Permissions |
|---|---|---|---|
| cfnode.cfg | 664 | Owner, cfadmin, others | Owner/Others - Only read |
| cfnode.exe | 510 | Owner, cfadmin, others | Owner/cfadmin - execute |
| CC_manage_nodes | | | User must be a member of cfadmin to run any CC node request. |
| cfrprofile.cfg | 664 | Owner, cfadmin, others | Owner/Others - Only read |
| cfrprofile.exe | 510 | Owner, cfadmin, others | Owner/cfadmin - execute |
| CC_manage_rprofiles | | | User must be a member of cfadmin to run any CC rprofile request. |
| cfprofile.cfg | 664 | Owner, cfadmin, others | Owner/Others - Only read |
| cfprofile.exe | 510 | Owner, cfadmin, others | Only owner/cfadmin - execute |
| CC_manage_profiles | | | User must be a member of cfadmin to run any CC profile request. |
If you want to allow non-cfadmin users to create/update/delete their own profile or rprofile, change the permissions of the following files as shown:
| Files | Octal | Ownership | Permissions |
|---|---|---|---|
| cfrprofile.cfg | 666 | Owner, cfadmin, others | Anybody can read and write. |
| cfrprofile.exe | 511 | Owner, cfadmin, others | Anybody can execute; others are programmatically restricted to only see/create/update/delete their own rprofile. |
| cfprofile.cfg | 666 | Owner, cfadmin, others | Anybody can read and write. |
| cfprofile.exe | 511 | Owner, cfadmin, others | Anybody can execute; others are programmatically restricted to only see/create/update/delete their own rprofile. |
The ownership and permissions of the following files are shown below:
| Files | Octal | Ownership | Permissions |
|---|---|---|---|
| Log.txt | 664 | Owner, cfadmin, others | File is owned by CyberMgr account. |
| visibility.txt | 664 | Owner, cfadmin, others | Shared by CyberResp account and CyberMgr account; or cfinq account and CyberMgr account. This is a temporary file. |
| cfinq.exe | 511 | Owner, cfadmin, others | Anybody can execute. |
- To run cfinq mgr=u and update the active CyberMgr daemon setting, you must be in the cfadmin group.
- To run cfinq mgr=a and see active transfers, you must be a member of the cfadmin group.
- To run cfinq and see the history, you don't need to be in the cfadmin group. Depending on the cfbrowse group and StrictGroupChecking, you can see all history or only your own history.
- To run fusping and ping another machine, you don't need to be in the cfadmin group.
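
The permission tables above can be checked on a host with a small audit script. This is an added example, not TIBCO's code: it assumes GNU stat, and the install directory and cfadmin group name are hypothetical parameters supplied by the caller, since the page does not give the path and group names can be customized.

```shell
#!/bin/sh
# Added example (not TIBCO code): audit Platform Server file modes and group
# ownership against the defaults documented in the tables above.
# Assumptions: GNU stat (stat -c); DIR and GROUP are supplied by the caller
# because the install path is site-specific and group names can be customized.

# Documented default modes as name:octal pairs.
MFT_EXPECTED="cfnode.cfg:664 cfnode.exe:510 cfrprofile.cfg:664
cfrprofile.exe:510 cfprofile.cfg:664 cfprofile.exe:510 Log.txt:664
visibility.txt:664 cfinq.exe:511"

# audit_mft_perms DIR GROUP
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_mft_perms() {
    dir=$1; group=$2; rc=0
    for entry in $MFT_EXPECTED; do
        name=${entry%%:*}; want=${entry##*:}
        path="$dir/$name"
        # visibility.txt is temporary, so absent files are skipped, not flagged.
        [ -e "$path" ] || continue
        have=$(stat -c '%a' "$path")
        have_group=$(stat -c '%G' "$path")
        if [ "$have" != "$want" ]; then
            case "$name:$have" in
                cfprofile.cfg:666|cfrprofile.cfg:666|cfprofile.exe:511|cfrprofile.exe:511)
                    # The documented relaxation that lets non-cfadmin users
                    # manage their own profiles; report it so it is a
                    # deliberate choice rather than drift.
                    echo "RELAXED $name mode=$have default=$want" ;;
                *)
                    echo "MISMATCH $name mode=$have expected=$want" ;;
            esac
            rc=1
        fi
        if [ "$have_group" != "$group" ]; then
            echo "GROUP $name group=$have_group expected=$group"
            rc=1
        fi
    done
    return $rc
}
```

In an HA cluster, running the same audit on each machine against the shared directory and comparing the output shows whether the group name resolves identically everywhere.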
Cfbrowse Member
Some requests check for membership in the cfbrowse group if you are not in the root or cfadmin group.
The following files and CC requests check for membership in the cfbrowse group: cc collector log history, cfinq log history
Group does not exist:
- If StrictGroupChecking=N, then you can see all log records.
- If StrictGroupChecking=Y, then your request is rejected.
Group exists, user is a member:
- If StrictGroupChecking=N|Y, then you can see all log records.
Group exists, user is not a member:
- If StrictGroupChecking=N|Y, then you can see only your own log records.
cfinq mgr=active only allows you to see active transfers; there is no option to cancel active transfers. Cancellation can be done only from the Command Center side.
In HA setups, the haDir/visibility folder is used by cfinq mgr=active requests to create a temporary file, where CyberMgr writes active transfer information. This folder has permission 775, restricting ordinary users from having write access to it. Therefore, cfinq mgr=active can be successful only when it is run by a cfroot or a cfadmin member.
Cftransfer Member
Only cc_xfer requests check for membership in the cftransfer group.
Group does not exist:
- If StrictGroupChecking=N, then you are allowed to run cc_xfer transfers.
- If StrictGroupChecking=Y, then you are not allowed to run cc_xfer transfers.
Group exists, user is a member:
- If StrictGroupChecking=N|Y, then you are allowed to run cc_xfer transfers.
Group exists, user is not a member:
- If StrictGroupChecking=N|Y, then you are not allowed to run cc_xfer transfers.