Internal access management

This section describes how to configure access management when not using Central Governance.

Internal access management is an out-of-the-box access management scheme based on predefined roles and privileges and an internal group data file. Groups and their members are defined in this supplied database. Note, however, that with this type of access management there is no super user: the user who installs and starts the Copilot server must have Administrator rights.

The supplied pre-defined roles are:

  • Administrator: Provides full user access
  • Helpdesk: Enables you to view the catalog and log
  • Partner Manager: Allows you to manage partners
  • Designer: Allows you to manage application flows
  • Application: Allows applications to request and manage transfers, and view the catalog

Refer to the Transfer CFT 3.6 Security Guide for a complete list of privileges and roles. (Login required.)

Configuring internal access management

  1. Set the access management type:

    CFTUTIL uconfset id=am.type,value=internal

  2. Set the specific group database parameter (see the table below for OS specifics):

    CFTUTIL uconfset id=am.internal.group_database,value=[ system | safClass | file | xfbadm ]

  3. Use the parameters and descriptions in the AM Parameters table below to customize the internal access management roles. For example, to assign the administrator role to the "admin" group:

    CFTUTIL uconfset id=am.internal.role.admin,value=admin

AM Parameters

Parameter: am.internal.group_database
Default: file (z/OS); system (all other platforms)
Description: Group database where group members are defined.

  • system (Unix, Windows, IBM i, and OpenVMS): the groups are defined in the OS group database (for IBM i, see the security base)
  • system (z/OS only): the service 'IRRSEQ00' is used to retrieve the user's groups from RACF, for example:
    • USER001 ADMIN OPERATOR PARTNER DESIGNER TRANSFER
    • USER002 DESIGNER
  • safClass (z/OS only): the resources are defined in the SAF (System Authorization Facility), where Transfer CFT maps the groups to resources; see the Transfer CFT z/OS Installation and Operation Guide for details
  • file (z/OS and OpenVMS): a variable file containing a users list and a groups list
  • xfbadm (Unix only): the groups are defined in the xfbadm database

Parameter: am.internal.group_database.fname
Default: none
Description: If you set am.internal.group_database=file, you must define this file name. It is a variable file containing the groups associated with each user, one user per line, for example:

  • USER001 group01 group02 group04
  • USER002 group04 group05

The groups are then mapped to roles as shown in the example mapping table below.

Parameter: am.internal.role.admin
Default: none
Description: Admin role and groups mapping. This role enables you to perform all administrative tasks.

  • List of groups (blank separator)

Parameter: am.internal.role.helpdesk
Default: none
Description: Help Desk role and groups mapping. This role enables you to view the log, transfers and configuration.

  • List of groups (blank separator)

Parameter: am.internal.role.partnermanager
Default: none
Description: Partner Manager role and groups mapping. This role enables you to create and manage partners.

  • List of groups (blank separator)

Parameter: am.internal.role.designer
Default: none
Description: Designer role and groups mapping. This role enables you to manage flows.

  • List of groups (blank separator)

Parameter: am.internal.role.application
Default: none
Description: Application role and groups mapping. This role enables applications to send transfers.

  • List of groups (blank separator)

Parameter: am.internal.persistence_timeout
Default: 300
Description: Delay in seconds between refreshes of the list of groups that a user belongs to.

Mapping the group to predefined roles

To use this feature, map the list of groups in the database to the Transfer CFT predefined roles. Use the following information as a basis for your mapping. You can enter these values either on the command line or in the Transfer CFT UI.

Parameter                                   Resulting role
am.internal.role.admin=group01              A user who belongs to group "group01" has the "admin" role.
am.internal.role.helpdesk=group02           A user who belongs to group "group02" has the "helpdesk" role.
am.internal.role.partnermanager=group03     A user who belongs to group "group03" has the "partner manager" role.
am.internal.role.designer=group04           A user who belongs to group "group04" has the "designer" role.
am.internal.role.application=group05        A user who belongs to group "group05" has the "application" role.
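The following script is an added example, not part of the Transfer CFT documentation or product: it parses a group file in the format shown above (user id followed by blank-separated groups), applies an am.internal.role.* mapping like the one in the table, and reports the roles each user would obtain, plus a few configuration checks. It is useful for reviewing a mapping before loading it, since a user in several groups accumulates every role mapped to any of them, and because there is no super user, an empty admin mapping leaves nobody able to administer the server. The group file content, the uconf values, the comment-line handling and the check names are constructed for this example and are not product behaviour.

```python
"""Resolve Transfer CFT internal access management roles from a group file
and the am.internal.role.* parameters (added example, not product code)."""

# Role parameters documented on this page, mapped to short role names.
ROLE_PARAMS = {
    "am.internal.role.admin": "admin",
    "am.internal.role.helpdesk": "helpdesk",
    "am.internal.role.partnermanager": "partnermanager",
    "am.internal.role.designer": "designer",
    "am.internal.role.application": "application",
}

# Allowed values for am.internal.group_database, as listed on this page.
VALID_GROUP_DATABASES = {"system", "safClass", "file", "xfbadm"}

# Constructed group file: one line per user, user id then blank-separated
# groups.  Treating '#' lines as comments is an assumption of this example.
GROUP_FILE = """\
USER001 group01 group02 group04
USER002 group04 group05
# constructed sample file for the example
"""

# Constructed uconf values mirroring the mapping table above.
UCONF = {
    "am.type": "internal",
    "am.internal.group_database": "file",
    "am.internal.group_database.fname": "groups.txt",  # placeholder name
    "am.internal.role.admin": "group01",
    "am.internal.role.helpdesk": "group02",
    "am.internal.role.partnermanager": "group03",
    "am.internal.role.designer": "group04",
    "am.internal.role.application": "group05",
}


def parse_group_file(text):
    """Return {user: set(groups)} from the user/groups file format."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *groups = line.split()
        users.setdefault(user, set()).update(groups)
    return users


def role_groups(uconf):
    """Return {role: set(groups)}; each role value is a blank-separated list."""
    return {role: set(uconf.get(param, "").split())
            for param, role in ROLE_PARAMS.items()}


def resolve_roles(user_groups, mapping):
    """A user gets every role whose group list intersects their groups."""
    return {role for role, groups in mapping.items() if user_groups & groups}


def resolve_all(group_file_text, uconf):
    """Return {user: set(roles)} for every user in the group file."""
    mapping = role_groups(uconf)
    return {user: resolve_roles(groups, mapping)
            for user, groups in parse_group_file(group_file_text).items()}


def check_uconf(uconf):
    """Return a list of problems found in the access management settings."""
    problems = []
    if uconf.get("am.type") != "internal":
        problems.append("am.type is not 'internal'")
    db = uconf.get("am.internal.group_database")
    if db not in VALID_GROUP_DATABASES:
        problems.append(f"unknown am.internal.group_database value: {db!r}")
    if db == "file" and not uconf.get("am.internal.group_database.fname"):
        problems.append("am.internal.group_database=file requires "
                        "am.internal.group_database.fname")
    if not role_groups(uconf)["admin"]:
        problems.append("no group is mapped to the admin role; there is "
                        "no super user to fall back on")
    return problems


if __name__ == "__main__":
    for problem in check_uconf(UCONF):
        print("WARNING:", problem)
    for user, roles in sorted(resolve_all(GROUP_FILE, UCONF).items()):
        print(user, sorted(roles))
```

With the constructed input, USER001 (groups group01, group02 and group04) resolves to the admin, helpdesk and designer roles, and USER002 to designer and application; nobody is mapped to group03, so the partner manager role is unassigned, which check_uconf does not flag but which a review of the printed output makes visible.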
