3. Define client user rights

This section describes the copilot.misc.createprocessasuser parameter. By default, this parameter is set to NO. When set to NO, user authentication is controlled by Central Governance. When set to YES, user authentication is controlled by the system where Transfer CFT is installed. Setting this to YES allows user authentication via a client, such as web services, if there is a Central Governance failure. This setup requires that users be known both on the system and on Central Governance, meaning an LDAP directory.

When you set copilot.misc.createprocessasuser to YES, the Copilot server will start a process under the connected user.

Reminder: Configuration changes should be managed by Central Governance.

UCONF createprocessasuser is set to NO

Details by OS:

UNIX/Windows, IBM i, and z/OS:

Actions made on the configuration are done with the user that started the Copilot server.

The owner of the transfer request is the user that connects to Copilot, for example the Central Governance user, assuming that USERCTRL is set to yes. When USERCTRL is set to No, the transfer owner is the user that started Transfer CFT.

Note: On z/OS, this means JOBLIB is not defined as an APF.

Note: Using Central Governance, you must set appropriate user privileges. Otherwise, a user with extensive Central Governance privileges could modify the Transfer CFT configuration by connecting via the client, even if this user has restricted access to the runtime environment.

UCONF createprocessasuser is set to YES

Details by OS:

UNIX/Windows:

Actions on the configuration are done with the user that connects to Copilot.

The owner of the transfer request is the user that connects to Copilot. Note that actions on the configuration are also done with the user connecting to Copilot.

IBM i:

The owner of the transfer request is the user that connects to Copilot.

z/OS:

This means the JOBLIB is defined as an APF. The USERID is the user that is connected, as with UNIX/Windows.

Note: The copilot.misc.createprocessasuser parameter is not available on the z/OS platform.

You only need to perform the following tasks if createprocessasuser is set to YES.

UNIX specific tasks

To be able to update your Transfer CFT from Central Governance, you must put the cftsu file outside of the home directory and point to the new path.

  1. Log on as root.
  2. Copy the file to the new folder location.

cp $CFTINSTALLDIR/bin/cftsu <new_folder>/cftsu

  3. Change the owner of the file.

chown root:root <new_folder>/cftsu

chmod u+s <new_folder>/cftsu

  4. Use CFTUTIL to set the new folder path:

uconfset id=copilot.unix.cftsu.fname, value=<new_folder>/cftsu
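
Because the steps above leave a setuid-root binary on disk, it is worth auditing the result. The following shell functions are an added example, not part of the Transfer CFT documentation or product: they check the relocated cftsu file for root ownership, the setuid bit, and the absence of group/other write access. The function names, the GNU `stat -c` syntax, and the parent-directory check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): audit a relocated cftsu after
# chown root:root and chmod u+s. Function names are hypothetical.

# audit_perms UID MODE LABEL: pure check on a numeric owner uid and an octal
# mode string such as 4755. Prints findings; returns 0 only when clean.
audit_perms() {
    a_rc=0
    a_bits=$((0$2))                      # leading 0 => parsed as octal
    [ "$1" = "0" ] || { echo "$3: owner uid $1, expected 0 (root)"; a_rc=1; }
    [ $((a_bits & 022)) -eq 0 ] || { echo "$3: writable by group/other (mode $2)"; a_rc=1; }
    return $a_rc
}

# has_setuid MODE: true when the setuid bit (chmod u+s) is present.
has_setuid() { [ $(( (0$1) & 04000 )) -ne 0 ]; }

# check_cftsu PATH: stat the file and its parent directory (GNU stat syntax).
check_cftsu() {
    c_rc=0
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "$1: not a regular file (missing or symlink)"; return 1
    fi
    c_out=$(stat -c '%u %a' "$1") || return 1
    audit_perms "${c_out% *}" "${c_out#* }" "$1" || c_rc=1
    has_setuid "${c_out#* }" || { echo "$1: setuid bit not set"; c_rc=1; }
    # Extra hardening assumption, not stated on the page: the containing
    # directory must also be root-owned and not group/other-writable, or a
    # non-root user could replace the file the configuration points to.
    c_dir=$(dirname "$1")
    c_out=$(stat -c '%u %a' "$c_dir") || return 1
    audit_perms "${c_out% *}" "${c_out#* }" "$c_dir" || c_rc=1
    return $c_rc
}

# Stand-alone use: sh audit_cftsu.sh <new_folder>/cftsu
if [ $# -gt 0 ]; then check_cftsu "$1"; fi
```

A non-zero exit status means at least one finding was printed; rerun the check after any Transfer CFT update that replaces the file.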

Windows specific tasks

This section describes how to define users for Transfer CFT Copilot server. The following information applies except if you are using the local system account when working in service mode.

Note: For information on troubleshooting, see Troubleshooting the Copilot server.
