The configuration for the company mycompany is made up of four computer centers, two in Munich (MCH1, MCH2) and two in Hamburg (HH1, HH2). A separate subgroup is created for each computer center. The remote administration computer MCHSRV01 is located in MCH1.
Four remote administrators are configured: John, Fred, Jack and Mike. The following table shows the groups, subgroups and openFT instances and specifies which remote administrator has which permissions.
| Group | Subgroup | Instance | Permissions of the remote administrator | | | |
| | | | John | Fred | Jack | Mike |
| Muenchen | MCH1 | MCHSRV01 | FT | FT, FTAC | | |
| | | OPENFT01 | FT | FT, FTAC | | |
| | | OPENFT02 | FT | FT, FTAC | | |
| | | OPENFT03 | FTOP | FT, FTAC | | |
| | | MCHSRV02 | | | FT, FTAC | |
| | MCH2 | MCHSRV03 | FT, FTAC | | | |
| Hamburg | HH1 | HHWSRV01 | | | FT, FTAC | FT, FTAC |
| | | HHWSRV02 | | | FT, FTAC | FT, FTAC |
| | | HHWSRV11 | | | FT, FTAC | FT |
| | HH2 | HHWSRV99 | | | FT, FTAC | FTOP |
XML configuration file
The configuration shown in the table is defined using the following configuration file. Items indicated by numbers on the right margin are explained after the file.
<?xml version="1.0" encoding="UTF-8"?>
<Configuration
  Version="1210"
  Description="Configuration for central server MCHSRV01"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  ; Only on Unix systems
  xsi:noNamespaceSchemaLocation="/opt/openFT/include/config.xsd">
  ; Only on Windows systems
  xsi:noNamespaceSchemaLocation="<openFT-installationdirectory>/include/config.xsd">
  <AdministratorID
    Name="John"
    Description="Domain Controller Administrator"
    UserID="rz\John"    1.
    Profile="Profile01"/>    2.
  <AdministratorID
    Name="Fred"
    Description="Production computer administrator"
    UserID="rz\Fred"    1.
    Profile="Profile02"/>    2.
  <AdministratorID
    Name="Jack"
    Description="Administrator of the HR department computer in HH"
    Profile="Profile03"/>    2.
  <AdministratorID
    Name="Mike"
    Description="Administrator of the QA computer in HH"
    Profile="Profile04"/>    2.
  <Group
    Name="Muenchen"
    Description="Computer Center Muenchen">
    <Group
      Name="MCH1"
      Description="Computer Center Muenchen Schwabing">
      <AccessList>    3.
        <AccessEntry
          AdministratorID="John"
          AllowFunction="FT"/>
        <AccessEntry
          AdministratorID="Fred"
          AllowFunction="FT FTAC"/>
      </AccessList>
      <Instance
        Name="MCHSRV01"    4.
        Description="Remote administration server"
        Address="ftadm://MCHSRV01.mch.mycompany.net"
        Admission="mchsrv01remote"/>
      <Instance
        Name="OPENFT01"    4.
        Description="Windows 10"
        Address="ftadm://OPENFT01.mch.mycompany.net"
        Admission="openft01remote"/>
      <Instance
        Name="OPENFT02"    4.
        Description="Windows 10"
        Address="ftadm://OPENFT02.mch.mycompany.net"
        Admission="openft02remote"/>
      <Instance
        Name="OPENFT03"    4.
        Description="Windows 10"
        Address="ftadm://OPENFT03.mch.mycompany.net"
        Admission="openft03remote">
        <AccessList>    5.
          <AccessEntry
            AdministratorID="John"
            DenyFunction="FTMOD"/>
        </AccessList>
      </Instance>
      <Instance
        Name="MCHSRV02"    4.
        Description="SUSE SLES 11, source management"
        Address="ftadm://MCHSRV02.mch.mycompany.net"
        Admission="mchsrv02remote">
        <AccessList    5.
          InheritFromParent="No">
          <AccessEntry
            AdministratorID="Jack"
            AllowFunction="FT FTAC"/>
        </AccessList>
      </Instance>
    </Group>
    <Group
      Name="MCH2"
      Description="Computer Center Muenchen Freimann">
      <AccessList>    5.
        <AccessEntry
          AdministratorID="John"
          AllowFunction="FT FTAC"/>
      </AccessList>
      <Instance
        Name="MCHSRV03"    4.
        Description="Windows Server 2016 domain controller"
        Address="ftadm://MCHSRV03.mch.mycompany.net"
        Admission="mchsrv03remote">
      </Instance>
    </Group>
  </Group>
  <Group
    Name="Hamburg"
    Description="Computer Center North in Hamburg Wandsbek">
    <Group
      Name="HH1"
      Description="QA Computer Center">
      <AccessList>    3.
        <AccessEntry
          AdministratorID="Jack"
          AllowFunction="FT FTAC"/>
        <AccessEntry
          AdministratorID="Mike"
          AllowFunction="FT FTAC"/>
      </AccessList>
      <Instance
        Name="HHWSRV01"    4.
        Description="Solaris 10"
        Address="ftadm://HHWSRV01.hhw.mycompany.net"
        CmdMode="Char"
        Admission="hhwsrv01remote"/>
      <Instance
        Name="HHWSRV02"    4.
        Description="HP-11"
        Address="ftadm://HHWSRV02.hhw.mycompany.net"
        Admission="hhwsrv02remote"/>
      <Instance
        Name="HHWSRV11"    4.
        Description="Solaris 10"
        Address="HHWSRV11.hhw.mycompany.net"
        Admission="hhwsrv11remote"
        Mode="Legacy">    6.
        <AccessList>    5.
          <AccessEntry
            AdministratorID="Mike"
            DenyFunction="FTAC"/>
        </AccessList>
      </Instance>
    </Group>
    <Group
      Name="HH2"
      Description="HR department">
      <AccessList>    3.
        <AccessEntry
          AdministratorID="Jack"
          AllowFunction="FT FTAC"/>
        <AccessEntry
          AdministratorID="Mike"
          AllowFunction="FTOP"/>
      </AccessList>
      <Instance
        Name="HHWSRV99"    4.
        Description="Mainframe system (BS2000)"
        Address="ftadm://HHWSRV99.hhw.mycompany.net"
        Admission="hhwsrv99remote"/>
    </Group>
  </Group>
</Configuration>
Explanation
1. User ID that has the specified administrator permissions on the remote administration server. This allows remote administration to be performed directly on the remote administration server. If no user ID is specified here, remote administration is only possible using the FTAC transfer admission (see 2).
2. Name of the admission profile for accessing the remote administration server. The profile must include the function ACCESS-TO-ADMINISTRATION (corresponds to ftcrep -ff=c). If remote administration is performed from a remote computer, the remote administrator must specify the associated FTAC transfer admission.
3. Defines the admissions for the entire group. An <AccessEntry> tag is specified for each authorized remote administrator. This permission can be expanded or restricted in an instance (see 5).
4. Defines an instance. The complete address (as in the example) or the name from the partner list can be specified in the Address attribute. Partners with openFT as of V11.0 must be defined with ftadm://....
   Admission specifies the transfer admission for the instance to be administered. The associated admission profile must be set up there and must permit the REMOTE-ADMINISTRATION function (corresponds to ftcrep -ff=a). In addition, the encoding mode can be defined using CmdMode.
5. The <AccessList> tag for an instance defines permissions that only apply for this instance:
   - The InheritFromParent="No" attribute cancels a parent (inherited) permission.
   - The DenyFunction attribute under <AccessEntry> restricts inherited permissions. For instance, the FT permission is reduced to FTOP with DenyFunction="FTMOD".
   - AllowFunction defines or extends permissions.
6. The Mode="Legacy" attribute specifies that an openFT version < V11.0 is running on the instance. The instance is addressed as an openFT partner, i.e. the address is specified without a prefix. The ftexec command is then used internally for a remote administration request.
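The AccessList inheritance rules explained above can be checked mechanically when reviewing a configuration for least privilege. The following Python code is an added example, not part of the openFT documentation or product: it computes each administrator's effective permissions per instance from a configuration file. It assumes that FT is the union of FTOP and FTMOD (inferred from the DenyFunction explanation) and that DenyFunction is applied after AllowFunction within one entry; the function names are hypothetical, and the sample input is a constructed excerpt of the MCH1 subgroup.

```python
import xml.etree.ElementTree as ET

# Assumption inferred from the DenyFunction note: FT = FTOP + FTMOD.
EXPAND = {"FT": {"FTOP", "FTMOD"}}
# Constructed excerpt of the MCH1 subgroup from the configuration above.
SAMPLE = """<Configuration Version="1210">
 <Group Name="Muenchen"><Group Name="MCH1">
  <AccessList>
   <AccessEntry AdministratorID="John" AllowFunction="FT"/>
   <AccessEntry AdministratorID="Fred" AllowFunction="FT FTAC"/>
  </AccessList>
  <Instance Name="OPENFT01"/>
  <Instance Name="OPENFT03"><AccessList>
   <AccessEntry AdministratorID="John" DenyFunction="FTMOD"/>
  </AccessList></Instance>
  <Instance Name="MCHSRV02"><AccessList InheritFromParent="No">
   <AccessEntry AdministratorID="Jack" AllowFunction="FT FTAC"/>
  </AccessList></Instance>
 </Group></Group>
</Configuration>"""

def atoms(value):
    """Expand a space-separated function list into atomic permissions."""
    return {a for name in (value or "").split() for a in EXPAND.get(name, {name})}

def apply_access_list(node, inherited):
    """Return {admin: permissions} after applying node's own <AccessList>."""
    perms = {admin: set(p) for admin, p in inherited.items()}  # copy per node
    acl = node.find("AccessList")
    if acl is not None and acl.get("InheritFromParent") == "No":
        perms = {}  # cancel everything inherited from parent groups
    for entry in node.findall("AccessList/AccessEntry"):
        p = perms.setdefault(entry.get("AdministratorID"), set())
        p |= atoms(entry.get("AllowFunction"))  # define or extend
        p -= atoms(entry.get("DenyFunction"))   # restrict (assumed after Allow)
    return perms

def effective_permissions(xml_text):
    """Map each instance name to {admin: sorted atomic permissions}."""
    result = {}
    def walk(node, inherited):
        perms = apply_access_list(node, inherited)
        if node.tag == "Instance":
            result[node.get("Name")] = {a: sorted(p) for a, p in perms.items() if p}
        for child in node.findall("Group") + node.findall("Instance"):
            walk(child, perms)
    walk(ET.fromstring(xml_text), {})
    return result
```

Calling effective_permissions(SAMPLE) returns John with only FTOP on OPENFT03 and Jack as the sole administrator of MCHSRV02, matching the corresponding rows of the permissions table.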