SFTP BOM sync integration fails with 'Permission denied' error during manufacturing plan import

Our SFTP integration for syncing BOM data from our ERP system to Blue Yonder Luminate manufacturing planning is failing with ‘Permission denied’ errors. The integration was working fine until last week when we had to rotate our service account credentials for security compliance.

Error from integration logs:


SFTP Error: Permission denied (publickey)
Failed to write file: /inbound/bom/BOM_20250608.xml
Connection: sftp://svc_bom_sync@sftp.luminate.blueyonder.com:22

We’ve verified the new SSH key is correctly configured in our ERP system. Manual SFTP uploads using the same credentials work fine, but the automated sync job fails. The service account appears to have proper permissions when we test manually, but automated uploads are blocked. We’re running BY 2022.2 and need to understand if this is a folder permission issue, service account configuration problem, or something specific to automated versus manual uploads. The BOM sync is critical for our production planning and we’re currently doing manual uploads as a workaround.

Thanks for the suggestions. I checked the SFTP user management console and found that the public key fingerprint does match our new key. However, when I look at the folder permissions for /inbound/bom, I see that the folder has Read and Write permissions for the ‘Integration_Users’ group, and svc_bom_sync is a member of that group. So it should have write access. Is there a difference in how permissions are evaluated for manual versus automated uploads?

I’ll provide you with a comprehensive solution addressing SFTP folder permissions, service account configuration, and the differences between automated and manual uploads.

1. SFTP Folder Permissions Configuration:

First, verify and correct the folder-level permissions for your BOM sync directory:

Navigate to Integration Setup > SFTP Configuration > Folder Permissions. For the /inbound/bom folder, ensure these settings:

  • Folder Path: /inbound/bom
  • Permission Type: Explicit (not inherited)
  • User/Group: svc_bom_sync (assign directly to user, not just group)
  • Permissions: Read, Write, Create, Delete
  • Apply to Subfolders: Yes
  • Session Type: Both Interactive and Non-Interactive

The key issue is the “Session Type” setting. BY 2022.2 introduced granular control over interactive (manual) versus non-interactive (automated) sessions. Your folder permissions must explicitly allow Non-Interactive access for automated jobs.

Click Edit on the /inbound/bom folder permissions, then:

  1. Remove the group-level permission (Integration_Users)
  2. Add user-level permission specifically for svc_bom_sync
  3. Check both “Interactive Access” and “Non-Interactive Access” boxes
  4. Set Permission Level to “Full Control”
  5. Save and apply changes

Why user-level instead of group-level? Group permissions in BY 2022.2 default to Interactive-only for security. User-level permissions allow you to explicitly grant Non-Interactive access.

2. Service Account Configuration:

The service account requires multiple configuration updates after credential rotation:

A. SSH Key Registration: Go to Integration Setup > SFTP Configuration > User Management > svc_bom_sync:

  • Remove the old public key
  • Add new public key (paste the full key content, not just fingerprint)
  • Key Type: RSA 2048-bit minimum (4096-bit recommended)
  • Key Format: OpenSSH format (starts with “ssh-rsa”)
  • Save and test key validation

B. Role Assignment: Navigate to User Management > Service Accounts > svc_bom_sync > Roles tab. Ensure these roles are assigned:

  • IntegrationUser (base role for SFTP access)
  • AutomatedFileTransfer (required for non-interactive sessions)
  • ManufacturingDataImport (required for BOM file processing)

Critically, the AutomatedFileTransfer role is often removed during credential rotation as a security measure. You must explicitly re-assign it:

  1. Click “Assign Roles” button
  2. Search for “AutomatedFileTransfer”
  3. Select and assign
  4. Set Effective Date to current date
  5. Leave Expiration Date blank (or set per your security policy)
  6. Save changes

C. Authentication Method Configuration: In the service account settings, configure authentication preferences:

  • Primary Auth Method: Public Key Only
  • Allow Password Fallback: No
  • Require Client Certificate: No (unless you use mutual TLS)
  • Session Timeout: 3600 seconds (1 hour)
  • Max Concurrent Sessions: 5

3. Automated vs Manual Upload Differences:

BY 2022.2 treats these session types differently for security:

Interactive (Manual) Sessions:

  • Authenticated via SSH key or password
  • Subject to group-level permissions
  • Logged as user-initiated actions
  • No rate limiting
  • Can access any folder with group permissions

Non-Interactive (Automated) Sessions:

  • Require explicit AutomatedFileTransfer role
  • Subject to user-level permissions only (group permissions ignored)
  • Logged as system-initiated actions
  • Subject to rate limiting (100 files/hour by default)
  • Can only access folders with explicit non-interactive permission
  • Require specific connection parameters

To configure your ERP’s automated job for non-interactive sessions:


    # SFTP client configuration for automated access (OpenSSH options):
    #   BatchMode=yes             -> non-interactive: fail instead of prompting
    #   PasswordAuthentication=no -> public key authentication only
    #   StrictHostKeyChecking=yes -> refuse unknown or changed host keys
    #   ConnectTimeout=30         -> 30-second connection timeout
    #   -b bom_upload.batch       -> one session for all files (no per-file reconnect)
    # sftp transfers are always binary; no transfer mode switch is needed.
    sftp -o BatchMode=yes -o PubkeyAuthentication=yes -o PasswordAuthentication=no \
         -o StrictHostKeyChecking=yes -o ConnectTimeout=30 \
         -i /path/to/new_key -b bom_upload.batch \
         svc_bom_sync@sftp.luminate.blueyonder.com
    # bom_upload.batch:
    #   cd /inbound/bom
    #   put BOM_*.xml
    # See documentation: SFTP Integration Guide Section 5.2

Verification Steps:

  1. Test manual upload:

    
    sftp -i /path/to/new_key svc_bom_sync@sftp.luminate.blueyonder.com
    cd /inbound/bom
    put test_file.xml
    
  2. Test automated upload from ERP:

    • Trigger the scheduled BOM sync job
    • Monitor SFTP logs: Integration Setup > SFTP Configuration > Session Logs
    • Verify “Session Type: Non-Interactive” in logs
    • Confirm successful file transfer

  3. Check processing:

    • Navigate to Manufacturing Planning > Data Import > BOM Import Status
    • Verify the uploaded file appears in processing queue
    • Confirm successful import into manufacturing planning

Common Issues and Solutions:

  • Issue: “Permission denied” persists after role assignment
    Solution: Service account changes require a 5-minute propagation period. Wait and retry.

  • Issue: File uploads succeed but don’t process
    Solution: Check file naming convention. BY expects format: BOM_YYYYMMDD_HHMMSS.xml

  • Issue: Intermittent failures
    Solution: Configure connection retry in ERP (3 attempts with 30-second delay)

  • Issue: Rate limiting errors
    Solution: Contact BY support to increase file upload quota for your service account

Security Best Practices:

  1. Use 4096-bit RSA keys for service accounts
  2. Rotate credentials every 90 days per compliance requirements
  3. Document the full credential rotation procedure including role re-assignment
  4. Implement monitoring for failed automated uploads (alert after 2 consecutive failures)
  5. Use separate service accounts for different integration types (don’t share svc_bom_sync for other file transfers)

Monitoring and Alerts:

Set up monitoring for the BOM sync integration:

  • Alert on SFTP authentication failures (3+ in 1 hour)
  • Alert on permission denied errors
  • Alert on missing BOM files (expected daily at specific time)
  • Track file processing time (alert if >30 minutes)

After implementing these changes, your automated BOM sync should work reliably. The key points are: user-level folder permissions with non-interactive access, AutomatedFileTransfer role assignment, and proper SSH key configuration. Test thoroughly before resuming production use.
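
The alert rules from the Monitoring and Alerts section above, worked into a small log monitor as an added example (not code from the thread or from Blue Yonder): three or more authentication failures within a sliding one-hour window, any permission denied event, and a missing daily BOM file. The log line layout, the event names and the 06:00 deadline are assumptions, since the real BY session log format is not shown in the thread; the sample lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed session log layout (constructed; the real BY session log format is not shown above):
#   <ISO timestamp> <Interactive|Non-Interactive> <user> <event> <detail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<session>Interactive|Non-Interactive) (?P<user>\S+) "
    r"(?P<event>AUTH_FAIL|PERMISSION_DENIED|UPLOAD_OK) ?(?P<detail>.*)$"
)

def parse(line):
    # Returns a dict for a recognised line (timestamp parsed), or None for anything else.
    m = LINE_RE.match(line)
    return None if m is None else dict(m.groupdict(), ts=datetime.fromisoformat(m["ts"]))

def analyze(lines, now_iso, bom_deadline_hour=6):
    """Apply the three alert rules to one day's log; returns the alerts raised, in order."""
    now = datetime.fromisoformat(now_iso)
    alerts, fails, bom_seen = [], deque(), False
    for rec in filter(None, map(parse, lines)):
        if rec["event"] == "AUTH_FAIL":
            fails.append(rec["ts"])
            while fails and rec["ts"] - fails[0] > timedelta(hours=1):
                fails.popleft()                       # sliding one-hour window
            if len(fails) == 3:                       # fire once when the threshold is crossed
                alerts.append(f"auth-failures: 3+ for {rec['user']} within 1h")
        elif rec["event"] == "PERMISSION_DENIED":     # any occurrence is worth an alert
            alerts.append(f"permission-denied: {rec['session']} session of "
                          f"{rec['user']} on {rec['detail']}")
        elif rec["event"] == "UPLOAD_OK" and re.search(r"/inbound/bom/BOM_\d{8}", rec["detail"]):
            bom_seen = True
    # Assumed deadline: the daily BOM file is expected in /inbound/bom by 06:00.
    if not bom_seen and now.hour >= bom_deadline_hour:
        alerts.append("missing-bom: no BOM_* upload to /inbound/bom today")
    return alerts

# Constructed sample: two failures, a denied write, a manual test upload, then a third failure
# after the window has slid past the first two (so no auth alert), and no real BOM file at all.
SAMPLE_LOG = [
    "2025-06-08T05:10:00 Non-Interactive svc_bom_sync AUTH_FAIL publickey",
    "2025-06-08T05:12:00 Non-Interactive svc_bom_sync AUTH_FAIL publickey",
    "2025-06-08T05:15:00 Non-Interactive svc_bom_sync PERMISSION_DENIED /inbound/bom/BOM_20250608.xml",
    "2025-06-08T05:20:00 Interactive svc_bom_sync UPLOAD_OK /inbound/bom/test_file.xml",
    "2025-06-08T06:30:00 Non-Interactive svc_bom_sync AUTH_FAIL publickey",
]

def demo():
    return analyze(SAMPLE_LOG, "2025-06-08T07:00:00")
```

Running demo() yields two alerts (the denied write and the missing BOM file); the third authentication failure does not alert because the first two have aged out of the one-hour window.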

When you rotated the service account credentials, did you update the SSH public key in Blue Yonder’s SFTP user management console? The key needs to be registered on the BY side, not just configured in your ERP. Log into Luminate Integration Setup > SFTP Configuration > User Management, find your svc_bom_sync account, and verify the public key fingerprint matches your new key.