Commands and Functions that Generate External Security Events

Resource Tables and Predefined Resources › Commands and Functions that Generate External Security Events

Commands and Functions that Generate External Security Events

The table in this section provides the following information:

All CA OPS/MVS commands
The SAF access level required to execute the command
The SAF resource name used to validate the command issuers
The group name, which is derived from the facility names associated with the security event the group name protects
The facility name for DEFSAF

The first qualifier of the resource name (OP$MVS in the table SAF Resource Names Table) is the default resource name prefix value. You can override the prefix value with the EXTSECPREFIX parameter to meet local naming standards.

Review the following explanations of the *var and **table variables in the table column SAF Resource Name:

*var

Contains the name of the global variable being read or updated. When the variable starts with one of the global stem prefixes, the var appended to the resource name is the variable name itself. If the variables do not start with one of the product-defined global stems, the prefix GLVTEMPG gets added before var.

Note: The global stem prefixes recognized by CA OPS/MVS are GLOBAL, GLOBALx, or GLVTEMPx.

For example:

OPSVALUE(MYVAR): Checks using resource name OP$MVS.OPSGLOBAL.GLVTEMPG.MYVAR for READ access
OPSVALUE(GLOBAL.1): Checks using resource name OP$MVS.OPSGLOBAL.GLOBAL.1 for READ access
OPSSETV(MYVAR ('1')): Checks using resource name OP$MVS.OPSGLOBAL.GLVTEMPG.MYVAR for UPDATE access

**table

Most simple SQL statements have only one table reference. In those cases, SQLTBL contains that table name and checks only that one resource.

More complex SQL statements (such as joins and subselect clauses) can reference more than one table. In those cases, SQLTBL treats each table as a separate resource with potentially its own access requirements. A separate SAF call initiates for each table referenced.

For example:

Address SQL select name from table: Checks using resource name OP$MVS.SQL.TABLE for READ access.
Address insert into t1 select * from t2: Checks resource name OP$MVS.SQL.T1 for UPDATE, and then verifies OP$MVS.SQL.T2 for READ access.

Note: The utility DEFSAF eliminates the need to remember group names. If you use these SAF group names outside of DEFSAF, be sure to use the correct group name when adding user IDs to groups.

The facilities are divided into the following three types:

Facilities containing a single READ group
For example: OPSBRW
Facilities containing a single UPDATE group
For example: OPSAP
Facilities containing two groups – one for READ and one for UPDATE. In this case, the READ group has an appended R
For example: OPSAOFR

Command or Function (subcommand verb)	Description	SAF Access	SAF Resource Name	Group Name	Facility Name (for DEFSAF)
address AOF (INDEX, LISTINST, LIST, LISTSRC, LISTCOMP)	Access AOF (Rule or Rule sets)	Read	OP$MVS.OPSAOF	OPSAOFR	OPSAOF
address AOF (SETAUTO, DISABLE, ENABLE, COMPILE, DELCOMP, RESETAUTO)	Modify AOF (Rule or Rule sets)	Update	OP$MVS.OPSAOF	OPSAOF	OPSAOF
address AP (all verbs)	All OPS-AP Interface commands	Update	OP$MVS.AP	OPSAP	OPSAP
OPSLOG() function (all verbs)	Retrieve information from OPSLOG	Read	OP$MVS.OPSBRW	OPSBRW	OPSBRW
address OPER (all verbs)	Issuing z/OS commands	Update	OP$MVS.OPSCMD	OPSCMD	OPSCMD
address TSO OPSCMD (all verbs)	Issuing z/OS commands	Update	OP$MVS.OPSCMD	?OPSCMD?	OPSCMD
address OPSCTL COF (LIST)	Access COF components	Read	OP$MVS.OPSCTL.COF	OPSCTCFR	OPSCTCOF
address OPSCTL COF (ACTIVATE, DEACTIVATE, DEFINE, DELETE)	Modify COF components	Update	OP$MVS.OPSCTL.COF	OPSCTCOF	OPSCTCOF
address OPSCTL ECF (all verbs)	Access ECF components	Read	OP$MVS.OPSCTL.ECF	OPSCTECF	OPSCTECF
address OPSCTL MSF (LIST)	Access MSF components	Read	OP$MVS.OPSCTL.MSF	OPSCTMSR	OPSCTMSF
address OPSCTL MSF (ACTIVATE, DEACTIVATE, DEFAULT, DEFINE, DELETE, START, STOP)	Modify MSF operations	Update	OP$MVS.OPSCTL.MSF	OPSCTMSF	OPSCTMSF
address OPSCTL OPSLOG (LIST)	Access OPSLOG management and control	Read	OP$MVS.OPSCTL.OPSLOG	OPSCTLGR	OPSCTLOG
address OPSCTL OPSLOG (ACTIVATE, DEACTIVATE, DEFINE, DELETE, RESET, SETLIVE)	Modify OPSLOG management and control	Update	OP$MVS.OPSCTL.OPSLOG	OPSCTLOG	OPSCTLOG
address OPSCTL OSF (EXECSTATS, QUEUE, LIST)	Access OSF components	Read	OP$MVS.OPSCTL.OSF	OPSCTOSR	OPSCTOSF
address OPSCTL OSF (RESETQ, STOP)	Modify OSF components	Update	OP$MVS.OPSCTL.OSF	OPSCTOSF	OPSCTOSF
address TSO OPSDOM or OPSDOM()	Deleting an Operator Message	Update	OP$MVS.OPSDOM	OPSDOM	OPSDOM
address EPI (all verbs)	Using External Product Interface	Update	OP$MVS.OPSEPI	OPSEPI	OPSEPI
OPSVALUE() function (O, E, F, I, J, K, L, N, O, S, T)	Access global variables	Read	OP$MVS.OPSGLOBAL.var*	OPSGLOB	OPSGLOBAL
OPSVALUE() function (6, A. C, D, R, U, V)	Modify global variables	Update	OP$MVS.OPSGLOBAL.var*	OPSGLOBR	OPSGLOBAL
OPSHFI function or command processor (all verbs)	Access global variables from a VSAM data set	Update	OP$MVS.OPSHFI	OPSHFI	OPSHFI
OPSLOG API	Access OPSLOG using OPSLOG API	Read	OP$MVS.OPSLOG	OPSLOG	OPSLOG
OPSPARM() function (SHOW)	Accessing CA OPS/MVS parameters	Read	OP$MVS.OPSPARM	OPSPAR	OPSPARM
OPSPARM() function (SET)	Modifying CA OPS/MVS parameters	Update	OP$MVS.OPSPARM	OPSPARM	OPSPARM
address TSO OPSREPLY (all verbs)	Reply to WTORs	Update	OP$MVS.OPSREPLY	OPSREP	OPSREP
address TSO OPSREQ (all verbs)	Invoke AOF request (REQ) rules	Update	OP$MVS.OPSREQ	OPSREQ	OPSREQ
address TSO OPSRMT (all verbs)	Send commands to remote OPS	Update	OP$MVS.OPSRMT	OPSRMT	OPSRMT
address OSF (all verbs)	Send command to an OSF server	Update	OP$MVS.OPSOSF.OSF	OPSOSF	OPSOSF
address OSFTSL (all verbs)	Send command to OSFTSL server	Update	OP$MVS.OPSOSF.OSFTSL	OPSOSTSL	OPSOSTSL
address OSFTSP (all verbs)	Send command to OSFTSP server	Update	OP$MVS.OPSOSF.OSFTSP	OPSOSTSP	OPSOSTSP
OPSSMTBL() function (LIST)	Accessing STATEMAN definitions	Read	OP$MVS.OPSSMTBL	OPSSSMR	OPSSSM
OPSSMTBL() function (ADD, CHANGE, DELETE, POST)	Modifying STATEMAN definitions	Update	OP$MVS.OPSSMTBL	OPSSSM	OPSSSM
address SOF (QUERY)	SOF commands	Read	OP$MVS.SOF	OPSSOFR	OPSSOF
address SOF (COMMAND, FIND, LOG, READ, WRITE, DELETE, TERM, TERMINATE)	SOF commands	Update	OP$MVS.SOF	OPSSOF	OPSSOF
address SQL or OPSSQL function (SELECT, DECLARE, OPEN, FETCH, CLOSE)	Accessing SQL tables	Read	OP$MVS.SQL.table**	OPSSQLR	OPSSQL
address SQL or OPSSQL function (CREATE, INSERT, UPDATE, DELETE, DROP, ADD)	Modifying SQL tables	Update	OP$MVS.SQL.table**	OPSSQL	OPSSQL
SUBSYSTEM data set OPEN Request	Allocate OPSS SUBSYS data set	Update	OP$MVS.SUBSYSDSN	OPSSUB	OPSSUB
address USS or OPSUSS() function (all verbs)	All UNIX System Services	Update	OP$MVS.USS	OPSUSS	OPSUSS
OPSVIEW command	Access ISPF interface	Read	OP$MVS.OPSVIEW	OPSVW	OPSVIEW
address WTO (all verbs)	Send a WTO	Update	OP$MVS.OPSWTO	OPSWTO	OPSWTO
OPSWTO command(all verbs)	Send a WTO	Update	OP$MVS.OPSWTO	OPSWTO	OPSWTO

Tell Technical Publications how we can improve this information