

Add OMVS Segment to User IDs
When user IDs have an OMVS segment defined, they can issue any of the USS, TCP/IP, or CSM (Communications Storage Manager) commands.
Some USS commands, like UPROCESS, only display processes belonging to the USS UID and GID of a user.
To add an OMVS segment to user IDs, see the Security Requirement section in the HELPLIB member for the command.
Example: Help Command
Issue the following Help command to retrieve the security requirements for a specific USS, TCP/IP, or CSM command:
HELP UPROCESS
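The following commands show how an OMVS segment is typically added with RACF, as an added example that is not part of the CA SYSVIEW documentation. The user ID SVUSER1, its default group SVGRP, the UID and GID values, and the home directory and shell paths are all assumptions; substitute the values your site assigns. The commands are written as lines of a TSO CLIST so that comments can be included.

```clist
/* Added example (not from the CA SYSVIEW documentation): give user   */
/* SVUSER1 an OMVS segment so that it can issue USS, TCP/IP and CSM   */
/* commands. Names, UID/GID values and paths are assumptions.         */

/* The user's default group needs an OMVS segment (a GID) as well,    */
/* otherwise the user has no USS group identity and commands that    */
/* depend on the UID/GID pair (for example UPROCESS) misbehave.      */
ALTGROUP SVGRP OMVS(GID(500))

/* Assign a unique, non-zero UID. UID(0) would make the user a USS   */
/* superuser; the UNIXPRIV resources in the SAF Requirements below   */
/* grant what UPROCESS, UFILESYS and UKILL need without it.          */
ALTUSER SVUSER1 OMVS(UID(1234) HOME('/u/svuser1') PROGRAM('/bin/sh'))

/* Verify: the OMVS section of the listing must show the UID, HOME   */
/* and PROGRAM just set. NORACF suppresses the base segment output.  */
LISTUSER SVUSER1 OMVS NORACF
```

The home directory named in HOME must exist in the z/OS UNIX file system and be owned by the UID assigned here; create it with mkdir and chown from a superuser before the user first logs on, or the shell will start in the root directory.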
SAF Requirements
The following sections list SAF authorizations that are required for both the CA SYSVIEW address spaces and for individual user IDs. The SAF authorizations depend on what features and components are implemented at your site.
JESSPOOL Class
The JESSPOOL class is used to protect JES spool data from unauthorized access. If the JESSPOOL class is active in your external security product, the SYSLOG, OUTPUT, and JJCL commands make SAF calls in the JESSPOOL class for the resources shown.
- When permitted access to the SYSLOG command, all users require Read access to:
  jesnode.+MASTER+.SYSLOG.SYSTEM.sysname
- When selecting a job on spool, or issuing the OUTPUT command directly, all users require Read access to:
  jesnode.userid.jobname.jobid.jesdsname.ddname
- When selecting the execution JCL using the JJCL command, all users require Read access to:
  jesnode.userid.jobname.jobid.JCL
FACILITY Class
Access is required to the following FACILITY class resources so you can:
- Define MVS log streams
- Allow the dynamic install utility to APF authorize load libraries
- Permit access to various MQSeries Queue Managers
- Allow access to USS commands
LOGSTRM Class
The LOGSTRM class is used to secure access to MVS log streams.
- The CA SYSVIEW main address space requires UPDATE authority to write records to the log streams:
  log.stream.name
- The administrator, or user defining the CA SYSVIEW log streams, requires ALTER authority to change or alter the characteristics of the log stream:
  log.stream.name
- All users require READ authority to read data from the log stream:
  log.stream.name
OPERCMDS Class
The OPERCMDS class is used to secure access to MVS operator commands.
- The user requires UPDATE authority to issue the STOP command for any of the CA SYSVIEW started tasks:
  MVS.STOP.STC.**
- The user requires UPDATE authority to issue the START command for any of the CA SYSVIEW started tasks:
  MVS.START.STC.**
- The user requires UPDATE authority to issue the MODIFY command for any of the CA SYSVIEW started tasks:
  MVS.MODIFY.STC.**
- The user requires UPDATE authority to issue the MVS or XMVS command. Access to the appropriate resource in the OPERCMDS class is also checked:
  MVS.mvscommand.**
UNIXPRIV Class
The UNIXPRIV class is used to secure access to Unix System Services (USS) commands.
- Users require READ authority to see all USS processes from the UPROCESS display:
  SUPERUSER.PROCESS.GETPSENT
  Note: Use this resource in place of granting the user access to BPX.SUPERUSER in the FACILITY class, or having a default UID of 0. By default, you only see processes running with the same UID/GID as your user ID.
- Users that issue the UFILESYS command to view USS file systems require READ authority to the following resource; without it, the command produces security errors:
  SUPERUSER.FILESYS
  Note: Use this resource in place of granting the user access to BPX.SUPERUSER in the FACILITY class, or having a default UID of 0.
- Users require READ authority to use the UKILL command to terminate any USS process:
  SUPERUSER.PROCESS.KILL
  Note: Use this resource in place of granting the user access to BPX.SUPERUSER in the FACILITY class, or having a default UID of 0. By default, you can only kill USS processes owned by your UID/GID.
MQCONN Class
The MQCONN class is used to secure access to MQSeries connections.
- The CA SYSVIEW started task and individual user IDs require READ authority to the following resource to connect to WebSphere MQ:
  ssid.BATCH
MQQUEUE Class
The MQQUEUE class is used to secure access to MQSeries queues.
- The CA SYSVIEW started task and individual user IDs require UPDATE authority to issue commands to WebSphere MQ through the system command queue:
  ssid.SYSTEM.COMMAND.**
- The CA SYSVIEW started task and individual user IDs require UPDATE authority to create the temporary dynamic queues in which the queue manager puts replies to the display commands issued to the system command queue:
  ssid.SSID.**
MQCMDS Class
The MQCMDS class is used to secure access to MQSeries commands.
- The CA SYSVIEW started task and individual user IDs require READ authority to the following resource to issue display commands to WebSphere MQ:
  ssid.DISPLAY.**
SERVAUTH Class
The SERVAUTH class is used to secure access to TCP/IP stacks.
- This resource controls access to the TCP/IP stacks. The CA SYSVIEW started task and individual user IDs that require access to TCP/IP or CSM (Communications Storage Manager) commands need READ authority to it:
  EZB.STACKACCESS.**
- This resource controls access to the NETSTAT commands. The CA SYSVIEW started task and individual user IDs that require access to NETSTAT commands need READ authority to it:
  EZB.NETSTAT.**
- CSM commands use the Communications Server Network Management Interface to gather CSM data. READ authority to this resource is required for CSM monitoring or for issuing any CSM command. If the resource is not defined, superuser access, or access to BPX.SUPERUSER in the FACILITY class, is required instead:
  IST.NETMGMT.mvsname.SNAMGMT
  where mvsname represents the z/OS system name.
Note: Superuser authority is either a UID of 0 or READ access to the BPX.SUPERUSER entity of the FACILITY class.
Note: The VTAM start option SNAMGMT must be set to YES so that the ISTMGCEH subtask is attached to open the Network Management Interface.
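The following commands show how the UNIXPRIV resources (the scoped alternative to BPX.SUPERUSER or UID 0 described above) and the SERVAUTH resources for stack access, NETSTAT and the CSM network management interface are defined and permitted with RACF. This is an added example, not part of the CA SYSVIEW documentation. The user group SVGRP, the operator group SVOPER, the started task user ID SYSVSTC and the system name SYSA are assumptions; the resource names are the ones listed in this topic. The commands are written as lines of a TSO CLIST so that comments can be included.

```clist
/* Added example (not from the CA SYSVIEW documentation): define the */
/* UNIXPRIV and SERVAUTH resources from this topic and permit CA     */
/* SYSVIEW users to them. SVGRP, SVOPER, SYSVSTC and SYSA are       */
/* assumed names.                                                    */

/* Both classes must be active. UNIXPRIV is only honoured when it is */
/* RACLISTed, so activate and RACLIST in one step. GENERIC allows    */
/* the ** profiles below to be treated as generic profiles.          */
SETROPTS CLASSACT(UNIXPRIV SERVAUTH) RACLIST(UNIXPRIV SERVAUTH)
SETROPTS GENERIC(UNIXPRIV SERVAUTH)

/* UNIXPRIV: scoped rights instead of BPX.SUPERUSER or UID(0).       */
/* UACC(NONE) so that only explicitly permitted IDs get the right.   */
RDEFINE UNIXPRIV SUPERUSER.PROCESS.GETPSENT UACC(NONE)
RDEFINE UNIXPRIV SUPERUSER.FILESYS UACC(NONE)
RDEFINE UNIXPRIV SUPERUSER.PROCESS.KILL UACC(NONE)

/* Everyone in SVGRP may see all processes (UPROCESS) and file       */
/* systems (UFILESYS); only the operator group may terminate any     */
/* process (UKILL), which is the most disruptive of the three.       */
PERMIT SUPERUSER.PROCESS.GETPSENT CLASS(UNIXPRIV) ID(SVGRP) ACCESS(READ)
PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ID(SVGRP) ACCESS(READ)
PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) ID(SVOPER) ACCESS(READ)

/* SERVAUTH: the started task user needs these as well as the users. */
RDEFINE SERVAUTH EZB.STACKACCESS.** UACC(NONE)
RDEFINE SERVAUTH EZB.NETSTAT.** UACC(NONE)
RDEFINE SERVAUTH IST.NETMGMT.SYSA.SNAMGMT UACC(NONE)
PERMIT EZB.STACKACCESS.** CLASS(SERVAUTH) ID(SYSVSTC SVGRP) ACCESS(READ)
PERMIT EZB.NETSTAT.** CLASS(SERVAUTH) ID(SYSVSTC SVGRP) ACCESS(READ)
PERMIT IST.NETMGMT.SYSA.SNAMGMT CLASS(SERVAUTH) ID(SYSVSTC SVGRP) ACCESS(READ)

/* Profile changes take effect only after the in-storage copies of   */
/* the RACLISTed classes are refreshed.                              */
SETROPTS RACLIST(UNIXPRIV SERVAUTH) REFRESH

/* Verify: AUTHUSER shows the access list. Confirm that UACC is NONE */
/* and that only the intended groups appear with READ.               */
RLIST UNIXPRIV SUPERUSER.PROCESS.KILL AUTHUSER
RLIST SERVAUTH IST.NETMGMT.SYSA.SNAMGMT AUTHUSER
```

The same RDEFINE, PERMIT and SETROPTS RACLIST REFRESH sequence applies to the OPERCMDS, MQCONN, MQQUEUE and MQCMDS resources listed earlier in this topic, with the class name and access level (READ or UPDATE) taken from the corresponding section. For the CSM resource to be usable, the VTAM SNAMGMT start option must also be YES, which can be checked from the console with D NET,VTAMOPTS,OPTION=SNAMGMT.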
Copyright © 2013 CA.
All rights reserved.
 