Required authorizations

 

Authorizations are required for installing, configuring, and using the common components with BMC products.

Installation user ID

The user ID of the installer must have the following permissions and security settings:

  • ALTER authority for the following data sets:
    • BMC Installation System installation data sets
    • SMP/E global, target, and distribution data sets
    • Runtime data sets
    • User data sets
  • READ authority for the IBM Resource Access Control Facility (RACF) FACILITY class for the following resources:
    • BMC.DBC.*
    • BMC.DPR.*
    • BMC.LGC.* (if LGC is installed)
    • BMC.NGL.* (if NGL is installed)
  • USS SUPERUSER access
  • CONSOLE command authorization

System symbolics

Infrastructure components make use of system symbolics to construct dynamically allocated data set names and to satisfy product requests.

The installation JCL for DBC, NGL, and LGC also uses system symbolics.

To enable the use of system symbolics in JCL, be sure that SYSSYM=ALLOW is set in the JOBCLASS definition in the SYS1.PARMLIB member where job classes are defined.


DBC started task user ID

The started task for the DBC must have the following permissions and security settings. For more information about DBC, see Working with BMC Execution Component for z/OS (DBC).

  • DBC must meet the following UNIX requirements:
    • Write and execute access to the /tmp directory.
    • Update access to the FSACCESS (UNIX file system access check) resource class.
  • DBC must be authorized to create an Extended MCS Console.
  • READ authority for the RACF FACILITY class for the following resources:
    • BMC.DBC.*
    • BMC.DPR.*
    • BMC.LGC.* (if LGC is installed)
    • BMC.NGL.* (if NGL is installed)
  • ALTER authority for the user data sets (that is, LOGSET files)
  • ALTER authority for data sets beginning with the HLQ value in the DBCOPTS member located in the DBCENV data set specified in the DBC$STC PROC. This HLQ will be used to allocate VSAM and NON-VSAM data sets.
  • READ and WRITE authority for the following data sets:
    • LGC product-specific registry data set (if LGC is installed)
    • NGL product-specific registry data set (if NGL is installed)
  • An OMVS segment defined in the IBM RACF (normal user) security product or an equivalent security product
  • When using APPTUNE object data collection, READ authority for:
    • db2cat.DSNDBD.DSNDB06.SYSTSTAB.I0001.A001
    • db2cat.DSNDBD.DSNDB06.SYSTSIXS.I0001.A001
    • db2cat.DSNDBD.DSNDB06.SYSUSER.I0001.A001
  • When using Pool Advisor, READ authority for these subsystem data sets:
    • db2cat.DSNDBD.DSNDB06.SYSTSDBA.I0001.A001
    • db2cat.DSNDBD.DSNDB06.SYSTSTAB.I0001.A001
    • db2cat.DSNDBD.DSNDB06.SYSTSTSP.I0001.A001
    • db2cat.DSNDBD.DSNDB06.SYSTSIXS.I0001.A001
  • READ authority for System Authorization Facility (SAF) class DSNR for:
    • db2ssid.BATCH
    • db2ssid.RRSAF

NGLARCH started task user ID

The started task for the NGL must have the following permissions and security settings:

  • ALTER authority for the HLQ for the user data sets (that is, LOGSET files)
  • An OMVS segment defined in IBM RACF (normal user) or the equivalent in your security system

User ID

To use interface components of the products, the user ID must have:

  • READ authority for the runtime data sets
  • READ authority for the RACF FACILITY class for the following resources:
    • hlq.DBC.*
    • hlq.DPR.*
  • An OMVS segment defined in the RACF (normal user) security product or an equivalent security product
  • Execute access to the /tmp directory
  • Any user ID that issues operator commands to the DBC must have READ authority for the RACF FACILITY class for the following resource: hlq.lpar.dbcgroup.prodCode.command.PF
    The variables are defined as follows:
    • hlq is the high-level qualifier of the resource name. The HLQ node defaults to BMC, but you can customize the value by using the <HLQ> option in the DBC SAF startup options.
    • lpar is the MVS system name where DBC executes.
    • dbcgroup is the name of the DBC. This name is specified in the execution parameters for the DBC started task. This name is also the XCF group name for the DBC.
    • prodCode is the BMC product code of the product for which the resource is defined. This three-character code is specified in the INITPROD command used in product initialization.
    • command is the name of the command.

    Note

    If the resource rule for an operator command does not exist and the SAF security product returns RC=4, the operator command is allowed irrespective of the ALLOW_SAF_RC4 setting. Existing rules are then checked subject to the ALLOW_SAF_RC4 setting.

    If the resource rule for an operator command does exist, subsequent checks for existing rules are bypassed.

    You can use a wildcard for any of these nodes when you define a resource rule.
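
The FACILITY class requirements listed above for the DBC started task and for users who issue operator commands, written as RACF commands in a batch TSO job. This is an added example, not BMC-supplied JCL: the job card, the IDs DBCSTC and BMCOPS, and the node values SYSA and DBCGRP1 are constructed placeholders, and the job assumes the FACILITY class is active, enabled for generic profiles, and RACLISTed.

```jcl
//BMCSAF   JOB (ACCT),'BMC SAF RULES',CLASS=A,MSGCLASS=X
//*
//* Added example (not BMC-supplied). Constructed placeholders:
//*   DBCSTC  - user ID assigned to the DBC started task
//*   BMCOPS  - group whose members issue operator commands to DBC
//*   SYSA    - lpar node (MVS system name where DBC executes)
//*   DBCGRP1 - dbcgroup node (DBC name / XCF group name)
//*
//* Commands 1-4: READ for the started task on BMC.DBC.* and
//*   BMC.DPR.*. Repeat the pair for BMC.LGC.* and BMC.NGL.* only
//*   if LGC or NGL is installed.
//* Commands 5-6: one operator-command rule in the form
//*   hlq.lpar.dbcgroup.prodCode.command.PF, with wildcards in the
//*   prodCode and command nodes, READ for the operator group.
//* Command 7: refresh the in-storage FACILITY profiles.
//*
//* UACC(NONE) keeps every ID that is not explicitly permitted
//* from inheriting access through the default.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY BMC.DBC.* UACC(NONE)
  PERMIT BMC.DBC.* CLASS(FACILITY) ID(DBCSTC) ACCESS(READ)
  RDEFINE FACILITY BMC.DPR.* UACC(NONE)
  PERMIT BMC.DPR.* CLASS(FACILITY) ID(DBCSTC) ACCESS(READ)
  RDEFINE FACILITY BMC.SYSA.DBCGRP1.*.*.PF UACC(NONE)
  PERMIT BMC.SYSA.DBCGRP1.*.*.PF CLASS(FACILITY) ID(BMCOPS) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
```

With a covering profile defined, RACF answers the operator-command check with an explicit allow or deny instead of the RC=4 "no rule" result described in the note above.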
