Securing the RMGR environment


The Recovery Manager functions and utilities require authorization for many functions. To establish the proper authorizations, perform the following steps:

  1. Ensure that the RECOVERY MANAGER for IMS load library (hlq.DBULIB or hlq.IMLIB) is APF authorized.
  2. Add entries to the AUTHPGM section of the IKJTSOxx member of PARMLIB (the TSO authorized program list) to authorize the IRMAUTH program and the IRMAPI10 program for RMGR.
  3. If your organization uses program-pathing to the IMS DBRC DSPURX00 module, ensure that the RMGR started task or job is allowed access to DSPURX00.Program-pathing is described in the RACF documentation as 'Protecting Load Modules as Controlled Programs.'
  4. If your facility uses an Computer Technologies CA-ACF2 command-limiting table, ensure that the IRMIMAN program is added to the table.
  5. If you have the APPLICATION RESTART CONTROL for IMS (AR/CTL) product and you want to use the AR/CTL suspend-and-resume interface for automatic handling of BMPs during the Hold Point of Consistency function, make sure that the library that contains the RMGR CPU authorization password is included in the AESPAUTH DD concatenation in the JCL to start the BMC Consolidated Subsystem (BCSS).For more information, see the APPLICATION RESTART CONTROL Reference Manual.

    Note

    The single-RMGR configuration does not interface with AR/CTL. If you use the AR/CTL suspend-and-resume interface, you must continue to use a legacy configuration. For more information, see Understanding-RMGR-customization-and-configurations.

  6. Provide the RMGR started task with authority to update the repository data sets and the IMS RECON data sets.The RMGR started task requires the same authorization as DBRC.
  7. Provide the RMGR started task with authority to issue operating system commands.During startup, the started task internally issues the following z/OS system MODIFY command to capture tracing information for diagnostic purposes if required at a later time:

    F rmgrName,SNAP

    For more information, see Using-RMGR-enhanced-modify-commands.

  8. Make sure that the appropriate authority levels are set for the resources shown in the following table. Your standard security procedures are used to set these authority levels.Access to resources from the RMGR ISPF interface and batch jobs is controlled by the TSO user ID of the user. Access to resources from the RMGR started task or job is controlled by the specific task or job name.

    The RMGR started task or job requires the same authorization as DBRC.

    Warning

    If authorization is not set at levels specified in the following table, system 913 abends may occur in the RMGR started task or job or in the RMGR ISPF interface.


    Resource

    RMGR started task or job

    RMGR ISPF interface users

    RMGR repository

    Update

    Update

    Data sets listed on the IMS Environment panel (RESLIB, DBDLIB, PSBLIB, MDALIB, ACBLIB, and MODSTAT libraries)

    Read, fetch, or execute

    Read, fetch, or execute

    IMS archived log prefixes

    Read

    Not applicable

    IMS RECONs

    Update

    Read

    Repository backup GDG

    Create/update

    Not applicable

    JCL partitioned data set (JOBPDS) specified in the RMGR startup SYSIN, in profiles, or at initiation of the Create Recovery JCL function

    Update

    Update

    Log analysis summary file

    For a description of this file and how it is used, see the Backup and Recovery Products for IMS Recovery Manager User Guide.

    Create/update

    Read

    RMGR BMCPSWD library

    Read

    Read

    PFX libraries used by the BMC Fast Path Indexer/EP product

    Read, fetch, or execute

    Read, fetch, or execute

    Operator commands

    Issue

    Not applicable

    DBRC GENJCL commands

    Issue

    Not applicable

    Note

    If the RMGR repository is secured by your system authorization facility (such as RACF, CA-ACF2, or Computer Technologies CA-Top Secret) and you want to use the RMGR Recovery Extensions feature with the BMC Image Copy, Change Accumulation, and Recovery utilities, the utility job must have authority to update the RMGR repository.

  9. If you want to secure the IMS system commands that RMGR can issue through the IMS Command utility (program IRMICMD), implement system authorization facility (SAF) definitions as explained in Securing-the-RMGR-IMS-Command-utility.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*