Securing the RMGR environment
Many of the Recovery Manager (RMGR) functions and utilities require authorization. To establish the proper authorizations, perform the following steps:
- Ensure that the RECOVERY MANAGER for IMS load library (hlq.DBULIB or hlq.IMLIB) is APF authorized.
- Add entries to the AUTHPGM section of the IKJTSOxx member of PARMLIB (the TSO authorized program list) to authorize the IRMAUTH program and the IRMAPI10 program for RMGR.
- If your organization uses program-pathing to the IMS DBRC DSPURX00 module, ensure that the RMGR started task or job is allowed access to DSPURX00. Program-pathing is described in the RACF documentation as 'Protecting Load Modules as Controlled Programs.'
- If your facility uses a Computer Technologies CA-ACF2 command-limiting table, ensure that the IRMIMAN program is added to the table.
- If you have the APPLICATION RESTART CONTROL for IMS (AR/CTL) product and you want to use the AR/CTL suspend-and-resume interface for automatic handling of BMPs during the Hold Point of Consistency function, make sure that the library that contains the RMGR CPU authorization password is included in the AESPAUTH DD concatenation in the JCL to start the BMC Consolidated Subsystem (BCSS). For more information, see the APPLICATION RESTART CONTROL Reference Manual.
- Provide the RMGR started task with authority to update the repository data sets and the IMS RECON data sets. The RMGR started task requires the same authorization as DBRC.
- Provide the RMGR started task with authority to issue operating system commands. During startup, the started task internally issues the following z/OS system MODIFY command to capture tracing information for diagnostic purposes if required at a later time:
  F rmgrName,SNAP
  For more information, see Using RMGR enhanced modify commands.
- Make sure that the appropriate authority levels are set for the resources shown in the following table. Your standard security procedures are used to set these authority levels. Access to resources from the RMGR ISPF interface and batch jobs is controlled by the TSO user ID of the user. Access to resources from the RMGR started task or job is controlled by the specific task or job name.
The RMGR started task or job requires the same authorization as DBRC.
| Resource | RMGR started task or job | RMGR ISPF interface users |
|---|---|---|
| RMGR repository | Update | Update |
| Data sets listed on the IMS Environment panel (RESLIB, DBDLIB, PSBLIB, MDALIB, ACBLIB, and MODSTAT libraries) | Read, fetch, or execute | Read, fetch, or execute |
| IMS archived log prefixes | Read | Not applicable |
| IMS RECONs | Update | Read |
| Repository backup GDG | Create/update | Not applicable |
| JCL partitioned data set (JOBPDS) specified in the RMGR startup SYSIN, in profiles, or at initiation of the Create Recovery JCL function | Update | Update |
| Log analysis summary file. For a description of this file and how it is used, see the Backup and Recovery Products for IMS Recovery Manager User Guide. | Create/update | Read |
| RMGR BMCPSWD library | Read | Read |
| PFX libraries used by the BMC Fast Path Indexer/EP product | Read, fetch, or execute | Read, fetch, or execute |
| Operator commands | Issue | Not applicable |
| DBRC GENJCL commands | Issue | Not applicable |
- If you want to secure the IMS system commands that RMGR can issue through the IMS Command utility (program IRMICMD), implement system authorization facility (SAF) definitions as explained in Securing the RMGR IMS Command utility.
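
The data set rows of the authority-level table can be checked against what a task or user group actually holds. The following Python sketch is an added example, not part of the product or its documentation: it flags access that is missing or exceeds what the table calls for. The mapping of the table's wording onto RACF access levels, the shortened row names, and the sample grants are all assumptions of this example.

```python
# RACF access levels in ascending order of authority.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Table rows as resource -> (started task or job, ISPF users). Assumed mapping:
# "Read, fetch, or execute" -> READ, "Create/update" -> ALTER,
# "Not applicable" -> NONE. Row names are shortened labels.
REQUIRED = {
    "RMGR repository": ("UPDATE", "UPDATE"),
    "IMS Environment panel libraries": ("READ", "READ"),
    "IMS archived log prefixes": ("READ", "NONE"),
    "IMS RECONs": ("UPDATE", "READ"),
    "Repository backup GDG": ("ALTER", "NONE"),
    "JOBPDS": ("UPDATE", "UPDATE"),
    "Log analysis summary file": ("ALTER", "READ"),
    "RMGR BMCPSWD library": ("READ", "READ"),
    "PFX libraries": ("READ", "READ"),
}
# Rows where the table accepts execute-only access in place of read.
EXECUTE_OK = {"IMS Environment panel libraries", "PFX libraries"}

def audit(granted, role):
    """Return (resource, finding, required, actual) per mismatch for role
    "stc" or "ispf"; a resource absent from granted counts as NONE."""
    col = {"stc": 0, "ispf": 1}[role]
    findings = []
    for resource, need in REQUIRED.items():
        want = need[col]
        have = granted.get(resource, "NONE").upper()
        if have == "EXECUTE" and want == "READ" and resource in EXECUTE_OK:
            continue
        gap = LEVELS.index(have) - LEVELS.index(want)  # ValueError on unknown level
        if gap:
            findings.append((resource, "MISSING" if gap < 0 else "EXCESS", want, have))
    return findings

# Constructed sample: access held by a hypothetical ISPF user group.
SAMPLE_ISPF = {
    "RMGR repository": "UPDATE",
    "IMS Environment panel libraries": "EXECUTE",
    "IMS archived log prefixes": "READ",   # table says not applicable
    "IMS RECONs": "UPDATE",                # table says read only
    "JOBPDS": "UPDATE",
    "Log analysis summary file": "READ",
    "PFX libraries": "READ",
}                                          # BMCPSWD library not granted

if __name__ == "__main__":
    for finding in audit(SAMPLE_ISPF, "ispf"):
        print(*finding, sep=" | ")
```

The "Issue" rows (operator commands and DBRC GENJCL commands) are command authorities rather than data set access and are left out of this check.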