Required authorizations
System symbolics
Infrastructure components make use of system symbolics to construct dynamically allocated data set names and to satisfy product requests.
The installation JCL for DBC, NGL, and LGC also uses system symbolics.
To enable the use of system symbolics in JCL, be sure that SYSSYM=ALLOW is set in the JOBCLASS definition in the SYS1.PARMLIB member where job classes are defined.
CIS started task user ID
The started task for CIS must have the following permissions and security:
- The user ID of the CIS started task needs at least the Read permission to the BPX.SERVER and BPX.DAEMON facility classes.
- The LOAD libraries in the CIS STEPLIB need to be added to Program Control by using NOPADCHK.
For example, RALTER PROGRAM * ADDMEM('CIS.LOADLIB'//NOPADCHK) UACC(READ).
- The user assigned to the started task must have an OMVS segment in its RACF profile, or an equivalent security product.
- The started task user ID automatically gains Read and Execute permissions to the runtime path identified as CIS_INSTALL_PATH (CISHOME) and all directories (or folders) such as /logs and /bmchfs.
Write permission must be added for updates to the /logs and /bmchfs folders.
Alternatively, customers can update hlq.BMCSAMP(CISTCENV) to separate /logs and /bmchfs folders to a different path with the Write permission.
DBC started task user ID
The started task for the DBC must have the following permissions and security. For more information about DBC, see Administering-BMC-Execution-Component-for-z-OS-DBC.
- DBC must meet the following UNIX requirements:
  - Write and execute access to the /tmp directory.
  - Update access to the FSACCESS (UNIX file system access check) resource class.
- DBC must be authorized to create an Extended MCS Console.
- READ authority for the RACF FACILITY class for the following resources:
  - BMC.DBC.*
  - BMC.DPR.*
  - BMC.LGC.* (if LGC is installed)
  - BMC.NGL.* (if NGL is installed)
- ALTER authority for the user data sets (that is, LOGSET files)
- ALTER authority for data sets beginning with the HLQ value in the DBCOPTS member located in the DBCENV data set specified in the DBC$STC PROC. This HLQ will be used to allocate VSAM and NON-VSAM data sets.
- READ and WRITE authority for the:
  - LGC product-specific registry data set (if LGC is installed)
  - NGL product-specific registry data set (if NGL is installed)
- An OMVS segment defined in the IBM RACF (normal user) security product or an equivalent security product
- When using BMC AMI Command Center object data collection, READ authority for:
  - db2cat.DSNDBD.DSNDB06.SYSTSTAB.I0001.A001
  - db2cat.DSNDBD.DSNDB06.SYSTSIXS.I0001.A001
  - db2cat.DSNDBD.DSNDB06.SYSUSER.I0001.A001
- When using Pool Advisor, READ authority for these subsystem data sets:
  - db2cat.DSNDBD.DSNDB06.SYSTSDBA.I0001.A001
  - db2cat.DSNDBD.DSNDB06.SYSTSTAB.I0001.A001
  - db2cat.DSNDBD.DSNDB06.SYSTSTSP.I0001.A001
  - db2cat.DSNDBD.DSNDB06.SYSTSIXS.I0001.A001
- READ authority for System Authorization Facility (SAF) class DSNR for:
  - db2ssid.BATCH
  - db2ssid.RRSAF
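The following batch TSO job is an added example, not BMC-supplied JCL. It grants the mandatory FACILITY, data set, and DSNR access listed above to the DBC started task with no universal access, then lists the resulting access lists for review. DBCSTC, DBCHLQ, DB2P, and the JOB card are placeholder assumptions; the optional LGC and NGL resources, the FSACCESS class, and the Extended MCS Console authorization are not covered.

```jcl
//DBCRACF  JOB (ACCT),'DBC STC ACCESS',CLASS=A,MSGCLASS=X
//* Added example, not BMC-supplied JCL. Placeholders to replace:
//*   DBCSTC = DBC started task user ID
//*   DBCHLQ = HLQ value from the DBCOPTS member
//*   DB2P   = Db2 subsystem ID (db2ssid)
//* Assumptions: the JOB card fits your site, generic profiles and
//* enhanced generic naming are active, the FACILITY and data set
//* profiles do not exist yet, and the DSNR profiles already exist.
//*
//* Step 1: define profiles with UACC(NONE), permit only DBCSTC,
//* then refresh the in-storage profiles so the changes take effect.
//GRANT    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE FACILITY BMC.DBC.* UACC(NONE)
 PERMIT BMC.DBC.* CLASS(FACILITY) ID(DBCSTC) ACCESS(READ)
 RDEFINE FACILITY BMC.DPR.* UACC(NONE)
 PERMIT BMC.DPR.* CLASS(FACILITY) ID(DBCSTC) ACCESS(READ)
 SETROPTS RACLIST(FACILITY) REFRESH
 ADDSD 'DBCHLQ.**' UACC(NONE)
 PERMIT 'DBCHLQ.**' ID(DBCSTC) ACCESS(ALTER)
 SETROPTS GENERIC(DATASET) REFRESH
 PERMIT DB2P.BATCH CLASS(DSNR) ID(DBCSTC) ACCESS(READ)
 PERMIT DB2P.RRSAF CLASS(DSNR) ID(DBCSTC) ACCESS(READ)
 SETROPTS RACLIST(DSNR) REFRESH
/*
//* Step 2: read-only listing of each access list and of the
//* OMVS segment, kept as evidence of what was granted.
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RLIST FACILITY BMC.DBC.* AUTHUSER
 RLIST FACILITY BMC.DPR.* AUTHUSER
 LISTDSD DATASET('DBCHLQ.**') AUTHUSER
 RLIST DSNR DB2P.BATCH AUTHUSER
 RLIST DSNR DB2P.RRSAF AUTHUSER
 LISTUSER DBCSTC OMVS NORACF
/*
```

In the VERIFY output, check that universal access on the new profiles is NONE and that the access lists contain no broader group entries than intended.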
NGLARCH started task user ID
The started task for the NGL must have the following permissions and security:
- ALTER authority for the HLQ for the user data sets (that is, LOGSET files)
- An OMVS segment defined in IBM RACF (normal user) or the equivalent in your security system
User ID
To use interface components of the products, the user ID must have:
- READ authority for the runtime data sets
- READ authority for the RACF FACILITY class for the following resources:
  - hlq.DBC.*
  - hlq.DPR.*
- An OMVS segment defined in the RACF (normal user) security product or an equivalent security product
- Execute access to the /tmp directory
Any user ID that issues operator commands to the DBC must have READ authority for the RACF FACILITY class for the following resource:
hlq.lpar.dbcgroup.prodCode.command.PF
The variables are defined as follows:
- hlq is the high-level qualifier of the resource name. The HLQ node defaults to BMC, but you can customize the value by using the <HLQ> option in the DBC SAF startup options.
- lpar is the MVS system name where DBC executes.
- dbcgroup is the name of the DBC. This name is specified in the execution parameters for the DBC started task. This name is also the XCF group name for the DBC.
- prodCode is the BMC product code of the product for which the resource is defined. This three-character code is specified in the INITPROD command used in product initialization.
- command is the name of the command.