IMS product configuration


During product installations, you are prompted to define the UIM and ADV server address spaces.

Files in the UIM server address space determine server configuration for IMS products. One of those files (XMLConfigurationFile member ICO$DHSP) is an XML configuration file that is used to implement access controls. This file is downloaded to the UIM server configuration partitioned data set (default data set name hlq.CONFIG) on the mainframe.

If you use the default configuration, no configuration changes are required. To protect the access control policy from unauthorized changes, you must secure update access to the XML configuration file so that the defined resource names cannot be substituted.

The following figure shows an excerpt from the XML configuration file (member ICO$DHSP, DLI$DHSP, or BRI$DHSP) that maps each rule to the access controls that are defined in SAF.

<rule name="SDBA_IMSDB_ENV" resource="BBM.SDBA.IMSDB.%RECON_NAME%.ENV" class="FACILITY" />
<rule name="SDBA_IMSDB_SCD" resource="BBM.SDBA.IMSDB.%RECON_NAME%.SCD" class="FACILITY" />
<rule name="SDBA_IMSDB_SVL" resource="BBM.SDBA.IMSDB.%RECON_NAME%.SVL" class="FACILITY" />

When a user attempts to perform a certain function or access a particular IMS RECON, the information in the XML configuration file is validated against the resources that are defined in the security profile and the access rules that are assigned to the user. Therefore, it is important to use the IMSPLEX name that is used by SAF (specified in the IMSPLEX name that used by (SAF) field of the IMSPLEX window) as the IMS RECON name in the SAF resource definitions.

The following table shows the access control rules that are defined for the IMS system resources, their default class, and the resource or function to which each rule controls access.

For the access level, BMC AMI Database Advisor for IMS simply checks for READ access or above to any of the facility classes to grant permission. 

| Rule name | Default Facility Class | Controls access to |
|---|---|---|
| SDBA_IMSDB_DBG | BBM.SDBA.IMSDB.%RECON_NAME%.DBG | All DBGroups in this recon |
| SDBA_IMSDB_ENV | BBM.SDBA.IMSDB.%RECON_NAME%.ENV | All functions for objects in this recon |
| SDBA_IMSDB_SCD | BBM.SDBA.IMSDB.%RECON_NAME%.SCD | Edit scheduled tasks |
| SDBA_IMSDB_SVL | BBM.SDBA.IMSDB.%RECON_NAME%.SVL | Edit environmental parameters |
| SDBA_IMSDB_SPL | BBM.SDBA.IMSDB.%FUNCTION%.SPL | (unused) |
| SDBA_IMSDB_SUB | BBM.SDBA.IMSDB.%RECON_NAME%.SUB | Submit generated JCL |
| SDBA_CATMAN_CATVIEW | BBM.SDBA.CATMAN.%IMSPLEX_NAME%.CATVIEW | Catalog Viewer |
| SDBA_CATMAN_IMSCMD | BBM.SDBA.CATMAN.%IMSPLEX_NAME%.IMSCMD | IMS Commands function |
| SDBA_CATMAN_SPUFI | BBM.SDBA.CATMAN.%IMSPLEX_NAME%.SPUFI | “SPUFI” Ad hoc SQL processor |
| SDBA_GLOBAL_IMS | BBM.SDBA.GLOBAL.IMS | Global access to the web-based advisor GUI |
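One way to check the XML configuration file for substituted resource names or classes, as an added example that is not BMC's code: it compares each rule element against the default names in the table above. The <rules> wrapper element, the function name audit_rules, and the sample input are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Baseline taken from the rule table on this page: rule name -> default resource.
BASELINE = {
    "SDBA_IMSDB_DBG": "BBM.SDBA.IMSDB.%RECON_NAME%.DBG",
    "SDBA_IMSDB_ENV": "BBM.SDBA.IMSDB.%RECON_NAME%.ENV",
    "SDBA_IMSDB_SCD": "BBM.SDBA.IMSDB.%RECON_NAME%.SCD",
    "SDBA_IMSDB_SVL": "BBM.SDBA.IMSDB.%RECON_NAME%.SVL",
    "SDBA_IMSDB_SPL": "BBM.SDBA.IMSDB.%FUNCTION%.SPL",
    "SDBA_IMSDB_SUB": "BBM.SDBA.IMSDB.%RECON_NAME%.SUB",
    "SDBA_CATMAN_CATVIEW": "BBM.SDBA.CATMAN.%IMSPLEX_NAME%.CATVIEW",
    "SDBA_CATMAN_IMSCMD": "BBM.SDBA.CATMAN.%IMSPLEX_NAME%.IMSCMD",
    "SDBA_CATMAN_SPUFI": "BBM.SDBA.CATMAN.%IMSPLEX_NAME%.SPUFI",
    "SDBA_GLOBAL_IMS": "BBM.SDBA.GLOBAL.IMS",
}

def audit_rules(xml_text, baseline=BASELINE, expected_class="FACILITY"):
    """Return a sorted list of (rule name, problem) findings."""
    findings, seen = [], set()
    for rule in ET.fromstring(xml_text).iter("rule"):
        name = rule.get("name", "")
        resource, cls = rule.get("resource"), rule.get("class")
        if name in seen:
            findings.append((name, "duplicate rule"))
        seen.add(name)
        if name not in baseline:
            findings.append((name, "rule not in baseline"))
        elif resource != baseline[name]:
            findings.append((name, f"resource changed to {resource}"))
        if cls != expected_class:
            findings.append((name, f"class changed to {cls}"))
    findings += [(n, "rule missing") for n in baseline if n not in seen]
    return sorted(findings)

# Constructed sample: the <rules> wrapper is hypothetical, and the ENV and SVL
# rules have been altered to show what the check reports.
SAMPLE = """<rules>
<rule name="SDBA_IMSDB_ENV" resource="BBM.SDBA.IMSDB.%RECON_NAME%.DBG" class="FACILITY" />
<rule name="SDBA_IMSDB_SCD" resource="BBM.SDBA.IMSDB.%RECON_NAME%.SCD" class="FACILITY" />
<rule name="SDBA_IMSDB_SVL" resource="BBM.SDBA.IMSDB.%RECON_NAME%.SVL" class="DATASET" />
</rules>"""

if __name__ == "__main__":
    scope = {"SDBA_IMSDB_ENV", "SDBA_IMSDB_SCD", "SDBA_IMSDB_SVL"}
    for name, problem in audit_rules(SAMPLE, {k: BASELINE[k] for k in scope}):
        print(f"{name}: {problem}")
```

Run it against a copy of the configuration member after each maintenance window; an empty result means the rule-to-resource mapping still matches the documented defaults.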

The following figure shows sample RACF control statements to define IMSICMD resources that apply to a specified IMS system (IMSP).

RACF resource definitions for SDBACMD that apply to any IMS system

RDEFINE FACILITY BBM.SDBA.IMSDB.%RECON_NAME%.DBG UACC(NONE)
RDEFINE FACILITY BBM.SDBA.IMSDB.%RECON_NAME%.ENV UACC(NONE)
RDEFINE FACILITY BBM.SDBA.IMSDB.%RECON_NAME%.SCD UACC(NONE)
RDEFINE FACILITY BBM.SDBA.IMSDB.%RECON_NAME%.SVL UACC(NONE)
RDEFINE FACILITY BBM.SDBA.IMSDB.%RECON_NAME%.SUB UACC(NONE)
RDEFINE FACILITY BBM.SDBA.CATMAN.%IMSPLEX_NAME%.CATVIEW UACC(NONE)
RDEFINE FACILITY BBM.SDBA.CATMAN.%IMSPLEX_NAME%.IMSCMD UACC(NONE)
RDEFINE FACILITY BBM.SDBA.CATMAN.%IMSPLEX_NAME%.SPUFI UACC(NONE)
RDEFINE FACILITY BBM.SDBA.GLOBAL.IMS UACC(NONE)
PERMIT BBM.SDBA.IMSDB.%RECON_NAME%.DBG CLASS(FACILITY) ID(USER01) ACCESS(READ)
PERMIT BBM.SDBA.IMSDB.%RECON_NAME%.ENV CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.SDBA.IMSDB.%RECON_NAME%.SCD CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.SDBA.IMSDB.%RECON_NAME%.SVL CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.SDBA.IMSDB.%RECON_NAME%.SUB CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.SDBA.CATMAN.%IMSPLEX_NAME%.CATVIEW CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.SDBA.CATMAN.%IMSPLEX_NAME%.IMSCMD CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.SDBA.CATMAN.%IMSPLEX_NAME%.SPUFI CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.SDBA.GLOBAL.IMS CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)


 


BMC AMI Database Advisor for IMS 3.1