Abend-AID Viewer security requirements


This section describes the actions you must take if your site has an external security package installed. These actions are required even if you do not explicitly enable the Abend-AID Viewer external security interface by specifying the external security viewing server configuration parameters. The section describes granting authority for the following:

  • Viewing server
  • Viewing server access to Abend-AID data sets
  • MSDCCOPY procedure
  • Viewing access requirements
  • Application security (resource class="APPL") requirements
  • User access to Abend-AID data sets
  • User access to specific Abend-AID Viewer functions
  • BMC AMI Common Shared Services (CSS) security exit (CWASSECU).
Note

Refer to the Advanced-configuration for complete descriptions of the External_Security* viewing server parameters.

Granting authority to the viewing server

Each Abend-AID viewing server runs under a user ID that must be permitted to the Abend-AID data sets. The section below describes the authority you must grant to that user ID.

Specifying viewing server access to Abend-AID data sets

When you have defined a user ID for your Abend-AID viewing server, you must permit that user ID to access the Abend-AID data sets with the necessary authority. The minimum authorization that the Abend-AID viewing server requires for its data sets is shown in the following table:

Required viewing server authority for Abend-AID data sets

File                                                                  ddname          Authority
--------------------------------------------------------------------  --------------  ---------
Dump information file                                                 MFDDINFO        UPDATE
Dump information file backup (for the reorganization step in the      MFDDINFB        ALTER
  viewing server JCL)
IPCS directory                                                        IPCSDDIR        CONTROL
PDSM (persistent data) file                                           FDBDPDSM        UPDATE
Viewing server work file                                              FDBDWORK        UPDATE
Shared directory                                                      MFDCATLG        UPDATE
Report/transaction databases attached to the shared directory         n/a             UPDATE
Customization file                                                    FDBDCUST        UPDATE
Region dump data sets                                                 n/a             ALTER
Target sample library (SKAZSAMP)                                      SYSIN, SYSTSIN  READ
System DSECT file                                                     MSDDSECT        READ
User DSECT file                                                       MSDDUSER        READ
Abend-AID nonauthorized load library (SPAALOAD)                       FDBDRPL         READ
Abend-AID authorized load library (SPAAAUTH)                          STEPLIB         READ
Abend-AID Common Components nonauthorized load library (SKAZLOAD)     FDBDRPL         READ
Abend-AID Common Components authorized load library (SKAZAUTH)        STEPLIB         READ
Abend-AID for CICS nonauthorized load library (SKFXLOAD)              FDBDRPL         READ
Abend-AID for CICS authorized load library (SKFXAUTH)                 STEPLIB         READ
ECC nonauthorized load library (SLCXLOAD)                             FDBDRPL         READ
ECC authorized load library (SLCXAUTH)                                STEPLIB         READ
Source listing files/source listing shared directory                  MFDDXLSF        UPDATE
Source listing scratchpad data set                                    CWPDDIO         READ
TSO/ISPF viewing access CLIST data set                                FDBDCLST        READ
Program compiler listing data sets                                    MFDDLIST        READ
SYS1.PARMLIB                                                          n/a             READ
Abend-AID load library (SPAALODE)                                     n/a             READ
Custom load library (CUSTLOAD)                                        n/a             READ


Notes

  • The ddnames shown in this table refer to the ddnames specified for these files in the viewing server JCL.
  • Access to SYS1.PARMLIB and the IPCS directory is required only if your site plans to use IPCS support.
  • If you use VTAM viewing access and you specify NO for the EXTERNAL_SECURITY_ENABLED viewing server configuration parameter, the viewing server itself must have ALTER access to the print work files. The data set name prefix of the print work files is based on the value that you specify for the Print data set prefix for VTAM access user profile option. If this value is not specified, the user’s user ID is used as the data set prefix. The second node of the data set name is a literal, followed by a system-generated date and time stamp as the last two nodes.
  • The ECC authorized and nonauthorized load libraries are created during the Enterprise Common Components (ECC) SMP/E installation. Refer to the  Enterprise Common Components Installation and Configuration Guide for more information.
  • The //FDBDCLST DD statement is required for TSO/ISPF viewing access and the TSO/ISPF access-only facilities: links to the CSS utilities and File-AID, and the HOTKEY command.
  • We recommend defining the source listing files that are commonly accessed by many users to the viewing server via the //MFDDXLSF DD statement in your viewing server JCL.
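The following REXX exec is added here as a worked example; it is not BMC-supplied code. It issues the RACF commands that define a protected user ID for the viewing server, tie that ID to the server's started procedure through the STARTED class, and grant the access levels in the table above. The names AAVIEWER, STCGRP and AAVIEWR, the high-level qualifier ABENDAID for the site's Abend-AID files, the individual data set names under it, and the high-level qualifier BMCAA for the product load, DSECT and sample libraries are all assumptions; substitute your own. Compiler listing data sets (MFDDLIST) are site specific and are left out.

```rexx
/* REXX: define the Abend-AID viewing server identity and permit it to
   the data sets in the table above.  Added example for this page, not
   BMC-supplied code.  Assumed names (change to your standards):
     AAVIEWER  user ID the viewing server runs under
     STCGRP    default group for started-task user IDs
     AAVIEWR   member name of the viewing server started procedure
     ABENDAID  HLQ under which the site allocated its Abend-AID files
     BMCAA     HLQ of the product load, DSECT and sample libraries     */
address tso

/* identity: a protected user ID (no password, so nobody can log on
   with it) tied to the procedure name through the STARTED class      */
call racf "ADDGROUP ABENDAID SUPGROUP(SYS1) DATA('ABEND-AID FILES')"
call racf "ADDUSER AAVIEWER NAME('ABEND-AID VIEWING SERVER')",
          "DFLTGRP(STCGRP) OWNER(STCGRP) NOPASSWORD NOOIDCARD"
call racf "RDEFINE STARTED AAVIEWR.* STDATA(USER(AAVIEWER)",
          "GROUP(STCGRP) TRUSTED(NO) PRIVILEGED(NO))"
call racf "SETROPTS RACLIST(STARTED) REFRESH"

/* data sets: deny by default, then grant the table's levels.  Generic
   profiles are used so ADDSD does not insist the data set exists; the
   more specific profiles below override the catch-all for the same ID */
call racf "ADDSD 'ABENDAID.**' UACC(NONE) OWNER(ABENDAID)"
call racf "PERMIT 'ABENDAID.**' ID(AAVIEWER) ACCESS(UPDATE)"
    /* covers MFDDINFO, FDBDPDSM, FDBDWORK, MFDCATLG, FDBDCUST,
       MFDDXLSF and the report/transaction databases                  */
call racf "ADDSD 'ABENDAID.DDINFO.BACKUP.**' UACC(NONE)"    /* MFDDINFB */
call racf "PERMIT 'ABENDAID.DDINFO.BACKUP.**' ID(AAVIEWER) ACCESS(ALTER)"
call racf "ADDSD 'ABENDAID.DUMPS.**' UACC(NONE)"            /* region dumps */
call racf "PERMIT 'ABENDAID.DUMPS.**' ID(AAVIEWER) ACCESS(ALTER)"
call racf "ADDSD 'ABENDAID.IPCSDDIR.**' UACC(NONE)"         /* IPCS sites only */
call racf "PERMIT 'ABENDAID.IPCSDDIR.**' ID(AAVIEWER) ACCESS(CONTROL)"
call racf "ADDSD 'ABENDAID.SCRATCH.**' UACC(NONE)"          /* CWPDDIO */
call racf "PERMIT 'ABENDAID.SCRATCH.**' ID(AAVIEWER) ACCESS(READ)"
call racf "ADDSD 'ABENDAID.CLIST.**' UACC(NONE)"            /* FDBDCLST */
call racf "PERMIT 'ABENDAID.CLIST.**' ID(AAVIEWER) ACCESS(READ)"
call racf "ADDSD 'BMCAA.**' UACC(NONE)"                     /* STEPLIB, FDBDRPL */
call racf "PERMIT 'BMCAA.**' ID(AAVIEWER) ACCESS(READ)"
/* IPCS sites only: permit against the profile that already protects
   SYS1.PARMLIB (LISTDSD DA('SYS1.PARMLIB') GENERIC shows its name)   */
call racf "PERMIT 'SYS1.PARMLIB' ID(AAVIEWER) ACCESS(READ)"
call racf "SETROPTS GENERIC(DATASET) REFRESH"
exit 0

/* issue one RACF command under TSO and stop at the first failure      */
racf:
  parse arg cmd
  cmd
  if rc <> 0 then do; say 'RC' rc 'from:' cmd; exit rc; end
return
```

Run the exec from ISPF option 6 or a batch IKJEFT01 step under an ID with SPECIAL (or group-SPECIAL over the high-level qualifiers). Two RACF behaviours matter here: generic profiles let you define the rules before the data sets are allocated, and RACF applies only the most specific matching profile, so the ALTER and CONTROL profiles take precedence over the catch-all UPDATE profile, and a user ID later permitted to ABENDAID.** gains nothing on the more specific profiles unless it is permitted to them as well.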

IBM disassembler ASMADOP RACF requirements

Abend-AID uses the IBM disassembler ASMADOP module, which IBM provides as part of the High Level Assembler. This module is used to disassemble instructions at dump capture time and at view time. If your installation has protected the use of this module by defining a profile in the PROGRAM class for it, you need to give READ access to this program to any user who will run a job that abends and will need to create an Abend-AID report.

In addition, the user ID that is used for the TDCAS needs READ access to this profile when producing a report for a CICS transaction, and the Abend-AID Viewer needs READ access to this profile in order to use the DISASM command in the viewer. We recommend that the PROGRAM class entry for program ASMADOP have a UACC of READ.

Authorizing the MSDCCOPY Procedure

If you install the Abend-AID Viewer post-dump exit as described in the Advanced-configuration, you must associate the MSDCCOPY procedure name with a suitably authorized user.

Be aware that MSDCCOPY must have authority to create dump-copy data sets whose names are specified in the region dump capture profile options. For example, if MSDCCOPY is associated with user AAVIEWER and the region dump capture profiles specify that all copied dump data sets are copied to data sets beginning with the high-level qualifier SDUMP, then AAVIEWER must be granted authority to create ‘SDUMP.nnnn...’ data sets.

The MSDCCOPY procedure must have the access levels shown in the following table.

Required authority for the MSDCCOPY procedure

Data set                                                  Authority
--------------------------------------------------------  ---------
Dump data set                                             ALTER
Abend-AID nonauthorized load library (SPAALOAD)           UPDATE
Abend-AID authorized load library (SPAAAUTH)              READ
Abend-AID Viewer nonauthorized load library (SKAZLOAD)    READ
Abend-AID Viewer authorized load library (SKAZAUTH)       READ
Abend-AID for CICS nonauthorized load library (SKFXLOAD)  READ
Abend-AID for CICS authorized load library (SKFXAUTH)     READ
ECC nonauthorized load library (SLCXLOAD)                 READ
ECC authorized load library (SLCXAUTH)                    READ

Notes

  • You must also grant universal READ access to the customization file, as described in Specifying Access to the Customization File.
  • The ECC authorized and nonauthorized load libraries are created during the Enterprise Common Components (ECC) SMP/E installation. Refer to the Enterprise Common Components Installation and Configuration Guide for more information.
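The following REXX exec is an added example, not BMC-supplied code, covering the two points above: the ASMADOP PROGRAM class profile and the identity for the MSDCCOPY procedure. It assumes that ASMADOP lives in SYS1.SASMMOD1 (the default High Level Assembler target library; use your own if it was relocated), that MSDCCOPY runs under the same AAVIEWER user ID and STCGRP group used for the viewing server, that SDUMP is the high-level qualifier named in the region dump capture profiles, and that the product load libraries sit under the high-level qualifier BMCAA. It also relies on RLIST returning 0 when a profile exists and 4 when it does not.

```rexx
/* REXX: make ASMADOP usable by every caller and give the MSDCCOPY
   post-dump procedure an identity that may create dump copies.
   Added example for this page, not BMC-supplied code.  Assumed names:
     SYS1.SASMMOD1    HLASM target library holding ASMADOP
     AAVIEWER/STCGRP  user ID and group shared with the viewing server
     SDUMP            HLQ named in the region dump capture profiles
     BMCAA            HLQ of the product load libraries                */
address tso

/* PROGRAM class: abending jobs, the TDCAS user ID and the viewing
   server all need READ, so UACC(READ) on one profile serves them all.
   Widen an existing profile (RALTER) or define one (RDEFINE).        */
"RLIST PROGRAM ASMADOP"
if rc = 0 then
  call racf "RALTER PROGRAM ASMADOP UACC(READ)"
else
  call racf "RDEFINE PROGRAM ASMADOP",
            "ADDMEM('SYS1.SASMMOD1'//NOPADCHK) UACC(READ)"
call racf "SETROPTS WHEN(PROGRAM) REFRESH"

/* STARTED class: MSDCCOPY runs under the viewing server's user ID,
   which keeps one identity to permit and one to audit               */
call racf "RDEFINE STARTED MSDCCOPY.* STDATA(USER(AAVIEWER)",
          "GROUP(STCGRP) TRUSTED(NO) PRIVILEGED(NO))"
call racf "SETROPTS RACLIST(STARTED) REFRESH"

/* dump copies: the HLQ from the capture profile must be a RACF user
   or group before ADDSD will accept a profile under it              */
call racf "ADDGROUP SDUMP SUPGROUP(SYS1) DATA('ABEND-AID DUMP COPIES')"
call racf "ADDSD 'SDUMP.**' UACC(NONE) OWNER(SDUMP)"
call racf "PERMIT 'SDUMP.**' ID(AAVIEWER) ACCESS(ALTER)"  /* create, delete */

/* the nonauthorized load library needs UPDATE.  This more specific
   profile now governs SPAALOAD, so any ID that read the library via a
   broader profile (for example BMCAA.**) must be permitted here too  */
call racf "ADDSD 'BMCAA.SPAALOAD.**' UACC(NONE)"
call racf "PERMIT 'BMCAA.SPAALOAD.**' ID(AAVIEWER) ACCESS(UPDATE)"
call racf "SETROPTS GENERIC(DATASET) REFRESH"
exit 0

/* issue one RACF command under TSO and stop at the first failure     */
racf:
  parse arg cmd
  cmd
  if rc <> 0 then do; say 'RC' rc 'from:' cmd; exit rc; end
return
```

NOPADCHK is appropriate for ASMADOP because it is called from many environments; with PADCHK, RACF would also require every other program in the address space to be program controlled. Keep the UPDATE permit on the nonauthorized library as narrow as the table requires: an ID that can write to a library in the FDBDRPL concatenation can replace code that the viewing server loads.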

Viewing access requirements

Each viewing access method has different external security requirements. For each viewing access method supported at your site, complete the requirements described in the following sections.

TSO/ISPF requirements

TSO/ISPF users must be authorized to access certain Abend-AID Viewer data sets. The minimum authorization that the Abend-AID Viewer requires for its data sets is shown in Table 9, Required viewing server authority for Abend-AID data sets, above. TSO/ISPF authorization requirements differ from VTAM and CICS requirements because with TSO/ISPF access the Abend-AID Viewer data sets are opened in the user’s own TSO address space, under the user’s identity; with VTAM and CICS access they are opened in the viewing server’s address space, under the server’s identity.

For TSO/ISPF users, you must grant this authority, even if you specify NO for the EXTERNAL_SECURITY_ENABLED viewing server configuration parameter.

Notes

  • If you did not grant universal READ access to the customization file, as described in Specifying access to the customization file, you must grant READ authority to the file to each TSO/ISPF user ID.
  • Access to SYS1.PARMLIB and the IPCS directory is required only if your site plans to use IPCS support.
  • The ECC authorized and nonauthorized load libraries are created during the Enterprise Common Components (ECC) SMP/E installation. Refer to the  Enterprise Common Components Installation and Configuration Guide for more information.
  • If your site is using ACF2 as your external security, you must add Abend-AID Common Components program FDBSINIT to the security package’s command list table.
  • If your site secures the ISPF Command Table via an external security manager such as RACF, ACF2, or Top Secret, you must take appropriate steps to identify the command FDBSINIT to your external security manager.

VTAM requirements

If you specified YES for the EXTERNAL_SECURITY_ENABLED viewing server configuration parameter and you are using VTAM viewing access, each Abend-AID Viewer user must have the following:

  • A valid user ID and password to access the Abend-AID Viewer.
  • ALTER access to the print work files.

The data set name prefix of the print work files is based on the value that you specify for the Print data set prefix for VTAM and CICS access user profile option. If this value is not specified, the user’s user ID is used as the data set prefix. The second node of the data set name is the literal CICSAAFX, followed by a system-generated date and time stamp as the last two nodes.

Refer to the Advanced-configuration for more information about specifying the user profile.

CICS requirements

If you specified YES for the EXTERNAL_SECURITY_ENABLED viewing server configuration parameter and you are using CICS viewing access, each Abend-AID Viewer user must have the following:

  • A valid user ID and password to access the Abend-AID Viewer.
  • ALTER access to the print work files.

The data set name prefix of the print work files is based on the value that you specify for the Print data set prefix for VTAM and CICS access user profile option. If this value is not specified, the user’s user ID is used as the data set prefix. The second node of the data set name is the literal CICSAAFX, followed by a system-generated date and time stamp as the last two nodes.

Refer to the Advanced-configuration for more information about specifying the user profile.

Notes

  • Your site must be licensed for and have installed Abend-AID for CICS to use CICS viewing access.
  • Users who log onto CICS with CESN or CSSN are not required to re-specify their user ID and password when they access the Abend-AID Viewer.
  • If your users log onto CICS with a default CICS user ID, that ID is the only one used by Abend-AID for CICS, and it must have ALTER access to the print work files.

If you have restricted application security

If you have restricted application security (Resource class="APPL"), be aware that the Abend-AID Viewer uses the viewing server name, and not the LU 2 or LU 6.2 APPLID associated with the viewing server, when issuing the RACROUTE verification at user logon time. The viewing server name is specified on the EXEC statement in the server JCL, as described in Advanced-configuration. Therefore, if you want to use the VTAM APPLID for the RACROUTE verification at logon time, you need to make the viewing server name match the LU 2 or LU 6.2 APPLID.

Using the viewing server name results in the external security package verifying that the user has access to the viewing server name resource in the APPL resource class. If the user does not have access to this resource, the logon is rejected.

The Abend-AID Viewer uses the viewing server name instead of the APPLID to provide a consistent resource name, regardless of the user’s viewing environment.

Controlling user access to Abend-AID data sets

The sections below describe granting authority to users to the following Abend-AID data sets:

  • Region dump data sets
  • Report databases
  • Source listing files/source listing shared directories.

Specifying access to region dump data sets

If you specified REGION for the EXTERNAL_SECURITY_DATASET_CHECK viewing server configuration parameter, you must grant either specific, generic, or universal READ access for users to read region dump data sets.

To allow users to delete region dumps, you must permit ALTER access to the dump. To allow users to migrate a region dump, you must permit UPDATE access to the dump.

Note

You can also restrict the execution of specific Abend-AID Directory line commands. This facility is described in Batch Reports.

Specifying access to report/transaction databases

You can restrict user access to report/transaction databases on the data set level by doing both of the following:

  • Specifying TRAN for the EXTERNAL_SECURITY_DATASET_CHECK viewing server configuration parameter. Doing so causes the Abend-AID Viewer to check a user’s authority to access (that is, select, delete, lock and unlock) a batch dump when access is attempted. The authority is checked on the data set level — if a user has READ or UPDATE access to the report/transaction database, the user is allowed to access any dump in that database.
  • Writing rules for your external security package to allow only authorized users access to the databases.

To allow users to delete, lock, or unlock entries in the report/transaction databases using Abend-AID Directory facilities, you must permit UPDATE access to the report/transaction databases.

Specifying Access to Source Listing Files/Source Listing Shared Directories

You can restrict user access to source listing files/source listing shared directories on the data set level by doing both of the following:

  • Specifying SLS for the EXTERNAL_SECURITY_DATASET_CHECK viewing server configuration parameter. Doing so causes the Abend-AID Viewer to check a user’s authority to access (that is, select, delete, lock and unlock) a source listing file/source listing shared directory when access is attempted. The authority is checked on the data set level — if a user has READ or UPDATE access to the source listing file/source listing shared directory, the user is allowed to access any listing in that file.
  • Writing rules for your external security package to allow only authorized users access to the files.

To allow users to delete, lock, or unlock entries in the source listing files/source listing shared directories using the Abend-AID Viewer facilities, you must permit UPDATE access to the source listing files.

Note

You can use the BMC AMI Common Shared Services security exit (CWASSECU), as described in Using the CSS Security Exit (CWASSECU), to restrict access to individual listings within a source listing file/source listing shared directory.

Specifying access to the customization file

You can restrict users’ access to the customization file by specifying CUST for the EXTERNAL_SECURITY_DATASET_CHECK viewing server configuration parameter. Doing so causes the Abend-AID Viewer to check a user’s authority to delete server records from the customization file.

To allow records of inactive servers to be deleted, you must grant users UPDATE or greater access to the Customization file. Refer to the Advanced-configuration for more information.
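The following REXX exec is an added example, not BMC-supplied code. It writes the user-level data set rules that back the REGION, TRAN, SLS and CUST values of EXTERNAL_SECURITY_DATASET_CHECK, separating viewers from the few people allowed to delete, migrate, lock and unlock. The high-level qualifier ABENDAID and the data set names under it, the viewing server user ID AAVIEWER, and the groups AAUSERS and AAADMIN are assumptions. Omit the ADDSD lines for profiles you already defined when you set up the viewing server.

```rexx
/* REXX: user access to region dumps, report/transaction databases,
   source listing files and the customization file.  Added example for
   this page, not BMC-supplied code.  Assumed names:
     ABENDAID  HLQ of the site's Abend-AID files
     AAVIEWER  viewing server user ID (needs UPDATE on all of these)
     AAUSERS   everyone who may view dumps, reports and listings
     AAADMIN   the few who may delete, migrate, lock/unlock, clean up */
address tso
call racf "ADDGROUP AAUSERS SUPGROUP(SYS1) DATA('ABEND-AID VIEWERS')"
call racf "ADDGROUP AAADMIN SUPGROUP(SYS1) DATA('ABEND-AID ADMINS')"

/* REGION: READ opens a dump, UPDATE adds migrate, ALTER adds delete.
   Nothing in between is needed, so viewers get READ and nothing more */
call racf "ADDSD 'ABENDAID.DUMPS.**' UACC(NONE)"
call racf "PERMIT 'ABENDAID.DUMPS.**' ID(AAVIEWER AAADMIN) ACCESS(ALTER)"
call racf "PERMIT 'ABENDAID.DUMPS.**' ID(AAUSERS) ACCESS(READ)"

/* TRAN: the check is per data set, so READ on a database exposes every
   report in it.  Keep sensitive applications in their own database
   (or add DDIRxx function rules) rather than widening this profile.  */
call racf "ADDSD 'ABENDAID.DDIO.**' UACC(NONE)"
call racf "PERMIT 'ABENDAID.DDIO.**' ID(AAVIEWER AAADMIN) ACCESS(UPDATE)"
call racf "PERMIT 'ABENDAID.DDIO.**' ID(AAUSERS) ACCESS(READ)"

/* SLS: same shape for source listing files / shared directories       */
call racf "ADDSD 'ABENDAID.XLSF.**' UACC(NONE)"
call racf "PERMIT 'ABENDAID.XLSF.**' ID(AAVIEWER AAADMIN) ACCESS(UPDATE)"
call racf "PERMIT 'ABENDAID.XLSF.**' ID(AAUSERS) ACCESS(READ)"

/* CUST: universal READ is required anyway; only the deletion of
   inactive server records is checked, and that needs UPDATE          */
call racf "ADDSD 'ABENDAID.CUST.**' UACC(READ)"
call racf "PERMIT 'ABENDAID.CUST.**' ID(AAVIEWER AAADMIN) ACCESS(UPDATE)"
call racf "SETROPTS GENERIC(DATASET) REFRESH"

/* show the effective access list for one dump name as a check        */
"LISTDSD DATASET('ABENDAID.DUMPS.PRODSERV.D240101') GENERIC AUTHUSER"
exit 0

/* issue one RACF command under TSO and stop at the first failure     */
racf:
  parse arg cmd
  cmd
  if rc <> 0 then do; say 'RC' rc 'from:' cmd; exit rc; end
return
```

These profiles do double duty: TSO/ISPF users hit them directly because the data sets are opened in their own address space, while VTAM and CICS users are checked against them only when the matching EXTERNAL_SECURITY_DATASET_CHECK value is set, since otherwise the open happens under the viewing server's identity. The AAVIEWER permits are repeated on each more specific profile because a PERMIT on a broader profile such as ABENDAID.** does not carry over to them.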

PassTicket considerations

To log on with a RACF PassTicket, the application name used to generate the PassTicket must match the viewing server name, and the viewing server name must also be defined as a profile in the RACF PTKTDATA class.

When using PassTickets, specify YES for the EXTERNAL_SECURITY_ENABLED viewing server configuration parameter. The default is NO. Refer to the description in the Advanced-configuration for details about this parameter.
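The following REXX exec is an added example, not BMC-supplied code. It defines the two profiles that are keyed on the viewing server name, the APPL class profile checked at logon and the PTKTDATA profile used to validate PassTickets, so that one name satisfies both sections above. PRODSERV as the viewing server name, the group AAUSERS, the user ID PTGEN for the component that generates PassTickets, and the key value 0123456789ABCDEF are assumptions; the key in particular is a placeholder, and a production key should be random and preferably stored with KEYENCRYPTED under ICSF rather than KEYMASKED.

```rexx
/* REXX: protect viewing server logon in the APPL class and enable
   PassTicket logon, both keyed on the viewing server name because that
   is the name the Viewer presents on its RACROUTE verification.
   Added example for this page, not BMC-supplied code.  Assumed names:
     PRODSERV          viewing server name from the EXEC statement
     AAUSERS           group of Abend-AID Viewer users
     PTGEN             user ID that generates PassTickets for PRODSERV
     0123456789ABCDEF  placeholder key; generate a random 16-hex-digit
                       key (or use KEYENCRYPTED with ICSF) for real   */
address tso

/* APPL: once the class is active, an APPL profile with UACC(NONE)
   rejects every logon except those on its access list.  An active
   class with no matching profile imposes no restriction, so define a
   profile for each viewing server you want to fence off.             */
call racf "SETROPTS CLASSACT(APPL) RACLIST(APPL)"
call racf "RDEFINE APPL PRODSERV UACC(NONE) DATA('ABEND-AID VIEWER')"
call racf "PERMIT PRODSERV CLASS(APPL) ID(AAUSERS) ACCESS(READ)"
call racf "SETROPTS RACLIST(APPL) REFRESH"

/* PTKTDATA: the profile name must equal the application name used to
   generate the ticket, which for the Viewer is the server name.  The
   IRRPTAUTH profile limits who may generate tickets for PRODSERV;
   without it any caller of the generation service could mint them.   */
call racf "SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)"
call racf "RDEFINE PTKTDATA PRODSERV UACC(NONE)",
          "SSIGNON(KEYMASKED(0123456789ABCDEF))"
call racf "RDEFINE PTKTDATA IRRPTAUTH.PRODSERV.* UACC(NONE)"
call racf "PERMIT IRRPTAUTH.PRODSERV.* CLASS(PTKTDATA) ID(PTGEN)",
          "ACCESS(UPDATE)"
call racf "SETROPTS RACLIST(PTKTDATA) REFRESH"
exit 0

/* issue one RACF command under TSO and stop at the first failure     */
racf:
  parse arg cmd
  cmd
  if rc <> 0 then do; say 'RC' rc 'from:' cmd; exit rc; end
return
```

If the viewing server name and the APPL or PTKTDATA profile name drift apart (for example after a server is renamed), logons fail even though the user ID and password are valid, which is the symptom to look for first. PassTickets are single use and time limited by RACF, so a ticket replayed after the first logon is rejected regardless of these profiles.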

Controlling user access to specific functions

Note

The information in this section applies only if you specify the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter, which is described in the Advanced-configuration.

The Abend-AID Viewer checks for security rules at the points indicated by the EXTERNAL_SECURITY_FUNCTION_CHECK subparameters you specify. For example, if you specify the IMPORT subparameter, a user’s authorization to issue the IMPORT function is verified when the user attempts to import a region dump.

The Abend-AID Viewer uses the resource class you specify on the EXTERNAL_SECURITY_RESOURCE_CLASS viewing server configuration parameter to protect these functions. You must write rules for your external security package against the resource name generated by the Abend-AID Viewer to control access to these functions. The resource names generated by the Abend-AID Viewer for each of the function exit points are described in Function Descriptions.

Using the default resource class

By default, the Abend-AID Viewer uses data set class security to control access to Abend-AID Viewer functions, even though the functions are not data sets. Using data set class security means that you do not have to modify the Class Descriptor Table for your security package.

To accomplish this, the Abend-AID Viewer builds resource names that correspond to each function. If you use data set class security, use the resource names generated by the Abend-AID Viewer as pseudo-data set names for which you write external security rules, as if the resources being protected were data sets. These data sets do not exist, but the Abend-AID Viewer allows or denies user access to the functions they represent based on the rules you write for the pseudo-data sets.

Specifying a resource class

If you do not want to use a resource class of data set to restrict access to Abend-AID Viewer functions, specify the class you want to use on the EXTERNAL_SECURITY_RESOURCE_CLASS viewing server configuration parameter.

Resource names generated by the Abend-AID Viewer

Regardless of whether you use the default resource class, DATASET, or specify your own resource class, the Abend-AID Viewer uses the components listed below to generate resource names used to identify each Abend-AID function. Write rules for your external security package according to the resource class you specify.

The following are the components of each resource name generated by the Abend-AID Viewer:

  • prefix: The value specified for the EXTERNAL_SECURITY_PREFIX viewing server configuration parameter. The prefix specifies the high-level qualifier the Abend-AID Viewer uses to generate the resource names. You must write rules for your external security package against the resource names that the Abend-AID Viewer generates.
  • function: The Abend-AID Viewer function for which you are writing the security rule. Valid functions are described in Function Descriptions below.
  • server name: The name of the viewing server specified as a parameter on the EXEC statement of the viewing server JCL. See Task 7: Activate the Abend-AID viewing server in Abend-AID-viewer-configuration-tasks-new-installation or Abend-AID-viewer-configuration-tasks-upgrade for more information.

For example, to set up a security rule to check for authority to use the IMPORT function, using the prefix COMPWARE and the server name PRODSERV, you would write rules for the resource name:

COMPWARE.SERVER.IMPORT.PRODSERV


Note

The word SERVER as the second node in the resource name is a constant that must be specified as shown. This is a convention for most of the functions, so make sure that you include SERVER if it is shown in the resource name for a function.

Function descriptions

The sections below describe each of the Abend-AID Viewer functions that you can control using this method, and indicate the resource name for which you should write rules to restrict access to the function.

  • Logging onto the Abend-AID viewer

    Users are required to log onto the Abend-AID Viewer using a valid user ID and password if you specify YES for the EXTERNAL_SECURITY_ENABLED viewing server configuration parameter.

    The function value for the logon function is LOGON.FD.

    You must write the appropriate rules for your external security package, based on the following resource name Abend-AID Viewer generates for the logon function:

    prefix.SERVER.LOGON.FD.servername

    The minimum authority you must grant users for this function is READ.

    Note

    A rule for the logon function is required to enable any of the other external security parameters described below.

  • Accessing the online customization function
    To restrict access to the online customization function, you must specify the CUSTOM subparameter of the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter.

    The function value for the online customization function is LOGON.IC. You must write the appropriate rules for your external security package based on the following resource name the Abend-AID Viewer generates for the online customization function:

    prefix.SERVER.LOGON.IC.servername

    The minimum authority you must grant users for this function is READ.

  • Issuing Abend-AID directory line commands

    To control the line commands that users can issue on the Abend-AID Directory display, you must specify the DIRCMDS subparameter of the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter.

    You must also write the appropriate rules for your external security package, based on the resource names Abend-AID Viewer generates for the directory line commands function. Resource names are generated for transaction dumps and batch and region dumps, as described below.

  • Transaction reports

    Using this method, you can control access to specific entries (reports) in transaction databases without requiring data set-level access to the file. In addition to specifying the DIRCMDS subparameter for the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter, you must specify SAF for the EXTERNAL_SECURITY_DDIO_METHOD viewing server configuration parameter.

    The function value for dump directory line commands against transaction report entries is DDIRTx. Abend-AID Viewer generates the following resource names based on this function:

    prefix.DDIRTx.servername.applid_of_CICS_region.tranid_of_entry_in_directory

    where x is the one-character command identifier associated with the line command (for example, D for the Delete line command.)

    The minimum authority you must grant users for this function is READ.

  • Batch reports
    Using this method, you can control access to specific entries (reports) in report databases without requiring data set-level access to the file. In addition to specifying the DIRCMDS subparameter for the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter, you must specify SAF for the EXTERNAL_SECURITY_DDIO_METHOD viewing server configuration parameter.

    The function value for dump directory line commands against batch report entries is DDIRBx. The Abend-AID Viewer generates the following resource names based on this function:

    prefix.DDIRBx.servername.jobname_of_address_space_in_report

    where x is the one-character command identifier associated with the line command (for example, D for the Delete line command).

    The minimum authority you must grant users for this function is READ.

  • Region dumps
    Using this method, you can control access to specific entries (dumps) in dump databases without requiring data set-level access to the file. In addition to specifying the DIRCMDS subparameter for the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter, you must specify SAF for the EXTERNAL_SECURITY_DDIO_METHOD viewing server configuration parameter.

    The function value for dump directory line commands against region dump entries is DDIRSx. The Abend-AID Viewer generates the following resource names based on this function:

    prefix.DDIRSx.servername.jobname_of_address_space_in_dump

    where x is the one-character command identifier associated with the line command (for example, D for the Delete line command).

    Note

    The jobname_of_address_space_in_dump value is INFO if the Abend-AID Directory entry describes an INFO entry instead of a dump data set.

    The minimum authority you must grant users for this function is READ.

  • Importing region dumps

    To control user access to the IMPORT function, you must specify the IMPORT subparameter of the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter.

    The function value for the import function is IMPORT. You must write the appropriate rules for your external security package, based on the following resource name the Abend-AID Viewer generates for the import function:

    prefix.SERVER.IMPORT.servername

    The minimum authority you must grant users for this function is READ. In addition, users must have a minimum of READ access to the data set that they want to import.

  • Issuing IPCS commands against region dumps
    To control user access to the IPCS Command Facility function, you must specify the IPCS subparameter of the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter.

    The function value for the IPCS command facility is IPCSCMD. You must write the appropriate rules for your external security package, based on the following resource name the Abend-AID Viewer generates for the IPCS command facility function:

    prefix.SERVER.IPCSCMD.servername

    The minimum authority you must grant users for this function is READ.

  • Issuing the SHUTDOWN and LOGSPOOL commands
    To restrict access to the viewing server, BDCAS, or transaction dump capture address space SHUTDOWN command, you must specify the SHUTDOWN subparameter of the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter.

    To restrict access to the viewing server, BDCAS, or transaction dump capture address space LOGSPOOL command, you must specify the LOGSPOOL subparameter of the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter.

    Refer to the Advanced-configuration for a description of the SHUTDOWN and LOGSPOOL commands.

    The function value for the SHUTDOWN and LOGSPOOL commands is CONTROL. You must write the appropriate rules for your external security package, based on the following resource name the Abend-AID Viewer generates for this function:

    prefix.SERVER.CONTROL.servername

    The minimum authority you must grant users for this function is READ.

  • Invoking the REXX API

    To control user access to the Abend-AID Viewer REXX application program interface (API) function, you must specify the REXX subparameter of the EXTERNAL_SECURITY_FUNCTION_CHECK viewing server configuration parameter.

    The function value for the REXX API is REXXAPI. You must write the appropriate rules for your external security package, based on the following resource name the Abend-AID Viewer generates for the REXX API function:

    prefix.SERVER.REXXAPI.servername

    The minimum authority you must grant users for this function is READ.
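The following REXX exec is an added example, not BMC-supplied code. It writes DATASET class rules for every function resource name described above, using the prefix COMPWARE and server name PRODSERV from the page's own example, and shows how the generic characters in a DDIRxx profile separate "may select" from "may delete" without a rule per transaction. CICSPROD as a CICS APPLID, PAYR* as a family of batch job names, and the groups AAUSERS, AAADMIN, AASYSPRG, AAOPER, AACICS and PAYROLL are assumptions, as is enhanced generic naming (SETROPTS EGN) being active, which is what gives % and * their meaning below.

```rexx
/* REXX: rules for the function resource names the Viewer generates:
     prefix.SERVER.function.servername
     prefix.DDIRTx.servername.applid.tranid     (transaction reports)
     prefix.DDIRBx.servername.jobname           (batch reports)
     prefix.DDIRSx.servername.jobname|INFO      (region dumps)
   Added example for this page, not BMC-supplied code.  Assumed values:
     COMPWARE  EXTERNAL_SECURITY_PREFIX; in the DATASET class it must be
               1-8 characters and a RACF user or group
     PRODSERV  viewing server name
     CICSPROD  APPLID of a CICS region; PAYR* = payroll batch job names
     groups    AAUSERS AAADMIN AASYSPRG AAOPER AACICS PAYROLL          */
address tso
call racf "ADDGROUP COMPWARE SUPGROUP(SYS1) DATA('AA VIEWER FUNCTIONS')"

/* catch-all: a generated name with no profile of its own is denied,
   instead of depending on PROTECTALL or the caller's default        */
call racf "ADDSD 'COMPWARE.**' UACC(NONE) OWNER(COMPWARE)"

/* SERVER functions: one fully qualified generic profile each          */
fn.1 = 'LOGON.FD AAUSERS'     /* required before any other rule works */
fn.2 = 'LOGON.IC AAADMIN'     /* online customization                 */
fn.3 = 'IMPORT   AAADMIN'     /* importer also needs READ on the dump */
fn.4 = 'IPCSCMD  AASYSPRG'
fn.5 = 'CONTROL  AAOPER'      /* SHUTDOWN and LOGSPOOL                */
fn.6 = 'REXXAPI  AAUSERS'
do i = 1 to 6
  parse var fn.i func grp .
  res = "'COMPWARE.SERVER."func".PRODSERV'"
  call racf "ADDSD" res "GENERIC UACC(NONE)"
  call racf "PERMIT" res "ID("grp") ACCESS(READ)"
end

/* directory line commands (needs DIRCMDS and DDIO_METHOD=SAF).
   % matches one character, so DDIRT% covers every line-command letter;
   DDIRTD spelled out is more specific and therefore wins for Delete,
   so CICS users may select but only admins may delete.               */
call racf "ADDSD 'COMPWARE.DDIRT%.PRODSERV.CICSPROD.*' UACC(NONE)"
call racf "PERMIT 'COMPWARE.DDIRT%.PRODSERV.CICSPROD.*'",
          "ID(AACICS AAADMIN) ACCESS(READ)"
call racf "ADDSD 'COMPWARE.DDIRTD.PRODSERV.CICSPROD.*' UACC(NONE)"
call racf "PERMIT 'COMPWARE.DDIRTD.PRODSERV.CICSPROD.*'",
          "ID(AAADMIN) ACCESS(READ)"
/* batch reports are keyed on job name: PAYR* jobs to the payroll group */
call racf "ADDSD 'COMPWARE.DDIRB%.PRODSERV.PAYR*' UACC(NONE)"
call racf "PERMIT 'COMPWARE.DDIRB%.PRODSERV.PAYR*'",
          "ID(PAYROLL AAADMIN) ACCESS(READ)"
/* region dumps: INFO entries describe no dump, so everyone may list them */
call racf "ADDSD 'COMPWARE.DDIRS%.PRODSERV.INFO' UACC(READ)"
call racf "SETROPTS GENERIC(DATASET) REFRESH"
exit 0

/* issue one RACF command under TSO and stop at the first failure      */
racf:
  parse arg cmd
  cmd
  if rc <> 0 then do; say 'RC' rc 'from:' cmd; exit rc; end
return
```

Two DATASET class limits apply to these pseudo-data-set names: each qualifier is at most 8 characters and the whole name at most 44, which caps the prefix length and is worth checking against your longest jobname and tranid combinations. If you instead name a class on EXTERNAL_SECURITY_RESOURCE_CLASS (FACILITY is a common choice and an assumption here), the generated names are identical but the commands become RDEFINE FACILITY COMPWARE.SERVER.IMPORT.PRODSERV UACC(NONE), PERMIT COMPWARE.SERVER.IMPORT.PRODSERV CLASS(FACILITY) ID(AAADMIN) ACCESS(READ) and SETROPTS RACLIST(FACILITY) REFRESH, and the 8-character qualifier limit no longer applies.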

Using the CSS security exit (CWASSECU)

Note

The following information was provided for users migrating to the Abend-AID Viewer from batch Abend-AID or Abend-AID for CICS. This method is not recommended unless you transitioned to the Abend-AID Viewer from batch Abend-AID or Abend-AID for CICS and want to continue to use your BMC AMI Common Shared Services (CSS) security exit with the Abend-AID Viewer.

Refer to the BMC AMI Common Shared Services User/Reference Guide for a complete description of the BMC AMI Common Shared Services (CSS) Security Exit program. This user-coded program allows you to restrict access to some of the Abend-AID Directory functions for report/transaction databases and source listing files/source listing shared directories. For example, you can use the CSS Security Exit program to restrict access to individual reports or listings within these files.

The CSS Security Exit is enabled for use by the Abend-AID Viewer by specifying CSS for the EXTERNAL_SECURITY_DDIO_METHOD viewing server configuration parameter. If this value is specified, the Abend-AID Viewer calls the CSS security module, CWASSECU, at exit points supported by the CSS Security Exit program. The Abend-AID Viewer restricts or allows access to the requested function as specified by the exit module.

You can use external security in conjunction with the CSS Security Exit program to control access to functions that are not supported by the CSS exit program.

Perform the following steps to use the CSS Security Exit program:

  • Specify CSS for the EXTERNAL_SECURITY_DDIO_METHOD viewing server configuration parameter. Refer to the Advanced-configuration for a description of this viewing server configuration parameter.
  • Follow the instructions for coding module CWASSECU provided in the BMC AMI Common Shared Services User/Reference Guide.
  • Include module CWASSECU in a library in the Abend-AID viewing server’s FDBDRPL concatenation.



 


BMC AMI DevX Abend-AID 17.02