Task 4.3: External Security Considerations
The z/OS security administrator is required for this task.
Task 4.3.1: Strobe Started Tasks
Your site’s z/OS security administrator should review and implement the following security requirements:
The STRTSM started task requires a user ID defined to your security product and ALTER access to the Strobe Log dataset. The Session Manager must be able to read and write to the Strobe Queue, System Message, and Request Group datasets. For the Strobe Log dataset, the Session Manager must have WRITE access and be able to create a dataset (when Log datasets are defined as GDGs). To use the automatic Performance Profile option, the Session Manager must have the authority to:
- Submit jobs on behalf of any Strobe user.
- Read sample datasets created by any Strobe user.
- Create a print file on behalf of any Strobe user.
For z/OS systems, the Session Manager address space must also have UPDATE access to the BPX.SERVER profile in the FACILITY class so that Strobe can display the USS processes on the Active Process Section List panel. The Session Manager address space must have a UID of zero (UID(0)) specified in the rules of the security package (RACF, CA Top Secret, CA ACF2) you are using. This rule gives Strobe the authority to collect process information for all processes. For more information, refer to the IBM manual z/OS UNIX System Services Planning.
To enable the Strobe Session Manager (running as a superuser) to successfully call the z/OS UNIX System Service BPX1SEU, define user BPXROOT to RACF, ACF2, or CA Top Secret. This action prevents Strobe from issuing message STR6429W.
Always define the Strobe Session Manager to CA ACF2 as a Multiple-User Single Address Space System (MUSASS).
- The STRTMSAS started task requires a user ID/ACF2 logon ID defined to your security product; if you are using RACF, it must have a RACF ID in the RACF started task group. Create an associated owner ID with an OMVS segment to allow use of TCP/IP for communications for the MSAS. Sample datasets are dynamically allocated and cataloged from this address space. Define any prefix used for the sample datasets to be allocated, read, written, and cataloged from the MSAS.
Upon measurement initiation, the MSAS started task creates a dataset and requires authority of ACC(ALL) if using CA Top Secret or ALTER ACCESS under RACF. The dataset name is composed of two Strobe parameter values found in the hlq.SSTRPARM library, plus the job name of the job being measured.
DSNAME=TSOESA /* SAMPLE DATASET NAME PREFIX */
DSNSUFX=ACME1 /* SAMPLE DATASET NAME SUFFIX */
Use DSNAME=STROBE to specify the first node of the dataset name and DSNSUFX= to specify the last node of the dataset name. If the measured job name is ABC1234Z, then ABC1234Z is used as the second level node for the dataset name.
- The STRTSSA started task requires a user ID/ACF2 logon ID defined to your security product; if you are using RACF, it must have a RACF ID in the RACF started task group (required for Strobe for Db2/DDF licensed users).
- The STRTMNAS started task requires a user ID/ACF2 logon ID defined to your security product; if you are using RACF, it must have a RACF ID in the RACF started task group. Create an associated owner ID with an OMVS segment to allow use of TCP/IP for communications for the MNAS.
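Because the middle node of each sample dataset name is the measured job name, the access rule for the MSAS has to cover every job name rather than one fixed dataset. The following is an added example, not part of the Strobe documentation or product: it parses the two parameter lines shown above, builds and validates the resulting dataset name, and derives a covering pattern. The function names and the single-qualifier `*` pattern are illustrative assumptions; translate the pattern into the generic or masking syntax of your security product.

```python
import re

# Constructed sample of hlq.SSTRPARM content, using the two values shown above.
SAMPLE_PARM = """\
DSNAME=TSOESA /* SAMPLE DATASET NAME PREFIX */
DSNSUFX=ACME1 /* SAMPLE DATASET NAME SUFFIX */
"""

# z/OS qualifier: 1-8 chars, first alphabetic or national (@ # $),
# the rest alphanumeric, national, or hyphen.
QUALIFIER = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}$")

def parse_parm(text):
    """Return KEY=VALUE pairs from parameter lines, dropping /* ... */ comments."""
    parms = {}
    for line in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", line).strip()
        if "=" in line:
            key, value = line.split("=", 1)
            parms[key.strip().upper()] = value.strip().upper()
    return parms

def check_name(dsn):
    """Raise ValueError if dsn breaks z/OS dataset naming rules."""
    if len(dsn) > 44:
        raise ValueError(f"{dsn}: longer than 44 characters")
    for q in dsn.split("."):
        if not QUALIFIER.match(q):
            raise ValueError(f"{dsn}: invalid qualifier {q!r}")
    return dsn

def sample_dsn(parms, jobname):
    """Prefix, measured job name, suffix, as the section describes."""
    return check_name(f"{parms['DSNAME']}.{jobname.upper()}.{parms['DSNSUFX']}")

def covering_pattern(parms):
    """Illustrative pattern: '*' stands for exactly one qualifier (the job name)."""
    return f"{parms['DSNAME']}.*.{parms['DSNSUFX']}"

def is_covered(pattern, dsn):
    """True if dsn has the same qualifiers as pattern, '*' matching any one."""
    p, d = pattern.split("."), dsn.split(".")
    return len(p) == len(d) and all(a in ("*", b) for a, b in zip(p, d))

if __name__ == "__main__":
    parms = parse_parm(SAMPLE_PARM)
    print(sample_dsn(parms, "ABC1234Z"), "covered by", covering_pattern(parms))
```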
Task 4.3.2: User IDs
- Any user ID that plans to generate Strobe Performance Profiles requires ALLOCATE, READ, WRITE, and CATALOG access to the sample dataset naming conventions, similar to the STRTMSAS started task.
- Strobe users require READ access to the Strobe Log dataset and the Strobe unauthorized load library (hlq.SSTRLOAD). They must also be able to read and write to the Strobe History and AutoStrobe datasets.
- To further control user access to Strobe, see the section entitled Configuring Access Filter Security. This security interface allows you to control security considerations such as the following:
- Who can use Strobe to measure jobs
- Systems on which those measurement requests can run
- Whether users can measure any job or just their own
- Who is authorized to start Strobe as a batch job
- Who has privileges to administer Strobe.