
Commands and transactions (FEATURE=CMD)


By specifying additional BMC AMI Ops Automation product security with the command (CMD) feature, you can secure the ability to issue specific commands and transactions from BMC AMI Ops Automation terminal sessions.

Before you can implement BMC AMI Ops Automation CMD-level security, you must implement security for these resources:

  • prefix.ssid.BBI.target.ACCESS
  • prefix.ssid.BBI.target.BBICMD
  • prefix.ssid.AAO.target.MVSCMD
  • prefix.ssid.AAO.target.CICSTRAN
  • prefix.ssid.AAO.target.IMSTRAN
  • prefix.ssid.AAO.target.IMSMSG
  • prefix.ssid.AAO.target.RESAUTH

Additionally, you can secure the resources that are listed in the following table for greater granularity in securing commands and transactions. For a list of CLISTs that you can use to identify resources for CMD-level security, see Using CLISTs to identify resources.

BMC AMI Ops Automation command-level security

What you can secure

Description

Invoking CICS transactions

Secures invoking of specific CICS transactions from a BMC AMI Ops Automation terminal session by CICS transaction name.

You must create a separate security definition for each CICS transaction that you secure.

Resource name: prefix.ssid.AAO.target.CICSTRAN.command

The resource name can include a command name that is more than eight characters long, but security checking checks only the first eight characters of the name.

Invoking IMS transactions

Secures invoking of specific IMS transactions from a BMC AMI Ops Automation terminal session by IMS transaction name.

You must create a separate security definition for each IMS transaction that you secure.

Resource name: prefix.ssid.AAO.target.IMSTRAN.command

The resource name can include a transaction name that is more than eight characters long, but security checking checks only the first eight characters of the command and the first eight bytes of each parameter (if any).

Invoking IMS and IMSplex commands

Secures invoking of specific IMS and IMSplex commands from a BMC AMI Ops Automation terminal session by command name and up to eight parameters.

Important

If you are securing these resources in a security class of DATASET, the ESM does not check the value of the parameters. Because a resource name in CLASS=DATASET is limited to the length of a data set name, only the command name is checked.

To secure all IMS and IMSplex commands, create a generic security definition. To secure specific commands, create a separate security definition for each IMS or IMSplex command and parameter combination.

Generic resource name: prefix.ssid.AAO.target.IMSCMD.*

Command-specific resource name: prefix.ssid.AAO.target.IMSCMD.command.parameter.parameter...

The number of command parameters that are checked is controlled by the IMS subparameter of FEATURE=(CMD). To use the IMS subparameter, specify:

TYPE=AAO,SS=ssid,FEATURE=(CMD(IMS=n))

The variable n is a value from 1 to 9 that represents the number of nodes to check after the IMSCMD node in the resource name. For example, if you specify IMS=4, security checking checks the command plus three parameters. If you do not specify the IMS subparameter with CMD, a default value of 3 is used (the command plus two parameters).

The resource name can include command names and parameter names that are more than eight characters long, but security checking checks only the first eight characters of the command and the first eight bytes of each parameter (if any).

To prevent IMS generic commands from failing when the default RACF class is defined with UACC(NONE), specify the IMS subparameter of FEATURE=(CMD) with TruncGen (or TG).

For example:

TYPE=AAO,SS=ssid,FEATURE=(CMD(IMS=TG))

TYPE=AAO,SS=ssid,FEATURE=(CMD(IMS=TruncGen))

TYPE=AAO,SS=ssid,FEATURE=(CMD(IMS=n,TruncGen))

Using the TruncGen parameter requires BMC AMI Ops Automation. When you specify the TruncGen parameter, you should be aware of the following situations:

  • Before using the SAF interface to check the authority of the user, RACF processing truncates SAF resource names for IMS generic commands as soon as it detects one of the following RACF generic characters: an asterisk (*), a percent sign (%), or an ampersand (&).
  • If you do not specify TruncGen, RACF processing does not strip out the generic characters and tries to match the resource name to a generic profile that is defined with the same characters. If RACF does not have this generic profile defined, the IMS generic command fails the security check.
  • Specifying the TruncGen parameter does not affect how the IMSGEN feature works. When IMSGEN is specified with the TYPE=AAO statement, the SAF interface still checks the user authority against all resolved IMS resource names.

The following shows examples with TruncGen:

IMS command entered: /DBR DATABASE LK++000*

Resource name checked: prefix.ssid.AAO.target.IMSCMD.DBR.DATABASE.LK++000

IMS command entered: /DIS DB PROD12% TESTDB

Resource name checked: prefix.ssid.AAO.target.IMSCMD.DIS.DB.PROD12
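
The IMSCMD resource-name rules described above (the IMS=n node count, the eight-character limit per node, and TruncGen) modeled as an added Python example. This is not BMC code: the function names, the placeholder qualifiers, and the handling of a dot left dangling after truncation are assumptions.

```python
# Added example: a model of the IMSCMD resource-name rules documented above.
# Not BMC code; names and placeholder qualifiers are assumptions.
GENERIC_CHARS = "*%&"  # RACF generic characters named on this page

def imscmd_resource(command_text, ims_nodes=3, truncgen=False,
                    prefix="prefix", ssid="ssid", target="target"):
    """Return the resource name checked for an IMS command.

    ims_nodes models FEATURE=(CMD(IMS=n)): nodes checked after IMSCMD,
    that is, the command plus n-1 parameters (default 3).
    truncgen models IMS=TruncGen (or TG).
    """
    if not 1 <= ims_nodes <= 9:
        raise ValueError("IMS=n must be from 1 to 9")
    tokens = command_text.lstrip("/").split()
    if not tokens:
        raise ValueError("empty command")
    # Only the first eight characters of the command and of each parameter
    # are checked (single-byte characters assumed).
    suffix = ".".join(t[:8] for t in tokens[:ims_nodes])
    if truncgen:
        # Cut at the first generic character. Assumption: a dot left
        # dangling by the cut is dropped as well.
        hits = [i for i in map(suffix.find, GENERIC_CHARS) if i != -1]
        suffix = suffix[:min(hits, default=len(suffix))].rstrip(".")
    base = ".".join([prefix, ssid, "AAO", target, "IMSCMD"])
    return f"{base}.{suffix}" if suffix else base

def shared_profiles(commands, **options):
    """Group commands that resolve to the same resource name."""
    groups = {}
    for cmd in commands:
        groups.setdefault(imscmd_resource(cmd, **options), []).append(cmd)
    return {name: cmds for name, cmds in groups.items() if len(cmds) > 1}

if __name__ == "__main__":
    # The two commands from the page, then constructed variants.
    for text in ("/DBR DATABASE LK++000*", "/DIS DB PROD12% TESTDB"):
        print(text, "->", imscmd_resource(text, truncgen=True))
    sample = ["/DIS DB PROD12 TESTDB", "/DIS DB PROD12 PAYROLL"]  # constructed
    print(shared_profiles(sample))               # IMS=3: one shared name
    print(shared_profiles(sample, ims_nodes=4))  # IMS=4: no sharing
```

Commands that differ only beyond the checked nodes, or beyond the eighth character of a node, resolve to one resource name and therefore receive the same access decision; `shared_profiles` lists such groups for a given IMS=n setting.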

Invoking MVS commands

Secures invoking of specific MVS commands from a BMC AMI Ops Automation terminal session by MVS command name and one parameter.

Important

If you are securing these resources in a security class of DATASET, the ESM will not check the value of the command and the parameter. Only the command name is checked.

You must create a separate security definition for each MVS command and parameter that you secure.

Resource name: prefix.ssid.AAO.target.MVSCMD.command.parameter

This resource name may include command names and parameter names that are more than eight characters long, but security checking checks only the first eight characters of the command name and additional parameter names.


 
