EXECs (FEATURE=EXEC)
By choosing the EXEC feature of BMC AMI Ops Automation advanced security, you are choosing to secure a user's ability to schedule EXECs by EXEC name from the COMMAND line during a user’s terminal session.
The resource name is prefix. ssid.AAO. target.EXEC. execname.
With this resource, you are also securing a user’s ability to access the EXEC from within the EXEC Manager application, which limits:
- Selecting a specific EXEC for testing
- Scheduling a specific EXEC
- Browsing a specific EXEC
- Disabling a specific EXEC
- Scheduling an EXEC from a cell
When securing EXECs, it is important to note that the actions scheduled within the EXEC are generally not secured. For example, you might secure the ability to issue MVS commands from a specific user. However, if you allow the user to have access to an EXEC that issues an MVS command, the EXEC and the MVS command will be allowed to run completely.
However, there are exceptions to this rule about actions within EXECs:
If you secure the ability to access CICS services through the BBI-SS PAS (as described in BMC-AMI-Ops-Monitor-for-CICS-and-the-BMC-AMI-Ops-Automation-for-CICS)
Some CICS action services have IMFEXEC CICS statements for the BMC AMI Ops Automation for CICS option. Those IMFEXEC CICS statements can be secured and, if they are, the restrictions are valid in an EXEC that uses those statements.
If you secure BMC AMI Ops SYSPROG Services
You can invoke BMC AMI Ops SYSPROG Services in an EXEC with an IMFEXEC RES statement. If the service is secured, the restrictions are valid in an EXEC that uses those statements.
If you issue MainView API commands within an EXEC
IMFEXEC MV and IMFEXEC MVX commands require READ access to the following resources: TERMINAL(VBAPI) and PROGRAM(BBM0IA10). If access to these resources is not available, the IMFEXEC command fails with an IMFCC code of 8.
For a list of CLISTs that you can use to identify resources for EXEC-level security, see Create resource names for BMC AMI Ops Automation.