Security requirements


This topic lists IBM RACF security requirements for BMC AMI Ops Monitor for Java Environments. If you are running a security product other than IBM RACF, see your security product documentation for more information.

BMC AMI OpsMJE requires the following security resources:

  • OMVS segment for the user ID that runs the BMC AMI OpsMJE PAS
  • Superuser authority for the OMVS segment
  • Read access to the BPX.JOBNAME Facility class resource
  • Read access to IBM z/OS Connect Enterprise Edition (z/OS Connect EE)
  • Read access to the IBM WebSphere Liberty server

Use the following procedures to meet these requirements.

To grant superuser authority for the OMVS segment


Use one of the following methods:

  • For the user ID, grant read access to BPX.SUPERUSER (the Facility class resource).

    Example:
    PERMIT BPX.SUPERUSER CLASS(FACILITY) ACCESS(READ) ID(<userID>)

  • For the user ID, grant read access to SUPERUSER.PROCESS.GETPSENT (the UNIXPRIV class resource).

    Example:
    PERMIT SUPERUSER.PROCESS.GETPSENT CLASS(UNIXPRIV) ACCESS(READ) ID(<userID>)

    When you use this method on z/OS 2.5 with PTF UJ95913 applied, you might receive the following message:

    ICH408I (<userID>)(<groupID>)(<startedTaskname>) 751
    751 CL(PROCESS )
    751 INSUFFICIENT AUTHORITY TO SETUID
    751 EFFECTIVE UID(<userIDnumber>) EFFECTIVE GID(<groupIDnumber>)

    If you receive this message, the second method is not available on that system; use the first method instead.

The two methods differ in scope. SUPERUSER.PROCESS.GETPSENT only lets the user ID see the status of all z/OS UNIX processes (the getpsent service), which is the narrower grant. BPX.SUPERUSER lets the user ID switch to UID 0, so prefer the UNIXPRIV method where it works and keep the BPX.SUPERUSER profile at UACC(NONE).

Important

The following conditions apply to assigning the UID:

  • To activate the new definitions, you might need to refresh the updated class.
  • The OMVS segment requires a nonzero UID (not 0) and a home directory path.

For more information, see OMVS segment requirements and ESM definitions.

To grant read access to BPX.JOBNAME


For the user ID, grant read access to BPX.JOBNAME (the Facility class resource).

Example:
PERMIT BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(<userID>)

To activate the new definitions, you might need to refresh the updated class.

For more information, see Managing security for BMC AMI Ops products.

To grant read access to z/OS Connect EE

  1. For the z/OS Connect EE user ID, grant authorized read access to BPX.SMF (the Facility class resource).

    PERMIT BPX.SMF CLASS(FACILITY) ACCESS(READ) ID(<userID>)

    For userID, specify the z/OS Connect EE user ID.

  2. For the BMC AMI Ops Monitor for Java Environments user ID, grant read access to BBGZDFLT.ZOS (the APPL class resource).

    PERMIT <BBGZDFLT> CLASS(APPL) ID(<userID>) ACCESS(READ)

    For userID, specify the PAS user ID. The PAS must have the appropriate security certificates associated with its user ID.

    For BBGZDFLT, specify the APPL class security prefix for the server.

To grant read access to the Liberty server


For the BMC AMI Ops Monitor for Java Environments user ID, grant authorized read access to the Liberty server (the EJBROLE class resource).

PERMIT <serverProfilePrefix>.com.ibm.ws.management.security.resource.Administrator ID(<userID>) ACCESS(READ) CLASS(EJBROLE)
PERMIT <serverProfilePrefix>.com.ibm.ws.management.security.resource.Reader ID(<userID>) ACCESS(READ) CLASS(EJBROLE)

For userID, specify the PAS user ID. The PAS must have the appropriate security certificates associated with its user ID.

For serverProfilePrefix, specify the profile prefix for the Liberty server.


To grant RACF read access to MVS.MCSOPER.** CL(OPERCMDS)


For the user ID, grant read access to MVS.MCSOPER.** (the OPERCMDS class resource):

PERMIT MVS.MCSOPER.** CLASS(OPERCMDS) ID(<userID>) ACCESS(READ)

Specifying ** grants the user ID access to activate any extended MCS console on the system, not only the BMC AMI OpsMJE console.

Alternatively, you can grant specific access to the BMC AMI OpsMJE console. The default console name is OPSMJExx when the following conditions exist:

  • The default console name prefix is OPSMJE. The console name prefix is specified in the EMCSPREF keyword in MJEINIxx.
  • The console name suffix given by a PAS (xx) is a value from 01 through 99.
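A consolidated set of the commands on this page for one PAS user ID, as an added example that is not part of the BMC documentation. It takes the narrower option wherever the page offers a choice (SUPERUSER.PROCESS.GETPSENT rather than BPX.SUPERUSER, a profile covering the OPSMJExx console names rather than MVS.MCSOPER.**), refreshes the RACLISTed classes, and ends with the list commands you would run to check the result. The user ID OPSMJE, group OPSGRP, UID 3101, home directory /u/opsmje and the console prefix OPSMJE are assumed values; the z/OS Connect EE and Liberty permits are server-specific and are not repeated here. The commands are entered in TSO; the /* */ lines are CLIST-style comments.

```tso
/* Added example, not BMC's own commands. Assumed values: user ID      */
/* OPSMJE in group OPSGRP, UID 3101, home /u/opsmje, console name      */
/* prefix OPSMJE (the EMCSPREF default in MJEINIxx).                   */

/* 1. OMVS segment for the PAS user ID: a nonzero UID and a home path. */
/*    Use ADDUSER with the same OMVS() operand if the user ID is new.  */
ALTUSER OPSMJE OMVS(UID(3101) HOME('/u/opsmje') PROGRAM('/bin/sh'))

/* 2. Superuser authority, narrow form: see all processes via getpsent */
/*    without the ability to switch to UID 0 that BPX.SUPERUSER gives. */
/*    Fall back to BPX.SUPERUSER only if the ICH408I INSUFFICIENT      */
/*    AUTHORITY TO SETUID failure described above occurs.              */
/*    Skip the RDEFINE if the profile already exists.                  */
RDEFINE UNIXPRIV SUPERUSER.PROCESS.GETPSENT UACC(NONE)
PERMIT SUPERUSER.PROCESS.GETPSENT CLASS(UNIXPRIV) ID(OPSMJE) ACCESS(READ)

/* 3. BPX.JOBNAME, which lets the user ID assign job names to the      */
/*    z/OS UNIX processes it creates.                                  */
RDEFINE FACILITY BPX.JOBNAME UACC(NONE)
PERMIT BPX.JOBNAME CLASS(FACILITY) ID(OPSMJE) ACCESS(READ)

/* 4. Extended MCS console: one generic profile for OPSMJE01..OPSMJE99 */
/*    instead of MVS.MCSOPER.**. Generic profiles in OPERCMDS require  */
/*    generic profile checking to be active for the class.             */
SETROPTS GENERIC(OPERCMDS)
RDEFINE OPERCMDS MVS.MCSOPER.OPSMJE* UACC(NONE)
PERMIT MVS.MCSOPER.OPSMJE* CLASS(OPERCMDS) ID(OPSMJE) ACCESS(READ)

/* 5. Activate the changes in the in-storage copies of each class.     */
SETROPTS RACLIST(UNIXPRIV) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(OPERCMDS) REFRESH

/* 6. Verify: the OMVS segment should show UID 3101 and /u/opsmje, and */
/*    each access list should show OPSMJE with READ and UACC NONE.     */
LISTUSER OPSMJE OMVS NORACF
RLIST UNIXPRIV SUPERUSER.PROCESS.GETPSENT AUTHUSER
RLIST FACILITY BPX.JOBNAME AUTHUSER
RLIST OPERCMDS MVS.MCSOPER.OPSMJE* AUTHUSER
```

If an RDEFINE reports that the profile is already defined, keep the existing profile and run only the PERMIT; review its UACC with RLIST before relying on it, because a profile left at UACC(READ) grants the resource to every user, not just the PAS.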


BMC AMI Ops Monitor for Java Environments 4.1