Defining the security parameters
Security for BMC II for z/OS is administered externally through a member named BBSEC. Use the following procedure to create BBSEC and specify security parameters as control statements in BBSEC.
To define security parameters
- Copy the BBSAMP member IIZBBSEC to one of the following locations:
- SYS1.PARMLIB (the last member of the MVS Logical Parmlib)
- BBIPARM ddname in the BBI-SS PAS JCL
- Change the copied member's name to BBSEC.
- Edit BBSEC to contain a valid TYPE statement. The basic format of the TYPE statement is as follows:
TYPE=product,SS=ssid[,PREFIX=prefix][,CLASS=name][,FEATURE=feature]
Replace the variables as follows:
- product activates security for the specified product or group of products. A TYPE=BBI statement is required for BMC II for z/OS.
- ssid is the subsystem ID (from one through four characters) of the BBI-SS PAS where the specified resources are to be protected.
The SSID is part of the resource name that defines resources to your ESM. Each SSID that is used in a resource name must be specified on a separate TYPE statement in BBSEC. The TYPE statement can contain wildcards for the SSID. For example, you can specify all SSIDs that start with P as SS=P*.
- (optional) prefix is the prefix for all product resource names, which can be from one through eight characters long. The default is BBM.
- (optional) name is the security class name that is used to identify product resources, which can be from one through eight characters long. The default is $BOOLE.
- (optional) feature is used to secure BBI action and display commands. The following values are allowed:
- CONSCMD for BBI command security when the command is issued from a console.
- BBIDISP to allow BBI Display commands when action commands are denied.
Observe the following syntax rules when creating or updating BBSEC:
- You can use a plus sign (+) or an asterisk (*) as a wildcard:
- + represents one position that can be a blank or any character.
- * represents any number (including zero) of nonblank characters.
- To specify a TYPE statement, you can use positions 1 through 72, on one or more lines.
- To continue a TYPE statement on the next line, place a comma at the end of the line to be continued.
- Specify comments on separate lines with an asterisk (*) in column 1. Comments are not supported on the same line as a TYPE statement.
The following image shows a sample IIZBBSEC member.
Sample IIZBBSEC member
* Activates security for common resources:
*
TYPE=BBI,SS=SYSB,PREFIX=BB1,CLASS=$BMC II for z/OS
*
* Activates security for BBI-SS BIIZ PAS where SSID begins
* with P, using default CLASS and PREFIX
TYPE=BBI,SS=P*
Sample valid TYPE statement
* THE FOLLOWING PROVIDES FOR SECURITY CHECKING OF A BBI COMMAND
* ISSUED FROM THE CONSOLE AND A SEPARATE CHECK FOR BBI DISPLAY
* COMMAND PERMISSION WHEN BBI COMMANDS FROM EITHER THE CONSOLE OR
* A BBI TERMINAL SESSION ARE DENIED
TYPE=BBI,SSID=SYS1,PREFIX=BAOJDB,CLASS=AAOSAF,
FEATURE=(CONSCMD,BBIDISP)
- Define SAF resources and permit access as needed:
- BBSAMP(IIZRDEF) is a sample EXEC that contains the necessary RACF RDEFINE commands to define resources for the BMC II for z/OS BBI-SS.
- BBSAMP(IIZPER) is a sample EXEC that contains the necessary RACF PERMIT commands to grant a user access to those resources.
- Save the updated BBSEC member.
- Test your security parameters:
- Copy BBSEC into the BBPARM data set for a BBI-SS PAS.
- Warm start the BBI-SS PAS to read the new BBSEC member.
- Test product access at the BBI-SS PAS level to make sure that it provides the security that you want.
- (optional) When you are satisfied with the way that security is working at the BBI-SS PAS level, copy or move BBSEC to SYS1.PARMLIB and bounce the PAS. Alternatively, you can copy or move BBSEC to the BBIPARM JCL for other PASs.
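A pre-check for the syntax rules and value limits above, which can be run against a copy of the member before the warm start. This is an added example, not BMC code. The function names and sample member are constructed; accepting SSID= as a spelling of SS= (as in the page's sample), treating a blank inside a statement as a probable same-line comment, and applying the + rule to an SSID padded with blanks to four positions are assumptions.

```python
import re

ALLOWED_FEATURES = {"CONSCMD", "BBIDISP"}        # values listed on this page
DEFAULTS = {"PREFIX": "BBM", "CLASS": "$BOOLE"}  # defaults stated on this page
MAX_LEN = {"SS": 4, "PREFIX": 8, "CLASS": 8}     # length limits from this page
SAMPLE = ("* constructed sample member\nTYPE=BBI,SS=P*\n"
          "TYPE=BBI,SS=SYS1,PREFIX=BB1,\nFEATURE=(CONSCMD,BBIDISP)\n"
          "TYPE=BBI,SS=TOOLONG,FEATURE=AUDIT\n")

def check_statement(stmt):
    """Parse one joined TYPE statement; return (fields, problems)."""
    # keyword=value pairs; a value may be a parenthesised list
    pairs = dict(re.findall(r"(\w+)=(\([^)]*\)|[^,]*)", stmt))
    if "SSID" in pairs:                          # spelling used in the page's sample
        pairs["SS"] = pairs.pop("SSID")
    out, problems = {**DEFAULTS, **pairs}, []
    if " " in stmt:                              # heuristic: same-line comment
        problems.append("blank inside TYPE statement")
    for key in ("TYPE", "SS"):
        if not out.get(key):
            problems.append(f"missing required {key}=")
    for key, limit in MAX_LEN.items():
        if len(out.get(key, "")) > limit:
            problems.append(f"{key}={out[key]} must be 1-{limit} characters")
    out["FEATURE"] = feats = [f for f in out.get("FEATURE", "").strip("()").split(",") if f]
    problems += [f"unknown FEATURE {f}" for f in feats if f not in ALLOWED_FEATURES]
    return out, problems

def parse_bbsec(text):
    """Return (statements, errors) for the text of a BBSEC member."""
    statements, errors, pending, start = [], [], "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw[:72].rstrip()                 # only positions 1-72 are read
        if not line or line.startswith("*"):     # comment: asterisk in column 1
            continue
        start = start if pending else num        # first line of this statement
        pending += line.strip()
        if pending.endswith(","):                # trailing comma: continued
            continue
        stmt, problems = check_statement(pending)
        statements.append(stmt)
        errors += [f"line {start}: {p}" for p in problems]
        pending = ""
    if pending:
        errors.append(f"line {start}: continued statement never completed")
    return statements, errors

def ssid_matches(pattern, ssid):  # + and * rules on a blank-padded SSID
    rx = "".join({"+": ".", "*": r"\S*"}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(rx + " *", ssid.ljust(4)) is not None
```

`parse_bbsec(SAMPLE)` returns the parsed statements with defaults applied, plus one error string per problem prefixed with the line where the statement starts. `ssid_matches` shows which subsystem IDs a wildcarded SS= value would cover.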