Granting access to resources and actions


After identifying ESM resources and defining their protection, use the following procedure to grant permission for specific user IDs to access those resources.

To grant user access to resources

Using the IIZRPER EXEC in BBSAMP, enter the following information when prompted:

  • SAF CLASS for SAF resources for BMC II for z/OS BBI-SS ($BOOLE is the default)
  • Prefix for SAF resources for BMC II for z/OS BBI-SS (BBM is the default)
  • Subsystem ID of the BMC II for z/OS BBI-SS for which you are permitting users
  • USERID to permit access to resources

    Further define user access by responding to the following prompts:

    • Should USERID have any access to the BBI-SS subsystem ID (YES or NO)
    • Should USERID have read-authority for Rules (YES or NO)
    • Should USERID have update-authority for Rules (YES or NO)
    • Should USERID be able to issue BBI commands (YES or NO)
    • Should USERID be able to write messages to journal (YES or NO)

      Note

      Granting the ability to schedule WTOs should be the exclusive function of the USERID. In order to secure access to the system, BMC recommends that any USERID that has the ability to write messages to the journal should be limited to this access only. The ability to access additional resources with the USERID can be a security concern.

    • Do you have any more USERIDs to work with (YES or NO)

To control access to the PAS

  1. Specify the ACCESS resource as follows: prefix.ssid.BBI.ssid.ACCESS

    Specify the appropriate resource name for your ESM. Generic examples follow:

    Note

    Securing the ACCESS resource is a prerequisite to implementing security for the BMC II for z/OS SAF resource. Access to the BBI-SS PAS is always checked before access to a specific product resource is checked.

    For this ESM            Specify resource names such as

    RACF                    BBM.*.BBI.*.ACCESS
                            BBM.BB*.BBI.SYS*.ACCESS
                            BBM.BBCS.BBI.SYS01.ACCESS

    CA-ACF2                 $KEY(BBM.-.BBI.-.ACCESS)
                            $KEY(BBM.BB-.BBI.SYS-.ACCESS)
                            $KEY(BBM.BBCS.BBI.SYS01.ACCESS)

    CA-Top Secret           (BBM.*.BBI.*.ACCESS)
                            (BBM.BB*.BBI.SYS*.ACCESS)
                            (BBM.BBCS.BBI.SYS01.ACCESS)

  2. (optional) Specify the BMC II for z/OS SAF actions that you want to secure separately from other product resources. In general, SAF resource names resemble this example:

    prefix.ssid.product.ssid.suffix

    The product and suffix distinguish the resource so you can use the following security options:

    Specification           Security description

    BBM.*.AAO.*.RULEREAD    Controls the ability to display Rules. Users with RULEREAD access cannot alter anything that would affect Rule actions.

    BBM.*.AAO.*.RULEUPD     Controls the ability to update and create Rules. Users with RULEUPD access can alter things that would affect Rule actions (such as enabling or disabling Rule Sets, or moving rules within a Rule Set).

    Generic examples for command resource names follow. Each of them controls access to issuing BBI control commands (such as .RESET, .CANCEL, or .START) for any PAS.

    With this ESM           Specify this resource name

    RACF                    prefix.ssid.BBI.target.BBICMD

      If you want to secure access to BBI commands for USERIDs at the console, specify FEATURE=CONSCMD on the TYPE=BBI statement in BBSEC and use the BBICMD resource.

      If you want to secure access to BBI action commands but allow the USERID to use BBI display commands, perform the following actions:

      • Specify FEATURE=BBIDISP on the TYPE=BBI statement in BBSEC
      • Define prefix.ssid.BBI.target.BBIDISP to RACF
      • Grant authority to the USERID

      Note

      If a particular USERID cannot issue a BBI command because authority has not been granted for the prefix.ssid.BBI.target.BBICMD resource, the command is either Display or Help, and FEATURE=BBIDISP is specified in BBSEC, then the resource prefix.ssid.BBI.target.BBIDISP is checked for the USERID. This gives you the option of blocking action commands while still allowing display commands.

    CA-ACF2                 $KEY(BBM.-.BBI.-.BBICMD)

    CA-Top Secret           (BBM.*.BBI.*.BBICMD)

  3. Restrict access to the BBSEC member, where security for BMC II for z/OS SAF is controlled, by performing the following actions:
    1. Specify Universal Access NONE for any BBSEC member that resides in:
      • SYS1.PARMLIB in the logical PARMLIB concatenation
      • BBIPARM ddname in the BBI-SS JCL
    2. Grant selected users WRITE access to the BBSEC members.
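As an added illustration (not part of the BMC documentation or the product's own code), the following Python models the check order the procedure describes: the PAS ACCESS resource is always checked first, then the BBICMD resource, and for Display or Help commands with FEATURE=BBIDISP the BBIDISP resource is tried as a fallback. The profile store, user IDs and the simplified generic-profile matching are assumptions made for the example.

```python
import fnmatch

# Constructed profile store for one SAF class (the page's default is $BOOLE).
# Profile names follow the generic examples on the page; user IDs are made up.
PROFILES = {
    "BBM.*.BBI.*.ACCESS":         {"OPER1", "AUTO1"},   # PAS access, broad
    "BBM.BBCS.BBI.SYS01.BBICMD":  {"OPER1"},            # action + display commands
    "BBM.BBCS.BBI.SYS01.BBIDISP": {"AUTO1"},            # display/help only
}


def matching_profile(resource):
    """Return the most specific profile covering resource.
    Simplified RACF generic matching: '*' matches within a single qualifier,
    and the profile with the fewest wildcards wins (an assumption, not the
    ESM's full precedence rules)."""
    res_q = resource.split(".")
    best = None
    for name in PROFILES:
        prof_q = name.split(".")
        if len(prof_q) == len(res_q) and all(
            fnmatch.fnmatchcase(r, p) for r, p in zip(res_q, prof_q)
        ):
            if best is None or name.count("*") < best.count("*"):
                best = name
    return best


def permitted(userid, resource):
    prof = matching_profile(resource)
    return prof is not None and userid in PROFILES[prof]


def authorize_bbi_command(userid, ssid, target, command_kind,
                          feature_bbidisp, prefix="BBM"):
    """Check order from the page: ACCESS -> BBICMD -> BBIDISP (fallback).
    command_kind is 'display', 'help' or 'action' (hypothetical labels).
    Returns (allowed, resource_that_decided)."""
    access = f"{prefix}.{ssid}.BBI.{ssid}.ACCESS"
    if not permitted(userid, access):        # PAS access is the prerequisite
        return False, access
    bbicmd = f"{prefix}.{ssid}.BBI.{target}.BBICMD"
    if permitted(userid, bbicmd):            # full command authority
        return True, bbicmd
    if feature_bbidisp and command_kind in ("display", "help"):
        bbidisp = f"{prefix}.{ssid}.BBI.{target}.BBIDISP"
        return permitted(userid, bbidisp), bbidisp
    return False, bbicmd                     # action command without BBICMD
```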
