Identifying and protecting resources that need security


Use the following procedure to identify and protect resources that need to be secured with an ESM for BMC II for z/OS and BMC II for z/OS System Access Facility (SAF).

You can select resources that you want to protect whether they reside within BMC II for z/OS or the SAF element of z/OS.

To identify and protect resources

  1. Specify the resources that you want to protect by designating their names as follows:

    Resources for BMC II for z/OS

    To protect the ability to: Issue BBI control commands (such as .RESET, .CANCEL, .STOP, .START)
    Use this resource name: prefix.ssid.BBI.target.BBICMD

    Additionally, if you want to secure access to BBI commands from users at the console, specify FEATURE=CONSCMD on the TYPE=BBI statement in BBSEC.

    Alternatively, you can secure access to BBI action commands but allow users to use BBI display commands. To do so, specify FEATURE=BBIDISP on the TYPE=BBI statement, and define the resource name to IBM RACF as prefix.ssid.BBI.target.BBIDISP.

    Note: You can also block action commands while still allowing display commands (such as Display or Help) for any user who does not have the authority for the prefix.ssid.BBI.target.BBICMD resource. By specifying FEATURE=BBIDISP in BBSEC, the resource prefix.ssid.BBI.target.BBIDISP will be checked for the user.

    To protect the ability to: Write messages to the BBI journal log
    Use this resource name: prefix.ssid.BBI.ssid.JRNLMSG

    To protect the ability to: Display the Rules Processor application to access and display Rules within the Rules Processor
    Use this resource name: prefix.ssid.AAO.ssid.RULEREAD

    Note: Users with display-only access cannot alter anything that would affect Rule actions.

    To protect the ability to: Update the Rules Processor application to update and create new Rules in the Rules Processor application
    Use this resource name: prefix.ssid.AAO.ssid.RULEUPD

    Users with update access can alter anything that would affect Rule actions, such as enable or disable Rule Sets, move Rules within a Rule Set, or change search strategy.

  2. To identify the BMC II for z/OS SAF resources that you want to secure with an ESM, use the CLISTs that are provided in the BBSAMP data set. For example, to define resources to RACF, run the IIZRDEF CLIST (once for every BBI-SS PAS and for every target that you are securing). The IIZRDEF CLIST prompts you to enter the following information:
    • SAF resource class to use (where $BOOLE is the default)
    • Prefix to use as the high-level qualifier for each resource name (where BBM is the default)
    • BMC II for z/OS BBI-SS subsystem ID for which you are defining resources
    • Default universal access (UACC) for all resources (READ or NONE)
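
The resource names from step 1 and the values prompted for in step 2 can be previewed before anything is defined to RACF. The following Python sketch is an added example, not part of the BMC documentation or the IIZRDEF CLIST: it expands the resource-name patterns from the table and renders one RACF RDEFINE command per resource for review. The subsystem ID BBS1 and the targets CICSA and CICSB are constructed sample values, and that the CLIST issues equivalent commands is an assumption.

```python
# Added example: previews RACF definitions for the resource names in the table.
# Sample values (ssid BBS1, targets CICSA/CICSB) are constructed for illustration.

PATTERNS = {
    "BBICMD": "{prefix}.{ssid}.BBI.{target}.BBICMD",
    "BBIDISP": "{prefix}.{ssid}.BBI.{target}.BBIDISP",  # only with FEATURE=BBIDISP
    "JRNLMSG": "{prefix}.{ssid}.BBI.{ssid}.JRNLMSG",
    "RULEREAD": "{prefix}.{ssid}.AAO.{ssid}.RULEREAD",
    "RULEUPD": "{prefix}.{ssid}.AAO.{ssid}.RULEUPD",
}


def _qualifier(value, label):
    """Normalize one name qualifier; '.' is the separator, so reject it."""
    text = value.strip().upper()
    if not text or "." in text or " " in text:
        raise ValueError(f"invalid {label}: {value!r}")
    return text


def resource_names(ssid, targets, prefix="BBM", bbidisp=False):
    """Expand the patterns for one BBI-SS PAS and each secured target."""
    prefix, ssid = _qualifier(prefix, "prefix"), _qualifier(ssid, "ssid")
    targets = [_qualifier(t, "target") for t in targets]
    names = []
    for key, pattern in PATTERNS.items():
        if key == "BBIDISP" and not bbidisp:
            continue
        # Patterns without {target} are defined once per subsystem.
        for target in (targets if "{target}" in pattern else [None]):
            names.append(pattern.format(prefix=prefix, ssid=ssid, target=target))
    return names


def rdefine_commands(ssid, targets, saf_class="$BOOLE", prefix="BBM",
                     uacc="NONE", bbidisp=False):
    """Render one RDEFINE per resource. UACC applies to users not on the access list."""
    uacc = uacc.strip().upper()
    if uacc not in ("READ", "NONE"):  # the two values the CLIST prompt accepts
        raise ValueError(f"UACC must be READ or NONE, got {uacc!r}")
    return [f"RDEFINE {saf_class} {name} UACC({uacc})"
            for name in resource_names(ssid, targets, prefix, bbidisp)]


if __name__ == "__main__":
    print("\n".join(rdefine_commands("BBS1", ["CICSA", "CICSB"], bbidisp=True)))
```

The sketch defaults UACC to NONE so that access exists only where it is later granted explicitly; pass uacc="READ" to preview the other choice the prompt offers.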

Where to go from here

After identifying resources to protect, you can grant access to specific users. For more information, see Granting access to resources and actions.

 
