RACF Profiles


The Resident Security Server (RSS) provides the core server functionality on which custom applications and other BMC AMI Security products are built. RACF profiles control which users can use the various RSS services; the applications or products themselves may require additional RACF profiles.
At a minimum, RACF profiles are required to control who can:

  • Connect to the RSS HTTP interface
  • View the RSS Audit Log
  • Use the RSS Tools facility
  • Use the RSS Batch interface

RACF Profiles for RSS Server

The following RACF profiles control access to RSS and the initial menu selections available. By default the profiles must be defined in the FACILITY class, or in the class named in the RSS configuration parameters:

Profile            Access   Description
RSM.RSS.LOGIN      READ     Required for all users who are authorized to log in to the RSS HTTP interface.
RSM.RSS.AUDITLOG   READ     Required for all users who are authorized to search, view, and download the RSS Audit Log.
RSM.RSS.TOOLS      READ     Required for all users who are authorized to use the RSS tools, which let users issue RSS commands and drive RSS REXX from the browser.
RSM.RSS.BATCH      READ     Required for all users who are authorized to submit batch jobs that interface with RSS.


RACF Profiles for Security Administrator

Once a user has logged on to the RSS interface for BMC AMI Security Administrator, every activity is checked against the user's access to the following resources:

Profile            Access   Description
RSM.RSS.ADDUSER    READ     Add new users to the system.
RSM.RSS.COMMAND    READ     Issue RACF commands from the command window.
RSM.RSS.USERS      READ     Administer RACF users.
RSM.RSS.GROUPS     READ     Administer RACF groups.
RSM.RSS.SPECIAL    READ     Append parameters to the generated command in the Command Confirmation window, and use the Replicate facility to issue the RACF command on multiple systems.

Here is a sample of the RACF commands required to define the RACF resources for RSS and authorize a user (RSSADM) who can perform all RSS activities. Each profile is defined with UACC(NONE) so that no user gets access by default, and RSSADM is then permitted READ access to every RSS profile:

RDEFINE FACILITY RSM.RSS.LOGIN UACC(NONE)
RDEFINE FACILITY RSM.RSS.TOOLS UACC(NONE)
RDEFINE FACILITY RSM.RSS.AUDITLOG UACC(NONE)
RDEFINE FACILITY RSM.RSS.BATCH UACC(NONE)
RDEFINE FACILITY RSM.RSS.ADMIN UACC(NONE)
RDEFINE FACILITY RSM.RSS.BGLASS UACC(NONE)
RDEFINE FACILITY RSM.RSS.ZDETECT UACC(NONE)
RDEFINE FACILITY RSM.RSS.ADDUSER UACC(NONE)
RDEFINE FACILITY RSM.RSS.COMMAND UACC(NONE)
RDEFINE FACILITY RSM.RSS.USERS UACC(NONE)
RDEFINE FACILITY RSM.RSS.GROUPS UACC(NONE)
RDEFINE FACILITY RSM.RSS.SPECIAL UACC(NONE)
PERMIT RSM.RSS.LOGIN CLASS(FACILITY) ID(RSSADM) ACCESS(READ)
PERMIT RSM.RSS.AUDITLOG CLASS(FACILITY) ID(RSSADM) ACCESS(READ)
PERMIT RSM.RSS.TOOLS CLASS(FACILITY) ID(RSSADM) ACCESS(READ)
PERMIT RSM.RSS.BATCH CLASS(FACILITY) ID(RSSADM) ACCESS(READ)
PERMIT RSM.RSS.ADDUSER CLASS(FACILITY) ID(RSSADM) ACCESS(READ)
PERMIT RSM.RSS.COMMAND CLASS(FACILITY) ID(RSSADM) ACCESS(READ)
PERMIT RSM.RSS.USERS CLASS(FACILITY) ID(RSSADM) ACCESS(READ)
PERMIT RSM.RSS.GROUPS CLASS(FACILITY) ID(RSSADM) ACCESS(READ)
PERMIT RSM.RSS.SPECIAL CLASS(FACILITY) ID(RSSADM) ACCESS(READ)

SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH

After the user has logged on, the menu options presented to each RSS user are configured automatically according to the RACF resources to which that user has READ access.
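The following Python script is added here as an example and is not part of BMC's product or documentation. It builds a command deck like the sample above from a least-privilege role mapping (an auditor who only needs the audit log, an operator who needs tools and batch, and a full administrator) and lints the result: every PERMIT must name a profile that was RDEFINEd in the same class, which catches a misspelled profile name; every RSS profile must carry UACC(NONE); and no user may be granted more than READ. The user IDs RSSAUD and RSSOPR, the role split, and the function names are assumptions.

```python
"""Build and lint a RACF command deck for the RSS FACILITY profiles.
Added example, not BMC's code; role split and helper names are assumptions."""
import re

# RSS profiles documented on the page (FACILITY class by default).
RSS_PROFILES = [
    "RSM.RSS.LOGIN", "RSM.RSS.AUDITLOG", "RSM.RSS.TOOLS", "RSM.RSS.BATCH",
    "RSM.RSS.ADDUSER", "RSM.RSS.COMMAND", "RSM.RSS.USERS", "RSM.RSS.GROUPS",
    "RSM.RSS.SPECIAL",
]

# Assumed least-privilege roles: each user ID gets READ only on what it needs.
ROLES = {
    "RSSAUD": ["RSM.RSS.LOGIN", "RSM.RSS.AUDITLOG"],                # audit-log reviewer
    "RSSOPR": ["RSM.RSS.LOGIN", "RSM.RSS.TOOLS", "RSM.RSS.BATCH"],  # operator
    "RSSADM": RSS_PROFILES,                                         # full administrator
}


def build_deck(profiles, roles, cls="FACILITY"):
    """Return RDEFINE/PERMIT/SETROPTS commands as a list of lines."""
    deck = [f"RDEFINE {cls} {p} UACC(NONE)" for p in profiles]
    for userid, granted in roles.items():
        deck += [f"PERMIT {p} CLASS({cls}) ID({userid}) ACCESS(READ)" for p in granted]
    deck += [f"SETROPTS CLASSACT({cls})", f"SETROPTS RACLIST({cls}) REFRESH"]
    return deck


RDEFINE_RE = re.compile(r"^RDEFINE\s+(\w+)\s+(\S+)\s+UACC\((\w+)\)")
PERMIT_RE = re.compile(r"^PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)")


def check_deck(lines):
    """Return problems found: a PERMIT naming a profile never RDEFINEd in that
    class (e.g. a misspelled name), a UACC other than NONE, or access above READ."""
    defined, problems = set(), []
    for ln in lines:
        if m := RDEFINE_RE.match(ln):
            defined.add((m[1], m[2]))
            if m[3] != "NONE":
                problems.append(f"UACC({m[3]}) on {m[2]}: should be NONE")
    for ln in lines:
        if m := PERMIT_RE.match(ln):
            if (m[2], m[1]) not in defined:
                problems.append(f"PERMIT on undefined profile {m[1]} for {m[3]}")
            if m[4] != "READ":
                problems.append(f"ACCESS({m[4]}) on {m[1]} for {m[3]}: READ suffices")
    return problems
```

`check_deck(build_deck(RSS_PROFILES, ROLES))` returns an empty list; feeding it a deck in which the RDEFINE and the PERMIT spell a profile name differently reports that PERMIT as referencing an undefined profile.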
