Defining the started task to the ESM
To define the started task to RACF
Use the following commands to define the Security Policy Manager started task to RACF:
CONNECT <stcUser> GROUP(<groupName>) OWNER(<owner>) AUTH(USE) UACC(NONE)
RDEFINE STARTED <spmSTCname>.* STDATA(USER(<stcUser>))
RDEFINE STARTED <masterSTCname>.* STDATA(USER(<stcUser>))
SETROPTS REFRESH RACLIST(STARTED)
ALTUSER <stcUser> OMVS(HOME('<pathName>'))
ALTUSER <stcUser> OMVS(PROGRAM('/bin/sh'))
ALTUSER <stcUser> OMVS(UID(<uidNumber>))
Replace the following placeholders:
- <stcUser>—RACF user ID under which the Security Policy Manager started task runs
- <owner>—RACF owner for the resource
- <groupName>—RACF group name to which the RACF user ID belongs
- <userID>—RACF user identifier that is granted access to Security Policy Manager
- <spmSTCname>—Name of the Security Policy Manager procedure (for example, BASPMS)
- <masterSTCname>—Name of the Security Policy Manager master address space (for example, BASPMM)
- <pathName>—USS home directory for the stcUser
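The RACF definitions above applied in batch and then listed back for verification, as an added example that is not from the BMC documentation; the user, group, owner, procedure names, UID/GID and home directory are constructed sample values, and the group is assumed to exist already.

```jcl
//RACFSPM  JOB (ACCT),'DEFINE SPM STC',CLASS=A,MSGCLASS=X
//* Added example (not from the BMC documentation): applies the RACF
//* definitions above through the TSO TMP in batch, then lists them
//* back so the result can be reviewed in SYSTSPRT before the task
//* is started. All values are constructed samples: user BASPM,
//* group BASPMG, owner SYS1, procedures BASPMS and BASPMM,
//* UID/GID 4711 and home /u/baspm. Group BASPMG is assumed to exist.
//*
//* Notes, in the order of the SYSTSIN commands:
//*  1. ALTGROUP gives the group an OMVS GID; a USS process needs a
//*     GID as well as a UID.
//*  2. ADDUSER with NOPASSWORD NOOIDCARD makes BASPM a PROTECTED
//*     user: it can own the started task but cannot be used to log
//*     on and is not revoked by invalid password attempts. ADDUSER
//*     also connects the user to DFLTGRP, so the CONNECT command
//*     above is only needed when the user ID already exists.
//*  3. RDEFINE STARTED leaves the STDATA defaults TRUSTED(NO)
//*     PRIVILEGED(NO), so the task gets no bypass of RACF checking.
//*  4. UID(4711) is deliberately non-zero; UID(0) would make the
//*     task a USS superuser.
//*  5. RLIST output must show USER= BASPM, TRUSTED= NO and
//*     PRIVILEGED= NO for both profiles; LISTUSER must show
//*     ATTRIBUTES=PROTECTED and an OMVS segment with the UID, HOME
//*     and PROGRAM just set.
//DEFINE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTGROUP BASPMG OMVS(GID(4711))
  ADDUSER BASPM NAME('SPM STARTED TASK') OWNER(SYS1) +
          DFLTGRP(BASPMG) NOPASSWORD NOOIDCARD
  RDEFINE STARTED BASPMS.* STDATA(USER(BASPM) GROUP(BASPMG))
  RDEFINE STARTED BASPMM.* STDATA(USER(BASPM) GROUP(BASPMG))
  SETROPTS RACLIST(STARTED) REFRESH
  ALTUSER BASPM OMVS(UID(4711) HOME('/u/baspm') PROGRAM('/bin/sh'))
  RLIST STARTED BASPMS.* STDATA
  RLIST STARTED BASPMM.* STDATA
  LISTUSER BASPM OMVS
/*
```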
To define the started task to Top Secret
Use the following syntax as a guide to make sure that the BMC AMI Security Policy Manager started task has the correct Top Secret authorities:
TSS ADD(BASPM) GROUP(<stcGroupName>) UID(<uidNumber>)
TSS ADD(BASPM) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)
TSS ADDTO(BASPM) HOME(/u/baspm) OMVSPGM(/bin/sh)
TSS ADD(STC) PROCNAME(<spmMasterAddressSpaceName>) ACID(BASPM)
TSS ADD(STC) PROCNAME(<spmAddressSpaceName>) ACID(BASPM)
TSS ADD(STC) PROCNAME(<tsoAddressSpaceName>) ACID(BASPM)
TSS PERMIT(BASPM) CASECAUT(TSSUTILITY.TSSCFILE) ACCESS(USE)
TSS ADMIN(BASPM) RESOURCE(AUDIT,REPORT,INFO) MISC9(GENERIC) ACID(AUDIT,REPORT,INFO) DATA(ALL,PROFILE) MISC8(ALL)
TSS ADDTO(BASPM) FAC(STC)
Replace the following placeholders:
- <stcGroupName>—Started task command group name
- <uidNumber>—User identifier value in the OMVS segment
- <spmMasterAddressSpaceName>—Name of the Security Policy Manager master address space
- <spmAddressSpaceName>—Name of the Security Policy Manager address space
- <tsoAddressSpaceName>—Name of the Security Policy Manager TSO address space
To define the ACF2 started task
Use the following syntax as a guide to make sure that the BMC AMI Security Policy Manager started task has the correct ACF2 authorities:
INSERT <stcUserId> NAME(BMC AMI Security Policy Manager) ACCOUNT AUDIT RESTRICT -
SECURITY TSO GROUP(<omvsGroup>) PREFIX(RSS) CONSOLE JCL -
OPERATOR PROMPT HOME(/u/baspm) OMVSPGM(/bin/sh) -
UID(<uid>) RULEVLD RSRCVLD
Replace the following placeholders:
- <stcUserId>—ACF2 logon ID for the started task
- <omvsGroup>—OMVS group name
- <uid>—ACF2 UID string
Select TSO option 6 and set the following global system options (GSO) record:
ACF
SET CONTROL(GSO)
INSERT STC GROUP(OMVSGRP) LOGONID(<stcUserId>) STCID(<stcName>)
F ACF2,REFRESH(STC)
Replace the following placeholders:
- <stcUserId>—ACF2 logon ID for the started task
- <stcName>—Started task name
- Set up the logon ID for the RSS STCs with an STC GSO record, because they create USS processes and retain all privileges. This does not happen if the logon ID is set up with the STC privilege instead of an STC GSO record.
Set the following general resource access:
$KEY(BPX) TYPE(FAC)
CONSOLE UID(<stcUserId>) ALLOW
SUPERUSER UID(<stcUserId>) ALLOW
$KEY(IRR) TYPE(FAC)
RADMIN UID(<stcUserId>) ALLOW
Replace the <stcUserId> placeholder with the ACF2 logon ID for the started task.
- Under ACF2 operator commands (OPERCMDS), restrict the MVS.MODIFY.STC.RSSSPM.RSSSPM resource to authorized users who maintain the software.
The ACF2 logon ID for the started task requires access to the SDSF resource, ISF.CONNECT.**, and all SDSF display commands.
Where to go from here
After defining the started task to the ESM, create a database directory.