BMC AMI Security Policy Manager (SPM) helps mainframe teams maintain a continuously secure and compliant z/OS environment. It automates rule-based compliance checks, detects inconsistencies in near real time, and streamlines audit readiness — all within the BMC AMI Security ecosystem.
Here are some answers to the most frequently asked questions about the BMC AMI Security Policy Manager product.
For information about using this documentation portal, see About this documentation. For a PDF of the product documentation, see PDFs.
What is SPM?
SPM is a security policy engine that collects real-time system and subsystem data, identifies events that violate security or compliance standards (and requirements when applicable), and presents results through intuitive dashboards and reports.
Who should use SPM?
SPM supports:
- System Programmers managing z/OS environments and RSS framework operations
- Security Administrators responsible for compliance, auditing, and policy enforcement
- Application Developers validating application environments against corporate controls
How does SPM integrate with BMC AMI Resident Security Server (RSS)?
SPM runs under the RSS framework. In SPM 2.3, the RSS High Level Manager (RSSPMHLM) initiates and manages SPM for improved performance and availability.
What types of security data does SPM analyze?
SPM monitors key events across z/OS, RACF, ACF2, Top Secret, CICS, USS, Db2, and IMS as examples to identify compliance gaps and policy violations.
Does SPM support industry security frameworks?
Yes. SPM provides rules for DISA STIG, CIS, and PCI DSS, helping organizations align with established security baselines.
How does SPM manage and evaluate rules?
Rules are defined as SQL-based or REXX-based queries. An INDEX sets execution frequency, category, references, and allowlist definitions. Teams can add custom rules to enforce internal standards.
How frequently can rules run?
Rules can run:
- On a fixed schedule (seconds, minutes, hours, days)
- At SPM startup
- Triggered by system events
- Manually via the SPM interface
What does the SPM dashboard provide?
The Compliance Overview dashboard displays:
- Compliant rule counts per system
- Non compliant categories
- Highest failing rules
- DISA STIG compliance
Can SPM forward data to SIEM platforms?
Yes. SPM results can be forwarded to an external SIEM for enterprise wide visibility and correlation.
How do users access the SPM interface?
Authorized users access SPM through a browser using the configured HTTP/S port. Authentication is enforced through the external security manager (ESM). MFA configurations are supported.
What are the core runtime components needed?
Each LPAR requires:
- One Master Address Space
- One SPM Server Address Space.
The address spaces communicate using XCF and RSSID settings.
How is SPM installed?
SPM is delivered as part of the BMC AMI Resident Security Server suite. Installation includes:
- Uploading the binary package
- Running TSO RECEIVE
- Executing the INSTALL procedure
- Defining ESM resources and started tasks
Does SPM support IBM z/OSMF installation workflows?
Yes. BMC provides z/OSMF deployment workflows for SPM 2.3.01 to streamline installation and setup.
What post installation steps are required?
Administrators typically:
- Configure SPM parameters (HTTP server, data sets, RSS settings)
- Create database directories and checkpoint data sets
- ESM Security set up to give appropriate access
- Review and customize JCL procedures
Can SPM be customized for internal policy requirements?
Yes. Organizations can define custom SQL rules, create REXX based logic, and use categories and references to integrate SPM with internal policy frameworks.
Does BMC provide documentation and PDFs for SPM?
The SPM 2.3 documentation space includes ready made PDFs (e.g., SPE2501/SPE2410) and tools for creating custom PDF bundles.
Where can I find version support and technical advisories?
BMC’s support site provides version listings, technical bulletins, and product advisories for SPM 2.3 under Full Support.
