Control-M/Analyzer Security

This chapter describes the procedure used to implement the Control‑M/Analyzer security interface. It is recommended that you first review the explanations below on the elements that are protected in Control‑M/Analyzer and then proceed to the step-by-step instructions.

Protecting Control-M/Analyzer Elements

The Control‑M/Analyzer security interface protects the following Control‑M/Analyzer elements:

  • Ordering balancing missions.

  • Access to the Control‑M/Analyzer files.

  • Access to the Rule Activity screen.

  • Access to the Control‑M/Analyzer Active Balancing Environment screen and the invocation of line commands under the Active Balancing Environment screen (hold, free, delete, and so on).

Balancing Missions

Each Control‑M/Analyzer balancing mission contains an OWNER parameter. This parameter is the user ID to which this mission belongs. If a user orders a balancing mission, the user must be authorized to access the owner of the rule. The CTBSE01 Control‑M/Analyzer security module verifies that the logged on user is authorized to order a balancing mission that belongs to the owner of the rule.

Access to IOA Files

IOA files contain Control‑M/Analyzer information for groups, variables, and variable generations. These files are accessed through the online screens, utilities and runtime environment.

The CTBSE03 Control‑M/Analyzer security module verifies the user authority each time IOA Access Method files are accessed.

Access to the Rule Activity Screen

The Rule Activity screen in Control‑M/Analyzer lists Control‑M/Analyzer rule invocations and their status. The user can view information about a rule in the list, print a rule, or perform a rollback of the rule invocation, and so on.

The CTBSE04 Control‑M/Analyzer security module verifies the user’s authority to perform various actions on the rules displayed in the Rule Activity screen.

Access to the Active Balancing Environment Screen

The Control‑M/Analyzer Active Balancing Environment screen lists the balancing missions currently being handled by Control‑M/Analyzer and their status. The user can issue inquiries about a rule within the list, or change its status.

The CTBSE08 Control‑M/Analyzer security module verifies the user’s authorization to perform actions (hold, delete, and so on) on balancing missions displayed in the Active Balancing Environment screen.

Control-M/Analyzer Basic Definition Security Calls

Table 65 Control‑M/Analyzer Basic Definition Security Calls

| Protected Element | Type | Class Entity Name | Explanation | Security Module |
|---|---|---|---|---|
| Controlling Balancing Mission Ordering | | SURROGAT owner.SUBMIT; ACIDCHK owner; FACILITY $SUBMIT.owner | owner is the name of the user specified in the balancing mission definition. | CTBSE01 |
| Controlling Access to the Control‑M/Analyzer Database | | FACILITY $$CTBDBA.qname.groupname | groupname contains the first characters of the requested group name (maximum: 12 characters). | CTBSE03 |
| Controlling Access to IOA Access Method Files | | FACILITY $$CTBDBA.qname.groupname.varname | groupname contains the first characters of the requested group name (maximum: 12 characters). varname contains the first characters of the requested Database variable name (maximum: 12 characters). varname is optional and can be used only when the object of the request is a Database variable or Database variable generation. If varname is omitted, the full name of the requested group can be used in the corresponding entity. | CTBSE03 |
| Control‑M/Analyzer Rule Activity screen | | FACILITY $$CTBACT.qname.groupname.jobname | jobname contains the requested job name. | |
| Controlling Access to the Active Balancing Environment Screen | | | | |
| Authority to enter Active Balancing Environment screen | | FACILITY $$CTBPNLB.qname | | CTBSE08 |
| Use of Active Balancing Environment screen | | SURROGAT owner.SUBMIT; ACIDCHK ownerid; FACILITY $SUBMIT.owner | owner is the name of the user specified in the balancing mission definition. | CTBSE08 |

Control-M/Analyzer Extended Definition Security Calls

Table 66 Control‑M/Analyzer Extended Definition Security Calls

| Protected Element | Type | Class Entity Name | Explanation | Security Module |
|---|---|---|---|---|
| Controlling Balancing Mission Ordering | | FACILITY $$BALORD.qname.owner | owner is the name of the user specified in the balancing mission order definition. | CTBSE01 |
| Controlling Access to the Control‑M/Analyzer Database | | FACILITY. CREATE a group: $$GRPCRE.qname.groupname; UPDATE a group: $$GRPUPD.qname.groupname; DELETE a group: $$GRPDEL.qname.groupname; VIEW a group: $$GRPVEW.qname.groupname; VIEW Database variable in the group: $$GRPVWV.qname.groupname; USE a group: $$GRPUSE.qname.groupname | groupname contains the first characters of the requested group name (maximum: 12 characters). | CTBSE03 |
| Controlling Access to IOA Access Method Files | | FACILITY. CREATE a group’s Database variable: $$VRBCRE.qname.groupname.varname; UPDATE a group’s Database variable: $$VRBUPD.qname.groupname.varname; DELETE a group’s Database variable: $$VRBDEL.qname.groupname.varname; VIEW a group’s Database variable: $$VRBVEW.qname.groupname.varname; VIEW a Database variable’s generation: $$VRBVWG.qname.groupname.varname; CREATE a Database variable’s generation: $$VRGCRE.qname.groupname.varname; GET a Database variable’s generation: $$VRGVEW.qname.groupname.varname; UPDATE a Database variable’s generation: $$VRGUPD.qname.groupname.varname; DELETE a Database variable’s generation: $$VRGDEL.qname.groupname.varname; ROLL a Database variable’s generation: $$VRGROL.qname.groupname.varname | groupname contains the first characters of the requested group name (a maximum of 12 characters). varname contains the first characters of the requested Database variable name (a maximum of 12 characters). varname is optional and can be used only when the object of the request is a Database variable or Database variable generation. If varname is omitted, the full name of the requested group can be used in the corresponding entity. | CTBSE03 |
| Control‑M/Analyzer Rule Activity screen | | FACILITY. VIEW of Invocation Database variables: $$VIEW.qname.groupname.jobname; VIEW of Invocation Log: $$LOG.qname.groupname.jobname; VIEW of Invocation Report: $$REPORT.qname.groupname.jobname; PRINT of Invocation Report: $$PRINT.qname.groupname.jobname; ROLL-BACK of Invocation: $$ROLL.qname.groupname.jobname | jobname contains the requested job name. | |
| Controlling Access to the Active Balancing Environment Screen | | | | |
| Authority to enter the Active Balancing Environment screen | | FACILITY $$CTBPNLB.qname | | CTBSE08 |
| Use of Active Balancing Environment screen | | FACILITY. Hold: $$BRULHLD.qname.owner; Free: $$BRULFRE.qname.owner; Delete: $$BRULDEL.qname.owner; Log: $$BRULLOG.qname.owner; Why: $$BRULWHY.qname.owner; Zoom: $$BRULZOO.qname.owner; Save: $$BRULSAV.qname.owner | owner is the name of the user specified in the balancing mission definition. | CTBSE08 |

Implementing Control-M/Analyzer Security

This section details the steps required to implement the Control‑M/Analyzer security interface.

The Control-M/Analyzer security interface can be installed either as part of the customized installation path, or during the Customization process after installation. Both options use the INCONTROL Installation and Customization Engine (ICE) application. If you are not familiar with the ICE interface, see the INCONTROL for z/OS Installation Guide: Installing.

The Control‑M/Analyzer security interface cannot be implemented until IOA security is installed. Verify that IOA security is installed before proceeding with Control‑M/Analyzer security implementation.

To install the Control-M/Analyzer security interface

  1. Enter the main ICE screen.

  2. Select Customization.

  3. Enter CTB in the Product field.

  4. Select Security Customization.

  5. Perform all major and minor steps required to install the security product.

Step 1 Implement Control-M/Analyzer Security

Follow the steps below to implement Control‑M/Analyzer security.

Step 1.1 Grant Access Permissions

Collect the data you need to define the INCONTROL entities and user authorizations to the security product.

In ICE, run the steps "Control‑M/Analyzer Security Definitions (Sample)" and "Functions Security Definitions (Sample)" to create two sample jobs.

Step 1.2 Customize Security Parameters

Table 67 Control‑M/Analyzer Modes

| Mode | Definition |
|---|---|
| DEFMCHKB | When choosing COND as the definition mode for any of the Control‑M/Analyzer security modules, use qname together with the value given to this parameter as the high level qualifier, to determine the real definition mode to be used. |
| SECTOLB | Determine the action to perform if your security product is inactive or a specific resource is not defined to the security product. Valid values are: YES (perform the action); NO (do not perform the action). |
| Mode Definition | Specify one of the following values to determine the Definition mode for the Control‑M/Analyzer security modules: COND (Conditional Definition mode; default); BASIC (Basic Definition mode); EXTEND (Extended Definition mode). |
| DFMB01 | Definition mode for the CTBSE01 Control‑M/Analyzer security module. |
| DFMB03 | Definition mode for the CTBSE03 Control‑M/Analyzer security module. |
| DFMB04 | Definition mode for the CTBSE04 Control‑M/Analyzer security module. |
| DFMB08 | Definition mode for the CTBSE08 Control‑M/Analyzer security module. |

Step 1.3 Save Security Parameters into Product

This step saves all the security parameters specified for Control‑M/Analyzer.

Step 2 RACF Security Definition Samples

Step 2.1 Control-M/Analyzer Security Definitions (Optional)

Step 2.2 Functions Security Definitions (Optional)

Step 2.3 Control Program Access to Datasets (Optional)

Select these steps to edit members CTBSRAC2, CTBSRAC3, or CTBSRAC4 in the IOA INSTWORK library.

Perform the following steps to define the required permissions.

  1. Associate users with Extended Definition Mode.

    1. To define the entity $$CTBEDM.qname to RACF, use the following command:

      RDEFINE FACILITY $$CTBEDM.qname UACC(NONE)
    2. To authorize USERA to Extended Definition mode, use the following command:

      PERMIT $$CTBEDM.qname ID(USERA) CLASS(FACILITY) ACCESS(READ)
    3. Submit the job for execution.

      This job must run under a user or administrator who has authorization to enter these commands.

      Scan the output of the job for information and error messages. All job steps must end with a condition code of 0.

  2. Define entities and user authorizations.

    For information about entities and user authorizations, see Control-M/Analyzer Basic Definition Security Calls, and Control-M/Analyzer Extended Definition Security Calls.

    To authorize USERA access to a given Control‑M/Analyzer entity, use the following command:

    PERMIT $$CTBnnn.qname CLASS(FACILITY) ID(USERA) ACCESS(READ)

    where CTBnnn is the name of the Control‑M/Analyzer entity to be accessed.

    All entity names for each Control-M/Analyzer protected element appear in Control-M/Analyzer Basic Definition Security Calls for Basic Definition mode and Control-M/Analyzer Extended Definition Security Calls for Extended definition mode.

Step 3 TopSecret Security Definition Samples

Step 3.1 Control-M/Analyzer Security Definitions (Optional)

Step 3.2 Functions Security Definitions (Optional)

Step 3.3 Control Program Access to Datasets (Optional)

Select these steps to edit members CTBSTSS2, CTBSTSS3, or CTBSTSS4 in the IOA INSTWORK library.

  1. Define Entities and User Authorizations to TopSecret.

    For information about how to define Control‑M/Analyzer entities and user authorizations to TopSecret, see Control-M/Analyzer Basic Definition Security Calls, and Control-M/Analyzer Extended Definition Security Calls.

    1. Add the following command to add the resources to TopSecret:

      TSS ADD(sec-administrator-dept) IBMFAC($$CTB)

      Set the sec-administrator-dept parameter to the appropriate value.

      All entity names for each Control‑M/Analyzer protected element appear in Control-M/Analyzer Basic Definition Security Calls for Basic Definition mode and Control-M/Analyzer Extended Definition Security Calls for Extended Definition mode.

  2. Associate users with Extended Definition Modes.

    Authorizations to access Control‑M/Analyzer datasets are defined during the Control‑M/Analyzer installation process. This step must be completed before proceeding with security implementation. For information about how to grant users access to Control‑M/Analyzer datasets, see the Control‑M/Analyzer chapter in the INCONTROL for z/OS Installation Guide: Installing.

    1. Add the following TopSecret command to define the $$CTBEDM.qname entity to TopSecret and authorize users to this entity:

      TSS PERMIT(USERA) IBMFAC($$CTBEDM.qname) ACC(READ)

      Do not define the $$CTBEDM.qname entity to operate in warning mode because this causes all users to operate in Extended Definition mode.

  3. Authorize Control‑M/Analyzer installer to all Control‑M/Analyzer facilities.

    1. Customize the following command to authorize USERA to Control‑M/Analyzer facilities:

      TSS PERMIT(USERA) IBMFAC($$CTB) ACC(READ)

      Set the USERA parameter to the user ID of the Control‑M/Analyzer installer.

    2. Submit Job CTBSTSS2.

      This job must be run under the ACID of the general security administrator (SCA) who is authorized to enter these TopSecret commands.

      All job steps must end with a condition code of 0.

Step 4 ACF2 Security Definition Samples

Step 4.1 Control-M/Analyzer Security Definitions (Optional)

Step 4.2 Functions Security Definitions (Optional)

Step 4.3 Control Program Access to Datasets (Optional)

Select these steps to edit members CTBSSAF2, CTBSSAF3, or CTBSSAF4 in the IOA INSTWORK library.

Perform the following steps to define the required permissions.

  1. Associate users with Extended Definition Mode.

    1. Add the following ACF2 commands to define the $$CTBEDM.qname entity to ACF2, and authorize users to this entity.

    2. Define and authorize the entity $$CTBEDM.qname to ACF2 using the following command:

      SET RESOURCE(CMF)
      COMP
      $KEY($$CTBEDM.qname) TYPE(CMF)
       UID(USERA) ALLOW
  2. Define entities and user authorizations to CA‑ACF2/SAF.

    For information about entities and user authorizations, see Control-M/Analyzer Basic Definition Security Calls, and Control-M/Analyzer Extended Definition Security Calls.

    To authorize USERA (the user ID of the Control‑M/Analyzer installer) access to a given Control‑M/Analyzer entity, use the following command:

    SET RESOURCE(CMF)
    COMP
    $KEY($$CTBnnn.qname) TYPE(CMF)
     UID(USERA) ALLOW

    where qname is the name used to assign different authorizations to different Control-M/Analyzer environments (such as Test and Production). This parameter is specified during IOA installation.

    Set the USERA parameter to the UID string of the Control-M/Analyzer installer.

    All entity names for each Control-M/Analyzer protected element appear in Control-M/Analyzer Basic Definition Security Calls for Basic Definition mode and Control-M/Analyzer Extended Definition Security Calls for Extended Definition mode.

    For samples of user authorizations, review member CTBSSAF3 in the IOA INSTWORK library.

  3. Submit the Job.

    This job must be run under a user of an ACF2/SAF administrator who has authorization to enter these ACF2 commands.

    Scan the output of the job for information and error messages produced by ACF2/SAF. All job steps must end with a condition code of 0.

Control-M/Analyzer Security Interface Modules

This section describes the Control‑M/Analyzer Security Interface Modules.

Module CTBSE01

The CTBSE01 module is the security module of Control‑M/Analyzer Exit CTBX001. It is used to verify that the user is authorized to order balancing missions. A security check is issued to verify that the logged on user is allowed to order balancing missions on behalf of the user ID as specified in the OWNER field of the mission definition. The CTBSE01 module executes under the address space of the logged on TSO/ROSCOE user or under the TCB related to the logged on user when working in cross memory mode under the Online monitor. The class checked is FACILITY unless otherwise specified.

Basic Definition Mode

IOA verifies if the user is authorized to use the user ID (owner) in the balancing mission definition.

RACF Security

For this verification:

Entity Checked: owner.SUBMIT

Class: SURROGAT

where owner is the user ID specified as the owner of the Control‑M/Analyzer balancing mission.

If the logged on user is allowed to submit jobs on behalf of another user, the user is also allowed to order Control‑M/Analyzer balancing missions owned by that user.

The commands to permit USERA to order a balancing mission with an owner of USERB are:

RDEFINE SURROGAT USERB.SUBMIT UACC(NONE)
PERMIT USERB.SUBMIT ACCESS(READ) ID(USERA) CLASS(SURROGAT)

TopSecret Security

The TopSecret Application Interface module (TSSAI) is called with the following parameters:

Resource Class: ACIDCHK

Resource Name: userid (as specified in the OWNER field)

where userid is the user ID specified as the owner of the Control‑M/Analyzer balancing mission.

If the logged on user is allowed to submit jobs on behalf of another user, it is assumed that the user is also allowed to order Control‑M/Analyzer balancing missions owned by that user.

The command to permit USERA to order a balancing mission with an ownerid of USERB is:

TSS PERMIT(USERA) ACID(USERB)

ACF2/SAF Security

For this verification:

Entity Checked: $SUBMIT.owner

Class: FACILITY

where owner is the user ID specified as the owner of the Control‑M/Analyzer balancing mission.

The ACF2 commands to permit USERA to order a balancing mission with an owner of USERB are:

SET RESOURCE(CMF)
COMP
$KEY($SUBMIT.USERB) TYPE(CMF)
 UID (USERA) ALLOW

Extended Definition Mode

IOA verifies if the user is authorized to specify the user ID (owner) in the rule definition.

RACF Security

The entity checked for this verification is:

$$BALORD.qname.owner

where owner is the user ID specified as the owner of the Control‑M/Analyzer rule or balancing mission. To permit USERA to order Control‑M/Analyzer missions owned by USERB, use the following commands:

RDEFINE FACILITY $$BALORD.qname.USERB UACC(NONE)
PERMIT $$BALORD.qname.USERB ACCESS(READ) ID(USERA) CLASS(FACILITY)

TopSecret Security

The entity checked for this verification is:

$$BALORD.qname.owner

where owner is the user ID specified as the owner of the Control‑M/Analyzer rule or balancing mission. To permit USERA to order Control‑M/Analyzer missions owned by USERB, use the following commands:

TSS ADD(sec-administrator-dept) IBMFAC($$BALORD)
TSS PERMIT(USERA) IBMFAC($$BALORD.qname.USERB) ACC(READ)

ACF2/SAF Security

The entity checked for this verification is:

$$BALORD.qname.owner

where owner is the user ID specified as the owner of the Control‑M/Analyzer rule or balancing mission. To permit USERA to order Control‑M/Analyzer missions owned by USERB, use the following ACF2 commands:

SET RESOURCE(CMF)
COMP
$KEY($$BALORD.qname.USERB)
 UID (USERA) ALLOW

Module CTBSE03

The CTBSE03 module is the security module of Control‑M/Analyzer Exit CTBX003. This module verifies that the user is authorized to access groups, Database variables, and Database variable generations from the Control‑M/Analyzer Database Facility, utilities and runtime environment.

IOA verifies authorization. The CLASS checked is FACILITY, and the entity checked depends on the definition mode.

Basic Definition Mode

The entity used to check authorization is:

$$CTBDBA.qname.groupname.varname

To permit USERA to use all Database variables in all groups beginning with SYS, use the following commands:

For RACF:

RDEFINE FACILITY $$CTBDBA.qname.SYS* UACC(NONE)
PERMIT $$CTBDBA.qname.SYS* CLASS(FACILITY) ID(USERA) ACCESS(READ)

For TopSecret:

TSS PERMIT(USERA) IBMFAC($$CTBDBA.qname.SYS) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$CTBDBA.qname.SYS)
 UID (USERA) ALLOW

Extended Definition Mode

The entity used to check authorization depends on the user request:

$$xxxyyy.qname.groupname.varname

To permit USERA to operate with a group and a Database variable, use the following commands:

For RACF:

RDEFINE FACILITY $$xxxyyy.qname.groupname.varname UACC(NONE)
PERMIT $$xxxyyy.qname.groupname.varname CLASS(FACILITY) ID(USERA) ACCESS(READ)

For TopSecret:

TSS PERMIT(USERA) IBMFAC($$xxxyyy.qname.groupname.varname) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$xxxyyy.qname.groupname.varname)
 UID (USERA) ALLOW

where

xxx is a three character string that defines the object of the request as follows:

Table 68 Object String Definition

| String | Description |
|---|---|
| GRP | Group |
| VRB | Database variable |
| VRG | Database variable generation |

yyy is a three character string that defines the request as follows:

Table 69 Request String Definition

| String | Description |
|---|---|
| CRE | Create |
| CNF | Confirm |
| UPD | Update |
| DEL | Delete |
| ROL | Database variable rollback (with VRG only) |
| VEW | View |
| VWV | View Database variable in the group |
| VWG | View Database variable generation |
| USE | Use (with GRP only) |

Table 70 CTBSE03 Parameters

| Parameter | Description |
|---|---|
| groupname | First characters of the requested group name (a maximum of 12 characters). |
| varname | First characters of the requested Database variable name (a maximum of 12 characters). Used only when the object of the request is a Database variable or Database variable generation. If varname is omitted, the full name of the requested group can be used in the corresponding entity. Optional. |

When an attempt is made to execute any of these commands, security module CTBSE03 is called to check if the command must be executed. For performance reasons, this security module does not perform security checks for each line of the screen.
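The following Python sketch is an added example, not code from the product or its documentation. It builds the Extended Definition mode entity names that CTBSE03 checks (object/request pairs as listed in Table 66, names cut to 12 characters), emits the matching RACF commands, and flags any PERMIT whose profile has no RDEFINE; the qname value PROD, the group and variable names, and the function names are constructed for illustration.

```python
# Added example (not product code). Entity layout, object/request pairs and
# the 12-character limit come from the tables above; sample names are constructed.

# Object/request pairs that appear as entities in Table 66.
ALLOWED = {
    "GRP": {"CRE", "UPD", "DEL", "VEW", "VWV", "USE"},
    "VRB": {"CRE", "UPD", "DEL", "VEW", "VWG"},
    "VRG": {"CRE", "VEW", "UPD", "DEL", "ROL"},
}
MAX_LEN = 12  # groupname and varname: first characters, maximum 12


def entity_name(obj, req, qname, group, var=None):
    """Return the FACILITY entity checked by CTBSE03 for one request."""
    if req not in ALLOWED.get(obj, ()):
        raise ValueError(f"$${obj}{req} is not an entity listed in Table 66")
    if obj == "GRP":
        if var is not None:
            raise ValueError("group entities take no varname")
        return f"$${obj}{req}.{qname}.{group[:MAX_LEN]}"
    if var is None:
        # Page note: with varname omitted, the full group name can be used.
        return f"$${obj}{req}.{qname}.{group}"
    return f"$${obj}{req}.{qname}.{group[:MAX_LEN]}.{var[:MAX_LEN]}"


def racf_commands(entity, user):
    """RDEFINE with UACC(NONE) plus a READ permit, as in the page's samples."""
    return [
        f"RDEFINE FACILITY {entity} UACC(NONE)",
        f"PERMIT {entity} CLASS(FACILITY) ID({user}) ACCESS(READ)",
    ]


def unmatched_permits(commands):
    """List FACILITY profiles that are permitted but never defined in the job.

    Exact-name comparison only: generic profiles defined elsewhere are not
    resolved, so treat a hit as something to review, not as proof of an error.
    """
    defined, permitted = set(), []
    for line in commands:
        words = line.split()
        if len(words) >= 3 and words[:2] == ["RDEFINE", "FACILITY"]:
            defined.add(words[2])
        elif len(words) >= 2 and words[0] == "PERMIT" and "CLASS(FACILITY)" in words:
            permitted.append(words[1])
    return [name for name in permitted if name not in defined]


if __name__ == "__main__":
    ent = entity_name("VRG", "ROL", "PROD", "PAYROLLBALANCING", "DAILYTOTALAMOUNT")
    job = racf_commands(ent, "USERA")
    # Constructed mistake: request string mistyped, so no RDEFINE matches it.
    job.append("PERMIT $$VRGRLO.PROD.PAYROLLBALAN.DAILYTOTALAM "
               "CLASS(FACILITY) ID(USERA) ACCESS(READ)")
    print("\n".join(job))
    print("PERMIT without RDEFINE:", unmatched_permits(job))
```

Running the check over a security definitions job before submitting it catches profile names that differ between the RDEFINE and the PERMIT.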

Module CTBSE04

The CTBSE04 module is the security module of Control‑M/Analyzer Exit CTBX004. This module verifies that the user is authorized to access groups, jobs and invocations from the Control‑M/Analyzer Job Activity screen.

The CLASS checked is FACILITY. The entity used to check authorization depends on whether Basic Definition mode or Extended Definition mode is used.

Basic Definition Mode

The entity used to check authorization is $$CTBACT.qname.groupname.jobname

For example, to permit USERA to use all job invocations in all groups beginning with SYS, use the following commands:

For RACF:

RDEFINE FACILITY $$CTBACT.qname.SYS* UACC(NONE)
PERMIT $$CTBACT.qname.SYS* CLASS(FACILITY) ID(USERA) ACCESS(READ)

For TopSecret:

TSS PERMIT(USERA) IBMFAC($$CTBACT.qname.SYS) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$CTBACT.qname.SYS***********************)
 UID (USERA) ALLOW

Extended Definition Mode

The entity used to check authorization depends on the user request:

$$xxxxxx.qname.groupname.jobname

where

xxxxxx contains a maximum of six letters that define the request:

Table 71 CTBSE04 Request Parameters

| Request | Description |
|---|---|
| FRMCNF | Confirm use of display type |
| RECCNF | Confirm display of each invocation |
| VIEW | View Invocation Database variables |
| LOG | View Invocation log |
| REPORT | View Invocation report |
| PRINT | Print Invocation report |
| ROLL | Rollback of invocation |

groupname contains the first letters (maximum: 16) of the requested group name.

jobname contains the requested job name.

For example, to permit USERA to view the log of the invocation for job M999XPRD in group PRODGROUP, use the following commands:

For RACF:

RDEFINE FACILITY $$LOG.qname.PRODGROUP.M999XPRD UACC(NONE)
PERMIT $$LOG.qname.PRODGROUP.M999XPRD CLASS(FACILITY) ID(USERA) ACCESS(READ)

For TopSecret:

TSS PERMIT(USERA) IBMFAC($$LOG.qname.PRODGROUP.M999XPRD) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$LOG.qname.PRODGROUP.M999XPRD)
 UID(USERA) ALLOW

When an attempt is made to execute any of these commands, the CTBSE04 security module is called to check if the command must be executed. For performance reasons, this security module does not perform security checks for each line of the screen.

Module CTBSE08

The CTBSE08 module is the security module of Control‑M/Analyzer Exit CTBX008. This module verifies that the user is authorized to perform actions (hold, delete, and so on) on balancing missions displayed in the Active Balancing Environment screen.

Basic Definition Mode

Initial Access to the Active Balancing Environment Screen

IOA verifies authorization for the option in which the CLASS checked is FACILITY unless otherwise specified. The entity checked is $$CTBPNLB.qname

Subsequent Operations in the Active Balancing Environment Screen

For every action that is performed on this screen, IOA verifies authorization for the action.

RACF Security

For this verification:

Entity Checked: owner.SUBMIT

Class: SURROGAT

where owner is the user ID specified as the owner of the Control‑M/Analyzer balancing mission.

If the logged on user (current user) is allowed to submit jobs on behalf of another user, the current user is also allowed to order Control‑M/Analyzer balancing missions owned by the other user.

The commands to permit USERA to order a balancing mission with an owner of USERB are:

RDEFINE SURROGAT USERB.SUBMIT UACC(NONE)
PERMIT USERB.SUBMIT ACCESS(READ) ID(USERA) CLASS(SURROGAT)

TopSecret Security

The TopSecret Application Interface module (TSSAI) is called with the following parameters:

Resource Class: ACIDCHK

Resource Name: userid (as specified in the OWNER field)

where userid is the user ID specified as the owner of the Control‑M/Analyzer balancing mission.

If the logged on user is allowed to submit jobs on behalf of another user, it is assumed that the logged on user is also allowed to order Control‑M/Analyzer balancing missions owned by that user.

The command to permit USERA to order a balancing mission with an ownerid of USERB is:

TSS PERMIT(USERA) ACID(USERB)

ACF2/SAF Security

For this verification:

Entity Checked: $SUBMIT.owner

Class: FACILITY

where owner is the user ID specified as the owner of the Control‑M/Analyzer balancing mission.

The ACF2 commands to permit USERA to order a balancing mission with an owner of USERB are:

SET RESOURCE(CMF)
COMP
$KEY($SUBMIT.USERB) TYPE(CMF)
 UID (USERA) ALLOW

Extended Definition Mode

Initial Access to the Active Balancing Environment Screen

IOA verifies authorization for the option in which the CLASS checked is FACILITY and the entity checked is $$CTBPNLB.qname

Subsequent Operations in the Active Balancing Environment Screen

For every action that is performed on this screen, IOA verifies authorization for the action. The entity checked is:

$$BRULxxx.qname.owner

where owner is the user ID assigned as the owner of the balancing mission, and xxx contains 3 letters that define the request:

Table 72 CTBSE08 Request Parameters

| Action | Description |
|---|---|
| ZOO | Zoom |
| HLD | Hold |
| FRE | Free |
| DEL | Delete |
| LOG | Log |
| SAV | Save |
| WHY | Why |

To permit USERA to hold balancing missions that are owned by USERB, use the following command:

For RACF:

PERMIT $$BRULHLD.qname.USERB ACCESS(READ) ID(USERA) CLASS(FACILITY)

For TopSecret:

TSS PERMIT(USERA) IBMFAC($$BRULHLD.qname.USERB) ACC(READ)

For ACF2/SAF:

SET RESOURCE(CMF)
COMP
$KEY($$BRULHLD.qname.USERB)
 UID(USERA) ALLOW

When Control‑M/Analyzer attempts to display a line on the Active Balancing Environment screen, it calls the CTBSE08 security module. This module can be modified to check if the line must be displayed or not. For performance reasons, the CTBSE08 sample security module performs no security checks.