Step 4.1 IOA Security Definitions (Optional)

IOA security definition samples are found in the IOASTSS2 member of the IOA INSTWORK library. The IOASTSS2 member is created in the IOA INSTWORK library after selecting this step.

  1. Define IOA monitors in the TopSecret Facility Matrix

    IOASTSS2 contains the command needed to dynamically define IOA in the TopSecret Facility Matrix.

    1. Modify USER1 in the facility definition command to a free entry in the Facility Matrix, as follows:

      TSS MODIFY FAC(USER1=NAME=IOA)

      This command defines IOA in the Facility Matrix until the next IPL.

    2. Update the TopSecret parameter member, usually called TSSPARM0, to permanently define the facility.
    3. Copy the IOA facility definition from the IOASTSS5 member in the IOA BASE INSTALL library to the TSSPARM0 member.
    4. Update the Facility Matrix entry name to the same name that is specified in the TSS MODIFY command.
  2. Define IOA ACID to TopSecret

    Change the DEPT parameter value from sec-administrator-dept (the security administrator department) to the appropriate ACID:

    TSS CRE(IOA) NAME(...) DEPT(sec-administrator-dept)

  3. Define IOA procedures (started tasks) to TopSecret

    Change the ACID definition in the following commands to the appropriate ACID:

    TSS ADD(STC) PROC(IOAOMON1) ACID(IOA)
    TSS ADD(STC) PROC(IOAVMON) ACID(IOA)

  4. Connect the appropriate profile to the IOA ACID in the following command:

    TSS ADD(IOA) PROF(profile-name)

    IOAOMON must be authorized to any datasets that are accessed by online users.

  5. Connect usera to the IOA ACID in the following command:

    TSS ADD(usera) FAC(IOA)

  6. Define IOA entities and user authorizations to TopSecret

For information about how to define IOA entities and user authorizations to TopSecret, see Basic Definition Security Calls, and Extended Definition Security Calls.

Modify the following command to establish resource ownership in TopSecret to the appropriate owner:

TSS ADD(sec-administrator-dept) IBMFAC($$IOA)

For samples of user authorizations, review member IOASTSS3 in the IOA INSTWORK library.

All entity names for each IOA protected element appear in Basic Definition Security Calls (for Basic Definition mode) and Extended Definition Security Calls (for Extended Definition mode).

  1. Associate users with Extended Definition modes

    Customize the following TopSecret command to establish Extended Definition mode for the IOA installer.

    TSS PERMIT(USERA) IBMFAC($$IOAEDM.qname) ACC(READ)

    Change USERA to the UID of the IOA installer.

    When an IOA security module is customized to CONDitional mode, a user without access to this entity works in Basic Definition mode. With access, the user works in Extended Definition mode.

    Do not define the $$IOAEDM entity to operate in warning mode since this causes all users to operate in Extended Definition mode.

  2. Authorize the IOA installer to use IOA facilities.
    1. Customize the following command to authorize USERA access to the Online monitor:

      TSS ADD(USERA) FACILITY(IOA)

    2. Change USERA to the user ID of the IOA installer.
    3. Customize the following command to authorize the IOA installer to use IOA facilities:

      TSS PERMIT(USERA) IBMFAC($$IOA) ACC(READ)

    4. Submit the job.

      This job must be run under the ACID of the general security administrator (SCA) who has authorization to enter TopSecret commands.

      All job steps must end with a condition code of zero.
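Before the job is submitted, the customized commands can be checked offline for sample values that were never replaced and for a facility name that differs from the one defined in the TSS MODIFY command. The following Python script is an added example, not part of the IOA installation materials; it assumes the customized commands were copied to plain text, and the names lint_tss_commands, USER7, IOAPROD, SECDEPT, INST01 and QN1 are constructed for illustration.

```python
import re

# Placeholder tokens used in this page's sample commands (USERA appears in both cases).
PLACEHOLDERS = ("sec-administrator-dept", "profile-name", "usera", "qname", "...")
NAME_CHARS = r"A-Z0-9$#@-"  # characters that can continue an identifier

def lint_tss_commands(text):
    """Return sorted (line_number, message) findings for a customized command list."""
    findings, facility, fac_refs = [], None, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().upper()
        if not line.startswith("TSS "):
            continue  # skip JCL and comments; only TSS commands are checked
        for token in PLACEHOLDERS:
            pattern = rf"(?<![{NAME_CHARS}]){re.escape(token.upper())}(?![{NAME_CHARS}])"
            if re.search(pattern, line):
                findings.append((number, f"placeholder '{token}' not customized"))
        defined = re.search(r"MODIFY\s+FAC\(\s*\w+=NAME=(\w+)\s*\)", line)
        if defined:
            facility = defined.group(1)
        # \b keeps IBMFAC(...) resource permits out of the facility references.
        used = re.search(r"\b(?:FAC|FACILITY)\((\w+)\)", line)
        if used:
            fac_refs.append((number, used.group(1)))
    if facility:  # compare only when the command list itself defines the facility
        for number, name in fac_refs:
            if name != facility:
                findings.append(
                    (number, f"FAC({name}) does not match Facility Matrix name {facility}"))
    return sorted(findings)

# Constructed sample: one leftover placeholder (line 4), one facility mismatch (line 5).
SAMPLE = """\
TSS MODIFY FAC(USER7=NAME=IOAPROD)
TSS CRE(IOA) NAME('IOA STC') DEPT(SECDEPT)
TSS ADD(STC) PROC(IOAOMON1) ACID(IOA)
TSS ADD(IOA) PROF(profile-name)
TSS ADD(INST01) FAC(IOA)
TSS PERMIT(INST01) IBMFAC($$IOAEDM.QN1) ACC(READ)
TSS PERMIT(INST01) IBMFAC($$IOA) ACC(READ)
"""

if __name__ == "__main__":
    for number, message in lint_tss_commands(SAMPLE):
        print(f"line {number}: {message}")
```

An empty result means only that no sample values remain and the facility names agree; it does not validate the commands against TopSecret itself.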
