Step 3. RACF Security Definition Samples (Optional)

Note: To activate the IOA to XBM interface, XBM must be active and at least one of the following parameters: ZIIPXBMO, ZIIPXBMP, or ZIIPXBMA must be set to Y.

A RACF call is made by XBM on the initial request to determine if a user is authorized to perform the requested function. The following RACF profile is used:

BMCXBM.<XBM_SSID>.ZIIP

If this profile is not defined, permission will be granted. More detailed information can be found in the XBM documentation.

Step 3.1 IOA Security Definitions (Optional)

IOA security definition samples are found in the IOASRAC2 member of the IOA INSTWORK library. This member is created in the IOA INSTWORK library after selecting this step.

1. Associate users with extended definition mode.
   1. When using Conditional Definition mode, define the entity $$IOAEDM.qname using the following command:

      RDEFINE FACILITY $$IOAEDM.qname UACC(NONE)

      Force USERA to work in the Extended Definition mode by using the following command:

      PERMIT $$IOAEDM.qname ID(USERA) CLASS(FACILITY) ACCESS(READ)

      Users who have read authority to this entity will work in the Extended Definition mode. Users who are not authorized to access this entity work in the Basic Definition mode.

   2. Submit the job for execution.
2. Verify that the SURROGAT class is active.
   1. Use the following command to list the active classes:

      SETROPTS LIST

   2. To activate the SURROGAT class, use the following command:

      SETROPTS CLASSACT(SURROGAT)

Step 3.2 Function Security Definitions (Optional)

The IOASRAC3 job in the IOA INSTWORK library is optional. It contains some definition samples for various entities. Customize this job according to your requirements and submit the job.

Define entities and user authorizations.

For information about defining IOA entities and user authorizations, see Basic Definition Security Calls, and Extended Definition Security Calls.

Examples

The IOASRAC4 job in the IOA INSTWORK library contains a sample of the definitions required to define Program Pathing access authorizations to IOA datasets. Review the definitions and modify them according to the requirements of your site.

Note: Before submitting this job, BMC recommends that the security administrator read Limiting Access to Specific Programs and read about protecting entities through Program Pathing in the manual of your security product.

• To control access to the IOA Online facility, specify the following command:

  RDEFINE FACILITY $$IOAONLINE.qname

  where qname is used to assign different authorizations to different IOA environments (such as Test and Production). This parameter is specified during IOA installation.

• To define and authorize all conditions beginning with SYS, use the following command:

  RDEFINE FACILITY $$IOARES.qname.SYS*
  PERMIT $$IOARES.qname.SYS* CLASS(FACILITY) ID(USERA) ACCESS(READ)

• To authorize USERA access to a given IOA entity, use the following command:

  PERMIT $$IOAnnn.qname CLASS(FACILITY) ID(USERA) ACCESS(READ)

  All entity names for each IOA protected element appear in Basic Definition Security Calls for Basic Definition mode and Extended Definition Security Calls, for Extended Definition mode.

Step 3.3 Control Program Access to IOA Datasets (Optional)

The IOASRAC4 job in the IOA INSTWORK library contains a sample of the definitions required to define Program Pathing access authorizations to IOA datasets. Review the definitions and modify them according to the requirements of your site.

Note: Before submitting this job, BMC recommends that the security administrator read Limiting Access to Specific Programs and read about protecting entities through Program Pathing in the manual of your security product.