- Control‑M Application Server can be installed without setting up special security requirements, except as noted below for RACF, CA-ACF2 and CA-TOP SECRET.
If you are using RACF, ACF2 or TOP SECRET, define the started task Control‑M/EM as a valid started task under the relevant security system.
- All Control‑M functions that a user requests through Control‑M Application Server are performed in Control‑M by Control‑M Application Server.
To enable Control‑M Application Server to perform these functions as required, provide Control‑M Application Server with READ and UPDATE authority for all data sets for which the Control‑M monitor is authorized.
- When authorized, users of Control‑M Application Server have the option of performing the Edit JCL function. This function is executed by Control‑M Application Server. Accordingly, Control‑M Application Server should have UPDATE authority for all JCL libraries for which any Control‑M Application Server user has EDIT authority.
- Control‑M Application Server performs actions on jobs that are contained in the Active Jobs file and that are displayed in the Active Environment screen (Screen 3). The CTMSE08 Control‑M security module verifies a user’s authorization to perform actions on these jobs.
If security for Control‑M is enabled, you must authorize Control‑M Application Server to perform all operations in Control‑M Screen 3.
For more information about the CTMSE08 module, see the Control‑M chapter in the INCONTROL for z/OS Security Guide.
- The following special users must be authorized.
- User GCSERV: When global conditions are added from the Control‑M/EM Global Conditions Server, they are added under user ID GCSERV. The GCSERV user therefore must be defined in security.
The GCSERV user is the user ID of the Control‑M/EM Global Conditions Server that distributes global condition transactions from any data center to another. This user should have the authorization to access IOA Condition file facilities. This user ID must be GCSERV, specified with uppercase letters.
- User CTMAS: The user ID that was assigned to the CTMAS monitor that actually performs all Control‑M/EM requests in the mainframe data center. This user ID is not necessarily CTMAS, but whatever user ID the system assigns to the CTMAS monitor. This value can be changed.
- User CTMSYNC: The user ID through which Control-M/EM requests automatic synchronization between the folder libraries in Control-M (specified by SYNCLIBS for synchronization) and the Control-M/EM database. This user must have dataset access authorization to all the libraries specified in the SYNCLIBS parameter member, and to the calendar libraries pointed to by DD names DACAL and DARBC. In addition, in Extended Definition mode, CTMSYNC must have authorization to the $$ECSVWF facility. Note that CTMSYNC is the default user name, which is customizable in Control-M/EM; if it has been changed, the new user name must be authorized in this step.
- User BIMUSER: BMC Batch Impact Manager requires a user name to connect to Control-M/EM. In Control-M for z/OS, you must add a user that will be used by BMC Batch Impact Manager. By default, BMC Batch Impact Manager uses the BIMUSER user name.
Ensure that the BIMUSER user name has the following privileges:
- Order
- Force
- Rerun
- Hold
- Log
- Zoom-and-Save
- Kill job
For information on setting the privileges for the user name, see the INCONTROL for z/OS Security Guide.