Authorizing users to issue Take Action commands
Certain commands, known as Take Action commands, can be issued from the Tivoli® Enterprise Portal and OMEGAMON® enhanced 3270 user interface. IBM® Z OMEGAMON® AI for Networks supports two types of Take Action commands: z/OS® system commands and agent-provided commands. Users must be authorized to issue these commands.
z/OS commands
By default, Take Action commands issued by IBM® Z OMEGAMON® AI for Networks are issued as z/OS system commands.
However, a monitoring server or monitoring agent address space can be configured to redirect Take Action commands to NetView® through the program to program interface (PPI). Take Action commands that are issued in NetView make full System Authorization Facility (SAF) calls for authorization. NetView uses the Tivoli Enterprise Portal user ID to determine the NetView operator on which the command authorization is performed. If command authorization passes, the command is processed by the NetView operator. Messages are written to the NetView log to provide an audit trail of the commands and the users that issued them. If you enable NetView command authorization on the monitoring server, you must also enable NetView to execute the commands.
For more information, see Configuring NetView authorization of z/OS commands in IBM Tivoli Monitoring: Configuring the Tivoli Enterprise Monitoring Server on z/OS.
Prefixed Take Action commands
The following commands, which are prefixed by N3:, are known as agent commands:
- Drop
- Nslookup
- Ping
- Tracerte
A subset of these commands, those that cannot also be run as console commands, can be issued using the Take Action feature on the Tivoli Enterprise Portal. In the OMEGAMON enhanced 3270 user interface, these commands are available in action menus.
Security for IBM® Z OMEGAMON® AI for Networks Take Action commands is based on SAF security classes and resource profile names. During product configuration you specify the name of the SAF security class that is used to validate product-specific Take Action commands. The SAF class that is used to validate Take Action commands is specified in the RTE_SECURITY_CLASS parameter. You can optionally code the KN3_SECURITY_ACTION_CLASS parameter if you want a separate SAF security class just for IBM® Z OMEGAMON® AI for Networks commands.
Resource profile names follow this pattern:
KN3.msn.TAKEACTION.*
where msn is the managed system name. At a minimum, you must create a profile by using the pattern shown in the previous sample for the global security class (RTE_SECURITY_CLASS) and give UPDATE access to the profile to all users you want to authorize to issue any Take Action commands from the enhanced 3270 user interface. The enhanced 3270 user interface address space uses SAF validation to determine whether a user is authorized to issue any Take Action commands.
Examples of resource profile names include the following:
KN3.**.TAKEACTION.*
KN3.TCPIP:TSTA.TAKEACTION.*
KN3.TCPIP:TSTA.TAKEACTION.commandname
or
KN3.**.TAKEACTION.commandname
where commandname is one of the supported IBM® Z OMEGAMON® AI for Networks Take Action commands, for example:
KN3.**.TAKEACTION.DROP
When a SAF authorization check for a Take Action command fails, messages like the following sample are issued:
2012.178 04:27:37.68 KN3A907I: USER=USER3 CLASS=$KOBSEC RESOURCE=KN3.TCPIPG:SYS.TAKEACTION.PING
2012.178 04:27:37.68 KN3A908I: RACROUTE VERIFY REG15=00000004 SAFPRRET=00000004 SAFPRREA=00000000 SAFPSFRC=00000000 SAFPSFRS=00000000
2012.178 04:27:37.68 KN3A909I: USER=USER3 RESULT: USER NOT DEFINED TO ESM
Additionally, this message is displayed in a pop-up window in the enhanced 3270 user interface:
 __________________________________________________
| Take Action Command Failure                      |
|                                                  |
| KN3A006E RACF AUTHORIZATION ERROR                |
|__________________________________________________|
In Tivoli Enterprise Portal or the enhanced 3270 user interface, you might also see the following message in the Drop Connection dialog's Command Output display:
KN3A904E TAKE ACTION RACROUTE AUTH RC(FAILURE). CLASS=OPERCMDS, COMMAND=VARY TCP, USER=SYSADMIN
This message indicates that the user was validated in the IBM® Z OMEGAMON® AI for Networks resource profile, but the user was not permitted to the TCPIP.MVS.DROP profile of the OPERCMDS class.
For more information, see the Enable security on the IBM Tivoli OMEGAMON enhanced 3270 user interface topic in the IBM Tivoli OMEGAMON and Tivoli Management Services on z/OS: Common Planning and Configuration Guide. For information on issuing Take Action commands from the enhanced 3270 user interface, see the IBM® Z OMEGAMON® AI for Networks: Enhanced 3270 User Interface User's Guide.
Restricting access to the Mainframe Networks Command Log and Response workspace
The IBM® Z OMEGAMON® AI for Networks monitoring agent has a unique workspace associated with prefixed Take Action commands: the Command and Response Log workspace. This enhanced 3270 workspace is similar to the Tivoli Enterprise Portal Command Log workspace. Commands in both workspaces are displayed in "last in, first out" order. The Tivoli Enterprise Portal workspace displays the commands that are issued by the user ID that logged into Tivoli Enterprise Portal, unless the user is given UPDATE access to the KN3.**.TAKEACTION.ADMIN resource profile, in which case all commands and all responses issued by all users are displayed. A similar mechanism is available in the enhanced 3270 user interface workspace, an enhanced 3270-based Command and Response Log workspace.
The resource profile that controls this access is:
KN3.**.TAKEACTION.ADMIN
where ADMIN means that a user or user group has permission to view all Take Action commands and responses for that user and other users. If this resource is not defined, or if users or groups are not permitted or granted access to this resource, a user is only allowed to see Take Action commands and responses issued by that user. Users with UPDATE access to KN3.**.TAKEACTION.ADMIN can see commands and command responses issued by all users. For information about setting up this command profile, see the SAF appendix of the IBM® Z OMEGAMON® AI for Networks: User's Guide.
Setting up a resource profile
The resource profile has this form:
KN3.<msn>.TAKEACTION
where <msn> is a managed system name. A managed system name typically identifies a unique Tivoli Enterprise Monitoring Server agent instance. In this statement, TAKEACTION is a literal. Unless a matching SAF profile exists to control access to a given Take Action command, any request to transmit an action to the managed system name is denied.
- To restrict access to issue IBM® Z OMEGAMON® AI for Networks Take Action commands from the enhanced 3270 user interface:
RDEFINE security_class KN3.**.TAKEACTION UACC(NONE)
- To restrict access to issue IBM® Z OMEGAMON® AI for Networks Take Action commands from the enhanced 3270 user interface on a particular TCPIP stack and system:
RDEFINE security_class KN3.<msn>.TAKEACTION UACC(NONE)
- To restrict access to IBM® Z OMEGAMON® AI for Networks Take Action commands:
RDEFINE security_class KN3.**.TAKEACTION.* UACC(NONE)
RDEFINE security_class KN3.**.TAKEACTION.PING UACC(NONE)
RDEFINE security_class KN3.**.TAKEACTION.TRACERTE UACC(NONE)
RDEFINE security_class KN3.**.TAKEACTION.NSLOOKUP UACC(NONE)
RDEFINE security_class KN3.**.TAKEACTION.DROP UACC(NONE)
- To restrict access to view all Take Action commands:
RDEFINE security_class KN3.**.TAKEACTION.ADMIN UACC(NONE)
SETROPTS RACLIST(security_class) REFRESH
For example, you can restrict access with the KN3.<msn>.TAKEACTION and KN3.**.TAKEACTION.* profiles in the $KN3SEC class by entering these commands:
RDEFINE $KN3SEC KN3.<msn>.TAKEACTION UACC(NONE)
SETROPTS RACLIST($KN3SEC) REFRESH
RDEFINE $KN3SEC KN3.**.TAKEACTION.* UACC(NONE)
SETROPTS RACLIST($KN3SEC) REFRESH
Granting access to individual user IDs or groups
- To enable a user ID or group to issue all IBM® Z OMEGAMON® AI for Networks Take Action commands from the enhanced 3270 user interface on any system:
PERMIT KN3.**.TAKEACTION ID(userid) ACCESS(UPDATE) CLASS(security_class)
- To enable a user ID or group to issue all IBM® Z OMEGAMON® AI for Networks Take Action commands on any system:
PERMIT KN3.**.TAKEACTION.* ID(userid) ACCESS(UPDATE) CLASS(security_class)
- To enable a user ID or group to issue all IBM® Z OMEGAMON® AI for Networks Take Action commands on a specific TCPIP stack and system:
PERMIT KN3.<msn>.TAKEACTION.* ID(userid) ACCESS(UPDATE) CLASS(security_class)
- To enable a user ID or group to issue a specific IBM® Z OMEGAMON® AI for Networks Take Action command on any system:
PERMIT KN3.**.TAKEACTION.DROP ID(userid) ACCESS(UPDATE) CLASS(security_class)
PERMIT KN3.**.TAKEACTION.PING ID(userid) ACCESS(UPDATE) CLASS(security_class)
PERMIT KN3.**.TAKEACTION.TRACERTE ID(userid) ACCESS(UPDATE) CLASS(security_class)
PERMIT KN3.**.TAKEACTION.NSLOOKUP ID(userid) ACCESS(UPDATE) CLASS(security_class)
- To enable a user ID or group to view all IBM® Z OMEGAMON® AI for Networks Take Action commands and responses issued by all users:
PERMIT KN3.**.TAKEACTION.ADMIN ID(userid) ACCESS(UPDATE) CLASS(security_class)
After you grant access, refresh the class and list the profiles to verify their access lists:
SETROPTS GENERIC(security_class) REFRESH
SETROPTS RACLIST(security_class) REFRESH
SETROPTS GLOBAL(*) REFRESH
RLIST security_class * AUTHUSER
If no matching SAF profile exists to protect a Take Action command, that Take Action is denied.
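The following Python is an added illustration, not IBM's code or part of this page: it models how a SAF resource name such as KN3.TCPIPG:SYS.TAKEACTION.PING is resolved against the generic profiles defined by the RDEFINE and PERMIT commands above, including the rule that a missing profile means deny and that a more specific profile (KN3.**.TAKEACTION.DROP) takes precedence over KN3.**.TAKEACTION.*. The matching and access-list rules are a simplified model of RACF's, and NETOPS is an assumed group ID.

```python
# Added illustration, not IBM code: a simplified model of how SAF/RACF
# resolves a KN3.<msn>.TAKEACTION[.<command>] resource against generic
# profiles and their access lists. Real RACF matching rules are richer.
from fnmatch import fnmatchcase

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # Take Action needs UPDATE

def qual_match(pat, res):
    """'**' spans zero or more qualifiers; '*' inside a qualifier matches any
    characters, so a bare '*' matches exactly one qualifier."""
    if not pat:
        return not res
    if pat[0] == "**":
        return any(qual_match(pat[1:], res[i:]) for i in range(len(res) + 1))
    return bool(res) and fnmatchcase(res[0], pat[0]) and qual_match(pat[1:], res[1:])

def best_profile(profiles, resource):
    """Most specific matching profile name, or None. Simplified ranking:
    more literal characters wins, then fewer '**' qualifiers."""
    res = resource.split(".")
    hits = [p for p in profiles if qual_match(p.split("."), res)]
    return max(hits, default=None,
               key=lambda p: (sum(c not in "*%" for c in p), -p.count("**")))

def can_issue(profiles, resource, user, groups=()):
    """profiles: {name: {"uacc": level, "permits": {id: level}}}.
    Returns (allowed, reason). An explicit user entry wins over group
    entries, which win over UACC; no matching profile at all means deny."""
    name = best_profile(profiles, resource)
    if name is None:
        return False, "no matching SAF profile, request denied"
    permits, uacc = profiles[name]["permits"], profiles[name]["uacc"]
    if user in permits:
        level = permits[user]
    elif any(g in permits for g in groups):
        level = max((permits[g] for g in groups if g in permits), key=LEVELS.index)
    else:
        level = uacc
    return LEVELS.index(level) >= LEVELS.index("UPDATE"), f"{name} gives {user} {level}"

# Constructed sample mirroring this page's RDEFINE/PERMIT commands;
# NETOPS is an assumed group ID, SYSADMIN the user ID from the page's message.
PROFILES = {
    "KN3.**.TAKEACTION": {"uacc": "NONE", "permits": {"NETOPS": "UPDATE"}},
    "KN3.**.TAKEACTION.*": {"uacc": "NONE", "permits": {"NETOPS": "UPDATE"}},
    "KN3.**.TAKEACTION.DROP": {"uacc": "NONE", "permits": {"SYSADMIN": "UPDATE"}},
    "KN3.**.TAKEACTION.ADMIN": {"uacc": "NONE", "permits": {"SYSADMIN": "UPDATE"}},
}
```

With these profiles, a NETOPS member can issue PING but not DROP, because the specific DROP profile, not the generic one, is the one RACF checks.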