Authorizing users to issue Prefixed Take Action commands

You can authorize users for a set of predefined Take Action commands called 'agent commands'. Agent commands are prefixed by M5. Agent commands cannot also be run as console commands.

A subset of agent commands can be issued using the Take Action feature on the Tivoli Enterprise Portal. In the OMEGAMON Enhanced 3270 user interface, the complete set of commands is available in action menus. Security for IBM® Z OMEGAMON® AI for z/OS® Take Action commands is based on SAF security classes and resource profile names. If no resource profiles are created to control Take Action commands, all commands are denied.

The OMEGAMON Enhanced 3270 user interface checks the following resource profile to determine whether users are authorized to issue Take Action commands directed at z/OS resources:
KM5.msn.TAKEACTION
At a minimum, you must create a profile using this pattern for the global security class (RTE_SECURITY_CLASS) and give UPDATE access to the profile to every user you want to authorize to issue IBM® Z OMEGAMON® AI for z/OS® Take Action commands. You can also create other profiles for more granular access control.
For example, to control all IBM® Z OMEGAMON® AI for z/OS® Take Action commands on all managed systems, use the following profile:
KM5.**.TAKEACTION
To restrict authority to issue commands to a specific managed system, specify the managed system name. For example, to control the ability to issue Take Action commands to an IBM® Z OMEGAMON® AI for z/OS® agent running on Sysplex IBMTEST on Sysplex member TSTA, define a profile named:
KM5.IBMTEST:TSTA:MVSSYS.TAKEACTION
To control access to individual commands, you must define at least one profile with the following format in either the global security class or the override security class (KM5_SECURITY_ACTION_CLASS):
KM5.**.TAKEACTION.commandname
This can be either a generic profile, or a command-specific profile. For example, to control access to all commands, create a profile like the following:
KM5.**.TAKEACTION.*
To control access to the KILL command, create a profile with the following form:
KM5.**.TAKEACTION.KILL
To control access to the KILL command on a specific managed system, create a profile with the following form:
KM5.msn.TAKEACTION.KILL
where msn is the managed system name of the target system. (For information on managed system names, see Authorizing access to managed systems on the enhanced 3270 user interface.)
IBM® Z OMEGAMON® AI for z/OS® provides the following set of predefined Take Action commands:
  • CANCEL
  • CANCELDUMP
  • CANCELRESTART
  • CANCELDUMPRESTART
  • KILL
  • RESETSC
  • QUIESCE
  • RESUME
  • CHANGETIMELIMIT
  • SWAPIN
  • MARKSWAPPABLE
  • MARKNONSWAPPABLE

The KM5 override security class parameter (KM5_SECURITY_ACTION_CLASS, in PARMGEN) allows you to specify a separate security class to control individual IBM® Z OMEGAMON® AI for z/OS® Take Action commands. However, you must still create the KM5.**.TAKEACTION resource profile discussed previously for the global security class.

Users must be given UPDATE access to the profiles. In addition, an SAF Pass Ticket profile must be defined to allow the OMEGAMON Enhanced 3270 user interface to authenticate between the interface and the hub monitoring server. For more information, see the Configuring section of the IBM® Tivoli® OMEGAMON® and Tivoli Management Services on z/OS®: Shared documentation.
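
The following REXX exec is an added example, not part of the IBM documentation. It shows one way to define the profiles described above, assuming RACF is the SAF product in use. The class names and group names are placeholders, and both classes are assumed to be already defined, active, enabled for generic profiles, and RACLISTed.

```rexx
/* REXX - added example, not IBM-supplied code. Run under TSO by a   */
/* user with RACF authority. The four values below are placeholders. */
rte_class    = 'RTECLS'   /* your RTE_SECURITY_CLASS value           */
action_class = 'ACTCLS'   /* your KM5_SECURITY_ACTION_CLASS value    */
ops_group    = 'OPSGRP'   /* hypothetical group: general commands    */
kill_group   = 'KILLGRP'  /* hypothetical group: KILL command        */

/* Global gate in the global class. UACC(NONE) keeps everyone out    */
/* who is not named on the access list.                              */
call run "RDEFINE" rte_class "KM5.**.TAKEACTION UACC(NONE)"
call run "PERMIT KM5.**.TAKEACTION CLASS("rte_class")",
         "ID("ops_group kill_group") ACCESS(UPDATE)"

/* Generic per-command profile in the override class.                */
call run "RDEFINE" action_class "KM5.**.TAKEACTION.* UACC(NONE)"
call run "PERMIT KM5.**.TAKEACTION.* CLASS("action_class")",
         "ID("ops_group") ACCESS(UPDATE)"

/* Command-specific profile for KILL with a narrower access list.    */
/* RACF uses the most specific matching profile, so this one covers  */
/* KILL instead of the generic .* profile above.                     */
call run "RDEFINE" action_class "KM5.**.TAKEACTION.KILL UACC(NONE)"
call run "PERMIT KM5.**.TAKEACTION.KILL CLASS("action_class")",
         "ID("kill_group") ACCESS(UPDATE)"

/* Make the new profiles effective, then list who can issue KILL.    */
call run "SETROPTS RACLIST("rte_class action_class") REFRESH"
call run "RLIST" action_class "KM5.**.TAKEACTION.KILL AUTHUSER"
exit 0

/* Echo a command, issue it, and stop at the first failure so a      */
/* partially applied rule set is noticed.                            */
run: procedure
  parse arg cmd
  say cmd
  address TSO cmd
  if rc <> 0 then do
    say 'Stopped, RC='rc
    exit rc
  end
  return
```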

For information on issuing Take Action commands from the Tivoli Enterprise Portal, see the IBM Tivoli IBM® Z OMEGAMON® AI for z/OS®: User’s Guide.