Authorizing users to issue Prefixed Take Action commands
You can authorize users for a set of predefined Take Action commands called 'agent commands'. Agent commands are prefixed by M5. Agent commands cannot also be run as console commands.
A subset of agent commands can be issued using the Take Action feature on the Tivoli Enterprise Portal. In the OMEGAMON Enhanced 3270 user interface, the complete set of commands is available in action menus. Security for IBM® Z OMEGAMON® AI for z/OS® Take Action commands is based on SAF security classes and resource profile names. If no resource profiles are created to control Take Action commands, all commands are denied.
KM5.msn.TAKEACTION
At a minimum, you
must create a profile using this pattern for the global security class (RTE_SECURITY_CLASS) and give
update access to the profile to all users you want to authorize to issue IBM® Z OMEGAMON® AI for z/OS® Take Action commands. You can also create
other profiles for more granular access control. KM5.**.TAKEACTION
KM5.IBMTEST:TSTA:MVSSYS.TAKEACTION
KM5.**.TAKEACTION.commandname
This can be either a generic
profile, or a command-specific profile. For example, to control access to all commands, create a
profile like the following:KM5.**.TAKEACTION.*
To control access to the KILL
command, create a profile with the following form:KM5.**.TAKEACTION.KILL
To
control access to the KILL command on a specific managed system, create a profile with the following
form:KM5.msn.TAKEACTION.KILL
where msn
is the managed system name of the target system. (For information on managed system names, see Authorizing access to managed systems on the enhanced 3270 user interface.)CANCEL
CANCELDUMP
CANCELRESTART
CANCELDUMPRESTART
KILL
RESETSC
QUIESCE
RESUME
CHANGETIMELIMIT
SWAPIN
MARKSWAPPABLE
MARKNONSWAPPABLE
The KM5 override security class parameter (KM5_SECURITY_ACTION_CLASS, in PARMGEN) allows you
to specify a separate security class to control individual IBM® Z OMEGAMON® AI for z/OS® Take Action commands. However, you must
still create the KM5.**.TAKEACTION
resource profile discussed previously for the
global security class.
Users must be given UPDATE access to the profiles. In addition, an SAF Pass Ticket profile must be defined to allow the OMEGAMON Enhanced 3270 user interface to authenticate between the interface and the hub monitoring server. For more information, see the Configuring section of the IBM® Tivoli® OMEGAMON® and Tivoli Management Services on z/OS®: Shared documentation.
For information on issuing Take Action commands from the Tivoli Enterprise Portal, see the IBM Tivoli IBM® Z OMEGAMON® AI for z/OS®: User’s Guide.