Authorizing users to issue agent predefined Take Action commands on the enhanced 3270 user interface

Security for OMEGAMON® for Messaging on z/OS® Take Action commands that are issued on OMEGAMON enhanced 3270 user interface is based on SAF security classes and resource profile names. If no resource profiles are created to control Take Action commands, all commands are denied.

The IBM MQ Monitoring agent provides a set of predefined Take Action commands. These predefined commands, which are prefixed by MQ:, are known as the agent commands. On the OMEGAMON enhanced 3270 user interface, the complete set of commands is available in action menus.

Remember: The enhanced 3270 user interface for IBM® MQ monitoring is designed to work with IBM MQ Monitoring agent version 7.1 and later. The enhanced 3270 user interface for IBM Integration Bus monitoring is designed to work with IBM Integration Bus Monitoring agent version 7.3 fix pack 2 and later. Use with previous version agents is not supported.

The OMEGAMON enhanced 3270 user interface validates the KMQ.msn.TAKEACTION resource profile to check whether users are authorized to issue the Take Action commands that are directed to the IBM MQ Monitoring agent, where msn is the managed system name of the target system. For information about the managed system names, see Authorizing users to access product managed systems on the enhanced 3270 user interface.

At a minimum, you must create a profile by using this pattern for the RTE_SECURITY_CLASS global security class and give UPDATE access to the profile to all users that you want to authorize to issue the OMEGAMON for Messaging on z/OS Take Action commands. You can also create other profiles for more granular access control.

  • To control all OMEGAMON for Messaging on z/OS Take Action commands on all managed systems, use the KMQ.**.TAKEACTION profile.
  • To restrict the authority to issue commands to a specific managed system, specify the managed system name.
    For example, to control the ability to issue Take Action commands to a queue manager named M70A running on the LPAR SYSG system, define a profile named KMQ.M70A:SYSG:MQESA.TAKEACTION.

OMEGAMON for Messaging on z/OS provides the following set of predefined Take Action commands:

  • change qmgr
  • change queue
  • clear queue
  • forward message
  • ping channel
  • purge queue
  • start channel
  • stop channel

Users must be given UPDATE access to the profiles. In addition, an SAF Pass Ticket profile must be defined to allow the OMEGAMON enhanced 3270 user interface to authenticate between the interface and the hub monitoring server. For more information, see the Overview, Planning, and Configuring sections of the OMEGAMON Shared Documentation.