Authorizing users to issue Take Action commands

Certain commands, known as Take Action commands, can be issued from the Tivoli® Enterprise Portal and OMEGAMON® enhanced 3270 user interface. IBM® Z OMEGAMON® AI for Networks supports two types of Take Action commands: z/OS® system commands and agent-provided commands. Users must be authorized to issue these commands.

z/OS commands

By default, Take Action commands issued by IBM® Z OMEGAMON® AI for Networks are issued as z/OS system commands.

However, a monitoring server or monitoring agent address space can be configured to redirect Take Action commands to NetView® through the program to program interface (PPI). Take Action commands that are issued in NetView make full System Authorization Facility (SAF) calls for authorization. NetView uses the Tivoli Enterprise Portal user ID to determine the NetView operator on which the command authorization is performed. If command authorization passes, the command is processed by the NetView operator. Messages are written to the NetView log to provide an audit trail of the commands and the users that issued them. If you enable NetView command authorization on the monitoring server, you must also enable NetView to execute the commands.

For more information, see Configuring NetView authorization of z/OS commands in IBM Tivoli Monitoring: Configuring the Tivoli Enterprise Monitoring Server on z/OS.

Prefixed Take Action commands

IBM® Z OMEGAMON® AI for Networks provides a set of predefined Take Action commands:
  • Drop
  • Nslookup
  • Ping
  • Tracerte
These commands, which are prefixed by N3:, are known as agent commands. A subset of these commands (those that cannot also be run as console commands) can be issued by using the Take Action feature on the Tivoli Enterprise Portal. In the OMEGAMON enhanced 3270 user interface, these commands are available in action menus.

Security for IBM® Z OMEGAMON® AI for Networks Take Action commands is based on SAF security classes and resource profile names. During product configuration you specify the name of the SAF security class that is used to validate product-specific Take Action commands. The SAF class that is used to validate Take Action commands is specified in the RTE_SECURITY_CLASS parameter. Optionally, you can code the KN3_SECURITY_ACTION_CLASS parameter if you want a separate SAF security class just for IBM® Z OMEGAMON® AI for Networks commands.

After you define the SAF security class, you define resource profiles to control access to the product-specific Take Action commands. If no resource profiles are created to control Take Action commands, all commands are denied. The OMEGAMON enhanced 3270 user interface validates the following resource profile to see if users are authorized to issue the Take Action commands directed at z/OS Communication Server resources:
KN3.msn.TAKEACTION.*
where msn is the managed system name.

At a minimum, you must create a profile by using the pattern shown in the previous sample for the global security class (RTE_SECURITY_CLASS) and give update access to the profile to all users you want to authorize to issue any Take Action commands from the enhanced 3270 user interface. The enhanced 3270 user interface address space uses SAF validation to determine whether a user is authorized to issue any Take Action commands.

SAF validation for product-specific commands is performed by the monitoring agent. Create other profiles for more granular access control. For example, to control all IBM® Z OMEGAMON® AI for Networks Take Action commands on all managed systems, define the following profile:
KN3.**.TAKEACTION.*
To control the ability to issue Take Action commands to an IBM® Z OMEGAMON® AI for Networks monitoring agent that is running on a system with an SMFID of TSTA and stack TCPIP, you would define a profile named:
KN3.TCPIP:TSTA.TAKEACTION.*
To control access to individual commands, you must define at least one profile with the following format in either the global security class or the override security class (KN3_SECURITY_ACTION_CLASS):
KN3.TCPIP:TSTA.TAKEACTION.commandname
or
KN3.**.TAKEACTION.commandname
where commandname is one of the supported IBM® Z OMEGAMON® AI for Networks Take Action commands.
To control access to the DROP command, create a profile in either the global security class or the override security class similar to the following:
KN3.**.TAKEACTION.DROP
Note: DROP commands also check the TCPIP.MVS.DROP profile of the OPERCMDS class in addition to any SAF checking done for the IBM® Z OMEGAMON® AI for Networks DROP command resource profile.
If a user attempts to issue a Take Action command without authorization, a series of messages similar to the following is written to the RKLVLOG:
2012.178 04:27:37.68 KN3A907I: USER=USER3    CLASS=$KOBSEC  RESOURCE=KN3.TCPIPG:SYS.TAKEACTION.PING
2012.178 04:27:37.68 KN3A908I: RACROUTE VERIFY  REG15=00000004 SAFPRRET=00000004 SAFPRREA=00000000 SAFPSFRC=00000000 SAFPSFRS=00000000
2012.178 04:27:37.68 KN3A909I: USER=USER3    RESULT: USER NOT DEFINED TO ESM
Additionally, this message is displayed in a pop-up window in the enhanced 3270 user interface:
 ________________________________________________________
|              Take Action Command Failure               |
|                                                        |
| KN3A006E RACF AUTHORIZATION ERROR                      |
|________________________________________________________|
In Tivoli Enterprise Portal or the enhanced 3270 user interface, you might also see the following messages in the Drop Connection dialog's Command Output display.
KN3A904E TAKE ACTION RACROUTE AUTH RC(FAILURE). CLASS=OPERCMDS, 
  COMMAND=VARY TCP, USER=SYSADMIN
This message indicates that the user was validated in the IBM® Z OMEGAMON® AI for Networks resource profile, but the user was not permitted to the TCPIP.MVS.DROP profile of the OPERCMDS class.

For more information, see the Enable security on the IBM® Tivoli OMEGAMON enhanced 3270 user interface topic in the IBM Tivoli OMEGAMON and Tivoli Management Services on z/OS: Common Planning and Configuration Guide. For information on issuing Take Action commands from the enhanced 3270 user interface, see the IBM® Z OMEGAMON® AI for Networks: Enhanced 3270 User Interface User’s Guide.

Restricting access to the Mainframe Networks Command Log and Response workspace

The IBM® Z OMEGAMON® AI for Networks monitoring agent has a unique workspace associated with prefixed Take Action commands: the Command and Response Log workspace. This enhanced 3270 workspace is similar to the Tivoli Enterprise Portal Command Log workspace. Commands in both workspaces are displayed in a “last in, first out” order. The Tivoli Enterprise Portal workspace displays only the commands that are issued by the user ID that logged into Tivoli Enterprise Portal, unless the user is given UPDATE access to the KN3.**.TAKEACTION.ADMIN resource profile, in which case all commands and all responses issued by all users are displayed. A similar mechanism is available in the enhanced 3270-based Command and Response Log workspace.

To control display of the commands and command output in the command log, create an ADMIN resource profile in either the global security class or the override security class, similar to the following:
KN3.**.TAKEACTION.ADMIN
where ADMIN means that a user or user group has permission to view all Take Action commands and responses for that user and other users. If this resource is not defined, or if users or groups are not permitted access to this resource, a user is only allowed to see Take Action commands and responses issued by that user. Users with UPDATE access to KN3.**.TAKEACTION.ADMIN can see commands and command responses issued by all users. For information about setting up this command profile, see the SAF appendix of the IBM® Z OMEGAMON® AI for Networks: User's Guide.

Setting up a resource profile

The authority to transmit Take Action requests from the OMEGAMON enhanced 3270 user interface or TEP to an MfN agent instance is verified by checking for access to a SAF resource named in this pattern:
KN3.<msn>.TAKEACTION
Where <msn> is a managed system name. A managed system name typically identifies a unique Tivoli Enterprise Monitoring Server agent instance. In this statement, TAKEACTION is a literal. Unless a matching SAF profile exists to control access to a given Take Action command, any request to transmit an action to the managed system name is denied.
Typically, you define a resource profile that denies access to all users (UACC(NONE)) and then PERMIT access to these resources for specific user IDs or groups. The following examples show resource definitions that you might want to define:
  • To restrict access to issue IBM® Z OMEGAMON® AI for Networks Take Action commands from the enhanced 3270 user interface:
    RDEFINE security_class KN3.**.TAKEACTION UACC(NONE)

  • To restrict access to issue IBM® Z OMEGAMON® AI for Networks Take Action commands from the enhanced 3270 user interface on a particular TCPIP stack and system:
    RDEFINE security_class KN3.<msn>.TAKEACTION UACC(NONE)

  • To restrict access to IBM® Z OMEGAMON® AI for Networks Take Action commands:
    RDEFINE security_class KN3.**.TAKEACTION.* UACC(NONE)
    RDEFINE security_class KN3.**.TAKEACTION.PING UACC(NONE)
    RDEFINE security_class KN3.**.TAKEACTION.TRACERTE UACC(NONE)
    RDEFINE security_class KN3.**.TAKEACTION.NSLOOKUP UACC(NONE)
    RDEFINE security_class KN3.**.TAKEACTION.DROP UACC(NONE)

  • To restrict access to view all Take Action commands:
    RDEFINE security_class KN3.**.TAKEACTION.ADMIN UACC(NONE)
When these resource profiles are defined, refresh the security class by using the following command:
SETROPTS RACLIST(security_class) REFRESH
You can define a profile named KN3.<msn>.TAKEACTION by entering these commands:
RDEFINE $KN3SEC KN3.<msn>.TAKEACTION UACC(NONE)
SETROPTS RACLIST($KN3SEC) REFRESH
More generally, you could define a profile to control all Take Action commands:
RDEFINE $KN3SEC KN3.**.TAKEACTION.* UACC(NONE) 
SETROPTS RACLIST($KN3SEC) REFRESH

Granting access to individual user IDs or groups

After the resources are defined, grant access to individual user IDs or groups by using definitions such as the ones that follow:
  • To enable a user ID or group to issue all IBM® Z OMEGAMON® AI for Networks Take Action commands from the enhanced 3270 user interface on any system:
    PERMIT KN3.**.TAKEACTION ID(userid) ACCESS(UPDATE) CLASS(security_class)
  • To enable a user ID or group to issue all IBM® Z OMEGAMON® AI for Networks Take Action commands on any system:
    PERMIT KN3.**.TAKEACTION.* ID(userid) ACCESS(UPDATE) CLASS(security_class)
  • To enable a user ID or group to issue all IBM® Z OMEGAMON® AI for Networks Take Action commands on a specific TCPIP stack and system:
    PERMIT KN3.<msn>.TAKEACTION.* ID(userid) ACCESS(UPDATE) CLASS(security_class)
  • To enable a user ID or group to issue a specific IBM® Z OMEGAMON® AI for Networks Take Action command on any system:
    PERMIT KN3.**.TAKEACTION.DROP ID(userid) ACCESS(UPDATE) CLASS(security_class)
    PERMIT KN3.**.TAKEACTION.PING ID(userid) ACCESS(UPDATE) CLASS(security_class)
    PERMIT KN3.**.TAKEACTION.TRACERTE ID(userid) ACCESS(UPDATE) CLASS(security_class)
    PERMIT KN3.**.TAKEACTION.NSLOOKUP ID(userid) ACCESS(UPDATE) CLASS(security_class)
  • To enable a user ID or group to view all IBM® Z OMEGAMON® AI for Networks Take Action commands and responses issued by all users:
    PERMIT KN3.**.TAKEACTION.ADMIN ID(userid) ACCESS(UPDATE) CLASS(security_class)
After you permit users to the various resource profiles, issue the following commands to ensure that the permissions take effect:
SETROPTS GENERIC(security_class) REFRESH
SETROPTS RACLIST(security_class) REFRESH
SETROPTS GLOBAL(*) REFRESH
You can view the current SAF class definitions and permissions by issuing the following command:
RLIST security_class * AUTHUSER

If no matching SAF profile exists to protect a Take Action command, that Take Action is denied.
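The profile-matching and two-stage checks described above (the KN3.<msn>.TAKEACTION.commandname patterns and the extra TCPIP.MVS.DROP check for DROP, together with the RDEFINE/PERMIT definitions in this section), as an added Python model that is not part of the product or of this document. It simplifies RACF generic matching and best-profile selection; the class name $KN3SEC, the user IDs NETOPS and NETADM, and the managed system name TCPIP:TSTA are assumptions modelled on the page's examples.

```python
from fnmatch import fnmatchcase

ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed sample table: (class, profile) -> (UACC, {userid: access}). IDs are hypothetical.
DB = {
    ("$KN3SEC", "KN3.**.TAKEACTION.*"): ("NONE", {"NETOPS": "UPDATE"}),
    ("$KN3SEC", "KN3.**.TAKEACTION.DROP"): ("NONE", {"NETADM": "UPDATE"}),
    ("OPERCMDS", "TCPIP.MVS.DROP"): ("NONE", {"NETADM": "UPDATE"}),
}

def matches(profile, resource):
    """Simplified RACF generic matching: '**' spans zero or more qualifiers,
    a whole '*' qualifier spans exactly one, '*' inside a qualifier matches characters."""
    pq, rq = profile.split("."), resource.split(".")
    def rec(i, j):
        if i == len(pq):
            return j == len(rq)
        if pq[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(rq) + 1))
        return j < len(rq) and fnmatchcase(rq[j], pq[i]) and rec(i + 1, j + 1)
    return rec(0, 0)

def specificity(profile):
    # Left-to-right ranking: a literal qualifier beats '*', which beats '**' (RACF best-match idea).
    return tuple(0 if q == "**" else 1 if "*" in q else 2 for q in profile.split("."))

def authorized(db, user, cls, resource, need="UPDATE"):
    """True only if the most specific matching profile grants `need`; no profile means denied."""
    hits = [p for (c, p) in db if c == cls and matches(p, resource)]
    if not hits:
        return False
    uacc, permits = db[(cls, max(hits, key=specificity))]
    return ACCESS[permits.get(user, uacc)] >= ACCESS[need]

def take_action_allowed(db, user, msn, command, action_class="$KN3SEC"):
    """Check KN3.<msn>.TAKEACTION.<command> in the action class; DROP must
    additionally pass TCPIP.MVS.DROP in OPERCMDS, as the page describes."""
    if not authorized(db, user, action_class, f"KN3.{msn}.TAKEACTION.{command}"):
        return False
    return command != "DROP" or authorized(db, user, "OPERCMDS", "TCPIP.MVS.DROP")

if __name__ == "__main__":
    for user, cmd in [("NETOPS", "PING"), ("NETOPS", "DROP"), ("NETADM", "DROP"), ("NETADM", "PING")]:
        print(user, cmd, take_action_allowed(DB, user, "TCPIP:TSTA", cmd))
```

Note that NETOPS is permitted to the generic KN3.**.TAKEACTION.* profile but is still denied DROP, because the more specific KN3.**.TAKEACTION.DROP profile is the one that is evaluated.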