Define Take Action profiles to control access to data actions in the e3270UI

To control authorization for Take Action commands in the OMEGAMON® enhanced 3270 user interface, the security administrator must define SAF resource profiles, as described in this topic.

Before you begin

Authorization to transmit Take Action requests from the OMEGAMON enhanced 3270 user interface (enhanced 3270UI) to a product agent instance is controlled by a Take Action profile named for the specific Take Action command. Enhanced 3270UI Take Action authorization is performed at both the enhanced 3270UI and the agent. Consequently, security configuration must be performed for both the enhanced 3270UI and the OMEGAMON agent.

For related considerations, refer to the agent security configuration documentation, including the following topics:

About this task

The enhanced 3270UI verifies the authority for a user to transmit Take Action commands by checking for access to a SAF resource named in the following pattern: 
Kpp.msn.TAKEACTION
where:
Kpp
Is the product code of the agent instance. (See Product codes.)
msn
Is a managed system name. A managed system name typically identifies a unique Tivoli Enterprise Monitoring Server agent instance. Note that the form of managed system names differs from product to product. Check the agent-specific documentation for information about the form used for managed system names.
TAKEACTION
Is a literal.

At a minimum, a SAF profile using this resource pattern must be defined in the global security class (RTE_SECURITY_CLASS) and UPDATE access authority to the profile must be given to the users allowed to issue Take Action commands for the agent. Other profiles can be created for more granular access control.

To control access to individual Take Action commands, a profile must be defined for each Take Action command. If there is no matching profile for a particular Take Action command, a request to transmit the action to the managed system name is denied.
Note: The format of the resource pattern for a specific Take Action command differs from product to product. Typically, the format of the resource pattern is as follows:
Kpp.msn.TAKEACTION.commandname
where commandname is the name of the Take Action command.

For details about defining the profiles for specific Take Action commands, refer to the agent-specific documentation.

Example

To control the ability to issue all Take Action commands to an OMEGAMON for z/OS® agent, define the following profile by entering the following commands:

RDEFINE $KOBSEC KM5.**.TAKEACTION UACC(NONE)
SETROPTS RACLIST($KOBSEC) REFRESH

To control the ability to issue a Take Action command to an OMEGAMON for z/OS agent running on sysplex IBMTEST on sysplex member TSTA, in a SAF class named $KOBSEC, define a profile named KM5.IBMTEST:TSTA:MVSSYS.TAKEACTION by entering the following commands: 

RDEFINE $KOBSEC KM5.IBMTEST:TSTA:MVSSYS.TAKEACTION UACC(NONE)
SETROPTS RACLIST($KOBSEC) REFRESH

What to do next

  • After the Take Action profile has been defined, the security administrator must assign UPDATE access authority to the profile for the allowed users. For more information, see Permit access to profiles.
  • To control access to individual Take Action commands, a profile for each Take Action command must be defined. For more information, see the agent-specific documentation.