SIMULATE
Applies to: Administration z/OS® (Admin, Visual); Manager for RACF® z/VM®; Compliance and Auditing z/OS (Audit for RACF, Audit for ACF2, Audit for TSS, Alert); Adapters for SIEM.
Use the SIMULATE statement, or its abbreviation SIM, to change specific settings or to add features globally in the CKRCARLA run. You can use this statement to test certain scenarios without actually making changes in the security database. The SIMULATE command can be used as a stand-alone command or as a keyword within STANDARD / ENDSTANDARD.

The SIMULATE statement supports several subtypes. The subtype is entered as the first positional parameter on the statement. Table 1 gives an overview of the supported options:
Option | Description |
---|---|
ACCESS_FALLBACK_DEFAULT | Perform access simulation in the absence of a matching CKFREEZE data set. |
CA1OPT | Simulate SAF resource checking for online profile or password values. |
CLASS | Specify resources by SAF class for which access is determined. For other resource types, see RESOURCE_TYPE. |
CKGRACF / CNGRACF | Specify use of CKGRACF scoping profiles. |
DMSPARMS | Specify DMS processing options. |
POLICY | Select zSecure audit policy to determine priority. |
PRIV_USER_GROUPS | Specify which RACF groups are for privileged users. |
RACF_ACCESS | Specify which profile to use for Access Monitor reports. |
RDEFINE | Select enhanced or basic program control mode. |
RESOURCE_TYPE / RESTYPE | Specify resource types other than SAF for which access is determined. For resources by SAF class, see CLASS. |
RESTRICT | Make CKRCARLA act as if it had only PADS access to data sets (restricted mode). |
SENSITIVE | Specify sensitive data sets. |
SETROPTS | Change certain RACF settings. |
SHARED / NONSHARED | Override DASD sharing. |
SMF | Application use of SMF records. |
SUBSYS | Specify subsystem security options. |
TODAY | Run reports for another day. |
- ACCESS_FALLBACK_DEFAULT
- This keyword applies only to RACF systems. You can use this keyword to perform access simulation of events in an Access data set even if a CKFREEZE data set is not available for the system identified by the SMFid in the access monitor records. The ACCESS_FALLBACK_DEFAULT keyword specifies that the necessary RACF options from the default system are used. Examples of such RACF options are EGN, and CLASSACT or RACLIST of the RACF resource classes. If this keyword is not specified, access monitor records from a system without a matching CKFREEZE data set are not processed during access simulation. For more information about use of the DEFAULT statement to specify the default system, see DEFAULT.
- CA1OPT [PSWD=[YES|Y|NO|N]]
- You can simulate SAF resource checking for online profile or password values that are defined in TMOSECxx with PSWD=Y, or you can switch it off with PSWD=N.
- CLASS=class [{SENSITIVITY|SENSTYPE}={Site<text> | predefinedtype} [ACCESS={ALTER|CONTROL|READ|UPDATE}] [ID=S<id> | PRIO={2|3|4|5|6|7|8|9} [ID=S<id>] CONCERN='concern text']] [{RESOURCE_LOCATION|RESLOC}=name] [MASKTYPE=[EGN|ACF2]] RESOURCE=(name, ...)
- The purpose of this kind of SIMULATE command is to add resources to sensitive resource reporting. Use SIMULATE CLASS to specify resources by SAF class. For other resource type specifications, see RESOURCE_TYPE. Analysis of sensitive resources for SAF classes applies only to RACF and ACF2 systems. It applies to the CLASS and RESOURCE fields in those newlist types that support the fields SENSTYPE or PRIV_SENSTYPE. For the SENSDSN newlist, the SIMULATE statement is effective only for queries that read the entire CKFREEZE file. When this option is specified, the program uses resource simulation to show which permit is used for which resource for RACLIST-merged grouping and member profiles. For CLASS=DATASET, this statement adds a sensitive resource and optionally adds resource locations if locations are reported by NEWLIST TYPE=REPORT_*.

For the command syntax, CLASS must be the first parameter and RESOURCE the last parameter. The RESOURCE parameter can contain a list of resource names separated by commas or blanks. Resource names are case sensitive. The SIMULATE command can be combined with the SUPPRESS AUTO_RESOURCE command so that only the resources specified on SIMULATE commands are included in the output. See the SUPPRESS command.

If the SENSITIVITY was defined on a DEFSENS statement that applies to the CLASS, then the ACCESS, PRIO, CONCERN, and ID properties are inherited. If applicable DEFSENS statements exist for multiple risk levels, then all risk levels (and associated properties) are inherited if ACCESS is omitted. Through ID, the CONCERN and PRIO properties are even inherited from a different DEFSENS statement. If properties are specified again, they must match. See DEFSENS for further details. Properties are not inherited from SIMULATE to DEFSENS or between SIMULATE statements. To ensure consistent properties and minimal typing, put the properties on DEFSENS and only define the RESOURCEs on SIMULATE.

To influence how many resources get reported, use the REPORT RESOURCE command to automatically include sensitive general resources, use the REPORT DATASET command to automatically include sensitive data sets, or use the REPORT RESOURCE DATASET command to include both. Before using the REPORT commands, consider how much output you require, especially when including the DATASET option. If you do not specify any additional selection criteria (SELECT command), adding many resources by using the SIMULATE command combined with the use of the RESOURCE field in NEWLIST TYPE=RACF_ACCESS can result in an exceedingly high volume of output. The amount of output generated equals the number of resources in the system multiplied by the number of permits in the profiles that protect the resources.

The following classes assign a nonstandard meaning to the member list and are not supported for resource simulation: CONNECT, DIGTNMAP, DIGTCERT, DIRACC, DIRAUTH, FSSEC, FSOBJ, GLOBAL, GMBR, GROUP, IDIDMAP, NDSLINK, NODES, NODMBR, NOTELINK, PMBR, RACFVARS, RVARSMBR, SCDMBR, SECDATA, SECLABEL, SECLMBR, UNIXMAP, USER, VMBR, VMEVENT, VMXEVENT, and VXMBR.

The following definitions of the optional subparameters for the SIMULATE CLASS command provide descriptions, syntax, and processing considerations.
- [ACCESS={ALTER|CONTROL|READ|UPDATE}]
- The minimum access level associated with the RISK field. READ is the default.
- {SENSITIVITY|SENSTYPE}={Site<text> | predefinedtype}
- An 11-character string that denotes the sensitive resource type. There are different kinds of sensitivity types that can be used on the SIMULATE command:
  - Regulation-defined sensitivities
  - As-is or suffixed with an extra site-defined string; see Predefined sensitivity types related to SIMULATE CLASS SENSITIVITY
  - Site-defined
  - Start with Site
  - IBM-defined DEFSENS types
  - Do not start with Site and end with an underscore (_)
- PRIO={2|3|4|5|6|7|8|9}
- Audit priority is a number in the range of 2–9 that determines the display sort order of the audit concern. Priority 2 represents the lowest priority. Priority 1 is reserved for inactive userids that have been revoked or suspended. Priority 9 is very high, system-wide systems programmer privilege. The default priority for CICS resources is 2, but the PRIO parameter can be used to increase the CICS audit priority. If the optional PRIO parameter is specified, the CONCERN and SENSITIVITY parameters must also be specified or inherited.
- ID=S<id>
- The ID=parm can be specified on the LANGUAGE statement that specifies the translation. The ID must start with an 'S' and its maximum length is 8 characters. If the optional ID parameter is specified, the CONCERN, PRIO, and SENSITIVITY parameters must also be specified or inherited.
- CONCERN=['text' | "text" | `text`]
- Audit concern description that explains the authority granted by the sensitive access level defined in the ACCESS field. The CONCERN parameter is reported in NEWLIST TYPE=TRUSTED. The maximum length is 64 characters. The description text must be enclosed in quotes. If the optional CONCERN parameter is specified, the PRIO and SENSITIVITY parameters must also be specified or inherited.
- RESLOC=<resloc> | RESOURCE_LOCATION=<resloc>
- Optional specification of the location of the CLASS RESOURCE. The CLASS_RESOURCE location is returned in various reports in the RESOURCE_LOCATION field. The maximum length is 35 characters. The text is converted to uppercase.
- MASKTYPE=[EGN|ACF2]
- Mask type to use for interpreting a generic specification of the RESOURCE value. This parameter is optional. If MASKTYPE is not specified, the last setting of OPTION MASKTYPE in the CARLa input before this SIMULATE statement is used. If no OPTION MASKTYPE is used, the default mask type for the product entitlements is used.
- RESOURCE=(name, ...)
- The RESOURCE parameter specifies a list of resource names separated by commas or blanks. End-of-line characters between parentheses are ignored. If a single resource name is specified, the parentheses can be omitted. Resource names are case sensitive except for class DATASET. You can use single quotes, double quotes, or left quotes around each name. Only quoted names can wrap across multiple lines. For class=DATASET, the resource name can be a generic specification that is interpreted according to the mask type that is specified in MASKTYPE. A mask must start with a prefix of at least three (3) non-generic characters.
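The following CARLa fragment is an added example of the SIMULATE CLASS form described above; it is not taken from the product documentation. The data set masks, resource names, location, concern texts and the sensitivity name SitePayroll are constructed placeholders, and it assumes that REPORT SENSITIVE is the report whose content you want to restrict.

```carla
/* Added example, not from the product documentation. All masks,      */
/* resource names, the location and the concern texts are constructed. */

/* Site-defined sensitivity: must start with "Site"; "SitePayroll" is  */
/* exactly 11 characters. Because PRIO is given, CONCERN and           */
/* SENSITIVITY are given as well (CONCERN: at most 64 characters).     */
/* Each EGN mask starts with at least 3 non-generic characters.        */
/* A trailing comma continues the statement on the next line.          */
SIMULATE CLASS=DATASET SENSITIVITY=SitePayroll ACCESS=UPDATE PRIO=6 ,
  CONCERN='UPDATE on payroll master data allows salary tampering' ,
  MASKTYPE=EGN ,
  RESOURCE=(PAYROLL.MASTER.**, PAYROLL.HIST.*.DATA)

/* General resource in a SAF class: names are case sensitive here, so  */
/* they are written exactly as defined. RESLOC is folded to uppercase  */
/* (35 characters maximum) and shows up in RESOURCE_LOCATION.          */
SIMULATE CLASS=XFACILIT SENSITIVITY=SitePayroll ACCESS=READ PRIO=4 ,
  CONCERN='READ exposes payroll batch control functions' ,
  RESLOC=PAYBATCH ,
  RESOURCE=(PAY.BATCH.CONTROL, 'PAY.BATCH.SUBMIT')

/* Report only the resources named on SIMULATE statements rather than  */
/* every automatically detected sensitive resource, which keeps the    */
/* output volume (resources x permits) under control.                  */
SUPPRESS AUTO_RESOURCE
REPORT SENSITIVE
```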
- CKGRACF [COMPLEX=complex] [CLASS=class]
  CNGRACF [COMPLEX=complex] [CLASS=class]
- These command subtypes apply only to RACF systems running on z/OS. You can use these subtypes to influence the CKGRACF scope determined by the program. SIMULATE CKGRACF causes resources of the form CKG.** to be checked. SIMULATE CNGRACF causes resources of the form $CNG.** to be checked. The two command subtypes are mutually exclusive on the complex level. If the COMPLEX= keyword is used, only the specified complex is affected by the command. If the COMPLEX= keyword is omitted, all complexes that are not the target of a specific SIMULATE CNGRACF or SIMULATE CKGRACF command are affected. A complex that is the target of neither is processed as for SIMULATE CKGRACF, unless it contains an UNLOAD file made by an old version of the product that still used the $CNG.** resources, in which case SIMULATE CNGRACF processing applies. The CLASS= keyword specifies the general resource class to be checked. If omitted, CKG.** resources are checked in the class specified in the CKRSITE module (or XFACILIT if there is none), whereas $CNG.** resources are by default checked in FACILITY. These command subtypes are not supported in restricted mode.
- DMSPARMS prm+val
- This command subtype can be used to simulate the effect of changing DMS parameter settings, or, if they are missing from the CKFREEZE file, to tell the program how they are set. The parameter name and value are specified without intervening blanks, as in the DMS option members. The following parameters are supported and used. The parameter names start with the ESM they apply to, except for Top Secret, which is represented as TOP.
- ACF2SUPP
- Must be Y to secure data sets in CA-Disk with ACF2 in an ACF2 system.
- RACFALWZ
- Always-call must be Y to process data sets that are not RACF-indicated.
- RACFBKUP
- Determines the way discretes are processed.
- RACFPRED
- Determines whether an existing discrete will be used or deleted when a data set is restored.
- RACFSUPP
- Support must be Y to support RACF-indicated data sets.
- RACFPROC
- Process RACF profiles can be Y to be able to process data sets that have lost their discrete profiles.
- RACFNEWN
- Process NEWNAME must be N for a safe system.
- RACFDVOL
- Volume for discretes.
- RACFUSID
- High-level qualifier for archive data sets.
- SECURVOL
- Determines whether DASDVOL profiles are checked first.
- TOPSUPP
- Must be Y to secure data sets in CA-Disk with CA Top Secret in a Top Secret system.
- POLICY
- This option is only used in the zSecure Audit and zSecure Manager for RACF z/VM products. It sets the policy against which settings are checked. It causes additional audit concerns to be raised. Also, it increases the priority for direct violations of the policy to be at least 40. It is by no means a complete check on all requirements for the policy.
The policy can be one of the levels C1, C2, or B1 from the US standard DOD 5200.28-STD, usually called 'orange book'. C2 is equivalent to the Protection Profile CS1 (Commercial Security 1) of the Common Criteria. If no explicit policy is requested, the built-in IBM® Security zSecure audit policy will be used, somewhere between C1 and C2 but with more emphasis on auditing.
- PRIV_USER_GROUPS=list
- This option applies only to RACF systems. Use this field to define a set of group names to report on. The names are converted to upper case. Each group name can be no longer than 8 characters. It can be a single group or a list of groups enclosed in parentheses and separated by commas. Blanks and new lines between the parentheses are allowed. Although there is no maximum on the number of groups specified, there are limits for the fields where they are used and for the output file formats. Multiple specifications of PRIV_USER_GROUPS will be combined into a single list.
- RACF_ACCESS
- This option applies only to RACF systems. It controls under which profile, profile member, and access list entry the Access Monitor records will be reported in RACF_ACCESS NEWLIST.

When SIMULATE RACF_ACCESS is not specified, the result fields in the Access Monitor records are used to locate the profile name in the current RACF input source and, if the profile exists, occurrences are counted towards that profile.

When SIMULATE RACF_ACCESS is specified, the result fields of the Access Monitor records are not used, and a simulation is done of what RACF would do given the current RACF input source. The profile resulting from that simulation is used for recording and counting purposes. This option also determines whether the Access Monitor records are counted as success, violation, or unexpected.

Note that specifying the RACF_ACCESS NEWLIST without using the SIMULATE RACF_ACCESS option precludes the use of the SIM* fields in RACF_ACCESS NEWLIST. That is, when you set up a reporting query using both the RACF_ACCESS and ACCESS NEWLIST types together, you must specify the SIMULATE RACF_ACCESS option to include SIM* field data in the report results. If you do not specify this option, the SIM* fields will be empty.
- RDEFINE FACILITY IRR.PGMSECURITY APPLDATA('mode')
- This option applies only to RACF systems running on z/OS. It simulates that FACILITY profile IRR.PGMSECURITY has APPLDATA('mode'). This simulates the mode in which RACF Program Control runs. The following modes are supported:
- BASIC for basic security mode
- ENHWARN for Enhanced-Warning security mode
- ENHANCED for Enhanced security mode
VERIFY PADS (see VERIFY PADS): you can evaluate the commands that are generated by VERIFY PADS before configuring RACF in the mode. The RDEFINE keyword can also be abbreviated to RDEF.
- { RESOURCE_TYPE=UNIXFILE | RESTYPE=UNIXFILE } [ACCESS={READ-NX|WRIT-NX}] [SENSITIVITY=Site<text> PRIO={2|3|4|5|6|7|8|9} [ID=S<id>] CONCERN='concern text'] RESOURCE=(name, ...)
- This option allows you to specify UNIX files as sensitive. This applies to zSecure Audit for RACF, ACF2, and Top Secret. It is similar to SIMULATE CLASS. The resource names that are specified are resolved within the file system (for each system). The sensitivities show up in the PRIV_* fields in TYPE=UNIX. Note that other hard links (path names) to the same file (identified by its device and inode) are also tagged. If SECLABEL substitution applies, a single specification might tag multiple device and inode combinations on the same system. The access level is reflected in PRIV_ACCESS. The sensitivity is reflected in PRIV_SENSTYPE. The concern and priority are reflected in PRIV_CONCERN and PRIV_PRIORITY.

The syntax is the same as the general SIMULATE CLASS syntax, except for the following:
- The RESOURCE_TYPE specification is not case-sensitive and can be specified as UNIXFILE. In contrast, when using the SIMULATE CLASS syntax, you would have to specify the mixed case value 'UNIXfile'c for the CLASS. SIMULATE RESOURCE_TYPE currently only supports UNIXFILE. For the resource, specify an absolute path name.
- The access levels ALTER and CONTROL are not supported.
- The access level UPDATE is not supported but WRIT-NX is. (This indicates 'write' access; WRITE would be used for 'write' plus 'execute', but is not currently allowed.)
- The access level READ is not supported but READ-NX is. (This indicates 'read' access; READ would be used for 'read' plus 'execute', but is not currently allowed.)
- The RESOURCE_LOCATION keyword is not allowed.
- The RESOURCE names can be up to 1023 characters (instead of 246).
If a resource name contains a quote, comma, or closing bracket, you must quote the entire name using (a different type of) quotes (single, double, or left quotes). Only quoted names can wrap across multiple lines. For more information, see CLASS.

Although it is technically possible to specify RESOURCE_TYPE simulations using the CLASS keyword, the preferred method is to use the RESOURCE_TYPE keyword described here.
- This option applies only to RACF and ACF2 systems. It causes IBM Security zSecure to behave as if it were called in restricted mode. This can be used before introducing restricted mode to study the effect. There are no further parameters to the command.
- SENSITIVE {LINKLIST|PROCLIB}
  SENSITIVE {READ|UPDATE} class dsname [EGN|ACF2]
- This option of the SIMULATE statement applies only to z/OS systems. It uses either of two formats. The first format is used to automatically add certain system data sets to the list of integrity sensitive data sets. The second format is used to add the specified data set by name. The data set sensitivities are reported as part of the REPORT SENSITIVE statement and in newlists that support the fields SENSTYPE or PRIV_SENSTYPE. For SENSDSN, the SIMULATE statement is effective only for queries that read the entire CKFREEZE file. The data sets are reported with the sensitivity types InstSpecRd and InstSpecUpd for READ and UPDATE, respectively. To add a concern text or priority or a more specific sensitivity starting with Site, use the SIMULATE CLASS=DATASET command.

The supported keywords are:
- LINKLIST
- Obsolete option that is retained only to prevent syntax errors on existing CARLa. Non-APF data sets in the current linklist are always considered to be sensitive for update.
- PROCLIB
- Obsolete option that is retained only to prevent syntax errors on existing CARLa. JES2/JES3 non-STC/TSU procedure libraries are always considered to be sensitive.
- {READ|UPDATE}
- The access level that is considered sensitive. The access level values can be abbreviated to R and U.
- class
- The class must be DATASET, DSN, DA, or D.
- dsname
- A single, nonquoted, fully qualified data set name. The data set name can be a generic specification that is interpreted according to the MASKTYPE value (see [EGN|ACF2]). A mask must start with a prefix of at least three (3) non-generic characters.
- [EGN|ACF2]
- Optional mask type that is used to interpret a generic specification in dsname. If the mask type is not specified, the last setting of OPTION MASKTYPE in the CARLa input before this SIMULATE statement is used. If no OPTION MASKTYPE is used, the default mask type for the product entitlements is used.
- SETROPTS options
- This keyword applies only to RACF systems running on z/OS. It allows simulating the effect of changing selected system-wide RACF options. The syntax of the rest of the statement is similar to the RACF SETROPTS command. The SETROPTS options that are supported are MODEL, TAPEDSN, PROTECTALL, EGN, ERASE, and WHEN with their respective subparameters and opposites. The SIMULATE SETROPTS statement can also be used to simulate most resource class options. The SIMULATE SETROPTS statement is not supported in restricted mode. It can be abbreviated to SIMULATE SETR.
- AUDIT(list of classes)
- This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes have auditing active. Simulation is not done for a class that does not have a CDT entry. The AUDIT keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
- CLASSACT(list of classes)
- This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes are active. Simulation is not done for a class that does not have a CDT entry. The CLASSACT keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
- GENERIC(list of classes)
- This parameter simulates that for all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes generic checking is performed. Simulation is not done for a class that does not have a CDT entry. The GENERIC keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
- GENCMD(list of classes)
- This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes allow commands for generic profiles. Simulation is not done for a class that does not have a CDT entry. The GENCMD keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
- RACLIST(list of classes)
- This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes are RACLISTed before authorization checking. Simulation is not done for a class that does not have a CDT entry. For simplicity reasons, this statement can also be used for classes that normally would only be globally RACLISTed. The RACLIST keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
- NOAUDIT(list of classes)
- This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes have auditing inactive. Simulation is not done for a class that does not have a CDT entry. The NOAUDIT keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
- NOCLASSACT(list of classes)
- This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes are inactive. Simulation is not done for a class that does not have a CDT entry. The NOCLASSACT keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
- NOGENERIC(list of classes)
- This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes do not perform generic checking. Simulation is not done for a class that does not have a CDT entry. The NOGENERIC keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
- NOGENCMD(list of classes)
- This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes do not allow commands for generic profiles. Simulation is not done for a class that does not have a CDT entry. The NOGENCMD keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
- NORACLIST(list of classes)
- This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes are not RACLISTed before authorization checking. Simulation is not done for a class that does not have a CDT entry. For simplicity reasons, this statement can also be used for classes that normally would only be globally RACLISTed. The NORACLIST option overrides a global RACLIST. The NORACLIST keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
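The following CARLa fragment is an added what-if example, not from the product documentation, combining the SIMULATE SETROPTS options described above with the SIMULATE RACF_ACCESS option described earlier: it asks how recorded Access Monitor events would be judged under changed system-wide options, without touching the RACF database. It assumes that the CLASS field can be used in SELECT and SORTLIST for TYPE=RACF_ACCESS, and that the SIM* column names (documented for that newlist type, not on this page) would be appended to the SORTLIST.

```carla
/* Added what-if example, not from the product documentation.           */
/* Question: which recorded Access Monitor events would become           */
/* violations if PROTECTALL(FAILURES) and EGN were set and XFACILIT      */
/* were active, generic and RACLISTed? Nothing is changed in RACF;      */
/* only the CKRCARLA evaluation is affected.                             */

/* System-wide options, written as on the RACF SETROPTS command.        */
SIMULATE SETROPTS PROTECTALL(FAILURES) EGN

/* Class options: each of CLASSACT, GENERIC and RACLIST may appear only */
/* once per SIMULATE SETROPTS statement, and the setting applies to     */
/* every CDT class that shares the POSIT number of the class named.     */
SIMULATE SETR CLASSACT(XFACILIT) GENERIC(XFACILIT) RACLIST(XFACILIT)

/* A second CLASSACT list needs a second statement (SETR abbreviation). */
SIMULATE SETR CLASSACT(JESSPOOL) AUDIT(JESSPOOL)

/* Ignore the result fields stored in the Access Monitor records and    */
/* let CKRCARLA decide success/violation/unexpected from the current    */
/* RACF input plus the simulated options. Without this statement the   */
/* SIM* fields of TYPE=RACF_ACCESS stay empty.                          */
SIMULATE RACF_ACCESS

/* Restrict the query so the output does not grow with every permit     */
/* on every profile in the system. CLASS as a selectable field is an    */
/* assumption of this example; add the SIM* fields to the SORTLIST.     */
NEWLIST TYPE=RACF_ACCESS
  SELECT CLASS=XFACILIT
  SORTLIST CLASS RESOURCE
```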
- SHARED [SYSTEM=list] [VOLUME=list]
  NONSHARED [SYSTEM=list] [VOLUME=list]
- This command subtype applies only to z/OS systems. It can be used to override the default shared DASD layout interpretation (which is based on the UCB settings). The command accepts two optional parameters: SYSTEM and VOLUME. Both parameters accept a single value or a list of values enclosed in parentheses and separated by commas. The scope of the SHARED / NONSHARED command is determined by these two parameters. If both are absent, the statement applies to all systems and all volumes. If no volume is included, the statement applies to all volumes in the systems mentioned. If no system is included, the statement applies to all systems for the volumes mentioned. If multiple commands apply to the same volume and/or system, the order of priority for each system/volume combination is shown in the following list:
- Sim (non)shared System= Volume=
- Sim (non)shared Volume=
- Sim (non)shared System=
- Sim (non)shared
- Use Shared setting from UCB
If the system and volume parameters are both omitted, the command must be terminated by a semicolon.

The SHARED keyword can also be specified as SHARE. The NONSHARED keyword can be specified as either NOTSHARED, UNSHARED, NOSHARED, NOSHARE, NONSHARE, or NOTSHARE. The SYSTEM keyword can be specified as SYSTEMS, SYST, or SYS, and the VOLUME keyword can be specified as VOLSER or VOL.
- SMF=number [SYSTEM=smfid] [FORMAT=fmt] [SECURITY_RELEVANT] [DESC=string]
- This specification applies only to z/OS systems. It specifies to interpret the indicated SMF record number as a record of type fmt, or to declare the SMF type security-relevant, or to define or replace the record type description. This specification might be needed in either of the following situations:
- You do not have an appropriate CKFREEZE for the system that you want to analyze fmt records from (leave out the SYSTEM).
- You want the SEC_REL_* fields of TYPE=SMFOPT to be populated for more SMF record types.
- You want to set the record type description by default.
If a CKFREEZE is present, the program should automatically select the proper format. When no smfid is specified, the command affects all systems. Otherwise, a CKFREEZE with the smfid specified must be present, or the command will be ignored.

When multiple record numbers are specified for one format (for example, one from a CKFREEZE and one from SIMULATE), all will be interpreted as being of that specific format. The following formats are supported:
- ACF2
- AIM
- HSM0
- HSM1
- OMEG
- RMMAUD
- RMMSEC
- SECURPASS
- SUPSESS
- TLMS
- TPX
- SUBSYS security_options
- This option can be used to simulate subsystem options. The first two parameters of the SIMULATE SUBSYS statement are mandatory. The first parameter is the subsystem type; the second parameter is the subsystem name. The specific-keywords parameters are optional and depend on the simulated subsystem:
SUBSYS subsys-type subsys-name specific-keywords
Refer to the following sections for details:
- Db2
- This parameter applies only to RACF systems running on z/OS. The subsys-name can be either a Db2 subsystem name or a group attach name. The specified value is converted to uppercase. The specific-keywords for the Db2 subsystem are specified with the following syntax:
[ACCESS_CNTL(CLASSOPT=n CLASSNMT=xxx CHAROPT=s)]
The ACCESS_CNTL parameter consists of a list of suboptions in an arbitrary order. The suboptions are:
- CLASSOPT
- Specifies a single digit indicating the classification option (1 or 2).
- CLASSNMT
- Specifies the class name root (converted to uppercase).
- CHAROPT
- Specifies the class name suffix (converted to uppercase).
The order of the options within the ACCESS_CNTL parameter list is free, but all three options are required. The SIMULATE SUBSYS Db2 statement simulates the presence of a Db2 DSNX@XAC exit that is compiled with the specified customization settings for the indicated Db2 subsystem. Use of this statement also simulates that all resulting resource classes are:
- Added to the Class Descriptor Table
- Enabled for generic profile checking
- Set to audit changes
- Active
- RACLISTed
Here is an example statement:
SIMULATE SUBSYS DB2 DBAG ACCESS_CNTL(CLASSOPT=1 CLASSNMT=DBX CHAROPT=3)
- BMC MainView
- To simulate an active MainView environment, use MAINVIEW as the subsys-type:
SIMULATE SUBSYS MAINVIEW system [WINCLASS=class] [SSID=ssid]
The system is the system on which MainView products are running. This is the SMF ID of the system as represented, for example, by the SYSTEM field in newlist type SYSTEM. The specified value is converted to uppercase. For each MainView environment, only one set of options can be specified.
The specific-keywords for the MainView environment are optional and are specified with the following syntax:
[WINCLASS=class] [SSID=ssid]
- WINCLASS
- Specifies the effective class for resources that is used by the MainView products that run in windows mode. In MainView, this is represented by the NEXT class parameter and it defaults to FACILITY.
- SSID
- Specifies the CAS address space identifier, which uniquely identifies a running MainView environment; it defaults to BBCS.
For a description of the NEXT class parameter and SSID, refer to the BMC MainView documentation.
The order of the options is free and their values are converted to uppercase.
When the SIMULATE SUBSYS MAINVIEW statement is used, zSecure detects MainView resources that are checked in the DISA STIG ZMVZ0020 control, and assigns them a sensitivity.
Here is an example statement:
SIMULATE SUBSYS MAINVIEW ZS34 WINCLASS=MV@TEST SSID=CAS1
- Advantage CA-Roscoe
- To simulate an active Roscoe environment, use ROSCOE as the subsys-type. The subsys-name is the name of the Roscoe MVS subsystem, which is a four-character string. The specified value is converted to uppercase. For each Roscoe subsystem, only one set of options can be specified.
The specific-keywords for the Roscoe subsystem are optional and are specified with the following syntax:
[RESHLQ=ROSID] [ROSID=rosid]
- RESHLQ
- The Roscoe initialization parameter. RESHLQ is by default not set, and thus the resource names are not prefixed. It must be set to ROSID in order to have the rosid variable prefixed to the names of the Roscoe resources.
- ROSID
- Specifies the four-character Roscoe identification code, which uniquely identifies a running Roscoe subsystem. The default value is ROS1.
For a description of RESHLQ and ROSID, refer to the Advantage CA-Roscoe documentation.
The order of the options is free and their values are converted to uppercase.
When the SIMULATE SUBSYS ROSCOE statement is used, zSecure detects Roscoe resources that are checked in the DISA STIG ZROS0020 control, and assigns them a sensitivity.
Here is an example statement:
SIMULATE SUBSYS ROSCOE ROSA RESHLQ=ROSID ROSID=ROSA
- Compuware Abend-AID
- To simulate an active Abend-AID environment, use ABENDAID as the subsys-type:
SIMULATE SUBSYS ABENDAID jobname [CLASS=class] [PREFIX=prefix]
The jobname is the Abend-AID Viewing Server jobname. The program of this job, specified through the PGM= keyword on the EXEC statement, is equal to FDBMMPLU. The specified value is converted to uppercase. For each Abend-AID environment, only one set of options can be specified.
The specific-keywords for the Abend-AID environment are optional and are specified with the following syntax:
[CLASS=class] [PREFIX=prefix]
- CLASS
- Specifies the SAF resource class that is used by Abend-AID to restrict access to Abend-AID functions. It reflects the value of the EXTERNAL_SECURITY_RESOURCE_CLASS Abend-AID parameter and it defaults to the DATASET class.
- PREFIX
- Specifies the prefix for the Abend-AID resources. It reflects the value of the EXTERNAL_SECURITY_PREFIX parameter and it defaults to COMPWARE.
For a description of EXTERNAL_SECURITY_RESOURCE_CLASS and EXTERNAL_SECURITY_PREFIX, refer to the Compuware Abend-AID documentation.
The order of the options is free and their values are converted to uppercase.
When the SIMULATE SUBSYS ABENDAID statement is used, zSecure detects Abend-AID resources that are checked in the DISA STIG ZAID0020 control, and assigns them a sensitivity.
Here is an example statement:
SIMULATE SUBSYS ABENDAID AAVIEW CLASS=AA@TEST PREFIX=AAPREF
- Rocket Software Catalog Solution
- To simulate an active Catalog Solution environment, use CATSOLN as the subsys-type:
SIMULATE SUBSYS CATSOLN system VER=(lvl,sublvl)
The system is the system on which Catalog Solution is running. This is the SMF ID of the system as represented, for example, by the SYSTEM field in newlist type SYSTEM. The specified value is converted to uppercase. For each Catalog Solution environment, only one set of options can be specified.
The specific-keywords for the Catalog Solution environment are specified with the following syntax:
VER=(lvl,sublvl)
- VER
- Specifies the version of the product. This parameter is mandatory.
When the SIMULATE SUBSYS CATSOLN statement is used, zSecure detects Catalog Solution resources that are checked in the DISA STIG ZCSL0020 control, and assigns them a sensitivity.
Here is an example statement:
SIMULATE SUBSYS CATSOLN ZS34 VER=(9,10)
- IBM Z NetView
- To simulate an active IBM Z NetView environment, use NETVIEW as the subsys-type:
SIMULATE SUBSYS NETVIEW netid LUNAME=luname
The netid and luname values reflect IBM Z NetView. You can determine the netid and luname values for your systems using the NetView LISTVAR command, or the REXX functions NETID() and DOMAIN() in a command list. For a description of netid and luname, refer to the IBM Z NetView documentation. The values are converted to uppercase.
Here is an example statement:
SIMULATE SUBSYS NETVIEW NETA LUNAME=CNM01
When the SIMULATE SUBSYS NETVIEW statement is used, zSecure detects NetView resources that are checked in the DISA STIG ZNET0020 control, and assigns them a sensitivity.
- TODAY=date
- This parameter can be used to produce reports as if it were the specified date. The supported format for date values can be found in Date fields. This is especially useful for regression testing and for answering what-if questions. The main area of impact is output that depends on a comparison of date values with the current date (like revoke status). The datestamp printed on the output will also list the simulated date, except on the first (or all) pages in the SYSPRINT file. Faked time stamps might be recognized when they display the time as well as the date, because the time has been set to the impossible HH:MM:SS.CC value 99:00:00.00. The date value can also be used to recognize unloads that have been unloaded with a simulated today value. The parameter is not supported in restricted mode.