SIMULATE

Use the SIMULATE statement, or its abbreviation SIM, to change specific settings or to add features globally in the CKRCARLA run. You can use this statement to test certain scenarios without actually making changes in the security database.

The SIMULATE command can be used as a stand-alone command or as a keyword within STANDARD / ENDSTANDARD.

The SIMULATE statement supports several subtypes. The subtype is entered as the first positional parameter on the statement. Table 1 gives an overview of the supported options:
Table 1. Supported subtypes for the SIMULATE statement
Option Description
ACCESS_FALLBACK_DEFAULT Perform access simulation in the absence of a matching CKFREEZE data set.
CA1OPT Simulate SAF resource checking for online profile or password values.
CLASS Specify resources by SAF class for which access is determined. For other resource types, see RESOURCE_TYPE.
CKGRACF, CNGRACF Specify use of CKGRACF scoping profiles.
DMSPARMS Specify DMS processing options.
POLICY Select zSecure audit policy to determine priority.
PRIV_USER_GROUPS Specify which RACF groups are for privileged users.
RACF_ACCESS Specify which profile to use for Access Monitor reports.
RDEFINE Select enhanced or basic program control mode.
RESOURCE_TYPE, RESTYPE Specify resource types other than SAF for which access is determined. For resources by SAF class, see CLASS.
RESTRICT CKRCARLA acts as if it has only PADS access to data sets.
SENSITIVE Specify sensitive data sets.
SETROPTS Change certain RACF settings.
SHARED / NONSHARED Override DASD sharing.
SMF Application use of SMF records.
SUBSYS Specify subsystem security options.
TODAY Run reports for another day.
ACCESS_FALLBACK_DEFAULT
This keyword applies only to RACF systems. You can use this keyword to perform access simulation of events in an Access data set even if a CKFREEZE data set is not available for the system identified by the SMFid in the access monitor records. The ACCESS_FALLBACK_DEFAULT keyword specifies that the necessary RACF options from the default system are used. Examples of such RACF options are EGN, and CLASSACT or RACLIST of the RACF resource classes.

If this keyword is not specified, access monitor records from a system without a matching CKFREEZE data set are not processed during access simulation. For more information about use of the DEFAULT statement to specify the default system, see DEFAULT.

CA1OPT [PSWD=[YES|Y|NO|N]]
You can simulate SAF resource checking for online profile or password values that are defined in TMOSECxx with PSWD=Y. Or you can switch it off with PSWD=N.
CLASS=class [{SENSITIVITY|SENSTYPE}={Site<text> | predefinedtype } [ACCESS={ALTER|CONTROL|READ|UPDATE}] [ID=S<id> |PRIO={2|3|4|5|6|7|8|9} [ID=S<id> ] CONCERN='concern text']] [{RESOURCE_LOCATION|RESLOC}=name] [MASKTYPE=[EGN|ACF2]] RESOURCE=(name, ...)
The purpose of this kind of SIMULATE command is to add resources to sensitive resource reporting. Use SIMULATE CLASS to specify resources by SAF class. For other resource type specifications, see RESOURCE_TYPE.

Analysis of sensitive resources for SAF classes applies only to RACF and ACF2 systems. It applies to the CLASS and RESOURCE fields in those newlist types that support fields SENSTYPE or PRIV_SENSTYPE. For the SENSDSN newlist, the SIMULATE statement is effective only for queries that read the entire CKFREEZE file. When this option is specified, the program uses resource simulation to show which permit is used for which resource for RACLIST-merged grouping and member profiles. For CLASS=DATASET, this statement adds a sensitive resource and optionally adds resource locations if locations are reported by NEWLIST TYPE=REPORT_*.

For the command syntax, CLASS must be the first parameter and RESOURCE the last parameter. The RESOURCE parameter can contain a list of resource names separated by commas or blanks. Resource names are case sensitive. The SIMULATE command can be combined with the SUPPRESS AUTO_RESOURCE command so that only the resources specified on SIMULATE commands are included in the output. See the SUPPRESS command.

If the SENSITIVITY was defined on a DEFSENS statement that applies to the CLASS, then ACCESS, PRIO, CONCERN, and ID properties are inherited. If applicable DEFSENS statements exist for multiple risk levels, then all risk levels (and associated properties) are inherited if ACCESS is omitted. Through ID, the CONCERN and PRIO properties are even inherited from a different DEFSENS statement. If properties are specified again, they must match. See DEFSENS for further details. Properties are not inherited from SIMULATE to DEFSENS or between SIMULATE statements. To ensure consistent properties and minimal typing, put the properties on DEFSENS and only define the RESOURCEs on SIMULATE.

To influence how many resources get reported, use the REPORT RESOURCE command to automatically include sensitive general resources, use the REPORT DATASET command to automatically include sensitive data sets, or use the REPORT RESOURCE DATASET command to include both. Before using the REPORT commands, consider how much output you require, especially when including the DATASET option. If you do not specify any additional selection criteria (SELECT command), adding many resources by using the SIMULATE command combined with the use of the RESOURCE field in NEWLIST TYPE=RACF_ACCESS can result in an exceedingly high volume of output. The amount of output generated equals the number of resources in the system multiplied by the number of permits in the profiles that protect the resources.

The following classes assign a nonstandard meaning to the member list and are not supported for resource simulation: CONNECT, DIGTNMAP, DIGTCERT, DIRACC, DIRAUTH, FSSEC, FSOBJ, GLOBAL, GMBR, GROUP, IDIDMAP, NDSLINK, NODES, NODMBR, NOTELINK, PMBR, RACFVARS, RVARSMBR, SCDMBR, SECDATA, SECLABEL, SECLMBR, UNIXMAP, USER, VMBR, VMEVENT, VMXEVENT, and VXMBR.

The following definitions of the optional subparameters for the SIMULATE CLASS command provide descriptions, syntax, and processing considerations.

[ACCESS={ALTER|CONTROL|READ|UPDATE}]
The minimum access level associated with the RISK field. READ is the default.
{SENSITIVITY|SENSTYPE}={Site<text> | predefinedtype }
An 11-character string that denotes the sensitive resource type. There are different kinds of sensitivity types that can be used on the SIMULATE command:
Regulation-defined sensitivities
As-is or suffixed with an extra site-defined string; see Predefined sensitivity types related to SIMULATE CLASS SENSITIVITY
Site-defined
Start with Site
IBM-defined DEFSENS types
Do not start with Site and end with an underscore (_)
The case of the text string is preserved from the first occurrence, but strings that only differ in case are considered the same sensitivity.
PRIO={2|3|4|5|6|7|8|9}
Audit priority is a number in the range of 2–9 that determines the display sort order of the audit concern. Priority 2 represents the lowest priority. Priority 1 is reserved for inactive userids that have been revoked or suspended. Priority 9 is very high, system-wide systems programmer privilege. The default priority for CICS resources is 2, but the PRIO parameter can be used to increase the CICS audit priority. If the optional PRIO parameter is specified, the CONCERN and SENSITIVITY parameters must also be specified or inherited.
ID=S<id>
The ID=parm can be specified on the LANGUAGE statement that specifies the translation. The ID must start with an 'S' and its maximum length is 8 characters. If the optional ID parameter is specified, the CONCERN, PRIO, and SENSITIVITY parameters must also be specified or inherited.
CONCERN=['text' | "text" | `text` ]
Audit concern description that explains the authority granted by the sensitive access level defined in the ACCESS field. The CONCERN parameter is reported in NEWLIST TYPE=TRUSTED. The maximum length is 64 characters. The description text must be enclosed in quotes. If the optional CONCERN parameter is specified, the PRIO and SENSITIVITY parameters must also be specified or inherited.
RESLOC=<resloc> | RESOURCE_LOCATION=<resloc>
Optional specification of the location of the CLASS RESOURCE. The CLASS_RESOURCE location is returned in various reports in the RESOURCE_LOCATION field. The maximum length is 35 characters. The text is converted to uppercase.
MASKTYPE=[EGN|ACF2]
Mask type to use for interpreting a generic specification of the RESOURCE value. This parameter is optional. If MASKTYPE is not specified, the last setting of OPTION MASKTYPE in the CARLa input before this SIMULATE statement is used. If no OPTION MASKTYPE is used, the default mask type for the product entitlements is used.
RESOURCE=(name, ...)
The RESOURCE parameter specifies a list of resource names separated by commas or blanks. End-of-line characters between parentheses are ignored. If a single resource name is specified, the parentheses can be omitted. Resource names are case sensitive except for class DATASET. You can use single quotes, double quotes, or left quotes around each name. Only quoted names can wrap across multiple lines.

For class=DATASET, the resource name can be a generic specification that is interpreted according to the mask type that is specified in MASKTYPE. A mask must start with a prefix of at least three (3) non-generic characters.
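The subparameter rules above, collected into a pre-submission check. This is an added Python example, not part of the product or its documentation; the dict representation of a statement, the name lint_simulate_class, and the characters treated as generic for each mask type are assumptions.

```python
"""Added example: lint SIMULATE CLASS parameters against the rules on this page."""

# Classes the page lists as not supported for resource simulation.
UNSUPPORTED_CLASSES = frozenset(
    "CONNECT DIGTNMAP DIGTCERT DIRACC DIRAUTH FSSEC FSOBJ GLOBAL GMBR GROUP "
    "IDIDMAP NDSLINK NODES NODMBR NOTELINK PMBR RACFVARS RVARSMBR SCDMBR "
    "SECDATA SECLABEL SECLMBR UNIXMAP USER VMBR VMEVENT VMXEVENT VXMBR".split()
)
ACCESS_LEVELS = ("ALTER", "CONTROL", "READ", "UPDATE")
# "If X is specified, these must also be specified or inherited."
REQUIRES = {
    "PRIO": ("CONCERN", "SENSITIVITY"),
    "ID": ("CONCERN", "PRIO", "SENSITIVITY"),
    "CONCERN": ("PRIO", "SENSITIVITY"),
}
MAX_LEN = {"SENSITIVITY": 11, "ID": 8, "CONCERN": 64, "RESLOC": 35}
MAX_RESOURCE_LEN = 246
# Assumption: characters that make a data set name generic, per mask type.
GENERIC_CHARS = {"EGN": "*%", "ACF2": "*-"}


def lint_simulate_class(stmt, inherited=(), default_masktype="EGN"):
    """Return findings for one SIMULATE CLASS statement given as a dict.

    `inherited` names the properties an applicable DEFSENS statement supplies.
    `default_masktype` stands in for the OPTION MASKTYPE / entitlement default.
    """
    findings = []
    cls = str(stmt.get("CLASS", ""))
    if not cls:
        findings.append("CLASS is required and must be the first parameter")
    elif cls.upper() in UNSUPPORTED_CLASSES:
        findings.append(f"class {cls.upper()} is not supported for resource simulation")

    access = stmt.get("ACCESS", "READ")  # READ is the default
    if access not in ACCESS_LEVELS:
        findings.append(f"ACCESS={access} is not one of {ACCESS_LEVELS}")

    for key, limit in MAX_LEN.items():
        if key in stmt and len(str(stmt[key])) > limit:
            findings.append(f"{key} is longer than {limit} characters")

    # Cross-parameter dependencies; a value inherited from DEFSENS satisfies them.
    for key, needs in REQUIRES.items():
        if key in stmt:
            missing = [n for n in needs if n not in stmt and n not in inherited]
            if missing:
                findings.append(
                    f"{key} requires {', '.join(missing)} (specified or inherited)")

    if "PRIO" in stmt and stmt["PRIO"] not in range(2, 10):
        findings.append("PRIO must be in the range 2-9")
    if "ID" in stmt and not str(stmt["ID"]).startswith("S"):
        findings.append("ID must start with 'S'")

    resources = stmt.get("RESOURCE", [])
    if not resources:
        findings.append("RESOURCE is required and must be the last parameter")
    generic = GENERIC_CHARS[stmt.get("MASKTYPE", default_masktype)]
    for name in resources:
        if len(name) > MAX_RESOURCE_LEN:
            findings.append(f"resource name exceeds {MAX_RESOURCE_LEN} characters")
        # A DATASET mask needs at least three leading non-generic characters.
        if cls.upper() == "DATASET" and any(c in generic for c in name):
            if len(name) < 3 or any(c in generic for c in name[:3]):
                findings.append(
                    f"mask {name} needs a prefix of at least 3 non-generic characters")
    return findings


if __name__ == "__main__":
    # Constructed sample statements; the resource names are illustrative only.
    samples = [
        {"CLASS": "FACILITY", "SENSITIVITY": "SitePayroll", "ACCESS": "UPDATE",
         "PRIO": 7, "CONCERN": "Can release payroll batch runs",
         "RESOURCE": ["PAY.BATCH.RELEASE"]},
        {"CLASS": "DATASET", "PRIO": 8, "RESOURCE": ["SY*.PARMLIB"]},
        {"CLASS": "USER", "RESOURCE": ["IBMUSER"]},
    ]
    for s in samples:
        print(s["CLASS"], lint_simulate_class(s) or "ok")
```
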

CKGRACF [COMPLEX=complex] [CLASS=class]
CNGRACF [COMPLEX=complex] [CLASS=class]
These command subtypes apply only to RACF systems running on z/OS. You can use these subtypes to influence the CKGRACF scope determined by the program. SIMULATE CKGRACF causes resources of the form CKG.** to be checked. SIMULATE CNGRACF causes resources of the form $CNG.** to be checked. The two command subtypes are mutually exclusive on the complex level. If the COMPLEX= keyword is used, only the specified complex is affected by the command. If the COMPLEX= keyword is omitted, all complexes that are not the target of a specific SIMULATE CNGRACF or SIMULATE CKGRACF command are affected. A complex that is the target of neither is processed as for SIMULATE CKGRACF, unless it contains an UNLOAD file made by an old version of the product that still used the $CNG.** resources, in which case SIMULATE CNGRACF processing applies. The CLASS= keyword specifies the general resource class to be checked. If omitted, CKG.** resources are checked in the class specified in the CKRSITE module (or XFACILIT if there is none), whereas $CNG.** resources are by default checked in FACILITY. These command subtypes are not supported in restricted mode.
DMSPARMS prm+val
This command subtype can be used to simulate the effect of changing DMS parameter settings, or, if they are missing from the CKFREEZE file, to tell the program how they are set. The parameter name and value are specified without intervening blanks, as in the DMS option members. The following parameters are supported and used. The parameter names start with the ESM they apply to, except for Top Secret, which is represented as TOP.
ACF2SUPP
Must be Y to secure data sets in CA-Disk with ACF2 in an ACF2 system.
RACFALWZ
Always-call must be Y to process data sets that are not RACF-indicated.
RACFBKUP
Determines the way discretes are processed.
RACFPRED
Determines whether an existing discrete will be used or deleted when a data set is restored.
RACFSUPP
Support must be Y to support RACF-indicated data sets.
RACFPROC
Process RACF profiles can be Y to be able to process data sets that have lost their discrete profiles.
RACFNEWN
Process NEWNAME must be N for a safe system.
RACFDVOL
Volume for discretes.
RACFUSID
High-level qualifier for archive data sets.
SECURVOL
Determines whether DASDVOL profiles are checked first.
TOPSUPP
Must be Y to secure data sets in CA-Disk with CA Top Secret in a Top Secret system.
POLICY
This option is only used in the zSecure Audit and zSecure Manager for RACF z/VM products. It sets the policy against which settings are checked. It causes additional audit concerns to be raised. Also, it increases priority for direct violations of the policy to be at least 40. It is by no means a complete check on all requirements for the policy.

The policy can be one of the levels C1, C2, or B1 from the US standard DOD 5200.28-STD, usually called 'orange book'. C2 is equivalent to the Protection Profile CS1 (Commercial Security 1) of the Common Criteria. If no explicit policy is requested, the built-in IBM® Security zSecure audit policy will be used, somewhere between C1 and C2 but with more emphasis on auditing.

PRIV_USER_GROUPS=list
This option applies only to RACF systems. Use this field to define a set of group names to report on. The names are converted to upper case. Each group name can be no longer than 8 characters. It can be a single group or a list of groups enclosed in parentheses and separated by commas. Blanks and new lines between the parentheses are allowed. Although there is no maximum on the number of groups specified, there are limits for the fields where they are used and for the output file formats. Multiple specifications of PRIV_USER_GROUPS will be combined into a single list.
RACF_ACCESS
This option applies only to RACF systems. This option controls under which profile, profile member, and access list entry the Access Monitor records will be reported in RACF_ACCESS NEWLIST.

When SIMULATE RACF_ACCESS is not specified, the result fields in the Access Monitor records are used to locate the profile name in the current RACF input source and if the profile exists, occurrences are counted towards that profile.

When SIMULATE RACF_ACCESS is specified, the result fields of the Access Monitor records are not used, and a simulation is done of what RACF would do given the current RACF input source. The profile resulting from that simulation is used for recording and counting purposes. This option also determines whether the Access Monitor records are counted as success, violation, or unexpected.

Note that specifying the RACF_ACCESS NEWLIST option without using the SIMULATE RACF_ACCESS option precludes the use of the SIM* fields in RACF_ACCESS NEWLIST. That is, when you set up a reporting query using both the RACF_ACCESS and ACCESS NEWLIST types together, you must specify the SIMULATE RACF_ACCESS option to include SIM* field data in the report results. If you do not specify this option, the SIM* fields will be empty.

RDEFINE FACILITY IRR.PGMSECURITY APPLDATA('mode')
This option applies only to RACF systems running on z/OS. It simulates that FACILITY profile IRR.PGMSECURITY has APPLDATA('mode'). This simulates the mode in which RACF Program Control runs. The following modes are supported.
  • BASIC for basic security mode
  • ENHWARN for Enhanced-Warning security mode
  • ENHANCED for Enhanced security mode
This command is used with VERIFY PADS (see VERIFY PADS). You can evaluate the commands that are generated by VERIFY PADS before configuring RACF in that mode.

The RDEFINE keyword can also be abbreviated to RDEF.

{ RESOURCE_TYPE=UNIXFILE | RESTYPE=UNIXFILE } [ACCESS={READ-NX|WRIT-NX}] [SENSITIVITY=Site<text> PRIO={2|3|4|5|6|7|8|9} [ID=S<id>] CONCERN='concern text'] RESOURCE=(name, ...)

This option allows you to specify UNIX files as sensitive. This applies to zSecure Audit for RACF, ACF2, and Top Secret. It is similar to SIMULATE CLASS.

The resource names that are specified are resolved within the file system (for each system). The sensitivities show up in the PRIV_* fields in TYPE=UNIX. Note that other hard links (path names) to the same file (identified by its device and inode) are also tagged. If SECLABEL substitution applies, a single specification might tag multiple device and inode combinations on the same system.

The access level is reflected in PRIV_ACCESS. The sensitivity is reflected in PRIV_SENSTYPE. The concern and priority are reflected in PRIV_CONCERN and PRIV_PRIORITY.

The syntax is the same as the general SIMULATE CLASS syntax, except for the following:
  • The RESOURCE_TYPE specification is not case-sensitive and can be specified as UNIXFILE. In contrast, when using the SIMULATE CLASS syntax, you would have to specify the mixed case value 'UNIXfile'c for the CLASS. SIMULATE RESOURCE_TYPE currently only supports UNIXFILE. For the resource, specify an absolute path name.
  • The access levels ALTER and CONTROL are not supported.
  • The access level UPDATE is not supported but WRIT-NX is. (This indicates 'write' access; WRITE would be used for 'write' plus 'execute', but is not currently allowed.)
  • The access level READ is not supported but READ-NX is. (This indicates 'read' access: READ would be used for 'read' plus 'execute', but is not currently allowed.)
  • The RESOURCE_LOCATION keyword is not allowed.
  • The RESOURCE names can be up to 1023 characters (instead of 246).

If a resource name contains a quote, comma, or closing bracket, you must quote the entire name using (a different type of) quotes (single, double, or left quotes). Only quoted names can wrap across multiple lines.

For more information, see CLASS.

Although it is technically possible to specify RESOURCE_TYPE simulations using the CLASS keyword, the preferred method is to use the RESOURCE_TYPE keyword described here.

RESTRICT
This option applies only to RACF and ACF2 systems. It causes IBM Security zSecure to behave as if it were called in restricted mode. This can be used before introducing restricted mode to study the effect. There are no further parameters to the command.
SENSITIVE {LINKLIST|PROCLIB}
SENSITIVE {READ|UPDATE} class dsname [EGN|ACF2]
This option of the SIMULATE statement applies only to z/OS systems. It uses either of two formats. The first format is used to automatically add certain system data sets to the list of integrity sensitive data sets. The second format is used to add the specified data set by name. The data set sensitivities are reported as part of the REPORT SENSITIVE statement and in newlists that support fields SENSTYPE or PRIV_SENSTYPE. For SENSDSN, the SIMULATE statement is effective only for queries that read the entire CKFREEZE file. The data sets are reported with the sensitivity types InstSpecRd and InstSpecUpd for READ and UPDATE, respectively. To add a concern text or priority or a more specific sensitivity starting with Site, use the SIMULATE CLASS=DATASET command.
The supported keywords are:
LINKLIST
Obsolete option that is retained only to prevent syntax errors on existing CARLa. Non-APF data sets in the current linklist are always considered to be sensitive for update.
PROCLIB
Obsolete option that is retained only to prevent syntax errors on existing CARLa. JES2/JES3 non-STC/TSU procedure libraries are always considered to be sensitive.
{READ|UPDATE}
The access level that is considered sensitive. The access level values can be abbreviated to R and U.
class
The class must be DATASET, DSN, DA, or D.
dsname
A single, nonquoted, fully qualified data set name. The data set name can be a generic specification that is interpreted according to the MASKTYPE value (see [EGN|ACF2]). A mask must start with a prefix of at least three (3) non-generic characters.
[EGN|ACF2]
Optional mask type that is used to interpret a generic specification in dsname. If the mask type is not specified, the last setting of OPTION MASKTYPE in the CARLa input before this SIMULATE statement is used. If no OPTION MASKTYPE is used, the default mask type for the product entitlements is used.
SETROPTS options
This keyword applies only to RACF systems running on z/OS. It allows simulating the effect of changing selected system-wide RACF options. The syntax of the rest of the statement is similar to the RACF SETROPTS command. The SETROPTS options that are supported are MODEL, TAPEDSN, PROTECTALL, EGN, ERASE, and WHEN with their respective subparameters and opposites. The SIMULATE SETROPTS statement can also be used to simulate most resource class options.

The SIMULATE SETROPTS statement is not supported in restricted mode. It can be abbreviated to SIMULATE SETR.

AUDIT(list of classes)
This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes have auditing active. Simulation is not done for a class that does not have a CDT entry. The AUDIT keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
CLASSACT(list of classes)
This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes are active. Simulation is not done for a class that does not have a CDT entry. The CLASSACT keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
GENERIC(list of classes)
This parameter simulates that for all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes generic checking is performed. Simulation is not done for a class that does not have a CDT entry. The GENERIC keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
GENCMD(list of classes)
This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes allow commands for generic profiles. Simulation is not done for a class that does not have a CDT entry. The GENCMD keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
RACLIST(list of classes)
This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes are RACLISTED before authorization checking. Simulation is not done for a class that does not have a CDT entry. For simplicity reasons, this statement can also be used for classes that normally would only be globally RACLISTed. The RACLIST keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
NOAUDIT(list of classes)
This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes have auditing inactive. Simulation is not done for a class that does not have a CDT entry. The NOAUDIT keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
NOCLASSACT(list of classes)
This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes are inactive. Simulation is not done for a class that does not have a CDT entry. The NOCLASSACT keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
NOGENERIC(list of classes)
This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes do not perform generic checking. Simulation is not done for a class that does not have a CDT entry. The NOGENERIC keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
NOGENCMD(list of classes)
This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes do not allow commands for generic profiles. Simulation is not done for a class that does not have a CDT entry. The NOGENCMD keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
NORACLIST(list of classes)
This parameter simulates that all classes in the RACF Class Descriptor Table (CDT) with the same POSIT number as the specified classes are not RACLISTED before authorization checking. Simulation is not done for a class that does not have a CDT entry. For simplicity reasons, this statement can also be used for classes that normally would only be globally RACLISTed. The NORACLIST option overrides a global RACLIST. The NORACLIST keyword can be used only once on a SIMULATE SETROPTS statement, but multiple SIMULATE SETROPTS statements with this parameter can be used.
SHARED [SYSTEM=list] [VOLUME=list]
NONSHARED [SYSTEM=list] [VOLUME=list]
This command subtype applies only to z/OS systems. It can be used to override the default shared DASD layout interpretation (which is based on the UCB settings). The command accepts two optional parameters: SYSTEM and VOLUME. Both parameters accept a single value or a list of values enclosed in parentheses and separated by commas. The scope of the SHARED / NONSHARED command is determined by these two parameters. If both are absent, the statement applies to all systems and all volumes. If no volume is included, the statement applies to all volumes in the systems mentioned. If no system is included, the statement applies to all systems for the volumes mentioned. If multiple commands apply to the same volume and/or system, the order of priority for each system/volume combination is shown in the following list:
  1. Sim (non)shared System= Volume=
  2. Sim (non)shared Volume=
  3. Sim (non)shared System=
  4. Sim (non)shared
  5. Use Shared setting from UCB

If the system and volume parameters are both omitted, the command must be terminated by a semicolon.

The SHARED keyword can also be specified as SHARE. The NONSHARED keyword can be specified as either NOTSHARED, UNSHARED, NOSHARED, NOSHARE, NONSHARE, or NOTSHARE. The SYSTEM keyword can be specified as SYSTEMS, SYST, or SYS, and the VOLUME keyword can be specified as VOLSER or VOL.
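The priority order and keyword aliases above, worked through for individual system/volume pairs. This is an added Python example, not product code; the function names, the sample system and volume names, and the choice to report two equally specific but contradictory statements as CONFLICT (the page does not say which one wins) are assumptions.

```python
"""Added example: resolve SIMULATE SHARED / NONSHARED precedence per system/volume."""
import re

SHARED_KW = {"SHARED", "SHARE"}
NONSHARED_KW = {"NONSHARED", "NOTSHARED", "UNSHARED", "NOSHARED",
                "NOSHARE", "NONSHARE", "NOTSHARE"}
SYSTEM_KW = {"SYSTEM", "SYSTEMS", "SYST", "SYS"}
VOLUME_KW = {"VOLUME", "VOLSER", "VOL"}
# keyword=value or keyword=(value,value,...)
_PARAM = re.compile(r"(\w+)=(?:\(([^)]*)\)|([^\s()]+))")


def parse_shared(text):
    """Parse one statement into (shared, systems, volumes); None means 'all'."""
    words = text.strip().rstrip(";").split(None, 2)
    if len(words) < 2 or words[0].upper() not in ("SIMULATE", "SIM"):
        raise ValueError(f"not a SIMULATE statement: {text!r}")
    keyword = words[1].upper()
    if keyword not in SHARED_KW | NONSHARED_KW:
        raise ValueError(f"not a SHARED/NONSHARED subtype: {keyword}")
    systems = volumes = None
    for key, multi, single in _PARAM.findall(words[2] if len(words) > 2 else ""):
        values = {v.strip() for v in (multi.split(",") if multi else [single])
                  if v.strip()}
        if key.upper() in SYSTEM_KW:
            systems = values
        elif key.upper() in VOLUME_KW:
            volumes = values
        else:
            raise ValueError(f"unexpected parameter {key}")
    return (keyword in SHARED_KW, systems, volumes)


def resolve_shared(statements, system, volume, ucb_shared):
    """Return (setting, rank) for one system/volume pair.

    rank 1: SYSTEM= and VOLUME=   rank 2: VOLUME= only   rank 3: SYSTEM= only
    rank 4: neither               rank 5: fall back to the UCB setting
    """
    best_rank, settings = 5, {ucb_shared}
    for shared, systems, volumes in statements:
        if systems is not None and system not in systems:
            continue
        if volumes is not None and volume not in volumes:
            continue
        if systems is not None and volumes is not None:
            rank = 1
        elif volumes is not None:
            rank = 2
        elif systems is not None:
            rank = 3
        else:
            rank = 4
        if rank < best_rank:
            best_rank, settings = rank, {shared}
        elif rank == best_rank:
            settings.add(shared)
    if len(settings) > 1:
        return ("CONFLICT", best_rank)  # assumption: flag it, do not guess
    return ("SHARED" if settings.pop() else "NONSHARED", best_rank)


if __name__ == "__main__":
    # Constructed statements; system and volume names are illustrative only.
    stmts = [parse_shared(s) for s in (
        "SIMULATE SHARED;",
        "SIM NONSHARED SYS=SYSA",
        "SIMULATE SHARED VOL=(WORK01,WORK02)",
        "SIM NOTSHARED SYSTEM=SYSA VOLUME=WORK02",
    )]
    for sysid, vol in (("SYSA", "WORK02"), ("SYSA", "WORK01"),
                       ("SYSA", "DATA01"), ("SYSB", "DATA01")):
        print(sysid, vol, resolve_shared(stmts, sysid, vol, ucb_shared=False))
```
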

SMF=number
[SYSTEM=smfid]
[FORMAT=fmt]
[SECURITY_RELEVANT]
[DESC=string]
This specification applies only to z/OS systems. It specifies to interpret the indicated SMF record number as a record of type fmt, or to declare the SMF type security-relevant, or to define or replace the record type description. This specification might be needed in any of the following situations:
  • You do not have an appropriate CKFREEZE for the system that you want to analyze fmt records from (leave out the SYSTEM).
  • You want the SEC_REL_* fields of TYPE=SMFOPT to be populated for more SMF record types.
  • You want to set the record type description by default.

If a CKFREEZE is present, the program should automatically select the proper format. When no smfid is specified, the command affects all systems. Otherwise, a CKFREEZE with the smfid specified must be present, or the command will be ignored.

When multiple record numbers are specified (maybe one from a CKFREEZE and one from SIMULATE) for one format, all will be interpreted as being of that specific format.

The following formats are supported.
  • ACF2
  • AIM
  • HSM0
  • HSM1
  • OMEG
  • RMMAUD
  • RMMSEC
  • SECURPASS
  • SUPSESS
  • TLMS
  • TPX
SUBSYS security_options
This option can be used to simulate subsystem options. The first two parameters of the SIMULATE SUBSYS statement are mandatory. The first parameter is the subsystem type; the second parameter is the subsystem name. The specific-keywords parameters are optional and depend on the simulated subsystem:
SUBSYS subsys-type subsys-name specific-keywords
Db2
This parameter applies only to RACF systems running on z/OS. The subsys-name can be either a Db2 subsystem name or a group attach name. The specified value is converted to uppercase. The specific-keywords for the Db2 subsystem are specified with the following syntax:
   [ACCESS_CNTL(CLASSOPT=n CLASSNMT=xxx CHAROPT=s)]
The ACCESS_CNTL parameter consists of a list of suboptions in an arbitrary order. The suboptions are:
CLASSOPT
Specifies a single digit indicating the classification option (1 or 2).
CLASSNMT
Specifies the class name root (converted to uppercase).
CHAROPT
Specifies the class name suffix (converted to uppercase).

The order of the options within the ACCESS_CNTL parameter list is free, but all three options are required.

The SIMULATE SUBSYS Db2 statement simulates the presence of a Db2 DSNX@XAC exit that is compiled with the specified customization settings for the indicated Db2 subsystem. Use of this statement also simulates that all resulting resource classes are:
  • Added to the Class Descriptor Table
  • Enabled for generic profile checking
  • Set to audit changes
  • Active
  • RACLISTed

Here is an example statement:

SIMULATE SUBSYS DB2 DBAG ACCESS_CNTL(CLASSOPT=1 CLASSNMT=DBX CHAROPT=3)
BMC MainView
To simulate an active MainView environment, use MAINVIEW as the subsys-type:
SIMULATE SUBSYS MAINVIEW system [WINCLASS=class] [SSID=ssid]

The system is the system on which MainView products are running. This is the SMF ID of the system as represented, for example, by the SYSTEM field in newlist type SYSTEM. The specified value is converted to uppercase. For each MainView environment, only one set of options can be specified.

The specific-keywords for the MainView environment are optional and are specified with the following syntax:
[WINCLASS=class] [SSID=ssid]
WINCLASS
Specifies the effective class for resources that is used by the MainView products that run in windows mode. In MainView, this is represented by the NEXT class parameter and it defaults to FACILITY.
SSID
Specifies the CAS address space identifier which uniquely identifies a running MainView environment and it defaults to BBCS.

For a description of the NEXT class parameter and SSID, refer to the BMC MainView documentation.

The order of the options is free and their values are converted to uppercase.

When the SIMULATE SUBSYS MAINVIEW statement is used, zSecure detects MainView resources that are checked in the DISA STIG ZMVZ0020 control, and assigns them a sensitivity.

Here is an example statement:
SIMULATE SUBSYS MAINVIEW ZS34 WINCLASS=MV@TEST SSID=CAS1
Advantage CA-Roscoe
To simulate an active Roscoe environment, use ROSCOE as the subsys-type.

The subsys-name is the name of the Roscoe MVS subsystem, which is a four-character string. The specified value is converted to uppercase. For each Roscoe subsystem, only one set of options can be specified.

The specific-keywords for the Roscoe subsystem are optional and are specified with the following syntax:
[RESHLQ=ROSID] [ROSID=rosid]
RESHLQ
The Roscoe initialization parameter. RESHLQ is by default not set, and thus the resource names are not prefixed. It must be set to ROSID in order to have the rosid variable prefixed to the names of the Roscoe resources.
ROSID
Specifies the four-character Roscoe identification code which uniquely identifies a running Roscoe subsystem. The default value is ROS1.

For a description of RESHLQ and ROSID, refer to the Advantage CA-Roscoe documentation.

The order of the options is free and their values are converted to uppercase.

When the SIMULATE SUBSYS ROSCOE statement is used, zSecure detects Roscoe resources that are checked in the DISA STIG ZROS0020 control, and assigns them a sensitivity.

Here is an example statement:
SIMULATE SUBSYS ROSCOE ROSA RESHLQ=ROSID ROSID=ROSA
Compuware Abend-AID
To simulate an active Abend-AID environment, use ABENDAID as the subsys-type:
SIMULATE SUBSYS ABENDAID jobname [CLASS=class] [PREFIX=prefix]

The jobname is the Abend-AID Viewing Server jobname. The program of this job, specified through the PGM= keyword on the EXEC statement, is equal to FDBMMPLU. The specified value is converted to uppercase. For each Abend-AID environment, only one set of options can be specified.

The specific-keywords for the Abend-AID environment are optional and are specified with the following syntax:
[CLASS=class] [PREFIX=prefix]
CLASS
Specifies the SAF resource class that is used by Abend-AID to restrict access to Abend-AID functions. It reflects the value of the EXTERNAL_SECURITY_RESOURCE_CLASS Abend-AID parameter and it defaults to the DATASET class.
PREFIX
Specifies the prefix for the Abend-AID resources. It reflects the value of the EXTERNAL_SECURITY_PREFIX and it defaults to COMPWARE.

For a description of EXTERNAL_SECURITY_RESOURCE_CLASS and EXTERNAL_SECURITY_PREFIX, refer to the Compuware Abend-AID documentation.

The order of the options is free and their values are converted to uppercase.

When the SIMULATE SUBSYS ABENDAID statement is used, zSecure detects Abend-AID resources that are checked in the DISA STIG ZAID0020 control, and assigns them a sensitivity.

Here is an example statement:
SIMULATE SUBSYS ABENDAID AAVIEW CLASS=AA@TEST PREFIX=AAPREF
Rocket Software Catalog Solution
To simulate an active Catalog Solution environment, use CATSOLN as the subsys-type:
SIMULATE SUBSYS CATSOLN system VER=(lvl,sublvl)

The system is the system on which Catalog Solution is running. This is the SMF ID of the system as represented, for example, by the SYSTEM field in newlist type SYSTEM. The specified value is converted to uppercase. For each Catalog Solution environment, only one set of options can be specified.

The specific-keywords for the Catalog Solution environment are specified with the following syntax:
VER=(lvl,sublvl)
VER
Specifies the version of the product. This parameter is mandatory.

When the SIMULATE SUBSYS CATSOLN statement is used, zSecure detects Catalog Solution resources that are checked in the DISA STIG ZCSL0020 control, and assigns them a sensitivity.

Here is an example statement:
SIMULATE SUBSYS CATSOLN ZS34 VER=(9,10)
IBM Z NetView
To simulate an active IBM Z NetView environment, use NETVIEW as the subsys-type:
SIMULATE SUBSYS NETVIEW netid LUNAME=luname

The netid and luname values reflect IBM Z NetView. You can determine the netid and luname values for your systems using the NetView LISTVAR command, or the REXX functions NETID() and DOMAIN() in a command list.

For a description of netid and luname, refer to the IBM Z NetView documentation. The values are converted to uppercase.

Here is an example statement:
SIMULATE SUBSYS NETVIEW NETA LUNAME=CNM01

When the SIMULATE SUBSYS NETVIEW statement is used, zSecure detects NetView resources that are checked in the DISA STIG ZNET0020 control, and assigns them a sensitivity.

TODAY=date
This parameter can be used to produce reports as if it were the specified date. The supported format for date values can be found in Date fields.

This is especially useful for regression testing, and answering what-if questions. The main area of impact is output that depends on a comparison of date values with the current date (like revoke status). The datestamp printed on the output will also list the simulated date, except the first (or all) pages in the SYSPRINT file. Faked time stamps might be recognized when they display the time as well as the date, because the time has been set to the impossible HH:MM:SS.CC value 99:00:00.00. The date value can also be used to recognize unloads that have been unloaded with a simulated today value. The parameter is not supported in restricted mode.