SYSVIEW Security How to use Restricting Command Access to Only Specific Feature Group Commands Using Command Groups

book

Article ID: 208042

calendar_today

Updated On:

Products

CA SYSVIEW Performance Management

Issue/Introduction

I have updated the SECURITY COMMAND GROUP section to contain the entry GSVCICS A to allow all CICS commands.

That does not seem to prevent other commands from being issued, such as PRISM, LINKLIST, etc.

I see in the COMMANDS SECTION that I can set the access column to fail or allow any command and this does work without a problem.

I would like to have for example certain CICS commands and certain MVS commands be available but not all commands.

Is there another way to accomplish without having to update the access setting for each entry in the list? What is the best way to accomplish this?

 

Environment

Release : 16.0 

Component : SYSVIEW

Resolution

Note:   You need to  be attached to the SYSVIEW ADMIN security group in order to use the SECURITY command in SYSVIEW for the following command restrictions.  

Note:   All SYSVIEW commands are listed in each command group.   The feature group like CICS or MVS commands are included for that feature group (i.e. Include with a value of YES).  All others are marked with an include value of NO. 

Scenario:  The Customer creates two command groups,  CICSCMDS and MVSCMDS, by copying command groups GSVCICS and GSVMVS.   He would like to restrict his user to ONLY these two sets of feature commands with some of the these commands to also be restricted.   If a command is not included ( i.e. Include set to NO) in either group, allow is by default set in the the Commands Section of the User Group.   To allow the user to only have allow to the CICSCMDS included commands and the MVSCMDS included commands and not have access to any other commands in any other feature groups, please follow the steps documented below.   

 

  • Assign both Command Groups CICSCMDS and MVSCMDS to the User Group's Command Group Section with access status of Allow by default.   Note:  This will allow commands other than CICS and MVS commands to be allowed to a user id. 
  • Add the Command Group GSVALL to the User Group's Command Group Section with access of Fail.      Note:  Please leave all commands as included (i.e. Include with a value of YES ) in THIS command group!
  • In the Commands Section, you can also change any individual CICSCMDS and/or MVSCMDS to Fail so that they cannot be used by the user id that has these command groups assigned to it.  
  • Update the Miscellaneous Section of the User Group and change 'Fail command if failed in any CMDGROUP' from YES to NO.

This should result in all commands NOT in the CICS or MVS command groups being failed (since they will be failed by group GSVALL) except for commands in CICSCMDS and MVSCMDS unless they are specifically marked as Fail in the Commands Section.  

Any feature command groups can be Allowed without allowing all commands if this process is followed. 

 

Additional Information

Additional information on SYSVIEW Security using command groups can be found at the following link:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/performance-and-storage/ca-sysview-performance-management/16-0/security/security-groups.html