RACF violation on BPX.SMF CL(FACILITY) Web Viewer Startup task

Article ID: 263429

Products

Output Management Web Viewer

Issue/Introduction

We are seeing RACF violations in our Content Viewer Server Startup task (TOMCATVW) for users accessing reports via MTC Content Viewer to view reports.

ICH408I USER(EAXXXXX  ) GROUP(EMPLP3  ) NAME(JOE, BLOGGS
  BPX.SMF CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )

The RACF team are reluctant to grant universal read access to the BPX.SMF profile as there is some risk.

Quote:

"There is some risk associated with the profile and you would not typically grant a UACC of READ. We are exploring applying the STIG standards and they have a control specifically for BPX.SMF (The IBM z/OS BPX.SMF resource must be properly configured. (stigviewer.com)). If the SMF records do need to be created and we can figure out what type they are, we could at least limit the access to only that SMF type as per the link."

According to the documentation:

SMF Records
If you want Web Viewer to create SMF records to monitor usage, appropriate security permissions are required for the IBM BPX1SMF service. Both the Web Viewer application server and the logged in user must have permission to the BPX.SMF resource profile in the FACILITY class. Use the following commands:

RDEFINE FACILITY BPX.SMF UACC(NONE)
PERMIT BPX.SMF CLASS(FACILITY) ID(stcid) ACCESS(READ)
PERMIT BPX.SMF CLASS(FACILITY) ID(userid) ACCESS(READ)
SETR RACLIST(FACILITY) REFRESH

1. Is there a way we could limit the access to a specific SMF record type for Content Viewer?

2. Can we turn off the option of creating SMF records for Content Viewer users?


Environment

Release : 14.0

Resolution

It is not possible to limit the access to a specific SMF record type for Content Viewer.
It is not possible to turn off the option of creating SMF records for Content Viewer users.
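
With the profile left at UACC(NONE), access is granted per ID, so it helps to know exactly which IDs are being denied. The following Python script is an added example, not part of the article or the product: it parses ICH408I messages from a saved SYSLOG extract and lists the distinct user IDs, by connect group, that were denied on BPX.SMF. The sample log and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed SYSLOG extract (not real data); the first message mirrors the article's.
SAMPLE_LOG = """\
ICH408I USER(EAXXXXX ) GROUP(EMPLP3  ) NAME(JOE, BLOGGS
  BPX.SMF CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(EBYYYYY ) GROUP(EMPLP3  ) NAME(CONSTRUCTED USER    )
  BPX.SMF CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(EAXXXXX ) GROUP(EMPLP3  ) NAME(JOE, BLOGGS
  BPX.SMF CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(ECZZZZZ ) GROUP(EMPLP9  ) NAME(CONSTRUCTED USER    )
  BPX.SUPERUSER CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

HEAD = re.compile(r"ICH408I\s+USER\(\s*(\S+?)\s*\)\s+GROUP\(\s*(\S+?)\s*\)")
RES = re.compile(r"(\S+)\s+CL\(\s*(\w+)\s*\)")
ACC = re.compile(r"ACCESS INTENT\(\s*(\w+)\s*\)\s+ACCESS ALLOWED\(\s*(\w+)\s*\)")

def parse_violations(text):
    """Return one dict per ICH408I message; regex searches tolerate line prefixes."""
    out, cur = [], None
    for line in text.splitlines():
        if (m := HEAD.search(line)):
            cur = {"user": m[1], "group": m[2]}   # NAME( may be truncated, so skip it
        elif cur is not None and "resource" not in cur and (m := RES.search(line)):
            cur["resource"], cur["class"] = m[1], m[2]
        elif cur is not None and (m := ACC.search(line)):
            cur["intent"], cur["allowed"] = m[1], m[2]
            out.append(cur)                       # access line closes the message
            cur = None
    return out

def denied_users(violations, resource="BPX.SMF", cls="FACILITY"):
    """Map connect group -> sorted distinct user IDs denied on the given resource."""
    groups = defaultdict(set)
    for v in violations:
        if v.get("resource") == resource and v.get("class") == cls:
            groups[v["group"]].add(v["user"])
    return {g: sorted(u) for g, u in groups.items()}

if __name__ == "__main__":
    print(denied_users(parse_violations(SAMPLE_LOG)))
```

The resulting list is the input for reviewing who receives the PERMIT shown in the documentation excerpt above.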