
Running CA-SYSVIEW without RACF attribute 'TRUSTED'


Article ID: 52616


Updated On:

Products

CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services Datacom/AD CA ecoMeter Server Component FOC EASYTRIEVE REPORT GENERATOR FOR COMMON SERVICES INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA On Demand Portal CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware Compress Data Compression for MVS Compress Data Compression for Fujitsu Cross Enterprise Application Performance Management (APM) SYSVIEW Performance Management NXBRIDGE - SYSVIEW/ENDEVOR

Issue/Introduction

Description:

To meet higher security standards, customers may need to avoid general authorisations such as 'Trusted' or 'Operations' and replace them with qualified RACF permissions.

Solution:

  1. If you remove the RACF attribute 'TRUSTED' and the profile ** of class PROGRAM has UACC=READ, you may get:
    ICH408I USER(STCSYSV) GROUP(STC) NAME(CA-SYSVIEW ) 640
      IEFIB600 CL(PROGRAM)
      INSUFFICIENT ACCESS AUTHORITY
      FROM ** (G)
      ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
    CSV025I PROGRAM CONTROLLED MODULE IEFIB600 NOT ACCESSED, USER UNAUTHORIZED
    IEF170I 1 SYSVIEW CSV025I PROGRAM CONTROLLED MODULE IEFIB600 NOT ACCE
    CSV028I ABEND306-30 JOBNAME=SYSVIEW STEPNAME=STARTING
    IEF170I 1 SYSVIEW CSV028I ABEND306-30 JOBNAME=SYSVIEW STEPNAME=STA
    This happens because Universal Access (UACC) is not used for RESTRICTED IDs, so you need to add STCSYSV to the access list for CLASS=PROGRAM, or remove the RESTRICTED attribute from the STCSYSV ID.

  2. To access logstreams, see the documentation in the INST004x jobs.
         - LOGSTRM (as documented in the jobs)
  3. SYSVIEW needs ALTER or UPDATE access to resources in the following classes:
         - DATASET  xxxxx.CAPDATA.** (G)                    - ALTER
         - FACILITY CSVAPF.** (G)                           - UPDATE
         - OPERCMDS MVS.STOP.STC.SYSVUSER.SYSVUSER          - UPDATE
         - OPERCMDS MVS.MODIFY.STC.SYSVIEW.SYSVIEW          - UPDATE
  4. There may be more commands to authorize. The advantage of this method is that you know exactly who is authorized.
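
One way to find the remaining authorizations that step 4 mentions, as an added example that is not part of the original article or of SYSVIEW: collect the ICH408I messages produced once TRUSTED is removed and draft the matching PERMIT commands for review. The sample input is constructed, and the function names and the assumption that syslog prefixes are already stripped are this example's own.

```python
import re
# Constructed input: the article's ICH408I, re-broken into its console lines,
# plus one made-up OPERCMDS violation. Syslog prefixes are assumed stripped.
SAMPLE = """\
ICH408I USER(STCSYSV) GROUP(STC) NAME(CA-SYSVIEW ) 640
  IEFIB600 CL(PROGRAM)
  INSUFFICIENT ACCESS AUTHORITY
  FROM ** (G)
  ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
CSV025I PROGRAM CONTROLLED MODULE IEFIB600 NOT ACCESSED, USER UNAUTHORIZED
ICH408I USER(STCSYSV) GROUP(STC) NAME(CA-SYSVIEW ) 641
  MVS.MODIFY.STC.SYSVIEW.SYSVIEW CL(OPERCMDS)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE) ACCESS ALLOWED(NONE)
"""

HEAD = re.compile(r"ICH408I USER\((\S+?)\s*\)")
RES = re.compile(r"\s+(\S+) CL\((\w+)\s*\)")
FROM = re.compile(r"\s+FROM (\S+) \(G\)")
INTENT = re.compile(r"ACCESS INTENT\((\w+)\s*\)\s+ACCESS ALLOWED\((\w+)\s*\)")

def parse_ich408i(text):
    """Return one dict per ICH408I access violation found in text."""
    found, cur = [], None
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur = {"user": m.group(1), "profile": None}
        elif cur is None or not line.startswith(" "):
            cur = None  # a different message: stop collecting
        elif "resource" not in cur and (m := RES.match(line)):
            cur["resource"], cur["class"] = m.groups()
        elif m := FROM.match(line):
            cur["profile"] = m.group(1)  # generic profile that decided the check
        elif m := INTENT.search(line):
            cur["intent"], cur["allowed"] = m.groups()
            found.append(cur)
    return found

def permit_commands(violations):
    """Draft de-duplicated RACF PERMIT commands, for review before issuing."""
    cmds = []
    for v in violations:
        # No FROM line: assume a discrete profile named like the resource.
        profile = v["profile"] or v["resource"]
        if v["class"] == "DATASET":
            cmd = f"PERMIT '{profile}' ID({v['user']}) ACCESS({v['intent']})"
            cmd += " GENERIC" if v["profile"] else ""
        else:
            cmd = f"PERMIT {profile} CLASS({v['class']}) ID({v['user']}) ACCESS({v['intent']})"
        cmds.append(cmd)
    return list(dict.fromkeys(cmds))
```

After the reviewed commands are issued, the in-storage profiles still have to be refreshed, for example with SETROPTS WHEN(PROGRAM) REFRESH for the PROGRAM class and SETROPTS RACLIST(class) REFRESH for RACLISTed classes.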

Environment

Release:
Component: CA90S