Running CA-SYSVIEW without the RACF attribute 'TRUSTED'

Article ID: 52616

Updated On:

Products

CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Compress Data Compression for MVS CA Compress Data Compression for Fujitsu CA Cross Enterprise Application Performance Management (APM) CA SYSVIEW Performance Management NXBRIDGE - SYSYVIEW/ENDEVOR

Issue/Introduction

Description:

To meet higher security standards, customers may need to avoid general authorisations such as 'Trusted' or 'Operations' and replace them with qualified RACF permissions.

Solution:

  1. If you remove the RACF attribute 'TRUSTED' and the profile ** of class PROGRAM has UACC=READ, you may get:
    ICH408I USER(STCSYSV) GROUP(STC) NAME(CA-SYSVIEW ) 640
      IEFIB600 CL(PROGRAM) INSUFFICIENT ACCESS AUTHORITY FROM ** (G)
      ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
    CSV025I PROGRAM CONTROLLED MODULE IEFIB600 NOT ACCESSED, USER UNAUTHORIZED
    IEF170I 1 SYSVIEW CSV025I PROGRAM CONTROLLED MODULE IEFIB600 NOT ACCE
    CSV028I ABEND306-30 JOBNAME=SYSVIEW STEPNAME=STARTING
    IEF170I 1 SYSVIEW CSV028I ABEND306-30 JOBNAME=SYSVIEW STEPNAME=STA
    This happens because Universal Access (UACC) is not used for RESTRICTED IDs. You will need to add STCSYSV to the access list for CLASS=PROGRAM, or remove the RESTRICTED attribute from the STCSYSV ID.

  2. To access logstreams, see the documentation in the INST004x jobs.
         - LOGSTRM (as documented in the jobs)
  3. SYSVIEW needs ALTER or UPDATE access to the resource classes:
         - DATASET  xxxxx.CAPDATA.** (G)                - ALTER
         - FACILITY CSVAPF.** (G)                       - UPDATE
         - OPERCMDS MVS.STOP.STC.SYSVUSER.SYSVUSER      - UPDATE
         - OPERCMDS MVS.MODIFY.STC.SYSVIEW.SYSVIEW      - UPDATE
  4. There may be more commands to authorize. The advantage of this method is that you know exactly who is authorized.
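
The following added example, which is not from the original article or from CA, parses ICH408I violations out of an exported SYSLOG and derives one PERMIT command per denied resource, which is one way to build the access list step by step after removing TRUSTED. The OPERCMDS message in the sample and all function names are constructed for illustration.

```python
import re

# Constructed SYSLOG excerpt: the article's PROGRAM violation plus one
# constructed OPERCMDS violation against a discrete profile (no FROM line).
SAMPLE_SYSLOG = """\
ICH408I USER(STCSYSV) GROUP(STC) NAME(CA-SYSVIEW ) 640
  IEFIB600 CL(PROGRAM) INSUFFICIENT ACCESS AUTHORITY FROM ** (G)
  ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
CSV025I PROGRAM CONTROLLED MODULE IEFIB600 NOT ACCESSED, USER UNAUTHORIZED
ICH408I USER(STCSYSV) GROUP(STC) NAME(CA-SYSVIEW ) 641
  MVS.MODIFY.STC.SYSVIEW.SYSVIEW CL(OPERCMDS)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE   )
"""

# Matches an "insufficient access" ICH408I after whitespace is collapsed.
ICH408I = re.compile(
    r"ICH408I USER\((?P<user>[^)]*)\) GROUP\([^)]*\) NAME\([^)]*\)(?: \d+)?"
    r" (?P<resource>\S+) CL\((?P<cls>[^)]*)\)(?: VOL\([^)]*\))?"
    r" INSUFFICIENT ACCESS AUTHORITY"
    r"(?: FROM (?P<profile>\S+)(?: \((?P<generic>G)\))?)?"
    r" ACCESS INTENT\((?P<intent>[^)]*)\) ACCESS ALLOWED\((?P<allowed>[^)]*)\)"
)

def violations(syslog):
    """Return one dict per access violation found in the SYSLOG text."""
    flat = " ".join(syslog.split())  # messages wrap over several lines
    found = []
    for m in ICH408I.finditer(flat):
        v = {k: (s or "").strip() for k, s in m.groupdict().items()}
        # Without a FROM line the covering profile is the resource itself.
        v["profile"] = v["profile"] or v["resource"]
        found.append(v)
    return found

def permit_for(v):
    """PERMIT granting exactly the denied access level on the covering profile."""
    if v["cls"] == "DATASET":
        generic = " GENERIC" if v["generic"] else ""
        return f"PERMIT '{v['profile']}' ID({v['user']}) ACCESS({v['intent']}){generic}"
    return f"PERMIT {v['profile']} CLASS({v['cls']}) ID({v['user']}) ACCESS({v['intent']})"

def permits(syslog):
    """Deduplicated commands; a started task repeats the same violation often."""
    return sorted({permit_for(v) for v in violations(syslog)})

if __name__ == "__main__":
    for command in permits(SAMPLE_SYSLOG):
        print(command)
```

Permits in the PROGRAM class take effect after `SETROPTS WHEN(PROGRAM) REFRESH`.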

Environment

Release:
Component: CA90S