Running CA-SYSVIEW without RACF attribut 'TRUSTED'

Article Id: 52616
Status: Published
Updated On: 14-02-2018 06:43
Legacy Id: TEC509423
Products:
CA CIS , CA Common Services for z/OS , CA 90s Services , CA Database Management Solutions for DB2 for z/OS , CA Common Product Services Component , CA Common Services , CA Datacom/AD , CA ecoMeter Server Component FOC , CA Easytrieve Report Generator for Common Services , CA Infocai Maintenance , CA IPC , Unicenter CA-JCLCheck Common Component , CA Mainframe VM Product Manager , CA Chorus Software Manager , CA On Demand Portal , CA Service Desk Manager - Unified Self Service , CA PAM Client for Linux for zSeries , CA Mainframe Connector for Linux on System z , CA Graphical Management Interface , CA Web Administrator for Top Secret , CA CA- Xpertware , CA Compress Data Compression for MVS , CA Compress Data Compression for Fujitsu , CA Cross Enterprise Application Performance Management (APM) , CA SYSVIEW Performance Management , NXBRIDGE - SYSYVIEW/ENDEVOR
Issue/Introduction:

Description:

To match higher security standards, customers may need to avoid general authorisations as 'Trusted' or 'Operations' and replace those with qualified RACF permissions.

Solution:

  1. If you remove RACF attribut 'TRUSTED' and the profile ** of class PROGRAM has UACC=READ, you may get: 
    ICH408I USER(STCSYSV) GROUP(STC) NAME(CA-SYSVIEW ) 640IEFIB600 CL(PROGRAM) INSUFFICIENT ACCESS AUTHORITY FROM ** (G)ACCESS INTENT(READ) ACCESS ALLOWED(NONE)CSV025I PROGRAM CONTROLLED MODULE IEFIB600 NOT ACCESSED, USER UNAUTHORIZEDIEF170I 1 SYSVIEW CSV025I PROGRAM CONTROLLED MODULE IEFIB600 NOT ACCECSV028I ABEND306-30 JOBNAME=SYSVIEW STEPNAME=STARTINGIEF170I 1 SYSVIEW CSV028I ABEND306-30 JOBNAME=SYSVIEW STEPNAME=STA
    because Universal Access (UACC) is not used for RESTRICTED ids, meaning that you will need to add STCSYSV to the access list for CLASS=PROGRAM, or remove the RESTRICTED attribute from the STCSYSV id.

  2. To access logstreams, see the documentation in the INST004x jobs. 
         - LOGSTRM (as documented in the jobs)
  3. SYSVIEW needs ALTER or UPDATE access to the resource classes: 
         - DATASET xxxxx.CAPDATA.** (G)             - ALTER     - FACILITY CSVAPF.** (G)                   - UPDATE     - OPERCMDS MVS.STOP.STC.SYSVUSER.SYSVUSER  - UPDATE     - OPERCMDS MVS.MODIFY.STC.SYSVIEW.SYSVIEW  - UPDATE
  4. there may be more commands to authorize, the advantage of using this method is, that you are well aware, who is authorized.

Environment:

Release:
Component: CA90S