by Leila » 07 Apr 2009 5:05
Hello Marco,
if the userid is supposed to have access to the IOA Online Facility (ISPF)
then it needs the following access:
READ on FACILITY $$IOAONLINE.<env>
UPDATE on IOA LOG data set
UPDATE on IOA PROF data set
READ on all other IOA data sets
To look at the Active Jobs File ("panel 3"), you need:
READ on FACILITY $$CTMPNL3.<environment>
READ on CTM CKP data set
Then for any other action you want to do (add condition etc.) there is yet other access to be given. You need to think about a policy and what types of users you have, e.g. read-only users, operators, admins, and what actions in Control-M they would need access to.
Then for each type create a RACF group and give that group the access.
Individual users are then connected to the group. This way when people come and go or move to other teams the access is easily granted, changed or removed.
Another thing to be aware of is the different security modes: Basic Definition Mode, Extended Definition Mode and Conditional Definition Mode.
Basic Mode is like all or nothing (once you have access to it at all, you can do everything) and Extended is more granular where you can allow or deny certain things.
Conditional means you can use both, and choose what you need on a per user basis. Then you need a FACILITY $$IOAEDM.qname or $$CTxEDM.qname profile. If a user has READ access to that, Extended Mode applies.
Best regards
Leila
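
The group-based setup described in the post above, written out as RACF commands for one user type (read-only viewers). This is an added example, not part of the original post: the group name CTMVIEW is hypothetical, everything in <...> is a site-specific placeholder, and it assumes the data set profiles already exist.

```tso
/* Added example. CTMVIEW is a hypothetical group name; replace every  */
/* <...> placeholder with the values used at your installation.        */

/* 1. One RACF group per user type; this one is for read-only users.   */
ADDGROUP CTMVIEW SUPGROUP(<owning-group>) OWNER(<owning-group>)

/* 2. FACILITY profiles named in the post, with no default access.     */
/*    Skip RDEFINE for any profile that is already defined.            */
RDEFINE FACILITY $$IOAONLINE.<env> UACC(NONE)
RDEFINE FACILITY $$CTMPNL3.<env>   UACC(NONE)

/* 3. IOA Online Facility (ISPF): READ on the FACILITY profile,        */
/*    UPDATE on LOG and PROF, READ on the remaining IOA data sets.     */
PERMIT $$IOAONLINE.<env> CLASS(FACILITY) ID(CTMVIEW) ACCESS(READ)
PERMIT '<ioa-log-dsn>'   ID(CTMVIEW) ACCESS(UPDATE)
PERMIT '<ioa-prof-dsn>'  ID(CTMVIEW) ACCESS(UPDATE)
PERMIT '<ioa-hlq>.**'    ID(CTMVIEW) ACCESS(READ)

/* 4. Active Jobs File ("panel 3").                                    */
PERMIT $$CTMPNL3.<env>   CLASS(FACILITY) ID(CTMVIEW) ACCESS(READ)
PERMIT '<ctm-ckp-dsn>'   ID(CTMVIEW) ACCESS(READ)

/* 5. Conditional Definition Mode only: READ on this profile makes     */
/*    Extended Definition Mode apply to the members of the group.      */
RDEFINE FACILITY $$IOAEDM.<qname> UACC(NONE)
PERMIT $$IOAEDM.<qname>  CLASS(FACILITY) ID(CTMVIEW) ACCESS(READ)

/* 6. Users get access only through the group, so joiners, movers and  */
/*    leavers are handled with CONNECT and REMOVE.                     */
CONNECT <userid> GROUP(CTMVIEW)

/* 7. Activate the changes (needed when FACILITY is RACLISTed and      */
/*    when generic data set profiles were changed).                    */
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS GENERIC(DATASET) REFRESH

/* 8. Check the result: the access lists should show the group only,   */
/*    not individual user IDs.                                         */
RLIST FACILITY $$IOAONLINE.<env> AUTHUSER
RLIST FACILITY $$CTMPNL3.<env>   AUTHUSER
LISTGRP CTMVIEW
```

Operator and administrator groups follow the same pattern with their own profiles and access levels for the additional Control-M actions.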