Migrate security definitions for HCM users

Description: With z/OS V2R1 Hardware Configuration Definition (HCD) uses the application ID CBDSERVE to verify any user that logs on to the HCD agent, that is, any user that uses Hardware Configuration Manager (HCM) to perform hardware configuration definitions. If you have the APPL class active in your external security manager, for example in RACF, and you have a generic profile in that class that covers the new HCD application ID CBDSERVE, you need to permit all HCM users READ access to that profile. Otherwise, the users of HCM are no longer able to log on to HCD.

Element or feature:

HCD

When change was introduced:

z/OS V2R1

Applies to migration from:

z/OS V1R13 and z/OS V1R12.

Timing:

Before installing z/OS V2R1.

Is the migration action required?

Yes, if you use HCM to perform hardware configuration definitions, have the APPL security class active in your security product, and have a APPL profile that covers the application ID CBDSERVE.

Target system hardware requirements:

None.

Target system software requirements:

None.

Other system (coexistence or fallback) requirements:

None.

Restrictions:

None.

System impacts:

None.

Related IBM Health Checker for z/OS check:

None.

Steps to take: You can either give all HCM users READ access to your existing APPL profile that covers the HCD application ID CBDSERVE, or you can define a specific profile for the new HCD application ID and permit all HCM users to that profile. Sample definitions for a new profile and a user HCDUSER for RACF are similar to the following:

RDEFINE APPL CBDSERVE UACC(NONE)
PERMIT CBDSERVE CLASS(APPL) ID(HCDUSER) ACCESS(READ)

Reference information: See the following information:

For information about protecting applications and the security definitions in RACF, see z/OS Security Server RACF Security Administrator's Guide.
For information about setting up the HCD agent for use by HCD and HCM users, see z/OS HCD User's Guide.