Setting up security for the IBM Health Checker for z/OS started task
You must set up security for IBM Health Checker for z/OS the same way you would for any other started task. To do this with RACF®, complete the following steps:
- Create a user ID for IBM Health Checker for z/OS and connect it to a group. Define the user ID with:
  - Superuser authority, using either:
    - UID(0) explicitly assigned to the user ID, or
    - READ access to the BPX.SUPERUSER resource in the FACILITY class. This method can be more audit friendly, because you avoid having a user profile with UID(0) explicitly assigned to it. At runtime, IBM® Health Checker for z/OS® dynamically switches to (and stays in) an effective UID(0) superuser identity through its BPX.SUPERUSER access.
  - A home directory of HOME('/')
  - A program of PROGRAM('/bin/sh')
- Using UID(0), you might define the user ID with the following commands:
    ADDUSER hcsuperid OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD
    ADDGROUP OMVSGRP OMVS(GID(xx))
    CONNECT hcsuperid GROUP(OMVSGRP)
- Using access to the BPX.SUPERUSER resource, you might define the user ID with the following commands, where yy is a nonzero UID:
    ADDUSER hcsuperid OMVS(UID(yy) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD
    ADDGROUP OMVSGRP OMVS(GID(xx))
    CONNECT hcsuperid GROUP(OMVSGRP)
    RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)
    SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
    PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(hcsuperid) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
Note: Once you start IBM Health Checker for z/OS with its associated user ID, changes you make to the UID of that user ID do not usually take effect until the IBM Health Checker for z/OS address space is stopped and restarted.
- Associate the superuser user ID, hcsuperid, with the IBM Health Checker for z/OS started task, HZSPROC. For example:
    SETROPTS GENERIC(STARTED)
    RDEFINE STARTED HZSPROC.* STDATA(USER(hcsuperid) GROUP(OMVSGRP))
    SETROPTS CLASSACT(STARTED)
    SETROPTS RACLIST(STARTED)
  If you had already RACLISTed the STARTED class, the last statement would have to be SETROPTS RACLIST(STARTED) REFRESH.
- Give the IBM Health Checker for z/OS started task superuser user ID UPDATE access to the HZSPDATA data set on each system where you will run IBM Health Checker for z/OS. Quote the data set name in both commands, otherwise RACF prefixes it with the issuing user's TSO prefix. For example:
    ADDSD 'SYS1.PRODSYS.HZSPDATA' UACC(NONE)
    PERMIT 'SYS1.PRODSYS.HZSPDATA' CLASS(DATASET) ID(hcsuperid) ACCESS(UPDATE)
- Give the IBM Health Checker for z/OS started task superuser user ID READ access to the HZSPRMxx parmlib member(s). For example:
    ADDSD 'SYS1.PARMLIB' UACC(NONE)
    PERMIT 'SYS1.PARMLIB' CLASS(DATASET) ID(hcsuperid) ACCESS(READ)
- If you will be using a log stream, you must give the IBM Health Checker for z/OS started task superuser user ID UPDATE access to each RESOURCE(logstreamname) CLASS(LOGSTRM). IBM Health Checker for z/OS connects directly to the defined log stream or streams. For example:
    RDEFINE LOGSTRM logstreamname UACC(NONE)
    PERMIT logstreamname CLASS(LOGSTRM) ID(hcsuperid) ACCESS(UPDATE)
    SETROPTS CLASSACT(LOGSTRM) RACLIST(LOGSTRM)
  If you had already RACLISTed the LOGSTRM class, the last statement would have to be SETROPTS RACLIST(LOGSTRM) REFRESH.
  See the "LOGR parameters for administrative data utility" section of z/OS MVS Setting Up a Sysplex.
- REXX health checks support input and output data sets, and the checks have a REXXHLQ (REXX data set high-level qualifier) attribute. Be prepared to grant the appropriate access to the REXX data sets to the user ID that is associated with the Health Checker address space.
- If the SERVAUTH class is active and a profile is defined for the EZB.STACKACCESS.sysname.tcpprocname resource, you must give the user ID that is associated with the Health Checker address space READ access to that profile:
    PERMIT EZB.STACKACCESS.sysname.tcpprocname CLASS(SERVAUTH) ID(hcsuperid) ACCESS(READ)
    SETROPTS GENERIC(SERVAUTH) REFRESH
    SETROPTS RACLIST(SERVAUTH) REFRESH
- For check (IBMUSS,ZOSMIGREC_ROOT_FS_SIZE) to run successfully, give the Health Checker user ID READ access to the MVS.DISPLAY.OMVS resource in the OPERCMDS class.
- For check (IBMRACF,RACF_RRSF_Resources) to run successfully, give the Health Checker user ID READ access to:
  - the IRR.RADMIN.EXTRACT.RRSF profile in the FACILITY class (required to use the R_admin callable service to extract RRSF information)
  - <subsystem>.TARGET.LIST in the OPERCMDS class, if this resource is protected.
- For check ZOSMIGV2R2_NEXT_IXG_REMOVE_DRXRC to run successfully, give the user ID associated with the IBM Health Checker address space READ access to the MVSADMIN.LOGR resource profile in the FACILITY class when you activate the class and define the profile. For example:
    RDEFINE FACILITY MVSADMIN.LOGR UACC(NONE)
    PERMIT MVSADMIN.LOGR CLASS(FACILITY) ID(hcsuperid) ACCESS(READ)
    SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
  If you previously RACLISTed the FACILITY class (the BPX.SUPERUSER step above does exactly that), the last statement must be SETROPTS RACLIST(FACILITY) REFRESH, otherwise the new profile and PERMIT are not seen by the in-storage copy of the class.
  See the section on LOGR keywords and parameters for the administrative data utility in z/OS MVS Setting Up a Sysplex for more details.
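The steps above are spread over several bullets, each with its own "if the class is already RACLISTed, use REFRESH instead" caveat, and the FACILITY class is touched three times (BPX.SUPERUSER, MVSADMIN.LOGR, IRR.RADMIN.EXTRACT.RRSF). The REXX exec below is an added example, not code from IBM or from this page: it issues the whole procedure in one pass, defines and permits every FACILITY profile before RACLISTing that class once, stops at the first unexpected return code, and lets you name the classes that are already RACLISTed on the system so that those get a RACLIST REFRESH rather than CLASSACT/RACLIST. Every concrete name in it is a hypothetical placeholder: user hcsuperid with UID 500, group OMVSGRP with GID 2, data sets SYS1.PRODSYS.HZSPDATA and SYS1.PARMLIB, log stream HZS.CHECK.LOG, and the stack-access profile EZB.STACKACCESS.SYS1.TCPIP. The tolerance of return code 4 on ADDGROUP, ADDUSER, ADDSD and RDEFINE (profile already defined) and the assumption that OPERCMDS is RACLISTed are also mine.

```rexx
/* REXX */
/* HZSRACF: issue, in one pass, the RACF definitions this page lists  */
/* for the HZSPROC started task. Added example, not IBM's code.       */
/* Hypothetical names, adjust before use: user hcsuperid (UID 500),   */
/* group OMVSGRP (GID 2), SYS1.PRODSYS.HZSPDATA, SYS1.PARMLIB,         */
/* log stream HZS.CHECK.LOG, stack profile EZB.STACKACCESS.SYS1.TCPIP. */
/* Syntax: HZSRACF [class ...]                                         */
/*   Name the classes already RACLISTed on this system, for example   */
/*   HZSRACF FACILITY STARTED; they get a RACLIST REFRESH instead of   */
/*   CLASSACT/RACLIST. With no argument every class is activated.     */
ARG done                          /* classes that are already RACLISTed */
stackAccess = 'EZB.STACKACCESS.SYS1.TCPIP'  /* '' if SERVAUTH not used */

/* 1. Group, user ID and superuser authority via BPX.SUPERUSER.       */
/*    UID(500) is deliberately not 0: the started task switches to an */
/*    effective UID(0) through its READ access to BPX.SUPERUSER.       */
CALL racf "ADDGROUP OMVSGRP OMVS(GID(2))", 4
cmd = "ADDUSER hcsuperid OMVS(UID(500) HOME('/') PROGRAM('/bin/sh'))",
      "NOPASSWORD"
CALL racf cmd, 4
CALL racf "CONNECT hcsuperid GROUP(OMVSGRP)"

/* 2. FACILITY profiles: define and permit them all, RACLIST once.    */
CALL racf "RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)", 4
CALL racf "PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(hcsuperid)",
          "ACCESS(READ)"
CALL racf "RDEFINE FACILITY MVSADMIN.LOGR UACC(NONE)", 4
CALL racf "PERMIT MVSADMIN.LOGR CLASS(FACILITY) ID(hcsuperid)",
          "ACCESS(READ)"
/*    IRR.RADMIN.EXTRACT.RRSF is assumed to exist already: PERMIT only */
CALL racf "PERMIT IRR.RADMIN.EXTRACT.RRSF CLASS(FACILITY)",
          "ID(hcsuperid) ACCESS(READ)"
CALL activate "FACILITY"

/* 3. Map the started task HZSPROC to the user ID and group.          */
CALL racf "SETROPTS GENERIC(STARTED)"
CALL racf "RDEFINE STARTED HZSPROC.* STDATA(USER(hcsuperid)",
          "GROUP(OMVSGRP))", 4
CALL activate "STARTED"

/* 4. Data sets. Quote the names: an unquoted DATASET profile name    */
/*    gets the issuing user's TSO prefix added in front of it.        */
CALL racf "ADDSD 'SYS1.PRODSYS.HZSPDATA' UACC(NONE)", 4
CALL racf "PERMIT 'SYS1.PRODSYS.HZSPDATA' CLASS(DATASET)",
          "ID(hcsuperid) ACCESS(UPDATE)"
/*    SYS1.PARMLIB is normally protected already; ADDSD then returns  */
/*    4 (tolerated) and only the READ PERMIT for HZSPRMxx is new.      */
CALL racf "ADDSD 'SYS1.PARMLIB' UACC(NONE)", 4
CALL racf "PERMIT 'SYS1.PARMLIB' CLASS(DATASET) ID(hcsuperid)",
          "ACCESS(READ)"

/* 5. Log stream: UPDATE, because the task connects to it directly.   */
CALL racf "RDEFINE LOGSTRM HZS.CHECK.LOG UACC(NONE)", 4
CALL racf "PERMIT HZS.CHECK.LOG CLASS(LOGSTRM) ID(hcsuperid)",
          "ACCESS(UPDATE)"
CALL activate "LOGSTRM"

/* 6. Only when SERVAUTH is active and the stack profile exists.      */
IF stackAccess <> '' THEN DO
   CALL racf "PERMIT" stackAccess "CLASS(SERVAUTH) ID(hcsuperid)",
             "ACCESS(READ)"
   CALL racf "SETROPTS GENERIC(SERVAUTH) REFRESH"
   CALL racf "SETROPTS RACLIST(SERVAUTH) REFRESH"
END

/* 7. OPERCMDS for check IBMUSS,ZOSMIGREC_ROOT_FS_SIZE. The REFRESH   */
/*    assumes OPERCMDS is already RACLISTed on this system.           */
CALL racf "PERMIT MVS.DISPLAY.OMVS CLASS(OPERCMDS) ID(hcsuperid)",
          "ACCESS(READ)"
CALL racf "SETROPTS RACLIST(OPERCMDS) REFRESH"
SAY 'HZSRACF: all definitions issued; restart HZSPROC for UID changes.'
EXIT 0

/* Issue one RACF command and stop the exec at the first return code */
/* above okrc. okrc defaults to 0; 4 lets ADDGROUP, ADDUSER, ADDSD    */
/* and RDEFINE tolerate a profile that is already defined.            */
racf: PROCEDURE
   PARSE ARG cmd, okrc
   IF okrc = '' THEN okrc = 0
   SAY '>>' cmd
   ADDRESS TSO cmd
   IF rc > okrc THEN DO
      SAY 'HZSRACF: RC' rc 'from' WORD(cmd, 1)'; stopping.'
      EXIT rc
   END
   RETURN

/* Activate and RACLIST a class, or only REFRESH it when the caller  */
/* said it is already RACLISTed: a RACLISTed class does not see new  */
/* profiles or PERMITs until its in-storage copy is refreshed.        */
activate: PROCEDURE EXPOSE done
   PARSE ARG class
   IF WORDPOS(class, done) > 0 THEN
      CALL racf "SETROPTS RACLIST("class") REFRESH"
   ELSE
      CALL racf "SETROPTS CLASSACT("class") RACLIST("class")"
   RETURN
```

Run it from TSO as HZSRACF on a system where none of the classes is RACLISTed yet, or as HZSRACF FACILITY STARTED on a typical production system where FACILITY and STARTED already are. Grouping all FACILITY work before a single RACLIST or REFRESH avoids the trap the page warns about twice, where a profile defined after the class was RACLISTed is invisible to the in-storage copy until a REFRESH; the exec echoes every command before issuing it so the SYSTSPRT or terminal output is an audit record of exactly what was defined.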