Setting up security for the IBM Health Checker for z/OS started task

You must set up security for IBM Health Checker for z/OS the same way you would for any other started task. To do this task with RACF®, do the following steps:
  1. Create a user ID for IBM Health Checker for z/OS and connect the superuser user ID to a group. Define the user ID with:
    • Superuser authority using either:
      • UID(0) explicitly assigned to the user ID.
      • Access to the BPX.SUPERUSER resource. The advantage of this method is that it might be more audit friendly, because you avoid having a user profile with UID(0) explicitly assigned to it.

        At runtime, IBM® Health Checker for z/OS® dynamically switches to (and stays in) an effective UID(0) superuser authority using the defined BPX.SUPERUSER access.

    • A home directory of HOME('/')
    • A program of PROGRAM('/bin/sh')
    Examples:
    • Using UID(0), you might define the user ID with the following commands:
      ADDUSER hcsuperid 
              OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
              NOPASSWORD
      ADDGROUP OMVSGRP OMVS(GID(xx))
      CONNECT hcsuperid GROUP(OMVSGRP)
    • Using access to the BPX.SUPERUSER resource, you might define the user ID with the following commands:
      ADDUSER hcsuperid OMVS(UID(yy) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD
      ADDGROUP OMVSGRP OMVS(GID(xx)) 
      CONNECT hcsuperid GROUP(OMVSGRP) 
      RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)
      SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
      PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(hcsuperid) ACCESS(READ)
      SETROPTS RACLIST(FACILITY) REFRESH
    Note: Once you start IBM Health Checker for z/OS with its associated User ID, changes you make to the UID for the User ID won't usually take effect until the IBM Health Checker for z/OS address space is stopped and restarted.
  2. Associate the superuser User ID, hcsuperid, with the IBM Health Checker for z/OS started task, HZSPROC. For example:
    SETROPTS GENERIC(STARTED)
    RDEFINE STARTED HZSPROC.* STDATA(USER(hcsuperid) GROUP(OMVSGRP))
    SETROPTS CLASSACT(STARTED)
    SETROPTS RACLIST(STARTED)

    If you had already RACLISTed the STARTED class, the last statement would have to be SETROPTS RACLIST(STARTED) REFRESH.

    For more information, see:
  3. Give the IBM Health Checker for z/OS started task superuser user ID access to the HZSPDATA data set on each system where you will run IBM Health Checker for z/OS. For example, you might specify the following:
    ADDSD 'SYS1.PRODSYS.HZSPDATA' UACC(NONE)
    PERMIT 'SYS1.PRODSYS.HZSPDATA' CLASS(DATASET) ID(hcsuperid) ACCESS(UPDATE)
  4. Give the IBM Health Checker for z/OS started task superuser user ID READ access to the HZSPRMxx parmlib member(s). For example, you might specify the following:
    ADDSD 'SYS1.PARMLIB' UACC(NONE)
    PERMIT 'SYS1.PARMLIB' CLASS(DATASET) ID(hcsuperid) ACCESS(READ)
  5. If you will be using a log stream, you must define UPDATE access for the IBM Health Checker for z/OS started task superuser user ID to each RESOURCE(logstreamname) CLASS(LOGSTRM). IBM Health Checker for z/OS connects directly to the defined log stream or streams. For example, you might specify the following:
    RDEFINE LOGSTRM logstreamname UACC(NONE)
    PERMIT logstreamname CLASS(LOGSTRM) ID(hcsuperid) ACCESS(UPDATE)
    SETROPTS CLASSACT(LOGSTRM) RACLIST(LOGSTRM)
    SETROPTS RACLIST(LOGSTRM)
    If you had already RACLISTed the LOGSTRM class, the last statement would have to be SETROPTS RACLIST(LOGSTRM) REFRESH.

    See the "LOGR parameters for administrative data utility" section of z/OS MVS Setting Up a Sysplex.

  6. REXX health checks support input and output data sets, and the checks have a REXXHLQ (REXX data set high-level qualifier) attribute. Be prepared to grant the appropriate access rights for the REXX data sets to the user ID that is associated with the Health Checker address space.
  7. If the SERVAUTH class is activated and a profile is defined for the EZB.STACKACCESS.sysname.tcpprocname resource, you must grant the user ID that is associated with the Health Checker address space READ access to the profile.
     PERMIT EZB.STACKACCESS.sysname.tcpprocname CLASS(SERVAUTH) ID(hcsuperid) ACCESS(READ)
     SETROPTS GENERIC(SERVAUTH) REFRESH
     SETROPTS RACLIST(SERVAUTH) REFRESH
  8. In order for check (IBMUSS,ZOSMIGREC_ROOT_FS_SIZE) to run successfully, give the Health Checker user ID READ access to the OPERCMDS MVS.DISPLAY.OMVS resource.
  9. In order for check (IBMRACF,RACF_RRSF_Resources) to run successfully, give the Health Checker user ID READ access to:
    • the IRR.RADMIN.EXTRACT.RRSF profile in the FACILITY class (required to use R_admin to extract RRSF information)
    • <subsystem>.TARGET.LIST in the OPERCMDS class, if this resource is protected.
  10. In order for check ZOSMIGV2R2_NEXT_IXG_REMOVE_DRXRC to run successfully, grant the user ID associated with the IBM Health Checker address space READ access to the MVSADMIN.LOGR resource profile at the time you activate the FACILITY class and define the profile. For example, you might specify the following:
    RDEFINE FACILITY MVSADMIN.LOGR UACC(NONE)
    PERMIT MVSADMIN.LOGR CLASS(FACILITY) ID(hcsuperid) ACCESS(READ)
    SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
    SETROPTS RACLIST(FACILITY)
    If you previously RACLISTed the FACILITY class, the last statement must be:
    SETROPTS RACLIST(FACILITY) REFRESH
    See the section on LOGR keywords and parameters for the administrative data utility in z/OS MVS Setting Up a Sysplex for more details.
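The following Python script is an added example, not part of the IBM documentation or product: it builds the RACF command deck for steps 1 to 5 above from a few site parameters, so that the UID(0) versus BPX.SUPERUSER choice and the "already RACLISTed, so REFRESH instead" rule are applied the same way for every class. The names hcsuperid, OMVSGRP and HZSPROC come from the text; the GID, the non-zero UID, the data set names and the log stream name are constructed placeholders.

```python
def activate(cls, already_raclisted):
    """Make a class's new profiles effective. If the class was already
    RACLISTed, only a REFRESH does that (the rule the text repeats per class)."""
    if already_raclisted:
        return [f"SETROPTS RACLIST({cls}) REFRESH"]
    return [f"SETROPTS CLASSACT({cls}) RACLIST({cls})"]

def define_superuser(user, group, gid, nonzero_uid=None, facility_raclisted=False):
    """Step 1. nonzero_uid=None gives an explicit UID(0); a non-zero UID instead
    gets READ on BPX.SUPERUSER, so no user profile carries UID(0)."""
    uid = 0 if nonzero_uid is None else nonzero_uid
    cmds = [f"ADDUSER {user} OMVS(UID({uid}) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD",
            f"ADDGROUP {group} OMVS(GID({gid}))",
            f"CONNECT {user} GROUP({group})"]
    if nonzero_uid is not None:
        cmds += ["RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)",
                 *activate("FACILITY", facility_raclisted),
                 f"PERMIT BPX.SUPERUSER CLASS(FACILITY) ID({user}) ACCESS(READ)",
                 "SETROPTS RACLIST(FACILITY) REFRESH"]
    return cmds

def started_task(user, group, proc="HZSPROC", started_raclisted=False):
    """Step 2: run the started task under the user via a generic STARTED profile."""
    return ["SETROPTS GENERIC(STARTED)",
            f"RDEFINE STARTED {proc}.* STDATA(USER({user}) GROUP({group}))",
            *activate("STARTED", started_raclisted)]

def data_access(user, hzspdata, parmlib, logstreams=(), logstrm_raclisted=False):
    """Steps 3-5: UPDATE on HZSPDATA, READ on the parmlib, UPDATE per log stream.
    ADDSD assumes the data set profile does not exist yet; if it does, keep
    only the PERMIT so an existing UACC is not silently changed."""
    cmds = [f"ADDSD '{hzspdata}' UACC(NONE)",
            f"PERMIT '{hzspdata}' CLASS(DATASET) ID({user}) ACCESS(UPDATE)",
            f"ADDSD '{parmlib}' UACC(NONE)",
            f"PERMIT '{parmlib}' CLASS(DATASET) ID({user}) ACCESS(READ)"]
    for ls in logstreams:
        cmds += [f"RDEFINE LOGSTRM {ls} UACC(NONE)",
                 f"PERMIT {ls} CLASS(LOGSTRM) ID({user}) ACCESS(UPDATE)"]
    return cmds + (activate("LOGSTRM", logstrm_raclisted) if logstreams else [])

def hzs_security_deck(user="hcsuperid", group="OMVSGRP", gid=999, nonzero_uid=4242,
                      hzspdata="SYS1.PRODSYS.HZSPDATA", parmlib="SYS1.PARMLIB",
                      logstreams=("HZS.LOGSTRM",), raclisted=()):
    """Whole deck. gid, nonzero_uid and the log stream name are constructed
    placeholders; raclisted lists the classes already RACLISTed on the system."""
    r = set(raclisted)
    return (define_superuser(user, group, gid, nonzero_uid, "FACILITY" in r)
            + started_task(user, group, started_raclisted="STARTED" in r)
            + data_access(user, hzspdata, parmlib, logstreams, "LOGSTRM" in r))
```

Print the returned list one command per line to review it before submitting it as TSO input; the default (non-zero UID plus BPX.SUPERUSER) is the more audit-friendly option the text describes.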