Security
The enhanced 3270 user interface (enhanced 3270UI) authenticates user identity by using the system authorization facility (SAF) interface. All authentication or authorization failures are logged. All Take Action requests are logged.
System Authorization Facility
The existence of the SAF user ID and its validity are always checked. The enhanced 3270UI also runs a number of SAF authorization checks to determine whether the user has authority for the following activities:
- Log on to this instance of the enhanced 3270 user interface
- End user activities:
  - View data for a specific attribute group (table) on a specific managed system
  - Transmit a Take Action request to a specific managed system
  - Change auto-update preferences
  - Enter any command on the command line
  - Create and modify a profile member whose name is the same as the user ID of the user
  - Use a specific hub Tivoli® Enterprise Monitoring Server
- Administrative activities:
  - List enhanced 3270 user interface users, and optionally end a user's session
  - Save a data set member
  - Start or stop user interface tracing
  - Start or stop internal tracing
  - Modify (Save As) any PDS member whose name is a different user ID from that of the current user
  - Configure near-term history
Which checks can succeed depends on how the SAF security class (RTE_SECURITY_CLASS) is configured:
- If no SAF security class is supplied (the value for RTE_SECURITY_CLASS is missing or blank), users can log on to the OMEGAMON® enhanced 3270UI and can access data through queries, but cannot issue Take Action commands.
- If a SAF security class is supplied, but the class is not defined and active in SAF, no one can log on to the OMEGAMON enhanced 3270UI.
- If a SAF security class is supplied, and is defined and active in SAF, but no logon profile is defined, no one can log on to the OMEGAMON enhanced 3270UI.
- If users can log on, but queries or Take Action commands use a different security class from the one used for logon, and that class is not active or has no resource profiles defined, then every user can view data for any managed system and run other commands and activities, but all Take Action commands are denied.
- If a security class name is configured, resource profiles must be defined to control logon, data access, and Take Actions, and users must be given access to those profiles.
Enabling e3270UI PassTicket generation
Requests to either display or zap memory from the e3270UI require a secured sign-on from the enhanced 3270UI to the OMEGAMON on z/OS monitoring agent. The enhanced 3270UI generates a PassTicket (a one-time password) and sends it to the OMEGAMON on z/OS monitoring agent in the data request. In this way the monitoring agent can authenticate that the request comes from the user who is logged on to the enhanced 3270UI.
In order for a PassTicket to be generated, the PTKTDATA security class must be activated. To activate the PTKTDATA class and the SETROPTS RACLIST processing, run the following command.
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) GENERIC(PTKTDATA)
By using the PassTicket key class, the security administrator can associate a RACF secured sign-on secret key with a particular mainframe application that uses RACF for user authentication. All profiles that contain PassTicket information are defined to the PTKTDATA class.
Configuring security resource profiles
See Enable security for the OMEGAMON enhanced 3270 user interface for information about how security works and how to configure security resource profiles.
Starting from OMEGAMON enhanced 3270 user interface PTF UA83356 for APAR OA51564, you can use the Situation Editor and Object Editor for situation and group management. However, the new Situation Editor and Object Editor functions that are introduced in this PTF are disabled by default because of the possible performance impact of certain situations. The following security resource profiles must be defined for these editors.
- KOBUI.ADMIN.SITEDITOR
- KOBUI.ADMIN.OBJECTEDITOR
- O4SRV.**
- To view the editors, users must have READ or UPDATE access to the corresponding editor profile (KOBUI.ADMIN.SITEDITOR for the Situation Editor and KOBUI.ADMIN.OBJECTEDITOR for the Object Editor). Users whose access to a profile is NONE cannot open that editor.
- To save updates in the editors, users must have READ or UPDATE access to the O4SRV.** profile in addition to READ or UPDATE access to the corresponding editor profile. Users whose access to the O4SRV.** profile is NONE can open the editors but cannot save updates.
Data Facility Storage Management System (DFSMS)
The following activities are separately secured by the Data Facility Storage Management System (DFSMS):
- Display a member list for a data set
- Browse the contents of a data set member
- Save a data set member
User Experience
When users are not authorized to run an activity, they are prevented from running the activity regardless of the attempted method, for example, whether by using a menu item, command line, or function key.
When users attempt to run an activity that they are not authorized to, a message similar to the following is displayed on their screen:
The administrator can check the SYSPRINT log file to see additional details about the request that is denied. For example, for the message shown, an entry similar to the following can be found in the SYSPRINT log file:
USER2 KOBUICS2I SAF R15=00000008 CLASS($KOBTEST)
RESOURCE(KOBUI.ADMIN.TRACE.UI.BASIC ) RC=00000008 RSN=00000000
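The SYSPRINT entry above is the record an administrator works from when a user reports a denied activity. The following script, an added example that is not code from OMEGAMON or its documentation, parses such entries, rejoins an entry that the printer wrapped across two lines (as in the sample above), strips the blank padding inside RESOURCE(...), decodes the SAF router (R15) and RACF (RC) return codes with their standard meanings for RACROUTE REQUEST=AUTH, and counts non-permitted checks per user and resource so that a missing PERMIT or an undefined profile stands out. The sample log is constructed: its first entry is the one shown on the page, and the other entries reuse the class and profile names from this page with made-up user IDs USER1 and USER3.

```python
"""Triage the SAF authorization entries that the enhanced 3270UI writes to SYSPRINT.

Added example; not code from OMEGAMON or its documentation. The entry shape
is taken from the SYSPRINT line on this page; the sample log is constructed,
and the return-code meanings are the standard SAF router (R15) and RACF (RC)
codes for RACROUTE REQUEST=AUTH.
"""
import re
from collections import Counter

# Entry shape as printed on the page (possibly wrapped across two lines):
#   USER2 KOBUICS2I SAF R15=00000008 CLASS($KOBTEST)
#   RESOURCE(KOBUI.ADMIN.TRACE.UI.BASIC ) RC=00000008 RSN=00000000
SAF_ENTRY = re.compile(
    r"(?P<user>\S+)\s+(?P<module>\S+)\s+SAF\s+R15=(?P<r15>[0-9A-Fa-f]{8})\s+"
    r"CLASS\((?P<klass>[^)]*)\)\s+RESOURCE\((?P<resource>[^)]*)\)\s+"
    r"RC=(?P<rc>[0-9A-Fa-f]{8})\s+RSN=(?P<rsn>[0-9A-Fa-f]{8})"
)

# Standard meanings for RACROUTE REQUEST=AUTH; any other value is reported raw.
SAF_R15 = {0: "SAF accepted the request", 4: "SAF made no decision", 8: "SAF rejected the request"}
RACF_RC = {0: "access permitted", 4: "resource or class not defined", 8: "access denied"}

# Constructed sample log. The first entry is the one shown on the page, wrapped
# as on the page; the others reuse only the class and profile names from the
# page, with made-up user IDs USER1 and USER3.
SAMPLE_LOG = """\
USER2 KOBUICS2I SAF R15=00000008 CLASS($KOBTEST)
RESOURCE(KOBUI.ADMIN.TRACE.UI.BASIC ) RC=00000008 RSN=00000000
USER1 KOBUICS2I SAF R15=00000000 CLASS($KOBTEST) RESOURCE(KOBUI.ADMIN.SITEDITOR ) RC=00000000 RSN=00000000
USER2 KOBUICS2I SAF R15=00000008 CLASS($KOBTEST) RESOURCE(KOBUI.ADMIN.TRACE.UI.BASIC ) RC=00000008 RSN=00000000
USER3 KOBUICS2I SAF R15=00000004 CLASS($KOBTEST) RESOURCE(KOBUI.ADMIN.OBJECTEDITOR ) RC=00000004 RSN=00000000
"""


def join_wrapped(lines):
    """Rebuild one logical record per SAF entry.

    A print line that does not carry the 'SAF R15=' token is treated as the
    continuation of the previous record; that is how the wrapped entry on the
    page is put back together.
    """
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if " SAF R15=" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_entry(record):
    """Return the fields of one SAF entry, or None if the record is not one.

    Hex codes become integers; the blank padding inside RESOURCE(...) is stripped.
    """
    m = SAF_ENTRY.search(record)
    if m is None:
        return None
    return {
        "user": m["user"],
        "module": m["module"],
        "r15": int(m["r15"], 16),
        "class": m["klass"].strip(),
        "resource": m["resource"].strip(),
        "rc": int(m["rc"], 16),
        "rsn": int(m["rsn"], 16),
    }


def describe(entry):
    """One-line human-readable verdict for a parsed entry."""
    r15 = SAF_R15.get(entry["r15"], f"R15={entry['r15']:08X}")
    rc = RACF_RC.get(entry["rc"], f"RC={entry['rc']:08X}")
    return (f"{entry['user']} on {entry['class']}/{entry['resource']}: "
            f"{rc} ({r15}, RSN={entry['rsn']:08X})")


def denial_summary(lines):
    """Count non-permitted checks per (user, class, resource).

    RC=4 is counted together with RC=8: RACF found no profile covering the
    resource, which the user experiences as a denial and which usually points
    at a profile the administrator still has to define.
    """
    counts = Counter()
    for record in join_wrapped(lines):
        entry = parse_entry(record)
        if entry is not None and entry["rc"] != 0:
            counts[(entry["user"], entry["class"], entry["resource"])] += 1
    return counts


if __name__ == "__main__":
    for record in join_wrapped(SAMPLE_LOG.splitlines()):
        entry = parse_entry(record)
        if entry is not None:
            print(describe(entry))
    for key, n in sorted(denial_summary(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:3d} x {key}")
```

Run against a real SYSPRINT, the per-resource counts tell you whether a denial is a one-off (a user trying a menu item they are not meant to use) or a configuration gap (many users denied on the same profile, or RC=4 showing that the profile was never defined, which matches the logon and Take Action behaviour described earlier on this page). The continuation rule in join_wrapped assumes that only SAF entries wrap; adjust it if other SYSPRINT messages in your installation also span lines.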