Security

The enhanced 3270 user interface (enhanced 3270UI) authenticates user identity by using the system authorization facility (SAF) interface. All authentication or authorization failures are logged. All Take Action requests are logged.

System Authorization Facility

The existence of the SAF user ID and its validity are always checked. The enhanced 3270UI also performs a number of SAF authorization checks to determine whether the user has authority to do the following activities:
  • Log on to this instance of the enhanced 3270 user interface
  • End user activities
    • View data for a specific attribute group (table) on a specific managed system
    • Transmit a Take Action request to a specific managed system
    • Change auto-update preferences
    • Enter any command on the command line
    • Create and modify a profile member name with the same name as the user ID of the user
    • Use a specific hub Tivoli® Enterprise Monitoring Server
  • Administrative activities
    • List enhanced 3270 user interface users, and optionally end a user's session
    • Save a data set member
    • Start or stop user interface tracing
    • Start or stop internal tracing
    • Modify (Save As) any PDS member that is named with a user ID different from that of the current user
    • Configure near-term history
User permissions and the amount of security that is imposed are assigned by site administrators. Authorization works as follows:
  • If no SAF security class is supplied (value for RTE_SECURITY_CLASS is missing or blank), users can log on to the OMEGAMON® enhanced 3270UI, can access data through queries, but cannot issue Take Action commands.
  • If a SAF security class is supplied, but the class is not defined and active in SAF, no one can log on to the OMEGAMON enhanced 3270UI.
  • If a SAF security class is supplied, and is defined and active in SAF, but no logon profile is defined, no one can log on to the OMEGAMON enhanced 3270UI.
  • If a user is able to log on, and a different security class than the one used for logon is used for queries or for Take Action commands (but is not activated or resources are not defined in that security class), everyone can view data for any managed system and perform other commands and activities, but all Take Action commands are denied.
  • If a security class name is configured, resource profiles must be defined to control log on, data access, and Take Actions, and users must be given access to those profiles.

Enabling e3270UI PassTicket generation

Requests to either display or zap memory from the e3270UI require a secured sign-on from the enhanced 3270UI to the OMEGAMON on z/OS monitoring agent. The enhanced 3270UI generates a PassTicket (a one-time-only password) and sends it to the OMEGAMON on z/OS monitoring agent in the data request. In this way the monitoring agent can authenticate the request as coming from the user who is logged on to the enhanced 3270UI.
In order for a PassTicket to be generated, the PTKTDATA security class must be activated. To activate the PTKTDATA class and the SETROPTS RACLIST processing, run the following command.
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) GENERIC(PTKTDATA)
By using the PassTicket key class the security administrator can associate a RACF secured sign-on secret key with a particular mainframe application that uses RACF for user authentication. All profiles that contain PassTicket information are defined to the PTKTDATA class.

Configuring security resource profiles

See Enable security for the OMEGAMON enhanced 3270 user interface for information about how security works and how to configure security resource profiles.

Starting from OMEGAMON enhanced 3270 user interface PTF UA83356 for APAR OA51564, you can use the Situation Editor and Object Editor for situation and group management. However, the new Situation Editor and Object Editor functions that are introduced in this PTF are disabled by default due to possible performance impact of certain situations. The following security resource profiles must be defined for these editors.
  • KOBUI.ADMIN.SITEDITOR
  • KOBUI.ADMIN.OBJECTEDITOR
  • O4SRV.**
Use combinations of read, update, or none for the profiles to control the access to the editors.
  • To view the editors, the users must have either read or update permission to the corresponding editor profiles (KOBUI.ADMIN.SITEDITOR for the Situation Editor and KOBUI.ADMIN.OBJECTEDITOR for the Object Editor). Users with none permission to the profiles are not able to access the editors.
  • To save updates in the editors, the users must have read or update permission to the O4SRV.** profile, as well as either read or update permission to the corresponding editor profiles. Users with none permission to the O4SRV.** profile are not able to save updates in the editors.

Data Facility Storage Management System (DFSMS)

The following activities are separately secured by the Data Facility Storage Management System (DFSMS):
  • Display a member list for a data set
  • Browse the contents of a data set member
  • Save a data set member

User Experience

When users are not authorized to run an activity, they are prevented from running the activity regardless of the attempted method, for example, whether by using a menu item, command line, or function key.

When users attempt to run an activity that they are not authorized to, a message similar to the following is displayed on their screen:
Figure 1. Security system denied request message. The message reads: Security system denied request: UI trace
The administrator can check the SYSPRINT log file for additional details about the denied request. For example, for the message shown, an entry similar to the following can be found in the SYSPRINT log file:
USER2    KOBUICS2I SAF R15=00000008 CLASS($KOBTEST) 
RESOURCE(KOBUI.ADMIN.TRACE.UI.BASIC ) RC=00000008 RSN=00000000
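As an added example that is not part of the IBM documentation, the following Python script parses SYSPRINT entries of the layout shown above and flags repeated denials per user and resource. The entry layout, the wrap of RESOURCE(...) onto a second line, and the sample entries are assumed from the single entry shown; the USER7 entry is constructed.

```python
import re
from collections import Counter
# Entry layout assumed from the single SYSPRINT example in the documentation.
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<module>\S+)\s+SAF\s+R15=(?P<r15>[0-9A-Fa-f]{8})\s+"
    r"CLASS\((?P<cls>[^)]+)\)\s+RESOURCE\((?P<res>[^)]+)\)\s+"
    r"RC=(?P<rc>[0-9A-Fa-f]{8})\s+RSN=(?P<rsn>[0-9A-Fa-f]{8})"
)

def join_wrapped(lines):
    """Re-attach a wrapped RESOURCE(...) continuation line to its entry."""
    out = []
    for line in (raw.strip() for raw in lines):
        if not line:
            continue
        if out and line.startswith("RESOURCE("):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def parse_saf_entries(text):
    """One dict per SAF entry; 'denied' is True when the SAF return code (R15) is 8."""
    entries = []
    for line in join_wrapped(text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["res"] = e["res"].strip()  # RESOURCE(...) is blank-padded in the log
            e["denied"] = int(e["r15"], 16) == 8
            entries.append(e)
    return entries

def repeated_denials(entries, threshold=2):
    """(user, resource) pairs denied at least `threshold` times, most frequent first."""
    counts = Counter((e["user"], e["res"]) for e in entries if e["denied"])
    return [(key, n) for key, n in counts.most_common() if n >= threshold]

# Constructed sample: the page's denied entry twice, plus one authorized request.
SAMPLE_SYSPRINT = """\
USER2    KOBUICS2I SAF R15=00000008 CLASS($KOBTEST)
RESOURCE(KOBUI.ADMIN.TRACE.UI.BASIC ) RC=00000008 RSN=00000000
USER2    KOBUICS2I SAF R15=00000008 CLASS($KOBTEST)
RESOURCE(KOBUI.ADMIN.TRACE.UI.BASIC ) RC=00000008 RSN=00000000
USER7    KOBUICS2I SAF R15=00000000 CLASS($KOBTEST) RESOURCE(KOBUI.ADMIN.SITEDITOR ) RC=00000000 RSN=00000000
"""

if __name__ == "__main__":
    for (user, res), n in repeated_denials(parse_saf_entries(SAMPLE_SYSPRINT)):
        print(f"{user}: {n} denials on {res}")
```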