z/OS Common Information Model User's Guide


Configuring the CIM server's resource authorization model

SC34-2671-00

The CIM server can be run with two different authorization models, depending on whether the profile BPX.SERVER is defined in the FACILITY class or not. In either case, the CIM server follows a resource-based authorization model: user requests are processed in separate threads whose security context is switched to the user ID of the requestor or to a designated user ID. So when a CIM provider performs a user request in such a thread, it accesses any z/OS system resource under the requestor's or the designated user ID, and authorization checks therefore occur against that user ID. These checks are performed in addition to the general access check for the CIM server through the CIMSERV profile in class WBEM.

For resource-based authorization to work properly, set up the CIM server user ID as follows:

1. Set up the CIM server user ID according to the Enhanced Security model in use:

   If the Enhanced Security model is disabled:
   When the Enhanced Security model is disabled, no profile BPX.SERVER is active in the FACILITY class.
   - Set up the user ID running the CIM server as a privileged user (UID=0).

   If the Enhanced Security model is enabled:
   When the Enhanced Security model is enabled, profile BPX.SERVER exists in the FACILITY class, and the FACILITY class is active.

   Note: The definition of BPX.SERVER is not specific to the CIM server, but has system-wide implications for all programs running on the z/OS system. Refer to Setting up the BPX.* FACILITY class profiles in z/OS UNIX System Services Planning for additional information.

   a. Set up the user ID running the CIM server with UPDATE access to BPX.SERVER.
   b. If the CIM server user ID is not privileged (UID ≠ 0), ensure that the directories /etc/wbem and /var/wbem are owned by this user ID.

      The following example shows how to change ownership:

      Example:
      chown -R <Server UserID>:<Server GroupID> /etc/wbem
      chown -R <Server UserID>:<Server GroupID> /var/wbem

      If any of these requirements is not met, the CIM server does not start, but issues a corresponding error message in the logs.

2. Consider enabling the must-stay-clean feature (see Enabling the must-stay-clean feature).
3. If the Enhanced Security model or the must-stay-clean feature is enabled, make sure that the CIM server runs in a clean, program-controlled environment (see Setting up program control).
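The following pre-start check, added here as an example and not part of the IBM documentation or the CIM server itself, verifies the ownership rule from step 1b before the server is started: a UID 0 server user ID needs no ownership change, any other user ID must own both directories. The directory paths are passed as arguments so the check can be run against constructed directories; the function names and the placeholder `<Server UserID>` are assumptions of this example.

```shell
#!/bin/sh
# Example pre-start check for the CIM server's resource-authorization
# prerequisites (added example, not IBM's code). Nothing here changes RACF
# definitions or directory ownership; it only reports whether the rule holds.

# dirs_owned_by_uid UID DIR...: succeed only if every DIR exists and is owned
# by the numeric UID (field 3 of POSIX "ls -ldn"). Mismatches go to stderr.
dirs_owned_by_uid() {
    want=$1
    shift
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "$d: directory missing" >&2
            rc=1
            continue
        fi
        owner=$(ls -ldn "$d" | awk '{ print $3 }')
        if [ "$owner" != "$want" ]; then
            echo "$d: owned by UID $owner, expected UID $want" >&2
            rc=1
        fi
    done
    return $rc
}

# cim_prereq_check USER DIR...: apply the page's rule for a named server
# user ID. UID 0 needs no ownership change; any other UID must own every DIR.
cim_prereq_check() {
    user=$1
    shift
    uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user $user" >&2; return 1; }
    if [ "$uid" -eq 0 ]; then
        echo "$user is UID 0: ownership of $* is not required"
        return 0
    fi
    dirs_owned_by_uid "$uid" "$@"
}

# On a real system, with the page's placeholder for the server user ID:
#   cim_prereq_check <Server UserID> /etc/wbem /var/wbem
```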





Copyright IBM Corporation 1990, 2014