You must set up security for IBM Health Checker for z/OS the same way you would for any other started task. To do this task with RACF®, do the following steps:
- Create a user ID for IBM Health Checker for z/OS and connect the superuser user ID to a group. Define the user ID with:
  - Superuser authority, using either UID(0) or access to the BPX.SUPERUSER resource
  - A home directory of HOME('/')
  - A program of PROGRAM('/bin/sh')
Examples:
- Using UID(0), you might use the following commands to define the user ID:
ADDUSER hcsuperid OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD
ADDGROUP OMVSGRP OMVS(GID(xx))
CONNECT hcsuperid GROUP(OMVSGRP)
- Using access to the BPX.SUPERUSER resource, you might use the following commands to define the user ID:
ADDUSER hcsuperid OMVS(UID(yy) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD
ADDGROUP OMVSGRP OMVS(GID(xx))
CONNECT hcsuperid GROUP(OMVSGRP)
RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)
SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(hcsuperid) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
For more information, see:
Note: Once you start IBM Health Checker for z/OS with its associated user ID, changes you make to the UID for the user ID won't usually take effect until the IBM Health Checker for z/OS address space is stopped and restarted.
- Associate the superuser user ID, hcsuperid, with the IBM Health Checker for z/OS started task, HZSPROC. For example:
SETROPTS GENERIC(STARTED)
RDEFINE STARTED HZSPROC.* STDATA(USER(hcsuperid) GROUP(OMVSGRP))
SETROPTS CLASSACT(STARTED)
SETROPTS RACLIST(STARTED)
If you had already RACLISTed the STARTED class, the last statement would have to be SETROPTS RACLIST(STARTED) REFRESH.
For more information, see:
- Give the IBM Health Checker for z/OS started task superuser user ID access to the HZSPDATA data set on each system where you'll run IBM Health Checker for z/OS. For example, you might specify the following:
ADDSD 'SYS1.PRODSYS.HZSPDATA' UACC(NONE)
PERMIT 'SYS1.PRODSYS.HZSPDATA' CLASS(DATASET) ID(hcsuperid) ACCESS(UPDATE)
- Give the IBM Health Checker for z/OS started task superuser user ID READ access to the HZSPRMxx parmlib member(s). For example, you might specify the following:
ADDSD 'SYS1.PARMLIB' UACC(NONE)
PERMIT 'SYS1.PARMLIB' CLASS(DATASET) ID(hcsuperid) ACCESS(READ)
- If you will be using a log stream, you must define UPDATE access for the IBM Health Checker for z/OS started task superuser user ID to each RESOURCE(logstreamname) CLASS(LOGSTRM). IBM Health Checker for z/OS connects directly to the defined log stream or streams. For example, you might specify the following:
RDEFINE LOGSTRM logstreamname UACC(NONE)
PERMIT logstreamname CLASS(LOGSTRM) ID(hcsuperid) ACCESS(UPDATE)
SETROPTS CLASSACT(LOGSTRM) RACLIST(LOGSTRM)
SETROPTS RACLIST(LOGSTRM)
If you had already RACLISTed the LOGSTRM class, the last statement would have to be SETROPTS RACLIST(LOGSTRM) REFRESH. See the "LOGR parameters for administrative data utility" section of z/OS MVS Setting Up a Sysplex.
- REXX health checks support input and output datasets and the checks have a REXXHLQ (REXX dataset high level qualifier) attribute. Be prepared to grant the appropriate access rights for REXX datasets to the user ID that is associated with the Health Checker address space.
- If the SERVAUTH class is activated and a profile is defined for the EZB.STACKACCESS.sysname.tcpprocname resource, you must grant the user ID that is associated with the Health Checker address space READ access to the profile.
PERMIT EZB.STACKACCESS.sysname.tcpprocname CLASS(SERVAUTH) ID(hcsuperid) ACCESS(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH
- To let health check (IBMUSS,ZOSMIGREC_ROOT_FS_SIZE) run successfully, give the Health Checker user ID READ access to the OPERCMDS MVS.DISPLAY.OMVS resource.
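To confirm the definitions from the steps above, the following batch TSO job lists each profile so you can check that UACC is NONE and that hcsuperid holds only the access level the step calls for. It is an added example, not part of the IBM documentation. The job card values are assumptions, the lowercase names are the page's placeholders, and the submitting user needs enough RACF authority to list these profiles.

```jcl
//HZSVERFY JOB (ACCT),'VERIFY HZS RACF',CLASS=A,MSGCLASS=X
//* Added example, not from the IBM documentation.
//* Assumed: job card values. Replace the lowercase placeholders
//* (hcsuperid, logstreamname, sysname, tcpprocname) first.
//*
//* What to look for in the SYSTSPRT output:
//*  LISTUSER  - PROTECTED attribute (from NOPASSWORD) and the
//*              OMVS segment: UID, HOME=/, PROGRAM=/bin/sh
//*  RLIST FACILITY - hcsuperid READ (only if UID is not 0)
//*  RLIST STARTED  - STDATA USER=hcsuperid GROUP=OMVSGRP
//*  LISTDSD   - HZSPDATA: UPDATE; SYS1.PARMLIB: READ
//*              (add GENERIC if your profiles are generic)
//*  RLIST LOGSTRM  - hcsuperid UPDATE (only with a log stream)
//*  RLIST SERVAUTH - hcsuperid READ (only if profile exists)
//*  RLIST OPERCMDS - hcsuperid READ
//*  SETROPTS LIST  - classes above are active and RACLISTed
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTUSER hcsuperid OMVS
  RLIST FACILITY BPX.SUPERUSER AUTHUSER
  RLIST STARTED HZSPROC.* STDATA
  LISTDSD DATASET('SYS1.PRODSYS.HZSPDATA') AUTHUSER
  LISTDSD DATASET('SYS1.PARMLIB') AUTHUSER
  RLIST LOGSTRM logstreamname AUTHUSER
  RLIST SERVAUTH EZB.STACKACCESS.sysname.tcpprocname AUTHUSER
  RLIST OPERCMDS MVS.DISPLAY.OMVS AUTHUSER
  SETROPTS LIST
/*
```

Any ID on an access list other than the ones you granted deliberately is worth reviewing, since these resources grant superuser switching and write access to Health Checker data.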