IBM® recommends that installations use Security Authorization Facility (SAF) to control access to system logger resources such as log streams or coupling facility structures associated with log streams.
Define access for applications to the following classes and resources for each service. Note that only applications writing to coupling facility log streams need access to coupling facility structures:
System Logger Service | Access type | SAF class and Resource |
---|---|---|
IXGINVNT REQUEST=DEFINE TYPE=LOGSTREAM IXGINVNT REQUEST=UPDATE TYPE=LOGSTREAM IXGINVNT REQUEST=DELETE TYPE=LOGSTREAM |
ALTER | RESOURCE(log_stream_name) CLASS(LOGSTRM) |
IXGINVNT REQUEST=DEFINE TYPE=LOGSTREAM IXGINVNT REQUEST=UPDATE TYPE=LOGSTREAM STRUCTNAME=structure_name |
ALTER UPDATE |
RESOURCE(log_stream_name) CLASS(LOGSTRM) RESOURCE(IXLSTR.structure_name) CLASS(FACILITY) |
IXGINVNT REQUEST=DEFINE TYPE=LOGSTREAM LIKE=like_log_stream_name DASDONLY=NO and when like_log_stream_name has a structure name, that is, like_structure_name | ALTER UPDATE |
RESOURCE(log_stream_name) CLASS(LOGSTRM) RESOURCE(IXLSTR.like_structure_name) CLASS(FACILITY) |
IXGINVNT REQUEST=DEFINE TYPE=STRUCTURE IXGINVNT REQUEST=DELETE TYPE=STRUCTURE |
ALTER | RESOURCE(MVSADMIN.LOGR) CLASS(FACILITY) |
IXGCONN REQUEST=CONNECT AUTH=WRITE | UPDATE | RESOURCE(log_stream_name) CLASS(LOGSTRM) |
IXGCONN REQUEST=CONNECT AUTH=READ | READ | RESOURCE(log_stream_name) CLASS(LOGSTRM) |