Authorization for system logger application programs

IBM® recommends that installations use Security Authorization Facility (SAF) to control access to system logger resources such as log streams or coupling facility structures associated with log streams.

Define access for applications to the following classes and resources for each service. Note that only applications writing to coupling facility log streams need access to coupling facility structures:

Table 1. Defining SAF Authorization For System Logger Resources
System Logger Service Access type SAF class and Resource
IXGINVNT REQUEST=DEFINE TYPE=LOGSTREAM

IXGINVNT REQUEST=UPDATE TYPE=LOGSTREAM

IXGINVNT REQUEST=DELETE TYPE=LOGSTREAM

 ALTER RESOURCE(log_stream_name) CLASS(LOGSTRM)
IXGINVNT REQUEST=DEFINE TYPE=LOGSTREAM

IXGINVNT REQUEST=UPDATE TYPE=LOGSTREAM

STRUCTNAME=structure_name

 ALTER

UPDATE

 RESOURCE(log_stream_name) CLASS(LOGSTRM)

RESOURCE(IXLSTR.structure_name) CLASS(FACILITY)
IXGINVNT REQUEST=DEFINE TYPE=LOGSTREAM LIKE=like_log_stream_name DASDONLY=NO and when like_log_stream_name has a structure name, that is, like_structure_name ALTER

UPDATE

 RESOURCE(log_stream_name) CLASS(LOGSTRM)

RESOURCE(IXLSTR.like_structure_name) CLASS(FACILITY)
IXGINVNT REQUEST=DEFINE TYPE=STRUCTURE

IXGINVNT REQUEST=DELETE TYPE=STRUCTURE

 ALTER RESOURCE(MVSADMIN.LOGR) CLASS(FACILITY)
IXGCONN REQUEST=CONNECT AUTH=WRITE UPDATE RESOURCE(log_stream_name) CLASS(LOGSTRM)
IXGCONN REQUEST=CONNECT AUTH=READ READ RESOURCE(log_stream_name) CLASS(LOGSTRM)
Parent topic: Define authorization to system logger resources