Stylesheet Options

You learned about the role concept, definitions that are required for human operators, and how commands can be secured according to IBM® recommendations. There are stylesheet options that are required to implement this level of security.

The CNMSTGEN member, generated by the Configuration Assistant, uses security options that start the Automation Agent with the defaults that are provided by the product, before you do any configuration to this member. However, this level of security is not sufficient and, in fact, is not secure at all unless you change the default passwords as explained here.

When you are ready to switch to SAF-based security, in your <sa_hlq_user>.DSIPARM data set, edit the CNMSTGEN member and activate the following options:

The first option specifies that operator identification and password or password phrase checking is done with an SAF security product.

SECOPTS.OPERSEC = SAFDEF

The second option specifies that the NetView® component performs command authorization checking with an SAF security product. Users can issue all commands when the SAF product cannot make a security decision. This option avoids the need to define profiles and permissions for all non-critical NetView component commands explicitly.

SECOPTS.CMDAUTH = SAF.PASS

The third option specifies to check the authority of the original issuer or the ID closest to the original issuer.

SECOPTS.AUTHCHK = SOURCEID

Make sure that you specify each of the options once and that you comment out the default settings in this member.

The fourth option specifies that commands routed to tasks from the NetView automation table are not authority-checked by a SAF security product, unless SEC=CH was specified on the CMDDEF statement.

DEFAULTS.AUTOSEC = BYPASS

You activate resource level security checks by setting the following stylesheet option in CNMSTGEN:

SECOPTS.SARESAUT = ON.PASS

The user ID used for SAF checking is either OPID() from the top-level System Automation command or explicitly set for third-party checking (for example, from the PPI Receiver).
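
The requirement that each option is specified once, with the defaults commented out, can be checked mechanically on a text copy of the CNMSTGEN member. The following Python script is an added example, not part of the product or its documentation; the function names and the sample are hypothetical, and it assumes that a comment line has an asterisk in column 1 and that keywords and values are not case-sensitive.

```python
import re

# Values this page recommends for SAF-based security.
EXPECTED = {
    "SECOPTS.OPERSEC": "SAFDEF",
    "SECOPTS.CMDAUTH": "SAF.PASS",
    "SECOPTS.AUTHCHK": "SOURCEID",
    "DEFAULTS.AUTOSEC": "BYPASS",
    "SECOPTS.SARESAUT": "ON.PASS",
}
STMT = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(\S+)")

def active_settings(member_text):
    """Map each audited keyword to its active (line number, value) pairs."""
    found = {key: [] for key in EXPECTED}
    for lineno, line in enumerate(member_text.splitlines(), start=1):
        # Assumption: '*' in column 1 marks a comment line, so it is skipped.
        if line.startswith("*"):
            continue
        m = STMT.match(line)
        if m and m.group(1).upper() in found:
            found[m.group(1).upper()].append((lineno, m.group(2).upper()))
    return found

def audit(member_text):
    """Return findings; an empty list means the member matches the page."""
    findings = []
    for key, hits in active_settings(member_text).items():
        want = EXPECTED[key]
        if not hits:
            findings.append(f"{key}: no active statement (expected {want})")
        if len(hits) > 1:
            findings.append(f"{key}: specified on lines {[n for n, _ in hits]}")
        for lineno, value in hits:
            if value != want:
                findings.append(f"{key}: line {lineno} is {value}, expected {want}")
    return findings

# Constructed sample, not the generated member: one leftover, one still commented.
SAMPLE = """\
SECOPTS.OPERSEC = NETVPW
SECOPTS.OPERSEC = SAFDEF
SECOPTS.CMDAUTH = SAF.PASS
SECOPTS.AUTHCHK = SOURCEID
DEFAULTS.AUTOSEC = BYPASS
*SECOPTS.SARESAUT = ON.PASS
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all five options set once")
```

For the constructed sample, the script reports the duplicate SECOPTS.OPERSEC statement, its leftover value, and the missing active SECOPTS.SARESAUT statement.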