Prefixed Take Action commands
OMEGAMON for DB2® Performance Expert uses Take Action commands to issue commands to Db2 from the Enhanced 3270 User Interface.
Take Action commands, which are prefixed by IP, are known as agent commands. Security for OMEGAMON for Db2 Performance Expert Take Action commands is based on SAF security classes and resource profile names. If no resource profiles are created to control Take Action commands, all commands are denied.
The Enhanced 3270 User Interface validates the resource profile to determine whether users are authorized to issue the Take Action commands. To allow Take Action commands on all managed systems, use the following profile:
KDP.**.TAKEACTION
You can use this profile to issue the Take Action command to the agent from the Enhanced 3270 User Interface. The agent uses the security profile that is used by the Db2 subsystem to issue the specific Db2 command.
For example, to issue OMEGAMON for Db2 Performance Expert Take Action commands on all managed systems that use an SAF class name of $KOBSEC, issue the following RACF® commands from the Enhanced 3270 User Interface:
RDEFINE $KOBSEC KDP.**.TAKEACTION UACC(NONE)
SETROPTS RACLIST($KOBSEC) REFRESH
PERMIT KDP.**.TAKEACTION ID(userid) ACCESS(UPDATE) CLASS($KOBSEC)
At a minimum, you must use this pattern to create a profile in the global security class (RTE_SECURITY_CLASS). You must also permit users to the profile with UPDATE access to authorize them to issue OMEGAMON for Db2 Performance Expert Take Action commands. When you specify the RTE_SECURITY_CLASS parameter (RKANPARU member KOBENV) and it is not set to the reserved name, OMEGDEMO, the OMEGAMON for Db2 Performance Expert agent uses this class to validate the authority of a user to issue commands. You can also create other profiles for more granular access control.
While the previous profile of KDP.**.TAKEACTION allows Db2 commands to be issued for all managed systems, you can also create other profiles for more granular access and control. Use the following profile:
where msn is the name of the managed system and uses this format for a Db2 subsystem: ssid:smfid:DB2. The ssid is the four-character ID of the Db2 subsystem. The smfid is the four-character System Management Facility ID.
To control the ability to issue Take Action commands to an OMEGAMON for Db2 Performance Expert agent that is running on LPAR MVS1 for DB2A, for example, use the following profile:
Users must be given UPDATE access to the profiles. In addition, an SAF Pass Ticket profile must be defined to allow the Enhanced 3270 User Interface to authenticate between the interface and the hub monitoring server. For more information, see:
- OMEGAMON shared documentation, Version 6.3.0 Fix Pack 2 and above: Configuring security on a monitoring server on z/OS
- OMEGAMON shared documentation, Version 6.3.0 Fix Pack 2 and above: Common parameters
- Db2 take action commands
- If you want to allow certain users to execute CANCEL THREAD actions in Thread Activity in the Enhanced 3270 User Interface, you must additionally use the Db2 GRANT statement to grant the required privileges (for example, SYSOPR).
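The following Python model is an added example, not part of the IBM documentation or product code. It shows how the all-systems profile and a per-system profile combine into an allow or deny decision. It assumes the per-system resource name has the shape KDP.msn.TAKEACTION, models only the `**` generic, and ignores group permits; the user IDs and the DB2B subsystem are constructed.

```python
import re

# RACF access levels in ascending order.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def resource_for(ssid, smfid):
    """Resource name checked for one managed system (name shape is an assumption)."""
    return f"KDP.{ssid}:{smfid}:DB2.TAKEACTION"

def covers(profile, resource):
    """True if the profile covers the resource; only the '**' generic is modelled."""
    pattern = re.escape(profile).replace(r"\.\*\*", r"(?:\.[^.]+)*")
    return re.fullmatch(pattern, resource) is not None

def can_take_action(profiles, resource, userid, needed="UPDATE"):
    """profiles maps profile name -> {"uacc": level, "permits": {userid: level}}."""
    matches = [p for p in profiles if covers(p, resource)]
    if not matches:
        return False  # no covering profile: the page says all commands are denied
    # Only the most specific profile is consulted. Simplification: a discrete
    # name beats a generic one, then the longer literal part wins.
    best = max(matches, key=lambda p: ("*" not in p, len(p.replace("*", ""))))
    entry = profiles[best]
    granted = entry["permits"].get(userid, entry["uacc"])
    return LEVELS.index(granted) >= LEVELS.index(needed)

# Constructed sample data: one all-systems profile, one profile for DB2A on MVS1.
PROFILES = {
    "KDP.**.TAKEACTION": {
        "uacc": "NONE", "permits": {"OPER1": "UPDATE", "OPER2": "UPDATE"}},
    "KDP.DB2A:MVS1:DB2.TAKEACTION": {
        "uacc": "NONE", "permits": {"OPER1": "UPDATE", "AUDIT1": "READ"}},
}

if __name__ == "__main__":
    for user, ssid in [("OPER1", "DB2A"), ("OPER2", "DB2A"),
                       ("OPER2", "DB2B"), ("AUDIT1", "DB2A")]:
        allowed = can_take_action(PROFILES, resource_for(ssid, "MVS1"), user)
        print(f"{user:7} {ssid}:MVS1:DB2 -> {'allow' if allowed else 'deny'}")
```

OPER2 is denied on DB2A even though the all-systems profile permits that user, because the more specific profile alone decides access once it exists.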