Take Action commands fail on SAF authorization

IBM® Z OMEGAMON® AI for Networks adopts a common security model that is used by other products in the OMEGAMON® suite.

Take Action commands issued from Tivoli® Enterprise Portal fail with one of the following messages:
KN3A006E RACF AUTHORIZATION ERROR

The newly adopted security model requires that all Take Action commands be validated against the RTE's security class or the product specific override.

If a security class is not specified, Take Action commands will not be permitted under this security model.

After the SMP/E installation, use the Configuration Tool or the PARMGEN tool to specify a SAF security class that is used to implement the new Take Action validation.

The new Take Action implementation requires values from the following parameters:
  • The RTE_SECURITY_CLASS parameter, which validates the user identity using the SAF interface. The parameter specifies a valid SAF class name.
    • You set this parameter in the Configuration Tool using the in the Global SAF class name field on panel KCIPRTA1 "Add Runtime Environment (1 of 3)." This parameter sets values for everything running on this RTE when you first create the RTE. To update an existing RTE you need to set the Global SAF class name field on panel on panel KCIPRTEU Update Runtime Environment (1 of 3).
    • You set this parameter in PARMGEN by specifying a value for the RTE_SECURITY_CLASS and completing the PARMGEN configuration.
  • The KN3_SECURITY_ACTION_CLASS parameter can be optionally used to override the RTE_SECURITY_CLASS value specified for the runtime environment. You can use this parameter to define a separate security class to control command-level security for IBM® Z OMEGAMON® AI for Networks monitoring agent.
    • You set this parameter in the Configuration Tool using the SAF class name override field on panel KN341P2 Specify Configuration Parameters (Page 1).
    • You set this parameter in PARMGEN by specifying a value for the KN3_SECURITY_ACTION_CLASS and completing the PARMGEN configuration.

To correct this problem, configure the monitoring agent using with the Configuration Tool or PARMGEN and the procedures described in the IBM® Tivoli IBM® Z OMEGAMON® AI for Networks: Planning and Configuration Guide. Pay special attention to the Authorize users to access IBM® Z OMEGAMON® AI for Networks managed systems on the enhanced 3270 user interface section where the instructions for setting up command authorizations are documented.