Define SAF profiles to control permissions for history collection configurations

Create SAF resource profiles to control permissions for history collection configurations when using TEMS REST services.

Before you begin

TEMS REST services allows you to retrieve and delete information about history collection configurations. By default, all requests are allowed unless SAF resource profiles that restrict access are defined.

Security for TEMS REST services requires a SAF general resource class named $KOBSEC. For more information, review Securing TEMS REST services.

About this task

A history collection configuration defines what historical data is collected for particular attribute groups and provides other collection-related settings.

History collection configurations are stored as internal UADVISOR situations. A UADVISOR situation is a special form of situation that is created for internal product use. The name of a UADVISOR situation is in the format UADVISOR_xxxxx.

Note: For information about securing access to user-defined situations or predefined product-provided situations, see Define SAF profiles to control permissions for situations.

TEMS REST services verifies the authority to interact with history collection configurations by checking for access to the SAF resources, as follows:

Table 1. TEMS REST services endpoints and SAF resources for history collection configurations

| Description of request | Method | Endpoint | Resource pattern | Access required |
| --- | --- | --- | --- | --- |
| Retrieve history collection configurations | GET | /data/historycollections | O4SRV.HISTORYCOLLECTIONS.uadvisor_name | READ |
| Delete a history collection configuration | DELETE | /data/historycollections | O4SRV.HISTORYCOLLECTIONS.uadvisor_name | ALTER |

where:

O4SRV
    Is a literal qualifier value. O4SRV is a qualifier for monitoring server tables.
HISTORYCOLLECTIONS
    Is a literal qualifier value. Use this qualifier for controlling permissions to history collection configurations.
uadvisor_name
    Is the unique name of the history collection configuration in the format UADVISOR_xxxxx. Commonly, Kpp and tablename appear in the name.

You must create a SAF profile to match the resource. If a matching SAF profile does not exist to protect a given resource, the request is allowed.

As an example, to control the ability to retrieve a history collection configuration named UADVISOR_KDP_ANOMALY for all users, enter the following command:

    RDEFINE $KOBSEC O4SRV.HISTORYCOLLECTIONS.UADVISOR_KDP_ANOMALY UACC(NONE)

More generally, you can define the profile using the asterisk (*) wildcard to restrict requests for all history collection configurations:

    RDEFINE $KOBSEC O4SRV.HISTORYCOLLECTIONS.* UACC(NONE)

You can then give access to the profiles for individual users or user groups.

Important: When enabling security for the OMEGAMON enhanced 3270 user interface, you might define resource profile O4SRV.** with UACC(NONE) to secure near-term history. If this profile exists in your $KOBSEC resource class, it would overrule the profiles for your history collection configurations using TEMS REST services. If this is the case, define the following profile to allow the use of TEMS REST services to retrieve all history collection configurations before restricting access to specific resources:

    RDEFINE $KOBSEC O4SRV.HISTORYCOLLECTIONS.* UACC(READ)

Note: To allow users to delete history collection configurations, you must provide ALTER access.

Procedure

  1. For each history collection configuration to protect, enter the following commands in RACF:
    RDEFINE $KOBSEC O4SRV.HISTORYCOLLECTIONS.uadvisor_name UACC(NONE)
    SETROPTS RACLIST($KOBSEC) REFRESH

    These commands refuse access to all users.

  2. To permit access to individual users, enter the following commands in RACF:
    • To permit retrieval of a history collection configuration:
      PERMIT O4SRV.HISTORYCOLLECTIONS.uadvisor_name ID(userid) ACCESS(READ) CLASS($KOBSEC)
    • To permit deleting a history collection configuration:
      PERMIT O4SRV.HISTORYCOLLECTIONS.uadvisor_name ID(userid) ACCESS(ALTER) CLASS($KOBSEC)
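
The following is an added example, not part of the original documentation or product code. It models the decision that Table 1 and the Important note describe, so you can check a planned set of $KOBSEC profiles for resources that would still be allowed by default. It is a simplified model that assumes only discrete names, `*` as one whole qualifier, and a trailing `**`; the user IDs and the name UADVISOR_OTHER are constructed sample values.

```python
# Simplified model of the authorization decision described on this page.
# Assumption: this is NOT RACF's full generic-matching algorithm; it handles
# discrete names, "*" as one whole qualifier, and a trailing "**" only.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access order
REQUIRED = {"GET": "READ", "DELETE": "ALTER"}            # from Table 1


def matches(profile, resource):
    p, r = profile.split("."), resource.split(".")
    if p[-1] == "**":            # "**" covers zero or more trailing qualifiers
        p = p[:-1]
        r = r[:len(p)]
    return len(p) == len(r) and all(a in ("*", b) for a, b in zip(p, r))


def specificity(profile):
    # Compare left to right: literal qualifier > "*" > "**"; discrete wins.
    return tuple(0 if q == "**" else 1 if q == "*" else 2
                 for q in profile.split("."))


def decide(profiles, user, method, uadvisor_name):
    """Return (allowed, deciding_profile) for one TEMS REST request."""
    resource = "O4SRV.HISTORYCOLLECTIONS." + uadvisor_name
    hits = [name for name in profiles if matches(name, resource)]
    if not hits:
        return True, None        # no matching profile: request is allowed
    best = max(hits, key=specificity)
    prof = profiles[best]
    # An explicit PERMIT entry for the user overrides the profile's UACC.
    level = prof["permits"].get(user, prof["uacc"])
    return LEVELS.index(level) >= LEVELS.index(REQUIRED[method]), best


# Constructed sample state: user IDs and UADVISOR_OTHER are made up.
PROFILES = {
    "O4SRV.**": {"uacc": "NONE", "permits": {}},
    "O4SRV.HISTORYCOLLECTIONS.*": {"uacc": "READ",
                                   "permits": {"HISTADM": "ALTER"}},
    "O4SRV.HISTORYCOLLECTIONS.UADVISOR_KDP_ANOMALY": {
        "uacc": "NONE", "permits": {"OPER1": "READ"}},
}

if __name__ == "__main__":
    for user, method, name in [("OPER2", "GET", "UADVISOR_OTHER"),
                               ("OPER2", "DELETE", "UADVISOR_OTHER"),
                               ("OPER1", "GET", "UADVISOR_KDP_ANOMALY")]:
        print(user, method, name, decide(PROFILES, user, method, name))
```

A result of `(True, None)` marks a configuration that no profile protects, which is the default-allow case described above.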