Define Take Action command security settings using SAF profiles

Configure the FOLD and CNTRLPT (control point) security parameters for Take Action command authorization and access using SAF profiles.

Before you begin

Review the following information:
  • Security parameters FOLD and CNTRLPT are used for Take Action command authorization and access.
  • In addition to using the SAF interface to set the FOLD and CNTRLPT parameters, you can also configure these parameters in the rHilev.rte_name.RKANPARU(KppINNAM) member. If you use SAF profiles to set the FOLD and CNTRLPT parameters, duplicate settings in the KppINNAM members are ignored.
  • Of the Take Action command security settings, only the FOLD and CNTRLPT parameters can be configured using SAF profiles. All other parameters (for example, parameters DATA or VALIDATE) are taken from the KppINNAM member.
  • The use of SAF profiles for setting the FOLD and CNTRLPT parameters is optional. Using SAF profiles for this purpose requires a SAF general resource class named $KOBSEC. If resource class $KOBSEC does not exist, it must be defined. For more information, see Define a SAF general resource class for securing access to OMEGAMON resources.
    Note: The OMEGAMON® enhanced 3270 user interface (enhanced 3270UI) and TEMS REST services also use the SAF interface for securing access to resources. For the enhanced 3270UI, the SAF general resource class name is customizable and specified in parameter RTE_SECURITY_CLASS. For TEMS REST services, the class name must also be $KOBSEC.

About this task

To set the FOLD and CNTRLPT parameters using the SAF interface, you must define the following profiles in SAF general resource class $KOBSEC:
  • smfid.stc.KLVINNAM.FOLD
  • smfid.stc.KLVINNAM.CNTRLPTxx
Where smfid is the name of the LPAR, stc is the name of the started task, and xx is 01 - 99.

The APPLDATA field is then used to define the parameter values, respectively.

Important: To successfully implement this feature, you must define both profiles. If the profile for the FOLD parameter does not exist, the profile for the CNTRLPT parameter is ignored.

To set the FOLD and CNTRLPT values using SAF profiles, complete the following procedure.

Procedure

  1. Define the FOLD parameter, as follows:
    1. Create the following profile in the RACF security class $KOBSEC: 
      smfid.stc.KLVINNAM.FOLD
      Where smfid is the name of the LPAR and stc is the name of the started task.
    2. Within the profile, use the APPLDATA field to specify the value of the FOLD parameter.
  2. Perform the following steps for each control point to define:
    1. Create the following profile in the RACF security class $KOBSEC: 
      smfid.stc.KLVINNAM.CNTRLPTxx
      Where smfid is the name of the LPAR, stc is the name of the started task, and xx is 01 - 99. For multiple control points, xx must be a consecutive integer value starting with 01 and not omitting any numbers.
    2. Within the profile, use the APPLDATA field to specify control point keywords, where xx is 01 - 99.

Example

For example, creating profile smfid.stc.KLVINNAM.FOLD in $KOBSEC security class with APPLDATA YES and creating profile smfid.stc.KLVINNAM.CNTRLPT01 in $KOBSEC security class with APPLDATA containing DEFAULT APPL(CANDLE) SAF NORACF will override the settings in the KDSINNAM member:
FOLD(NO)
DEFAULT APPL(CANDLE) -
DSNAME(rte.RKDSNAM) - 
NOSAF - 
NORACF - 
NODB