Define profiles for additional interface activities

In addition to Log-on, Take Action, and Query profiles, profiles can be created to control authorization to perform additional tasks using the enhanced 3270 user interface. These profiles are defined to the class identified by the RTE_SECURITY_CLASS parameter.

About this task

Depending on how your security implementation is configured, if no SAF profile is defined for an activity listed in Table 1, either no user or every user is permitted to perform that activity. To allow access selectively, use the exact resource name shown for each activity in the corresponding SAF profile.
Table 1. Interface activities and resource names

Activity: List users of the enhanced 3270 user interface.
Resource name: KOBUI.ADMIN.LISTUSERS

Activity: Start or stop user interface tracing.
Resource name: KOBUI.ADMIN.TRACE.UI.<trace_type>
where <trace_type> is one of the following values:
  • BASIC
  • 3270
  • DATA
  • SECURITY
  • ISPF
  • FLOW
  • OFF

Activity: Start or stop internal tracing.
Resource name: KOBUI.ADMIN.TRACE.INTERNAL.<trace_type>
where <trace_type> is one of the following values:
  • REQUESTROUTER
  • CONDUITMANAGER
  • REGISTRY
  • STATUSTHRESHOLDING
  • SESSIONCONTROL
  • GATEWAY
  • ODI
  • SAF
  • OFF

Activity: Create or modify a profile member whose name is the same as the user's user ID.
Resource name: KOBUI.ADMIN.MEMBER.WRITE.RKOBPFSV.<member>
then either:
  • SAF_CLASS='DATASET'
  • SAF_RESOURCE=<dataset_name>
  • ACCESS=UPDATE
  • USER=<logged_on_e3270ui_userid>
or:
  • SAF_CLASS='DATASET'
  • SAF_RESOURCE=<dataset_name>
  • ACCESS=UPDATE
  • USER=<interface_started_task_userid>

Activity: Modify (Save, Save As) any PDS member (for example, a workspace in DD=UKANWENU or a profile member in DD=RKOBPFSV) that is named differently from the signed-on user's user ID.
Resource name: KOBUI.ADMIN.MEMBER.WRITE.<dd>.<member>
then:
  • USER=<logged_on_e3270ui_userid>
  • SAF_CLASS=DATASET
  • SAF_RESOURCE=<dataset_name>
  • ACCESS=UPDATE

Activity: Change auto-update preferences.
Resource name: KOBUI.ADMIN.PREFS.AUTOUPDATE

Activity: Enter a command on the command line.
Resource name: KOBUI.USER.COMMAND.<command>

Activity: Use a hub Tivoli® Enterprise Monitoring Server from within the user interface.
Resource name: KOBUI.ADMIN.USEHUB.<hub_name>

Activity: Configure near-term history.
Resource name: KOBUI.ADMIN.DEFINEHISTORY.<hub_name>
Note: To authorize updates to near-term history, the O4SRV.** resource must be defined to the general SAF security class (RTE_SECURITY_CLASS) or, if one is defined, to the query security class (KOB_SAF_QUERY_CLASS_NAME).

Activity: Stop a user session on the Tools -> Active Enhanced 3270 User Interface workspace (KOBUSERS).
Resource name: KOBUI.ADMIN.KILLUSER

Activity: Enable Situation Editor and Object Editor functions.
Resource name: The following security resource profiles must be defined for these editors:
  • KOBUI.ADMIN.SITEDITOR
  • KOBUI.ADMIN.OBJECTEDITOR
  • O4SRV.**

To view the editors, users must have READ or UPDATE access to the corresponding editor profile (KOBUI.ADMIN.SITEDITOR for the Situation Editor and KOBUI.ADMIN.OBJECTEDITOR for the Object Editor). Users whose access to a profile is NONE cannot open that editor.

To save updates in the editors, users must have READ or UPDATE access to the O4SRV.** profile in addition to READ or UPDATE access to the corresponding editor profile. Users whose access to the O4SRV.** profile is NONE cannot save updates in the editors.

Activity: Send commands and queries to a given hub TEMS via the TOM interface for IBM Tivoli Management (ITM) CMS (TEMS), Service Index, or SOAP consoles.
Resource name:
  • KOBUI.ADMIN.ITM.<hub_name>.SERVICEINDEX
  • KOBUI.ADMIN.ITM.<hub_name>.<servicepoint_name>.SERVICECONSOLE
  • KOBUI.ADMIN.ITM.<hub_name>.<servicepoint_name>.SOAPCONSOLE

Activity: User session initialization (hub TEMS information retrieval).
Resource name: SYSTEM.**

Activity: Configure multi-tenancy.
Resource name:
  • KOBUI.MULTI.CUST.<customerID>
  • KOBUI.MULTI.GROUP.<group>
For more information, see Creating tenant definitions in RACF.
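The member-write rows of Table 1 describe a two-stage check: the interface first checks the KOBUI.ADMIN.MEMBER.WRITE.<dd>.<member> resource in the RTE_SECURITY_CLASS class, then checks UPDATE access to the underlying data set in the DATASET class. For a member named after the signed-on user, the data set check passes if either the user or the interface started task has UPDATE; for any other member name, only the signed-on user's access counts. The RACF command stream below is an added example, not taken from this page or from the product, of one least-privilege arrangement that follows from those rows. It assumes that the class $OMEGZOS is active with generic profile checking enabled and that the class is not RACLISTed, a hypothetical high-level qualifier OMEGHLQ whose RKOBPFSV and UKANWENU data sets are already protected by DATASET profiles, a hypothetical started task user ID OMSTC, and a hypothetical administrator group OMADMIN.

```racf
/* Added example, not from the product documentation. Placeholders:    */
/*   $OMEGZOS - class named by RTE_SECURITY_CLASS (from the page)      */
/*   OMEGHLQ  - hypothetical high-level qualifier of the runtime       */
/*              data sets (OMEGHLQ.RKOBPFSV, OMEGHLQ.UKANWENU)         */
/*   OMSTC    - hypothetical user ID of the interface started task     */
/*   OMADMIN  - hypothetical administrator group                        */
/* Issue from a TSO session or an IKJEFT01 SYSTSIN stream.             */

/* Stage 1: the KOBUI resource. Every user may pass this stage for    */
/* profile members (DD RKOBPFSV); the interface checks for READ, so   */
/* UACC(READ) is sufficient. Stage 2 decides who actually succeeds.   */
RDEFINE  $OMEGZOS KOBUI.ADMIN.MEMBER.WRITE.RKOBPFSV.** UACC(READ)

/* Shared profile members starting with Q stay administrator-only, as */
/* in the page's own example. RACF applies the most specific matching */
/* profile, so Q* overrides the ** profile above for those members.   */
/* Failed attempts are written to SMF (type 80) for review.           */
RDEFINE  $OMEGZOS KOBUI.ADMIN.MEMBER.WRITE.RKOBPFSV.Q* UACC(NONE) AUDIT(FAILURES(READ))
PERMIT   KOBUI.ADMIN.MEMBER.WRITE.RKOBPFSV.Q* CLASS($OMEGZOS) ID(OMADMIN) ACCESS(READ)

/* Workspace members (DD UKANWENU) are administrator-only at stage 1. */
RDEFINE  $OMEGZOS KOBUI.ADMIN.MEMBER.WRITE.UKANWENU.** UACC(NONE) AUDIT(FAILURES(READ))
PERMIT   KOBUI.ADMIN.MEMBER.WRITE.UKANWENU.** CLASS($OMEGZOS) ID(OMADMIN) ACCESS(READ)

/* Stage 2: DATASET class, UPDATE access. Giving the started task     */
/* UPDATE covers the "member named after the user" path for everyone, */
/* so ordinary users need no data set access of their own. Saving a   */
/* member under any other name is checked against the signed-on user  */
/* only, so it succeeds just for OMADMIN members.                      */
PERMIT   'OMEGHLQ.RKOBPFSV' ID(OMSTC)   ACCESS(UPDATE)
PERMIT   'OMEGHLQ.RKOBPFSV' ID(OMADMIN) ACCESS(UPDATE)
PERMIT   'OMEGHLQ.UKANWENU' ID(OMADMIN) ACCESS(UPDATE)

/* Refresh the in-storage generic profiles, then confirm the access   */
/* lists before handing the system back to users.                      */
SETROPTS GENERIC($OMEGZOS) REFRESH
SETROPTS GENERIC(DATASET) REFRESH
RLIST    $OMEGZOS * AUTHUSER
LISTDSD  DATASET('OMEGHLQ.RKOBPFSV') AUTHUSER
LISTDSD  DATASET('OMEGHLQ.UKANWENU') AUTHUSER
```

The design choice here is to keep ordinary users out of the DATASET access lists altogether: the started task's UPDATE access is what lets them save their own profile member, while the stage-1 KOBUI profiles and the administrators' own UPDATE access control everything else. If the class is RACLISTed in your installation, replace the first SETROPTS with SETROPTS RACLIST($OMEGZOS) REFRESH.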

Examples

Note that the resource rules begin with KOBUI.USER.xxx, KOBUI.ADMIN.xxx, or KOBUI.MULTI.xxx. This naming convention enables the administrator to write a minimal number of SAF resource rules and still secure important parts of the user interface. For example, the administrator could DENY all users access to tracing functions by creating this single SAF rule:
RDEFINE $OMEGZOS KOBUI.ADMIN.TRACE.** UACC(NONE)

In all resource checks, the SAF class name used is the one configured for the enhanced 3270 address space with the RTE_SECURITY_CLASS environment variable (found in the KOBENV PDS member of the data set associated with the RKANPAR DD name), for example RTE_SECURITY_CLASS=$OMEGZOS.

Here are a few examples of securing user interface activities using RACF® commands. For security products other than RACF (such as CA Top Secret for z/OS® and CA ACF2 for z/OS), use the corresponding commands instead of RDEFINE and PERMIT to perform the same type of function.
RDEFINE $OMEGZOS KOBUI.ADMIN.PREFS.AUTOUPDATE UACC(NONE)
Prevents all users from altering the Auto Update interval in the user interface.
PERMIT KOBUI.ADMIN.PREFS.AUTOUPDATE CLASS($OMEGZOS) ID(DHODS2) ACCESS(READ)
Allows user DHODS2 to change the Auto Update interval in the user interface.
RDEFINE $OMEGZOS KOBUI.ADMIN.MEMBER.WRITE.RKOBPFSV.Q* UACC(NONE)
Prevents all users from saving profile PDS members that start with the letter Q.
RDEFINE $OMEGZOS KOBUI.ADMIN.MEMBER.WRITE.UKANWENU.KCP* UACC(NONE)
Prevents all users from saving workspace PDS members that start with the letters KCP.
RDEFINE $OMEGZOS KOBUI.ADMIN.USEHUB.** UACC(READ)
Allows all users access to queries using any hub monitoring server name.
RDEFINE $OMEGZOS KOBUI.ADMIN.USEHUB.M5D0HAHB:CMS UACC(NONE)
Prevents all users from access to queries using the hub monitoring server named M5D0HAHB:CMS.
PERMIT KOBUI.ADMIN.USEHUB.M5D0HAHB:CMS CLASS($OMEGZOS) ID(DHODS2) ACCESS(READ)
Allows user DHODS2 to issue queries using the hub monitoring server named M5D0HAHB:CMS.
RDEFINE $OMEGZOS KOBUI.ADMIN.KILLUSER UACC(NONE)
If this resource does not exist, or if it exists with UACC(NONE), then all users are prevented from stopping Enhanced 3270 User Interface sessions. Stopping your own session is never permitted, regardless of the SAF setting.
PERMIT KOBUI.ADMIN.KILLUSER CLASS($OMEGZOS) ID(DHODS2) ACCESS(READ)
Allows user DHODS2 to stop other Enhanced 3270 User Interface sessions.
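The examples above define one profile at a time and grant access to an individual user ID. Because every administrative resource shares the KOBUI.ADMIN prefix, the same rules can be written in a deny-by-default form: one generic profile closes the whole subtree, narrower profiles carve out the exceptions, and access is granted to a group rather than to individual IDs. The RACF command stream below is an added example, not taken from this page or from the product. It uses the class $OMEGZOS, the user ID DHODS2 and the hub name M5D0HAHB:CMS from the examples above; the administrator group OMADMIN is a placeholder, and the final SETROPTS assumes the class is RACLISTed.

```racf
/* Added example, not from the product documentation. $OMEGZOS,       */
/* DHODS2 and M5D0HAHB:CMS are taken from the page's examples; the    */
/* group OMADMIN and DHODS2's membership in it are assumptions.       */

/* Deny every KOBUI.ADMIN function to everyone by default. RACF uses  */
/* the most specific matching profile, so the narrower profiles below */
/* take precedence over this catch-all for the names they cover.      */
RDEFINE  $OMEGZOS KOBUI.ADMIN.** UACC(NONE) AUDIT(FAILURES(READ))

/* Grant the administrative functions through a group, not per user.  */
ADDGROUP OMADMIN
CONNECT  DHODS2 GROUP(OMADMIN)
PERMIT   KOBUI.ADMIN.** CLASS($OMEGZOS) ID(OMADMIN) ACCESS(READ)

/* Tracing stays closed even to administrators until it is needed:    */
/* only the access list of the matched profile applies, so the PERMIT */
/* on KOBUI.ADMIN.** does not carry over to this more specific one.   */
RDEFINE  $OMEGZOS KOBUI.ADMIN.TRACE.** UACC(NONE)

/* Queries may use any hub, except the production hub, which is       */
/* limited to administrators (the two USEHUB examples from the page). */
RDEFINE  $OMEGZOS KOBUI.ADMIN.USEHUB.** UACC(READ)
RDEFINE  $OMEGZOS KOBUI.ADMIN.USEHUB.M5D0HAHB:CMS UACC(NONE)
PERMIT   KOBUI.ADMIN.USEHUB.M5D0HAHB:CMS CLASS($OMEGZOS) ID(OMADMIN) ACCESS(READ)

/* Stopping another user's session is audited on success as well as  */
/* failure, so every use leaves an SMF type 80 record.                */
RDEFINE  $OMEGZOS KOBUI.ADMIN.KILLUSER UACC(NONE) AUDIT(ALL(READ))
PERMIT   KOBUI.ADMIN.KILLUSER CLASS($OMEGZOS) ID(OMADMIN) ACCESS(READ)

/* Activate the changes and verify the resulting access lists.        */
SETROPTS RACLIST($OMEGZOS) REFRESH
RLIST    $OMEGZOS KOBUI.ADMIN.** AUTHUSER
RLIST    $OMEGZOS KOBUI.ADMIN.TRACE.** AUTHUSER
RLIST    $OMEGZOS KOBUI.ADMIN.USEHUB.M5D0HAHB:CMS AUTHUSER
RLIST    $OMEGZOS KOBUI.ADMIN.KILLUSER AUTHUSER
```

With this layout a new administrative resource added by a product update is denied until someone deliberately opens it, and removing a person's administrative rights is a single REMOVE from the group rather than a search through every profile's access list. If the class is not RACLISTed, use SETROPTS GENERIC($OMEGZOS) REFRESH instead of the RACLIST refresh.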