Define query profiles to control access to data sources

Query profiles control access to data sources. These profiles are defined to the general SAF class (RTE_SECURITY_CLASS). If more granular access control is required, the profiles are defined to the class identified by the KOB_SAF_QUERY_CLASS_NAME parameter.

About this task

The authority to issue query requests from the OMEGAMON® enhanced 3270 user interface to a product agent instance is verified by checking for access to an SAF resource named in this pattern:

Kpp.msn.tablename

where

Kpp
Is the product code of the agent instance. For example, for OMEGAMON for CICS, the product code is KCP. For OMEGAMON for z/OS®, the product code is KM5. See Product codes for other products.
msn
Is a managed system name. A managed system name typically identifies a unique Tivoli Enterprise Monitoring Server agent instance. Note that the form of managed system names differs from product to product. Check the agent-specific Configuration and Planning Guide for information about the form used for managed system names.
tablename
Is the name of the data source (attribute group, or table) defined within the product agent.

Note that if a matching SAF profile does not exist to protect a given query, that query is allowed.

For example, suppose you want to control the ability to issue a query to an OMEGAMON for z/OS agent running on Sysplex IBMTEST on Sysplex member TSTA, for table KM5xxxxx. Assuming that the SAF class name is $KOBSEC, you would define a profile named KM5.IBMTEST:TSTA:MVSSYS.KM5xxxxx by entering these commands:

RDEFINE $KOBSEC KM5.IBMTEST:TSTA:MVSSYS.KM5xxxxx UACC(NONE)
SETROPTS RACLIST($KOBSEC) REFRESH

More generally, you could define a profile to control all data queries for a specific product:

RDEFINE $KOBSEC KM5.** UACC(NONE)
SETROPTS RACLIST($KOBSEC) REFRESH
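
Because a query with no matching profile is allowed, it helps to check which resource names fall outside the profiles you have defined. The following is an added example, not code from the product or its documentation: it composes names in the Kpp.msn.tablename pattern and lists those that no profile covers. It assumes a simplified subset of generic matching (`**` as a whole qualifier, `%` as one character) and rejects other `*` forms; the TSTB member and the KCP names are constructed placeholders.

```python
"""Added example: find query resources that no SAF profile covers (fail-open)."""

def build_resource(product_code, msn, table):
    # Resource name pattern from the page: Kpp.msn.tablename
    return f"{product_code}.{msn}.{table}"

def _check(profile):
    # Assumption: only '**' as a whole qualifier and '%' are modelled here;
    # other '*' forms are rejected instead of being guessed at.
    for q in profile.split("."):
        if "*" in q and q != "**":
            raise ValueError(f"unsupported generic qualifier in {profile!r}")

def matches(profile, resource):
    """True if the profile name covers the resource name."""
    _check(profile)

    def qual(p, r):  # '%' stands for exactly one character
        return len(p) == len(r) and all(a in ("%", b) for a, b in zip(p, r))

    def walk(p, r):
        if not p:
            return not r
        if p[0] == "**":  # zero or more whole qualifiers
            return any(walk(p[1:], r[i:]) for i in range(len(r) + 1))
        return bool(r) and qual(p[0], r[0]) and walk(p[1:], r[1:])

    return walk(profile.split("."), resource.split("."))

def unprotected(profiles, resources):
    """Resources with no matching profile: these queries would be allowed."""
    return [r for r in resources if not any(matches(p, r) for p in profiles)]

# Constructed inventory: TSTB and the KCP entry are placeholders.
RESOURCES = [
    build_resource("KM5", "IBMTEST:TSTA:MVSSYS", "KM5xxxxx"),
    build_resource("KM5", "IBMTEST:TSTB:MVSSYS", "KM5xxxxx"),
    build_resource("KCP", "PLACEHOLDER_MSN", "KCPxxxxx"),
]

if __name__ == "__main__":
    discrete_only = ["KM5.IBMTEST:TSTA:MVSSYS.KM5xxxxx"]
    print("discrete profile only:", unprotected(discrete_only, RESOURCES))
    print("with KM5.** added:   ", unprotected(discrete_only + ["KM5.**"], RESOURCES))
```

With only the discrete profile defined, the TSTB and KCP queries remain open; adding KM5.** closes the first gap but leaves the other product uncovered.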

To secure near-term history configuration actions, the O4SRV.** profile definition must be added to the global security class definition, or to the query class, if one is used. The following are example RACF SAF definitions to accomplish the security updates:

RDEFINE classname O4SRV.** UACC(NONE)
SETROPTS RACLIST(classname) REFRESH

PERMIT O4SRV.** ID(userid) ACCESS(READ) CLASS(classname)