Resource names used for Take Action commands by the agent

The OMEGAMON enhanced 3270 user interface will validate against the following resource name for Take Action commands directed at the CICS® resource to see if users are authorized to issue the request:

KCP.smfid.cicsname.TAKEACTION

Where smfid and cicsname refer to the location and name of the CICS region that is being acted upon. The OMEGAMON AI for CICS agent builds upon this name to further qualify the request.

A Take Action command is automatically invoked when a situation becomes TRUE, and is run under the userID that last created or modified it.

The resource names for the AIDK (KILL AIDS), ICEK (KILL ICES), RLIM, TRACE, and WTO Take Action commands have no predictable values.

These are the resource names:
  • KCP.smfid.cicsname.TAKEACTION.KILL.AIDS
  • KCP.smfid.cicsname.TAKEACTION.KILL.ICES
  • KCP.smfid.cicsname.TAKEACTION.RLIM
  • KCP.smfid.cicsname.TAKEACTION.TRACE
  • KCP.smfid.cicsname.TAKEACTION.WTO

The CEMT SET Take Action command has many different options. You can define specific profiles to provide finer granularity for selected options; specify a profile for each individual option.

For example:
KCP.smfid.cicsname.TAKEACTION.SET.CEMT.option

Where option is FILE or PROGRAM.

  • KCP.smfid.cicsname.TAKEACTION.SET.CEMT.FILE
  • KCP.smfid.cicsname.TAKEACTION.SET.CEMT.PROGRAM

This format forces users to always specify the full command syntax in the Take Action commands. (No attempt is made to use the CICS abbreviation when building the resource name.)

To provide maximum flexibility in specifying the CEMT SET command and to prevent errors, use a profile with the CICS abbreviation for these options:
  • KCP.smfid.cicsname.TAKEACTION.SET.CEMT.FI*
  • KCP.smfid.cicsname.TAKEACTION.SET.CEMT.PROG*

No attempt is made to use the CICS abbreviation for the option when building the resource name, and no attempt is made to validate that the option you specify is valid for your version of CICS Transaction Server.

Use this generic profile to control all SET commands unless more specific profiles exist:

KCP.smfid.cicsname.TAKEACTION.SET.CEMT.* 

When deleting transient data and temporary storage queues, the resource generated contains the name of the queue being deleted.

The value is the queuename in character form, for the TDDL (TDQ DELETE) Take Action command:
  • KCP.smfid.cicsname.TAKEACTION.DELETE.TDQ.queuename
  • KCP.smfid.cicsname.TAKEACTION.DELETE.TDQ.*

However, for the TSQD (TSQ DELETE) Take Action command, the value is still the queuename, but it can be specified in either hexadecimal or character form.

To prevent bypassing of your security environment, you should specify a profile for both forms as in the following examples:
  • KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.hexqueuename
  • KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.*
  • KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.queuename
  • KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.*

where hexqueuename is the name of the queue in hexadecimal form and queuename is in character form.

When you attempt to delete a temporary storage queue using the hexadecimal queue ID, the request is first validated using the hex queue ID; if that is allowed or no security decision can be made, the request is then validated again using the character form of the queue ID. If that is allowed or no decision can be made, then access is allowed or denied in the following order:
  • Hex Queue ID=permitted and Queue ID=permitted → delete request allowed
  • Hex Queue ID=no decision and Queue ID=permitted → delete request allowed
  • Hex Queue ID=permitted and Queue ID=no decision → delete request allowed
  • Hex Queue ID=no decision and Queue ID=no decision → delete request not allowed

Note: If either access is denied or either access query returns an error, the delete request is not allowed.

For example, you enter the following Take Action command:
CP:TSQD ID=D6D4C5C7C1D4D6D5F1F2F3F4F5F6F7F8 HEX

This command is first validated against the following resource:
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.D6D4C5C7C1D4D6D5F1F2F3F4F5F6F7F8

If that is allowed or no decision can be made, it is then validated against the following resource:
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.OMEGAMON12345678

These are examples of profile or user permission combinations that allow the command:
  • KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.OMEG* ACC(READ)

    The first result is no decision and the second is allowed.

  • KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.* ACC(READ)

    The first result is allowed, and the second is no decision.

  • KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.* ACC(READ)
    KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.OMEG* ACC(READ)

    The first and second results are allowed.

These are examples of profile or user permission combinations that would deny the command:
  • KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.* ACC(READ)
    KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.OMEG* ACC(NONE)

    The first result is allowed and the second is not allowed.

  • No profile is defined.

    The first and second results are no decision.

  • KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX* ACC(NONE)

    The first result is allowed and the second result is not validated.

If the character form of the queuename contains special characters (blank, ampersand, asterisk, percent), these are changed to a question mark for profile comparisons.
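
The two-stage check for a hexadecimal TSQD request can be modelled as follows. This is an added example, not IBM code: the smfid SYSA, the region name CICSPRD1, EBCDIC code page 037, and the use of fnmatch as a simplified stand-in for SAF generic profile matching are all assumptions.

```python
from fnmatch import fnmatchcase

PERMIT, DENY, NODECISION = "permitted", "denied", "no decision"
# Constructed values: SYSA stands in for smfid, CICSPRD1 for cicsname.
BASE = "KCP.SYSA.CICSPRD1.TAKEACTION.DELETE.TSQ."
QID = "D6D4C5C7C1D4D6D5F1F2F3F4F5F6F7F8"  # hex queue ID from the example above


def check(resource, profiles):
    """Simplified SAF query: the most specific matching profile decides."""
    hits = [(p, acc) for p, acc in profiles.items() if fnmatchcase(resource, p)]
    if not hits:
        return NODECISION
    # Assumption: specificity = length of the literal text before the wildcard.
    _, acc = max(hits, key=lambda hit: len(hit[0].split("*")[0]))
    return PERMIT if acc == "READ" else DENY


def char_form(hex_id):
    """Decode the EBCDIC hex queue ID; special characters become '?'."""
    name = bytes.fromhex(hex_id).decode("cp037")
    return "".join("?" if c in " &*%" else c for c in name)


def tsqd_hex(hex_id, profiles):
    """Return (hex result, character result, allowed) for a TSQD ... HEX request."""
    first = check(BASE + "HEX." + hex_id, profiles)
    if first == DENY:
        return first, "not validated", False
    second = check(BASE + char_form(hex_id), profiles)
    # A denial on either form refuses; otherwise at least one permit is needed.
    allowed = second != DENY and PERMIT in (first, second)
    return first, second, allowed


if __name__ == "__main__":
    cases = {
        "character profile only": {BASE + "OMEG*": "READ"},
        "hex profile only": {BASE + "HEX.*": "READ"},
        "hex READ, character NONE": {BASE + "HEX.*": "READ", BASE + "OMEG*": "NONE"},
        "no profile": {},
    }
    for label, profiles in cases.items():
        print(label, "->", tsqd_hex(QID, profiles))
```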

Updating CICSplex rules

The resource name that is generated when you update a CICSplex rule is slightly different. The OMEGAMON enhanced 3270 user interface validates your authority to issue a Take Action command against a specific CICS region. The agent, however, validates your authority against the CICSplex name as follows:
KCP.cicsplexname::CICSplex.TAKEACTION.RULES

where cicsplexname is the name of the CICSplex being monitored.

Using generic profiles to define resources

The verification of the resource names allows for the specification of generic profiles. For example:
KCP.smfid.*.TAKEACTION.** ACCESS(READ)

This example enables you to issue Take Action commands against all the CICS regions for a specific LPAR.

Conversely, you could specify:
KCP.*.CICSP*.** ACCESS(READ)

This example gives you access to all CICS regions beginning with the letters CICSP on any LPAR.

If you want access to all CICS resources you would specify:
KCP.** ACCESS(READ)

Security defined in Version 4.2.0

If you specified FTA Security in Version 4.2.0, then OMEGAMON AI for CICS allowed for the use of Take Action security. If you have specified FTA security using the Configuration Tool in previous releases, then FTA security would be active, and the parameters used are inherited for releases after V4.2.0. In this case, however, the format of the resource name will match what was used for the prior version. The resource names will be the same as described previously except that the format will change from:
KCP.smfid.cicsname.TAKEACTION....
to
cicsname.KCP...

To allow access for the OMEGAMON enhanced 3270 user interface, configure a resource profile as follows:
KCP.smfid.cicsname.TAKEACTION ACC(READ)

Security considerations

The only consideration for security would be whether or not to continue using the OMEGAMON AI for CICS FTA security, if it was enabled, or to enable the new Global SAF security for CP: common Take Action command processing. See Securing OMEGAMON AI for CICS Take Action commands.