Resource names used for Take Action commands by the agent
The OMEGAMON enhanced 3270 user interface will validate against the following resource name for Take Action commands directed at the CICS® resource to see if users are authorized to issue the request:
KCP.smfid.cicsname.TAKEACTION
Where smfid and cicsname refer to the location and name of the CICS region that is being acted upon. The OMEGAMON AI for CICS agent builds upon this name to further qualify the request.
A Take Action command is automatically invoked when a situation becomes TRUE, and is run under the userID that last created or modified it.
The resource names for the AIDK (KILL AIDS), ICEK (KILL ICES), RLIM, TRACE, and WTO Take Action commands have no predictable values.
KCP.smfid.cicsname.TAKEACTION.KILL.AIDS
KCP.smfid.cicsname.TAKEACTION.KILL.ICES
KCP.smfid.cicsname.TAKEACTION.RLIM
KCP.smfid.cicsname.TAKEACTION.TRACE
KCP.smfid.cicsname.TAKEACTION.WTO
The CEMT SET Take Action command has many different options. You can define specific profiles to provide finer granularity for selected options; specify a profile for each individual option.
KCP.smfid.cicsname.TAKEACTION.SET.CEMT.option
Where option is FILE or PROGRAM.
KCP.smfid.cicsname.TAKEACTION.SET.CEMT.FILE
KCP.smfid.cicsname.TAKEACTION.SET.CEMT.PROGRAM
This format forces users to always specify the full command syntax in the Take Action commands. (No attempt is made to use the CICS abbreviation when building the resource name.)
KCP.smfid.cicsname.TAKEACTION.SET.CEMT.FI*
KCP.smfid.cicsname.TAKEACTION.SET.CEMT.PROG*
No attempt is made to use the CICS abbreviation for the option when building the resource name, and no attempt is made to validate that the option you specify is valid for your version of CICS Transaction Server.
KCP.smfid.cicsname.TAKEACTION.SET.CEMT.*
When deleting transient data and temporary storage queues, the resource generated contains the name of the queue being deleted.
KCP.smfid.cicsname.TAKEACTION.DELETE.TDQ.queuename
KCP.smfid.cicsname.TAKEACTION.DELETE.TDQ.*
However, for the TSQD (TSQ DELETE) Take Action command, the value is still the queuename, but it can be specified in either hexadecimal or character form.
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEXhexqueuename
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.*
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.queuename
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.*
where hexqueuename is the name of the queue in hexadecimal form and queuename is in character form.
- Hex Queue ID=permitted and Queue ID=permitted → delete request allowed
- Hex Queue ID=no decision and Queue ID=permitted → delete request allowed
- Hex Queue ID=permitted and Queue ID=no decision → delete request allowed
- Hex Queue ID=no decision and Queue ID=no decision → delete request not allowed
CP:TSQD ID=D6D4C5C7C1D4D6D5F1F2F3F4F5F6F7F8 HEX
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.D6D4C5C7C1D4D6D5
F1F2F3F4F5F6F7F8
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.OMEGAMON12345678
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.OMEG* ACC(READ)
The first result is no decision and the second is allowed.
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.* ACC(READ)
The first result is allowed, and the second is no decision.
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.* ACC(READ) KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.OMEG* ACC(READ)
The first and second results are allowed.
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX.* ACC(READ)
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.OMEG* ACC(NONE)
KCP.smfid.cicsname.TAKEACTION.DELETE.TSQ.HEX* ACC(NONE)
In
the first example, the first result is allowed and the second is not
allowed.In the second example, no profile and the first and second results are no decision.
In the third example, the first result is allowed and the second result is not validated.
If the character form of the queuename contains special characters (blank, ampersand, asterisk, percent), these are changed to a question mark for profile comparisons.
Updating CICSplex rules
KCP.cicsplexname::CICSplex.TAKEACTION.RULES
where cicsplexname is the name of the CICSplex being monitored.
Using generic profiles to define resources
KCP.smfid.*.TAKEACTION.** ACCESS(READ)
This example enables you to issue Take Action commands against all the CICS regions for a specific LPAR.
KCP.*.CICSP*.** ACCESS(READ)
This
example, you access to all CICS regions
beginning with the letters CICSP
on any LPAR.
KCP.** ACCESS(READ)
Security defined in Version 4.2.0
KCP.smfid.cicsname.TAKEACTION....
tocicsname.KCP...
KCP.smfid.cicsname.TAKEACTION ACC(READ)
Security considerations
The only consideration for security would be whether or not to continue using the OMEGAMON AI for CICS FTA security, if it was enabled, or to enable the new Global SAF security for CP: common Take Action command processing. See Securing OMEGAMON AI for CICS Take Action commands.