ESM class and Facility class profiles
All of the resources Operations Manager uses are profiles in the ESM class as defined by the DEFOPTN ESMCLASS operand. These profiles determine users' level of authorization.
- RKT.OPM – This is the default. Use this value if you have not specified a value for ESMPREF on the DEFOPTN statement in the Operations Manager configuration file.
- GOM.prefix – where prefix is a name of your choosing. The prefix must match the value specified for ESMPREF on the DEFOPTN statement in the Operations Manager configuration file.
- FACILITY – This is the default. Use this value if you have not specified a value for ESMCLASS on the DEFOPTN statement in the Operations Manager configuration file.
- esmclass – where esmclass is the name of the ESM class containing Operations Manager profiles.
Operations Manager can be configured to check profiles at a general level or by specific commands. The following sections describe the available profiles for each option.
General profiles
- DEFOPTN ESM is set to Y.
- AUTHCMD is set to N.
- AUTHEXT is set to 0 or is not used.
Profile | Authorization |
---|---|
ESMPREF.CONTROL | Users who have READ access to this profile have authority to issue control and configuration commands. |
ESMPREF.CONFIG | Users who have READ access to this profile have authority to issue configuration commands. |
ESMPREF.ALTRCON.userid (Refer to the note below for the valid replacements of userid.) | Users who have READ access to this profile have authority to alter the display attributes of a line in a user's console when it is displayed using VIEWCON. |
ESMPREF.VIEWCON.userid (Refer to the note below for the valid replacements of userid.) | Users who have READ access to this profile have authority to view consoles. Users who have UPDATE access to this profile have authority to view consoles and issue commands. |
ESMPREF.VIEWSPL.userid (Refer to the note below for the valid replacements of userid.) | Users who have READ access to this profile have authority to view spool files. Users who have UPDATE access to this profile have authority to view spool files, purge spool files, and alter a spool file's external attributes. |
ESMPREF.CMDIPCS.ipcsid (Refer to the note below for the valid replacements of ipcsid.) | Users who have READ access to this profile have authority to interact with the IP session defined as ipcsid. |
Note: Valid replacements for userid are:
- Any individual user ID. For example, READ access to profile ESMPREF.VIEWCON.JONES allows the user to view the console of the user ID JONES.
- Any combined view defined by the DEFVIEW command. For example, READ access to profile ESMPREF.VIEWCON.VIEW3 allows the user to view the combined view named VIEW3, which contains USER1, USER2, and USER3.
- A generic matching pattern. For example, READ access to profile ESMPREF.VIEWCON.* allows the user to view the console of any user monitored by Operations Manager. Before defining any generic profiles in the ESMCLASS, ensure that the ESMCLASS can contain generic profiles. Refer to RACF® Security Server Security Administrator's Guide (SC24–6142).

Valid replacements for ipcsid are:
- Any individual IP session name. The IP session name is defined by the DEFIPCS command NAME operand. For example, READ access to profile ESMPREF.CMDIPCS.SYS23 allows the user to interact with the IP session defined with DEFIPCS NAME SYS23.
- A generic matching pattern. For example, READ access to profile ESMPREF.CMDIPCS.* allows the user to interact with any IP session defined by DEFIPCS. Before defining any generic profiles in the ESMCLASS, ensure that the ESMCLASS can contain generic profiles. Refer to RACF Security Server Security Administrator's Guide (SC24–6142).
Command-level profiles
By setting DEFOPTN ESM to Y and AUTHCMD to Y, Operations Manager provides the ability to authorize by specific commands.
- If DEFOPTN ESM is set to Y and AUTHCMD is set to Y, Operations Manager does not check these profiles:
  - ESMPREF.CONTROL
  - ESMPREF.CONFIG
- Generic profiles can also be used based on your External Security Manager. For example, READ access to profile ESMPREF.COMMAND.* gives a user the authority for all Operations Manager control and configuration commands. Before defining any generic profiles in the ESMCLASS, ensure that the ESMCLASS can contain generic profiles. Refer to RACF Security Server Security Administrator's Guide (SC24–6142).
If DEFOPTN ESM is set to Y and AUTHCMD is set to Y, Operations Manager checks the profiles shown in the table below.
Profile | Authority |
---|---|
ESMPREF.VIEWCON.userid (Refer to the note above for the valid replacements of userid.) | Users who have READ access to this profile have authority to view consoles. Users who have UPDATE access to this profile have authority to view consoles and issue commands. |
ESMPREF.ALTRCON.userid (Refer to the note above for the valid replacements of userid.) | Users who have READ access to this profile have authority to alter the display attributes of a line in a user's console when it is displayed using VIEWCON. |
ESMPREF.VIEWSPL.userid (Refer to the note above for the valid replacements of userid.) | Users who have READ access to this profile have authority to view spool files. Users who have UPDATE access to this profile have authority to view spool files, purge spool files, and alter a spool file's external attributes. |
ESMPREF.CMDIPCS.ipcsid (Refer to the note above for the valid replacements of ipcsid.) | Users who have READ access to this profile have authority to interact with the IP session defined as ipcsid. |
ESMPREF.COMMAND.AUTH | Users who have READ access to this profile have authority for the AUTH command. |
ESMPREF.COMMAND.CMS | Users who have READ access to this profile have authority for the CMS command. |
ESMPREF.COMMAND.CONFIG | Users who have READ access to this profile have authority for the CONFIG command. |
ESMPREF.COMMAND.CONFIG.ACTION | Users who have READ access to this profile have authority for the CONFIG CLEAR ACTION command. |
ESMPREF.COMMAND.CONFIG.DATE | Users who have READ access to this profile have authority for the CONFIG CLEAR DATE command. |
ESMPREF.COMMAND.CONFIG.EVENT | Users who have READ access to this profile have authority for the CONFIG CLEAR EVENT command. |
ESMPREF.COMMAND.CONFIG.IDLE | Users who have READ access to this profile have authority for the CONFIG CLEAR IDLE command. |
ESMPREF.COMMAND.CONFIG.GROUP | Users who have READ access to this profile have authority for the CONFIG CLEAR GROUP command. |
ESMPREF.COMMAND.CONFIG.MACHINE | Users who have READ access to this profile have authority for the CONFIG CLEAR MACHINE command. |
ESMPREF.COMMAND.CONFIG.PAGE | Users who have READ access to this profile have authority for the CONFIG CLEAR PAGE command. |
ESMPREF.COMMAND.CONFIG.RULE | Users who have READ access to this profile have authority for the CONFIG CLEAR RULE command. |
ESMPREF.COMMAND.CONFIG.SCHEDULE | Users who have READ access to this profile have authority for the CONFIG CLEAR SCHEDULE command. |
ESMPREF.COMMAND.CONFIG.SPOOL | Users who have READ access to this profile have authority for the CONFIG CLEAR SPOOL command. |
ESMPREF.COMMAND.CP | Users who have READ access to this profile have authority for the CP command. |
ESMPREF.COMMAND.DEFACTN | Users who have READ access to this profile have authority for the DEFACTN command. |
ESMPREF.COMMAND.DEFDATE | Users who have READ access to this profile have authority for the DEFDATE command. |
ESMPREF.COMMAND.DEFDSPS | Users who have READ access to this profile have authority for the DEFDSPS command. |
ESMPREF.COMMAND.DEFEMON | Users who have READ access to this profile have authority for the DEFEMON command. |
ESMPREF.COMMAND.DEFGROUP | Users who have READ access to this profile have authority for the DEFGROUP command. |
ESMPREF.COMMAND.DEFIMON | Users who have READ access to this profile have authority for the DEFIMON command. |
ESMPREF.COMMAND.DEFIPCS | Users who have READ access to this profile have authority for the DEFIPCS command. |
ESMPREF.COMMAND.DEFMMON | Users who have READ access to this profile have authority for the DEFMMON command. |
ESMPREF.COMMAND.DEFOPTN | Users who have READ access to this profile have authority for the DEFOPTN command. |
ESMPREF.COMMAND.DEFPMON | Users who have READ access to this profile have authority for the DEFPMON command. |
ESMPREF.COMMAND.DEFRULE | Users who have READ access to this profile have authority for the DEFRULE command. |
ESMPREF.COMMAND.DEFSCHD | Users who have READ access to this profile have authority for the DEFSCHD command. |
ESMPREF.COMMAND.DEFSMON | Users who have READ access to this profile have authority for the DEFSMON command. |
ESMPREF.COMMAND.DEFSRVM | Users who have READ access to this profile have authority for the DEFSRVM command. |
ESMPREF.COMMAND.DEFVIEW | Users who have READ access to this profile have authority for the DEFVIEW command. |
ESMPREF.COMMAND.DELACTN | Users who have READ access to this profile have authority for the DELACTN command. |
ESMPREF.COMMAND.DELACTQ | Users who have READ access to this profile have authority for the DELACTQ command. |
ESMPREF.COMMAND.DELDATE | Users who have READ access to this profile have authority for the DELDATE command. |
ESMPREF.COMMAND.DELDSPS | Users who have READ access to this profile have authority for the DELDSPS command. |
ESMPREF.COMMAND.DELEMON | Users who have READ access to this profile have authority for the DELEMON command. |
ESMPREF.COMMAND.DELGROUP | Users who have READ access to this profile have authority for the DELGROUP command. |
ESMPREF.COMMAND.DELIMON | Users who have READ access to this profile have authority for the DELIMON command. |
ESMPREF.COMMAND.DELIPCS | Users who have READ access to this profile have authority for the DELIPCS command. |
ESMPREF.COMMAND.DELMMON | Users who have READ access to this profile have authority for the DELMMON command. |
ESMPREF.COMMAND.DELPMON | Users who have READ access to this profile have authority for the DELPMON command. |
ESMPREF.COMMAND.DELRULE | Users who have READ access to this profile have authority for the DELRULE command. |
ESMPREF.COMMAND.DELSCHD | Users who have READ access to this profile have authority for the DELSCHD command. |
ESMPREF.COMMAND.DELSMON | Users who have READ access to this profile have authority for the DELSMON command. |
ESMPREF.COMMAND.DELSRVM | Users who have READ access to this profile have authority for the DELSRVM command. |
ESMPREF.COMMAND.DELVIEW | Users who have READ access to this profile have authority for the DELVIEW command. |
ESMPREF.COMMAND.LOGTEXT | Users who have READ access to this profile have authority for the LOGTEXT command. |
ESMPREF.COMMAND.QUIT | Users who have READ access to this profile have authority for the QUIT command. |
ESMPREF.COMMAND.RESUME | Users who have READ access to this profile have authority for the RESUME command. |
ESMPREF.COMMAND.REVOKE | Users who have READ access to this profile have authority for the REVOKE command. |
ESMPREF.COMMAND.RUN | Users who have READ access to this profile have authority for the RUN command. |
ESMPREF.COMMAND.STATUS | Users who have READ access to this profile have authority for the STATUS command. |
ESMPREF.COMMAND.STATUS.ACTION | Users who have READ access to this profile have authority for the STATUS DETAIL ACTION command. |
ESMPREF.COMMAND.STATUS.ACTIONQ | Users who have READ access to this profile have authority for the STATUS DETAIL ACTIONQ command. |
ESMPREF.COMMAND.STATUS.AUTH | Users who have READ access to this profile have authority for the STATUS DETAIL AUTH command. |
ESMPREF.COMMAND.STATUS.CONSOLE | Users who have READ access to this profile have authority for the STATUS DETAIL CONSOLE command. |
ESMPREF.COMMAND.STATUS.DATASP | Users who have READ access to this profile have authority for the STATUS DETAIL DATASP command. |
ESMPREF.COMMAND.STATUS.DATE | Users who have READ access to this profile have authority for the STATUS DETAIL DATE command. |
ESMPREF.COMMAND.STATUS.EVENT | Users who have READ access to this profile have authority for the STATUS DETAIL EVENT command. |
ESMPREF.COMMAND.STATUS.GROUP | Users who have READ access to this profile have authority for the STATUS DETAIL GROUP command. |
ESMPREF.COMMAND.STATUS.IDLE | Users who have READ access to this profile have authority for the STATUS DETAIL IDLE command. |
ESMPREF.COMMAND.STATUS.IPCS | Users who have READ access to this profile have authority for the STATUS DETAIL IPCS command. |
ESMPREF.COMMAND.STATUS.IUCV | Users who have READ access to this profile have authority for the STATUS DETAIL IUCV command. |
ESMPREF.COMMAND.STATUS.MACHINE | Users who have READ access to this profile have authority for the STATUS DETAIL MACHINE command. |
ESMPREF.COMMAND.STATUS.OPTION | Users who have READ access to this profile have authority for the STATUS DETAIL OPTION command. |
ESMPREF.COMMAND.STATUS.PAGE | Users who have READ access to this profile have authority for the STATUS DETAIL PAGE command. |
ESMPREF.COMMAND.STATUS.RULE | Users who have READ access to this profile have authority for the STATUS DETAIL RULE command. |
ESMPREF.COMMAND.STATUS.SCHEDULE | Users who have READ access to this profile have authority for the STATUS DETAIL SCHEDULE command. |
ESMPREF.COMMAND.STATUS.SERVICE | Users who have READ access to this profile have authority for the STATUS DETAIL SERVICE command. |
ESMPREF.COMMAND.STATUS.SPOOL | Users who have READ access to this profile have authority for the STATUS DETAIL SPOOL command. |
ESMPREF.COMMAND.STATUS.SPOOLUSR | Users who have READ access to this profile have authority for the STATUS DETAIL SPOOLUSR command. |
ESMPREF.COMMAND.STATUS.VIEW | Users who have READ access to this profile have authority for the STATUS DETAIL VIEW command. |
ESMPREF.COMMAND.STOP | Users who have READ access to this profile have authority for the STOP command. |
ESMPREF.COMMAND.SUSPEND | Users who have READ access to this profile have authority for the SUSPEND command. |
ESMPREF.COMMAND.VIEWLOG | Users who have READ access to this profile have authority for the VIEWLOG command. |
Command-level profile extensions
If DEFOPTN ESM is set to Y and AUTHCMD is set to Y, you may also choose to include authorization extensions. Each authorization extension is specified by including the extension number in the DEFOPTN AUTHEXT operand value, such as DEFOPTN AUTHEXT 1 for extension 1.
- Extension 1: Allows the SUSPEND and RESUME commands to be restricted to the resource level. By specifying extension 1 in the AUTHEXT operand, Operations Manager will check the profiles below in addition to the profiles listed under Command-level profiles.
Profile | Description |
---|---|
ESMPREF.COMMAND.RESUME.RULE.ruleid | Users who have READ access to this profile have authority to RESUME the RULE ruleid. |
ESMPREF.COMMAND.RESUME.SCHEDULE.schdl | Users who have READ access to this profile have authority to RESUME the SCHEDULE schdl. |
ESMPREF.COMMAND.RESUME.MACHINE.mmonid | Users who have READ access to this profile have authority to RESUME the MACHINE monitor mmonid. |
ESMPREF.COMMAND.RESUME.SPOOL.smonid | Users who have READ access to this profile have authority to RESUME the SPOOL monitor smonid. |
ESMPREF.COMMAND.RESUME.EVENT.emonid | Users who have READ access to this profile have authority to RESUME the EVENT monitor emonid. |
ESMPREF.COMMAND.RESUME.PAGE.pmonid | Users who have READ access to this profile have authority to RESUME the PAGE monitor pmonid. |
ESMPREF.COMMAND.RESUME.IDLE.imonid | Users who have READ access to this profile have authority to RESUME the IDLE monitor imonid. |
ESMPREF.COMMAND.SUSPEND.RULE.ruleid | Users who have READ access to this profile have authority to SUSPEND the RULE ruleid. |
ESMPREF.COMMAND.SUSPEND.SCHEDULE.schdl | Users who have READ access to this profile have authority to SUSPEND the SCHEDULE schdl. |
ESMPREF.COMMAND.SUSPEND.MACHINE.mmonid | Users who have READ access to this profile have authority to SUSPEND the MACHINE monitor mmonid. |
ESMPREF.COMMAND.SUSPEND.SPOOL.smonid | Users who have READ access to this profile have authority to SUSPEND the SPOOL monitor smonid. |
ESMPREF.COMMAND.SUSPEND.EVENT.emonid | Users who have READ access to this profile have authority to SUSPEND the EVENT monitor emonid. |
ESMPREF.COMMAND.SUSPEND.PAGE.pmonid | Users who have READ access to this profile have authority to SUSPEND the PAGE monitor pmonid. |
ESMPREF.COMMAND.SUSPEND.IDLE.imonid | Users who have READ access to this profile have authority to SUSPEND the IDLE monitor imonid. |
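
The general, command-level and extension 1 rules above can be turned into a review of existing permits. The following is an added example, not IBM or Operations Manager code: it assumes DEFOPTN ESM is Y, that ESMPREF is replaced by the default value RKT.OPM in profile names, and that permits have been exported from the ESM as (profile, userid, access) tuples. The user IDs and the rule name RULE1 are constructed.

```python
GENERIC_CHARS = "*%"  # assumption: characters that mark a generic profile

# Constructed sample permits (profile, userid, access); not from a real system.
SAMPLE_PERMITS = [
    ("RKT.OPM.CONTROL", "OPER1", "READ"),
    ("RKT.OPM.COMMAND.STATUS", "OPER1", "READ"),
    ("RKT.OPM.COMMAND.*", "ADMIN1", "READ"),
    ("RKT.OPM.VIEWCON.JONES", "OPER2", "UPDATE"),
    ("RKT.OPM.VIEWCON.VIEW3", "OPER2", "READ"),
    ("RKT.OPM.COMMAND.SUSPEND.RULE.RULE1", "OPER3", "READ"),
]


def audit(permits, prefix="RKT.OPM", authcmd=False, authext=()):
    """Return (profile, userid, finding) tuples for permits worth reviewing.

    authcmd is True when DEFOPTN AUTHCMD is Y; authext holds the extension
    numbers given on DEFOPTN AUTHEXT. The findings follow the page's tables.
    """
    findings = []
    for profile, userid, access in permits:
        if not profile.startswith(prefix + "."):
            continue  # not an Operations Manager profile
        kind, *rest = profile[len(prefix) + 1:].split(".")
        notes = []
        if kind in ("CONTROL", "CONFIG") and authcmd:
            notes.append("not checked when AUTHCMD is Y; stale permit")
        elif kind == "COMMAND" and not authcmd:
            notes.append("command-level profile, but AUTHCMD is N")
        elif (kind == "COMMAND" and len(rest) > 1
              and rest[0] in ("SUSPEND", "RESUME") and 1 not in authext):
            notes.append("resource-level profile needs AUTHEXT 1")
        elif kind in ("VIEWCON", "VIEWSPL") and access == "UPDATE":
            extra = ("issue commands" if kind == "VIEWCON"
                     else "purge and alter spool files")
            notes.append("UPDATE also allows the user to " + extra)
        if any(ch in GENERIC_CHARS for part in rest for ch in part):
            notes.append("generic profile; covers every matching resource")
        findings += [(profile, userid, note) for note in notes]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PERMITS, authcmd=True):
        print(" | ".join(finding))
```
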
System-data files profiles
By setting DEFOPTN ESM to Y and SDFCMD to Y, you can run commands on the system data files by using the VIEWSPL command. When SDFCMD is set to Y, the following profiles are checked:
ESMPREF.VIEWSPL.*.IMG
ESMPREF.VIEWSPL.*.NLS
ESMPREF.VIEWSPL.*.NSS
ESMPREF.VIEWSPL.*.UCR