ESM class and Facility class profiles

All of the resources Operations Manager uses are profiles in the ESM class as defined by the DEFOPTN ESMCLASS operand. These profiles determine users' level of authorization.

Replace ESMPREF in the tables below with one of the following:
  • RKT.OPM – This is the default. Use this value if you have not specified a value for ESMPREF on the DEFOPTN statement in the Operations Manager configuration file.
  • GOM.prefix – where prefix is a name of your choosing. The prefix must match the value specified for ESMPREF on the DEFOPTN statement in the Operations Manager configuration file.
Replace ESMCLASS in the tables below with one of the following:
  • FACILITY – This is the default. Use this value if you have not specified a value for ESMCLASS on the DEFOPTN statement in the Operations Manager configuration file.
  • esmclass – where esmclass is the name of the ESM class containing Operations Manager profiles.

Operations Manager can be configured to check profiles at a general level or by specific commands. The following sections describe the available profiles for each option.

General profiles

Operations Manager checks these profiles when all of the following are true:
  • DEFOPTN ESM is set to Y.
  • AUTHCMD is set to N.
  • AUTHEXT is set to 0 or is not used.
Table 1. General ESMCLASS profiles
Profile Authorization
ESMPREF.CONTROL Users who have READ access to this profile have authority to issue control and configuration commands.
ESMPREF.CONFIG Users who have READ access to this profile have authority to issue configuration commands.
ESMPREF.ALTRCON.userid

Refer to the note below for the valid replacements of userid.

Users who have READ access to this profile have authority to alter the display attributes of a line in a user's console when it is displayed using VIEWCON.
ESMPREF.VIEWCON.userid

Refer to the note below for the valid replacements of userid.

Users who have READ access to this profile have authority to view consoles.
Users who have UPDATE access to this profile have authority to view consoles and issue commands.
ESMPREF.VIEWSPL.userid

Refer to the note below for the valid replacements of userid.

Users who have READ access to this profile have authority to view spool files.
Users who have UPDATE access to this profile have authority to view spool files, purge spool files, and alter a spool file's external attributes.
ESMPREF.CMDIPCS.ipcsid

Refer to the note below for the valid replacements of ipcsid.

Users who have READ access to this profile have authority to interact with the IP session defined as ipcsid.
The userid value in the ESMPREF.ALTRCON.userid, ESMPREF.VIEWCON.userid, and ESMPREF.VIEWSPL.userid profiles can be replaced with a wildcard pattern or one of the following options:
  • Any individual user ID. For example, READ access to profile ESMPREF.VIEWCON.JONES allows the user to view the console of the user ID JONES.
  • Any combined view defined by the DEFVIEW command. For example, READ access to profile ESMPREF.VIEWCON.VIEW3 allows the user to view the combined view named VIEW3, which contains USER1, USER2, and USER3.
  • A generic matching pattern. For example, READ access to profile ESMPREF.VIEWCON.* allows the user to view the console of any user monitored by Operations Manager. Before defining any generic profiles in the ESMCLASS, ensure that the ESMCLASS can contain generic profiles. Refer to RACF® Security Server Security Administrator's Guide (SC24–6142).
The ipcsid value in the ESMPREF.CMDIPCS.ipcsid can be replaced with a wildcard pattern or one of the following options:
  • Any individual IP session name. The IP session name is defined by the DEFIPCS command NAME operand. For example, READ access to profile ESMPREF.CMDIPCS.SYS23 allows the user to interact with the IP session defined with DEFIPCS NAME SYS23.
  • A generic matching pattern. For example, READ access to profile ESMPREF.CMDIPCS.* allows the user to interact with any IP session defined by DEFIPCS. Before defining any generic profiles in the ESMCLASS, ensure that the ESMCLASS can contain generic profiles. Refer to RACF Security Server Security Administrator's Guide (SC24–6142).

Command-level profiles

By setting DEFOPTN ESM to Y and AUTHCMD to Y, Operations Manager provides the ability to authorize by specific commands.

Notes:
  1. If DEFOPTN ESM is set to Y and AUTHCMD is set to Y, Operations Manager does not check these profiles:
    • ESMPREF.CONTROL
    • ESMPREF.CONFIG
  2. Generic profiles can also be used based on your External Security Manager. For example, READ access to profile ESMPREF.COMMAND.* gives a user the authority for all Operations Manager control and configuration commands. Before defining any generic profiles in the ESMCLASS, ensure that the ESMCLASS can contain generic profiles. Refer to RACF Security Server Security Administrator's Guide (SC24–6142).
If DEFOPTN ESM is set to Y and AUTHCMD is set to Y, Operations Manager checks the profiles shown in the table below.
Table 2. Command-level ESMCLASS profiles
Profile Authority
ESMPREF.VIEWCON.userid

Refer to the note above for the valid replacements of userid.

Users who have READ access to this profile have authority to view consoles.
Users who have UPDATE access to this profile have authority to view consoles and issue commands.
ESMPREF.ALTRCON.userid

Refer to the note above for the valid replacements of userid.

Users who have READ access to this profile have authority to alter the display attributes of a line in a user's console when it is displayed using VIEWCON.
ESMPREF.VIEWSPL.userid

Refer to the note above for the valid replacements of userid.

Users who have READ access to this profile have authority to view spool files.
Users who have UPDATE access to this profile have authority to view spool files, purge spool files, and alter a spool file's external attributes.
ESMPREF.CMDIPCS.ipcsid

Refer to the note above for the valid replacements of ipcsid.

Users who have READ access to this profile have authority to interact with the IP session defined as ipcsid.
ESMPREF.COMMAND.AUTH Users who have READ access to this profile have authority for the AUTH command.
ESMPREF.COMMAND.CMS Users who have READ access to this profile have authority for the CMS command.
ESMPREF.COMMAND.CONFIG Users who have READ access to this profile have authority for the CONFIG command.
ESMPREF.COMMAND.CONFIG.ACTION Users who have READ access to this profile have authority for the CONFIG CLEAR ACTION command.
ESMPREF.COMMAND.CONFIG.DATE Users who have READ access to this profile have authority for the CONFIG CLEAR DATE command.
ESMPREF.COMMAND.CONFIG.EVENT Users who have READ access to this profile have authority for the CONFIG CLEAR EVENT command.
ESMPREF.COMMAND.CONFIG.IDLE Users who have READ access to this profile have authority for the CONFIG CLEAR IDLE command.
ESMPREF.COMMAND.CONFIG.GROUP Users who have READ access to this profile have authority for the CONFIG CLEAR GROUP command.
ESMPREF.COMMAND.CONFIG.MACHINE Users who have READ access to this profile have authority for the CONFIG CLEAR MACHINE command.
ESMPREF.COMMAND.CONFIG.PAGE Users who have READ access to this profile have authority for the CONFIG CLEAR PAGE command.
ESMPREF.COMMAND.CONFIG.RULE Users who have READ access to this profile have authority for the CONFIG CLEAR RULE command.
ESMPREF.COMMAND.CONFIG.SCHEDULE Users who have READ access to this profile have authority for the CONFIG CLEAR SCHEDULE command.
ESMPREF.COMMAND.CONFIG.SPOOL Users who have READ access to this profile have authority for the CONFIG CLEAR SPOOL command.
ESMPREF.COMMAND.CP Users who have READ access to this profile have authority for the CP command.
ESMPREF.COMMAND.DEFACTN Users who have READ access to this profile have authority for the DEFACTN command.
ESMPREF.COMMAND.DEFDATE Users who have READ access to this profile have authority for the DEFDATE command.
ESMPREF.COMMAND.DEFDSPS Users who have READ access to this profile have authority for the DEFDSPS command.
ESMPREF.COMMAND.DEFEMON Users who have READ access to this profile have authority for the DEFEMON command.
ESMPREF.COMMAND.DEFGROUP Users who have READ access to this profile have authority for the DEFGROUP command.
ESMPREF.COMMAND.DEFIMON Users who have READ access to this profile have authority for the DEFIMON command.
ESMPREF.COMMAND.DEFIPCS USERS who have READ access to this profile have authority for the DEFIPCS command.
ESMPREF.COMMAND.DEFMMON Users who have READ access to this profile have authority for the DEFMMON command.
ESMPREF.COMMAND.DEFOPTN Users who have READ access to this profile have authority for the DEFOPTN command.
ESMPREF.COMMAND.DEFPMON Users who have READ access to this profile have authority for the DEFPMON command.
ESMPREF.COMMAND.DEFRULE Users who have READ access to this profile have authority for the DEFRULE command.
ESMPREF.COMMAND.DEFSCHD Users who have READ access to this profile have authority for the DEFSCHD command.
ESMPREF.COMMAND.DEFSMON Users who have READ access to this profile have authority for the DEFSMON command.
ESMPREF.COMMAND.DEFSRVM Users who have READ access to this profile have authority for the DEFSRVM command.
ESMPREF.COMMAND.DEFVIEW Users who have READ access to this profile have authority for the DEFVIEW command.
ESMPREF.COMMAND.DELACTN Users who have READ access to this profile have authority for the DELACTN command.
ESMPREF.COMMAND.DELACTQ USERS who have READ access to this profile have authority for the DELACTQ command.
ESMPREF.COMMAND.DELDATE Users who have READ access to this profile have authority for the DELDATE command.
ESMPREF.COMMAND.DELDSPS Users who have READ access to this profile have authority for the DELDSPS command.
ESMPREF.COMMAND.DELEMON Users who have READ access to this profile have authority for the DELEMON command.
ESMPREF.COMMAND.DELGROUP Users who have READ access to this profile have authority for the DELGROUP command.
ESMPREF.COMMAND.DELIMON Users who have READ access to this profile have authority for the DELIMON command.
ESMPREF.COMMAND.DELIPCS USERS who have READ access to this profile have authority for the DELIPCS command.
ESMPREF.COMMAND.DELMMON Users who have READ access to this profile have authority for the DELMMON command.
ESMPREF.COMMAND.DELPMON Users who have READ access to this profile have authority for the DELPMON command.
ESMPREF.COMMAND.DELRULE Users who have READ access to this profile have authority for the DELRULE command.
ESMPREF.COMMAND.DELSCHD Users who have READ access to this profile have authority for the DELSCHD command.
ESMPREF.COMMAND.DELSMON Users who have READ access to this profile have authority for the DELSMON command.
ESMPREF.COMMAND.DELSRVM Users who have READ access to this profile have authority for the DELSRVM command.
ESMPREF.COMMAND.DELVIEW Users who have READ access to this profile have authority for the DELVIEW command.
ESMPREF.COMMAND.LOGTEXT Users who have READ access to this profile have authority for the LOGTEXT command.
ESMPREF.COMMAND.QUIT Users who have READ access to this profile have authority for the QUIT command.
ESMPREF.COMMAND.RESUME Users who have READ access to this profile have authority for the RESUME command.
ESMPREF.COMMAND.REVOKE Users who have READ access to this profile have authority for the REVOKE command.
ESMPREF.COMMAND.RUN Users who have READ access to this profile have authority for the RUN command.
ESMPREF.COMMAND.STATUS Users who have READ access to this profile have authority for the STATUS command.
ESMPREF.COMMAND.STATUS.ACTION Users who have READ access to this profile have authority for the STATUS DETAIL ACTION command.
ESMPREF.COMMAND.STATUS.ACTIONQ Users who have READ access to this profile have authority for the STATUS DETAIL ACTIONQ command.
ESMPREF.COMMAND.STATUS.AUTH Users who have READ access to this profile have authority for the STATUS DETAIL AUTH command.
ESMPREF.COMMAND.STATUS.CONSOLE Users who have READ access to this profile have authority for the STATUS DETAIL CONSOLE command.
ESMPREF.COMMAND.STATUS.DATASP Users who have READ access to this profile have authority for the STATUS DETAIL DATASP command.
ESMPREF.COMMAND.STATUS.DATE Users who have READ access to this profile have authority for the STATUS DETAIL DATE command.
ESMPREF.COMMAND.STATUS.EVENT Users who have READ access to this profile have authority for the STATUS DETAIL EVENT command.
ESMPREF.COMMAND.STATUS.GROUP Users who have READ access to this profile have authority for the STATUS DETAIL GROUP command.
ESMPREF.COMMAND.STATUS.IDLE Users who have READ access to this profile have authority for the STATUS DETAIL IDLE command.
ESMPREF.COMMAND.STATUS.IPCS Users who have READ access to this profile have authority for the STATUS DETAIL IPCS command.
ESMPREF.COMMAND.STATUS.IUCV Users who have READ access to this profile have authority for the STATUS DETAIL IUCV command.
ESMPREF.COMMAND.STATUS.MACHINE Users who have READ access to this profile have authority for the STATUS DETAIL MACHINE command.
ESMPREF.COMMAND.STATUS.OPTION Users who have READ access to this profile have authority for the STATUS DETAIL OPTION command.
ESMPREF.COMMAND.STATUS.PAGE Users who have READ access to this profile have authority for the STATUS DETAIL PAGE command.
ESMPREF.COMMAND.STATUS.RULE Users who have READ access to this profile have authority for the STATUS DETAIL RULE command.
ESMPREF.COMMAND.STATUS.SCHEDULE Users who have READ access to this profile have authority for the STATUS DETAIL SCHEDULE command.
ESMPREF.COMMAND.STATUS.SERVICE Users who have READ access to this profile have authority for the STATUS DETAIL SERVICE command.
ESMPREF.COMMAND.STATUS.SPOOL Users who have READ access to this profile have authority for the STATUS DETAIL SPOOL command.
ESMPREF.COMMAND.STATUS.SPOOLUSR Users who have READ access to this profile have authority for the STATUS DETAIL SPOOLUSR command.
ESMPREF.COMMAND.STATUS.VIEW Users who have READ access to this profile have authority for the STATUS DETAIL VIEW command.
ESMPREF.COMMAND.STOP Users who have READ access to this profile have authority for the STOP command.
ESMPREF.COMMAND.SUSPEND Users who have READ access to this profile have authority for the SUSPEND command.
ESMPREF.COMMAND.VIEWLOG Users who have READ access to this profile have authority for the VIEWLOG command.

Command-level profile extensions

If DEFOPTN ESM is set to Y, and AUTHCMD is set to Y, you may also choose to include authorization extensions. Each authorization extension is specified by including the extension number in the DEFOPTN AUTHEXT operand value, such as DEFOPTN AUTHEXT 1 for extension 1.

Extension 1
Allows the SUSPEND and RESUME commands to be restricted to the resource level. By specifying extension 1 in the AUTHEXT operand, Operations Manager will check the profile below in addition to the profiles from the Command-level profiles.
Table 3. Command-level profile extensions
Profile Description
ESMPREF.COMMAND.RESUME.RULE.ruleid Users who have READ access to this profile have authority to RESUME the RULE ruleid.
ESMPREF.COMMAND.RESUME.SCHEDULE.schdl Users who have READ access to this profile have authority to RESUME the SCHEDULE schdl.
ESMPREF.COMMAND.RESUME.MACHINE.mmonid Users who have READ access to this profile have authority to RESUME the MACHINE monitor mmonid.
ESMPREF.COMMAND.RESUME.SPOOL.smonid Users who have READ access to this profile have authority to RESUME the SPOOL monitor smonid.
ESMPREF.COMMAND.RESUME.EVENT.emonid Users who have READ access to this profile have authority to RESUME the EVENT monitor emonid.
ESMPREF.COMMAND.RESUME.PAGE.pmonid Users who have READ access to this profile have authority to RESUME the PAGE monitor pmonid.
ESMPREF.COMMAND.RESUME.IDLE.imonid Users who have READ access to this profile have authority to RESUME the IDLE monitor imonid.
ESMPREF.COMMAND.SUSPEND.RULE.ruleid Users who have READ access to this profile have authority to SUSPEND the RULE ruleid.
ESMPREF.COMMAND.SUSPEND.SCHEDULE.schdl Users who have READ access to this profile have authority to SUSPEND the SCHEDULE schdl.
ESMPREF.COMMAND.SUSPEND.MACHINE.mmonid Users who have READ access to this profile have authority to SUSPEND the MACHINE monitor mmonid.
ESMPREF.COMMAND.SUSPEND.SPOOL.smonid Users who have READ access to this profile have authority to SUSPEND the SPOOL monitor smonid.
ESMPREF.COMMAND.SUSPEND.EVENT.emonid Users who have READ access to this profile have authority to SUSPEND the EVENT monitor emonid.
ESMPREF.COMMAND.SUSPEND.PAGE.pmonid Users who have READ access to this profile have authority to SUSPEND the PAGE monitor pmonid.
ESMPREF.COMMAND.SUSPEND.IDLE.imonid Users who have READ access to this profile have authority to SUSPEND the IDLE monitor imonid.

System-data files profiles

By setting DEFOPTN ESM to Y and SDFCMD to Y, you can run commands on the system data files by using the VIEWSPL command. When SDFCMD is set to Y, the following profiles are checked:

ESMPREF.VIEWSPL.*.IMG

ESMPREF.VIEWSPL.*.NLS

ESMPREF.VIEWSPL.*.NSS

ESMPREF.VIEWSPL.*.UCR