Security

Privileges to view, list, and access Output Manager objects are determined by the level of access that a user has to an object’s associated security profile, as specified in RACF®, as well as any optionally specified Output Manager security configuration parameters.

You create a RACF profile for each Output Manager object type (administrative objects including archive attributes and selector rules, as well as end-user objects such as reports and archives), and then grant each user, or group of users, the appropriate level of access for each Output Manager object profile.

Your security configuration affects both the Output Manager ISPF and the ITOMweb interfaces.

The recommended security configuration is outlined in Overview of the recommended security configuration. Alternatively, you can have a RACF-only setup, without Output Manager security configuration, if you prefer to rely solely on RACF as your means of security.

Note:
  • All security definitions and rules are given assuming you are using RACF Security. If you are using an alternative External Security Manager (ESM), you will need to convert the security rules to those relevant for your security manager. Also, Output Manager makes extensive use of RACROUTE REQUEST=AUTH STATUS=ACCESS calls to self-configure according to the security rules. Some ESMs do not allow this call to be made from code that is running unauthorized, and this results in unexpected S047 abends. If you are using such an ESM, consult your security vendor's documentation on how to enable this.
  • ITOMWeb connects to Db2® using RRSAF instead of CAF. If MVS™ Resource Recovery Services (RRS) is not active, ITOMWeb will force the connection to be via CAF, and a warning message will be output. The started task and all utilities currently continue to connect via CAF.

Sample security jobs in SBJTSAMP

There are two sample jobs in SBJTSAMP that you can use to define RACF classes and profiles. BJT#RDEF has RDEFINE statements to define each Output Manager profile. BJT#RPER has PERMIT statements for each profile defined in BJT#RDEF.

Tip: BJT#RPER can be reused to add user IDs and groups as necessary, for example to create the PERMIT statements for job scheduling products that submit Output Manager batch utilities.

The <DB_QUALIFIER> path name used in the security examples is the value specified for the BJTQUAL variable during customization, and is equal to the owner of the BJT tables.

Security options for reports

Table 1. Security options for reports
Security option Description
General viewing of reports

RACF resource profile BJT.<DB_QUALIFIER>.VIEW.RPRT

Create a security profile for viewing reports. The actions that a user can perform are determined by the following levels of access:

  • NONE: Report viewing is disabled for the user. The View Reports ISPF panel and the ITOMweb Reports link are deactivated when the user opens Output Manager.
  • READ: The user can view reports. The reports that they can and cannot see are determined by whether the Access ID (defined in their recipient record) matches at least one of the Access IDs for the recipients in the distribution list, whether they are on the report distribution list, and the level of access granted to them for the RACF profiles of individual report names (BJT.<DB_QUALIFIER>.RPRT.report_name).
  • CONTROL: The user can view a list of all reports, and can search by user ID in the search panels. Searching by a different user ID allows the user with CONTROL access to check which reports that user ID is allowed to access. CONTROL does not allow the user to see the contents of the report. Although they can view the search results list, they are restricted from viewing the content of the reports unless their personal user ID has access privileges to the reports (for example, if they also have READ access for the RACF profiles of individual report names).
  • ALTER: The user can view a list of all reports, can search by User ID in search panels, and can browse the contents of all reports for which they have READ access to the RACF profiles of individual reports (BJT.<DB_QUALIFIER>.RPRT.report_name). Although these users do not need to be on the distribution list, they do need to have access to BJT.<DB_QUALIFIER>.RPRT.report_name.

Note: For more information on searching by User ID, see Viewing list panels as a different user ID.

Tip: You can grant online report-view access to a RACF group rather than to each user ID individually. For more information, see Using a RACF group as a recipient for a distribution list.

Viewing of specific reports

RACF resource profiles BJT.<DB_QUALIFIER>.RPRT.report_name

Create a RACF security profile for each report name (or, using wildcards, a group of similarly named report names). The actions that a user can perform on a report are determined by the following levels of access:

  • NONE: The user cannot view reports associated with this RACF security profile.
  • READ: The user can view reports associated with this RACF security profile.
  • CONTROL: The user can view reports associated with this RACF security profile.
  • ALTER: The user can view reports associated with this RACF security profile.

Printing reports

RACF resource profile BJT.<DB_QUALIFIER>.VIEW.RPRT.PRINT

The print actions that a user can perform on a report are determined by the following levels of access:
  • NONE: The user cannot print reports.
  • READ: The user can print reports.
Set UACC(NONE) if your site policy prohibits printing reports or limits printing to specific users or groups. Set UACC(READ) if you allow most users to print reports.

Downloading reports

RACF resource profile BJT.<DB_QUALIFIER>.VIEW.RPRT.DOWNLOAD

The download actions that a user can perform on a report are determined by the following levels of access:
  • NONE: The user cannot download reports.
  • READ: The user can download reports.
Set UACC(NONE) if your site policy prohibits downloading reports or limits downloading to specific users or groups. Set UACC(READ) if you allow most users to download reports.
Reprinting reports
The reprint security profiles define which report administrators are allowed to reprint reports, as well as their level of update privileges for the distribution list. The reprint actions that a user can perform on a report are determined by the levels of access on the following profiles:
  • BJT.<DB_QUALIFIER>.VIEW.RPRT.REPRINT
    • NONE: The user cannot reprint reports.
    • READ (or higher): The user can reprint reports.
  • BJT.<DB_QUALIFIER>.VIEW.RPRT.REPRINT.DIST
    • ALTER (or higher): The user can select a different distribution list to perform the reprint.
    • CONTROL: The user can add recipients to the distribution list selected to perform the reprint.
  • BJT.<DB_QUALIFIER>.VIEW.RPRT.REPRINT.REC
    • READ (or higher): The user can make changes to the recipients in the distribution list.
It is recommended to set UACC(NONE) for the reprint profiles, and then grant higher permissions to report administrators as appropriate for your site's security policy.
REPORT_ACCESS_ID user_ID

Output Manager internal security configuration parameter, specified in the Recipient ID panels (ISPF A.J).

Switches a user's personal user ID to an external security user ID (RACF ID) when they view or print a report. Because it is the temporary user ID that accesses the underlying archive data set(s), individual user IDs do not need access to these data set(s).

Output Manager determines a user’s access ID by the following hierarchy of access priority:
  1. Finding a recipient definition that matches the current MVS user ID
  2. Finding a recipient definition that matches the current MVS user ID by a wildcard match
  3. Finding a recipient entry that specifies a RACF group in which the current MVS user ID is a member
  4. Defaulting to the user’s ACCID and ACCMASK. If these are not defined, the ACCID and ACCMASK default to the user ID.
ACCESS MASK

Output Manager internal security configuration parameter, specified in the Policy Administration panels (ISPF A.PA).

For users with READ access to BJT.<DB_QUALIFIER>.VIEW.RPRT, the access mask is always used to determine which reports they have access to.

Security options for archives

Table 2. Security options for archives
Security option Description
General viewing of archives

RACF resource profile BJT.<DB_QUALIFIER>.VIEW.ARCH

Create a security profile for viewing archives. The actions that a user can perform are determined by the following levels of access:

  • NONE: Archive viewing is disabled for the user. The View Archive ISPF panels and ITOMweb Archives link are deactivated when the user opens Output Manager.
  • READ: The user can list and view archives. Which archives they can list and view is determined by the Output Manager ARCFILTER and VARCHIVE configuration settings specified in the next step.
  • CONTROL: The user can see a list of all archives except those hidden by VARCHIVE. Whether or not they are allowed to view the actual archive is determined by the Output Manager ARCFILTER settings. A user can view the archive if the archive name matches an entry in their archive access list.

    CONTROL access does not override the VARCHIVE configuration setting; if VARCHIVE is set to hide archives that contain reports, the archives will remain hidden. However, CONTROL access does override the ARCFILTER setting to control which archive names are displayed in the list.

  • ALTER: The user can list, view, and browse all archives, even those that would normally be filtered by ARCFILTER. ALTER does not override the VARCHIVE configuration specified in the next step.
Note: By default, the Data Set Name column is hidden in the Output Manager ISPF interface Archive list panel. A user is allowed to unhide the Data Set Name column (using the Hide/Unhide option of the Options menu) if they have CONTROL or ALTER access to BJT.<DB_QUALIFIER>.VIEW.ARCH.

Printing archives

RACF resource profile BJT.<DB_QUALIFIER>.VIEW.ARCH.PRINT

The print actions that a user can perform on an archive are determined by the following levels of access:
  • NONE: The user cannot print archives.
  • READ: The user can print archives.
Set UACC(NONE) if your site policy prohibits printing archives or limits printing to specific users or groups. Set UACC(READ) if you allow most users to print archives.

Downloading archives

RACF resource profile BJT.<DB_QUALIFIER>.VIEW.ARCH.DOWNLOAD

The download actions that a user can perform on an archive are determined by the following levels of access:
  • NONE: The user cannot download archives.
  • READ: The user can download archives.
Set UACC(NONE) if your site policy prohibits downloading archives or limits downloading to specific users or groups. Set UACC(READ) if you allow most users to download archives.
VARCHIVE: ALL|NOREPORT

Output Manager internal security configuration parameter, specified in the Policy Administration panels (ISPF A.PA).

Controls which archives are presented to the user when they open the View Archives panel (V.A in ISPF) or click the Archives link in ITOMweb. Specify ALL to display all archives, or NOREPORT to display only archives that do not have associated reports. This setting will not override permission privileges determined by RACF profiles.

ARCFILTER: ENABLE|DISABLE

Output Manager internal security configuration parameter, specified in the Policy Administration panels (ISPF A.PA).

When ENABLE is specified, the list of archives that a user sees is limited by their list of Archive Access IDs (defined in their Output Manager recipient ID). If any of the user’s Archive Access IDs match an archive name, either generic, or fully-qualified, that user can view that archive.

When DISABLE is specified, the list of archives that a user sees is not filtered by Archive Access IDs. Archive Access IDs do not need to be defined if ARCFILTER is set to DISABLE.
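
The interaction between the VIEW.ARCH access level, VARCHIVE and ARCFILTER described above can be checked with a small decision function. This is an added example that models the rules as stated on this page; it is not Output Manager code. Assumptions: the function names and sample archive names are hypothetical, generic Archive Access IDs are matched with shell-style wildcards, an archive hidden by VARCHIVE is treated as not viewable, and ARCFILTER=DISABLE is treated as removing the name restriction under CONTROL.

```python
from fnmatch import fnmatchcase

LEVELS = ("NONE", "READ", "CONTROL", "ALTER")

def archive_visibility(access, archive_name, has_reports, archive_access_ids,
                       varchive="ALL", arcfilter="ENABLE"):
    """Model (not product code): return (listed, viewable) for one archive.

    access is the user's level on BJT.<DB_QUALIFIER>.VIEW.ARCH.
    """
    if access not in LEVELS:
        raise ValueError(f"unknown access level: {access}")
    if varchive not in ("ALL", "NOREPORT") or arcfilter not in ("ENABLE", "DISABLE"):
        raise ValueError("invalid VARCHIVE or ARCFILTER value")

    # NONE: archive viewing is disabled entirely.
    if access == "NONE":
        return (False, False)

    # VARCHIVE=NOREPORT hides archives that have associated reports; no
    # RACF level overrides it. Assumption: a hidden archive is not viewable.
    if varchive == "NOREPORT" and has_reports:
        return (False, False)

    # ARCFILTER=ENABLE restricts by Archive Access IDs. Assumption: generic
    # IDs are matched here with shell-style wildcards.
    name_ok = arcfilter == "DISABLE" or any(
        fnmatchcase(archive_name, pattern) for pattern in archive_access_ids)

    if access == "READ":       # list and view both follow the filters
        return (name_ok, name_ok)
    if access == "CONTROL":    # list ignores ARCFILTER, viewing does not
        return (True, name_ok)
    return (True, True)        # ALTER: ARCFILTER is overridden


def visibility_matrix(archives, archive_access_ids, varchive, arcfilter):
    """Effective (listed, viewable) per archive and access level."""
    return {
        (name, level): archive_visibility(level, name, has_reports,
                                          archive_access_ids, varchive, arcfilter)
        for name, has_reports in archives
        for level in LEVELS
    }


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    sample = [("PAYROLL.WEEKLY", True), ("OPS.SYSLOG", False)]
    for key, result in visibility_matrix(sample, ["PAYROLL.*"], "NOREPORT", "ENABLE").items():
        print(key, result)
```

Running the matrix for a planned configuration shows which access levels would expose an archive name in the list without granting access to its contents.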

Started task resource profiles

Table 3. RACF resource profiles for started task security
Security option Description
Policy Activate/Deactivate

BJT.<DB_QUALIFIER>.CMND

Notes on security

Notes:
  • If permission to perform an operation is controlled by more than one resource or flag, you must satisfy both criteria.
  • Bundle printing with BJTBATCH requires access to BJT.<DB_QUALIFIER>.ADM.BUN. If you submit bundle printing through the started task via a modify command, the ID of the STC needs access to BJT.<DB_QUALIFIER>.ADM.BUN. When bundle printing is performed by a user submitting BJT@BUNP, then that user needs appropriate access to BJT.<DB_QUALIFIER>.ADM.BUN.
  • The started task must have ALTER access to BJT.<DB_QUALIFIER>.VIEW.RPRT for automatic printing.