Overview of Operator Security

Do not use the names of NetView® commands, components, printers (hardcopy logs), terminals, or task identifiers for operator identifiers. Also, do not use the following reserved keywords:

ALL     NNT
DPR     OPT
DST     OST
HCL     PPT
HCT     SYSOP
LOG     TCT
MNT

Additionally, if the operator identifier is the same as the LU name (terminal), some command lists assume that the operator is an autotask and do not run.

You can define passwords in either the NetView program or an SAF product, as described in Defining Operator Password Security.

The six types of operator security definitions are defined by the SECOPTS.OPERSEC statement in the CNMSTYLE member, as shown in Table 1. Each type specifies the combination of password and profile security:

Table 1. Operator Security Definition Types

| OPERSEC value | Type of Operator Password and Logon Attributes |
|---|---|
| MINIMAL | Both operator passwords and logon attributes are ignored. |
| NETVPW | Operator passwords are specified in DSIOPF. Logon attributes are specified in the NetView DSIOPF member and defined in the DSIPRF data set. If the password value is *NONE*, the operator logon always fails. You can use the *NONE* value for operator IDs that are reserved for autotasks, where the operator ID is not used to log on (not even to reconnect by using takeover). |
| NETVPW and NOCHECK specified in DSIOPF | Passwords are not checked by the NetView program. Logon information is passed to NetView installation exit 12 (DSIEX12). |
| SAFPW | Operator passwords or password phrases are checked by an SAF product, with operator profiles that are specified in the NetView DSIOPF member and logon attribute values that are defined in the DSIPRF data set. A default profile can be specified by using the DEFAULTS command or the DEFAULTS.LogProf statement in the CNMSTYLE member, which eliminates the need for operator definitions in the DSIOPF member. Access to the data sets that are protected in the DATASET class and to MVS™ system commands that are protected in the OPERCMDS class of the SAF product is checked at the NetView product level. |
| SAFCHECK | Operator passwords or password phrases are checked by an SAF product, with operator profiles that are specified in the NetView DSIOPF member and logon attribute values that are defined in the DSIPRF data set. A default profile can be specified by using the DEFAULTS command or the DEFAULTS.LogProf statement in the CNMSTYLE member, which eliminates the need for operator definitions in the DSIOPF member. Access to the data sets that are protected in the DATASET class and to MVS system commands that are protected in the OPERCMDS class of the SAF product is checked at the individual task level. |
| SAFDEF | Operator passwords or password phrases are checked by an SAF product. Logon attributes are defined in the NETVIEW segment of an SAF product. Access to the data sets protected in the DATASET class and to MVS system commands protected in the OPERCMDS class of the SAF product is checked at the individual task level. |
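
The following audit script is an added example, not part of the NetView documentation or product. It applies the operator-identifier rules and the NETVPW password behavior described above to a DSIOPF-style member. The statement layout it parses, the function name audit_dsiopf, and the sample member are assumptions constructed for illustration.

```python
import re

# Reserved keywords from the list on this page.
RESERVED = {"ALL", "DPR", "DST", "HCL", "HCT", "LOG", "MNT",
            "NNT", "OPT", "OST", "PPT", "SYSOP", "TCT"}

# Assumed, simplified statement layout: <opid> OPERATOR PASSWORD=<pw>[,NOCHECK]
OPERATOR_RE = re.compile(
    r"^(?P<opid>\S+)\s+OPERATOR\s+PASSWORD=(?P<pw>[^,\s]+)(?P<nocheck>,NOCHECK)?",
    re.IGNORECASE)

def audit_dsiopf(text, opersec, lu_names=(), site_names=()):
    """Return (operator_id, finding) pairs in file order.

    lu_names: terminal LU names; site_names: command, component, hardcopy
    log and task names in use. Both are supplied by the caller.
    """
    lus = {n.upper() for n in lu_names}
    taken = {n.upper() for n in site_names}
    findings = []
    if opersec == "MINIMAL":
        findings.append(("*", "OPERSEC=MINIMAL ignores passwords and logon attributes"))
    for line in text.splitlines():
        # Lines starting with "*" are treated as comments (assumed convention).
        m = None if line.startswith("*") else OPERATOR_RE.match(line)
        if not m:
            continue
        opid, pw = m["opid"].upper(), m["pw"].upper()
        if opid in RESERVED:
            findings.append((opid, "reserved keyword used as operator ID"))
        if opid in taken:
            findings.append((opid, "collides with a command, component, printer or task name"))
        if opid in lus:
            findings.append((opid, "same as an LU name; some command lists assume an autotask"))
        if opersec == "NETVPW" and m["nocheck"]:
            findings.append((opid, "NOCHECK: password not checked by NetView, logon passed to DSIEX12"))
        elif opersec == "NETVPW" and pw == "*NONE*":
            findings.append((opid, "password *NONE*: logon always fails (autotask-only ID)"))
    return findings

# Constructed sample member; IDs, passwords and LU names are made up.
SAMPLE = """\
* constructed sample
OPER1    OPERATOR  PASSWORD=EXAMPLE1
LOG      OPERATOR  PASSWORD=EXAMPLE2
AUTO1    OPERATOR  PASSWORD=*NONE*
OPER2    OPERATOR  PASSWORD=EXAMPLE3,NOCHECK
TERM01   OPERATOR  PASSWORD=EXAMPLE4
"""

if __name__ == "__main__":
    for opid, finding in audit_dsiopf(SAMPLE, "NETVPW", lu_names=["TERM01"]):
        print(f"{opid:8} {finding}")
```

Password findings are reported only for OPERSEC=NETVPW, because under the SAF-based values the password check is done by the SAF product rather than from DSIOPF.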

RACF® supports the NGMFVSPN attribute for NetView management console view security. Support for this attribute might be available in other SAF products. Contact the product support group for your SAF product to find out.

By defining NetView operators exclusively to an SAF product and using the NETSPAN class, you can eliminate the need for the DSIOPF members and members in the DSIPRF data set. However, for migration and regression purposes, do not erase your operator profiles and definitions. Defining operator span of control is related to logon attributes, but is covered in Using Spans to Protect Resources and Views.

When operators are defined exclusively in an SAF product (OPERSEC=SAFDEF), they can be authorized to log on to a particular NetView host through a profile in the APPL class of an SAF product. You can use domain identifiers to define resources in the APPL class to represent instances of the NetView program.

If you are using an SAF security product to perform operator identification and password checking, you can log on to the NetView program using a PassTicket rather than a password. For example, the Network Security Program/Secure Logon Coordinator product (NetSP/SLC V1.2) supports PassTickets.

Programs that use UNIX System Services require an OMVS segment for the user ID under which they run. For this reason, NetView operator IDs that use UNIX System Services must have an OMVS segment defined at either the user ID or group level using an SAF product. The NetView product has no specific requirements for OMVS segment attributes, unless stated for a specific NetView function, so the attribute values are determined by your security administrator in the same manner as other user IDs that require OMVS segments.

See Using an SAF Product Exclusively for more information about defining operators and operator attributes using an SAF product. If you want to further limit access to the NetView program, see Using an SAF Product to Restrict Logon Access and Protecting EMCS Console Names Using an SAF Product.