Authorizing users to issue Prefixed Take Action commands

You can authorize users for a set of predefined Take Action commands called 'agent commands'. Agent commands are prefixed by M5. Agent commands cannot also be run as console commands.

A subset of agent commands can be issued using the Take Action feature on the Tivoli Enterprise Portal. In the OMEGAMON Enhanced 3270 user interface, the complete set of commands is available in action menus. Security for OMEGAMON AI for z/OS Take Action commands is based on SAF security classes and resource profile names. If no resource profiles are created to control Take Action commands, all commands are denied.

The OMEGAMON Enhanced 3270 user interface validates for the following resource profile to see if users are authorized to issue the Take Action commands directed at z/OS resources: 
KM5.msn.TAKEACTION
At a minimum, you must create a profile using this pattern for the global security class (RTE_SECURITY_CLASS) and give update access to the profile to all users you want to authorize to issue OMEGAMON AI for z/OS Take Action commands. You can also create other profiles for more granular access control.
For example, to control all OMEGAMON AI for z/OS Take Action commands on all managed systems, use the following profile: 
KM5.**.TAKEACTION
To restrict authority to issue commands to a specific managed system, specify the managed system name. For example, to control the ability to issue Take Action commands to an OMEGAMON AI for z/OS agent running on Sysplex IBMTEST on Sysplex member TSTA, you would define a profile named 
KM5.IBMTEST:TSTA:MVSSYS.TAKEACTION
To control access to individual commands, you must define at least one profile with the following format in either the global security class or the override security class (KM5_SECURITY_ACTION_CLASS): 
KM5.**.TAKEACTION.commandname
This can be either a generic profile, or a command-specific profile. For example, to control access to all commands, create a profile like the following:
KM5.**.TAKEACTION.*
To control access to the KILL command, create a profile with the following form:
KM5.**.TAKEACTION.KILL
To control access to the KILL command on a specific managed system, create a profile with the following form:
KM5.msn.TAKEACTION.KILL
where msn is the managed system name of the target system. (For information on managed system names, see Authorizing access to managed systems on the enhanced 3270 user interface.)
OMEGAMON AI for z/OS provides the following set of predefined Take Action commands:
  • CANCEL
  • CANCELDUMP
  • CANCELRESTART
  • CANCELDUMPRESTART
  • KILL
  • RESETSC
  • QUIESCE
  • RESUME
  • CHANGETIMELIMIT
  • SWAPIN
  • MARKSWAPPABLE
  • MARKNONSWAPPABLE

The KM5 override security class parameter (KM5_SECURITY_ACTION_CLASS, in PARMGEN) allows you to specify a separate security class to control individual OMEGAMON AI for z/OS Take Action commands. However, you must still create the KM5.**.TAKEACTION resource profile discussed previously for the global security class.

Users must be given UPDATE access to the profiles. In addition, an SAF Pass Ticket profile must be defined to allow the OMEGAMON Enhanced 3270 user interface to authenticate between the interface and the hub monitoring server. For more information, see the Configuring section of the IBM® Tivoli® OMEGAMON® and Tivoli Management Services on z/OS®: Shared documentation.

For information on issuing Take Action commands from the Tivoli Enterprise Portal, see the IBM Tivoli OMEGAMON AI for z/OS: User’s Guide.