Tivoli Asset Discovery for z/OS, Version 8.1

Security and authorization prerequisites

A z/OS® user ID with appropriate RACF® access is required to submit the batch jobs used in the customizing and operation of Tivoli® Asset Discovery for z/OS. Additional security and authorization configuration may be necessary, depending on your environment.

RACF authorizations

The following table lists the RACF authority required to run Tivoli Asset Discovery for z/OS Started Tasks, Usage Monitor, Analyzer, and Automation Server. Consult with your RACF administrator to define the required RACF authority.

Table 1. RACF authority required for each started task
| Started task name | SHSIMOD1 | PARMLIB | SHSIANL1 | SHSIANL2 | ACDS (DB2 only) | SDSNLOAD and SDSNEXIT | HLQIDS data set | Usage Monitor output data sets |
|---|---|---|---|---|---|---|---|---|
| Usage Monitor | READ | READ | n/a | n/a | n/a | n/a | READ | ALTER |
| Analyzer | READ | READ | READ | READ | n/a | READ | n/a | n/a |
| Automation Server | READ | READ | n/a | n/a | CONTROL | n/a | n/a | n/a |

The started task should be defined in the resource class STARTED, with additional detail in the STDATA segment of the resource. It can also be defined in the started task table ICHRIN03, but this requires an IPL to add or update a task definition. For example:

    RDEFINE STARTED HSI*.* UACC(NONE)  +
    STDATA (USER(uuuuuuu))

Replace uuuuuuu with the name of the started task user for Tivoli Asset Discovery for z/OS.

    SETROPTS RACLIST(STARTED) REFRESH

For non-RACF security products, consult your Security Administrator.
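
One way to review a started task user's data set access against Table 1, shown as an added example (not IBM code and not part of the product): it ranks the RACF access authorities NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER and reports anything below or above the table's value. Treating n/a as "no access needed", the function name `audit`, and the sample grants are assumptions made for this example.

```python
# Added example: least-privilege audit against Table 1 (not IBM code).
# RACF access authorities, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Table 1 from this page; resources marked n/a are omitted (assumed NONE).
REQUIRED = {
    "Usage Monitor": {"SHSIMOD1": "READ", "PARMLIB": "READ",
                      "HLQIDS data set": "READ",
                      "Usage Monitor output data sets": "ALTER"},
    "Analyzer": {"SHSIMOD1": "READ", "PARMLIB": "READ", "SHSIANL1": "READ",
                 "SHSIANL2": "READ", "SDSNLOAD and SDSNEXIT": "READ"},
    "Automation Server": {"SHSIMOD1": "READ", "PARMLIB": "READ",
                          "ACDS (DB2 only)": "CONTROL"},
}

def audit(task, granted):
    """Compare granted access for one started task against Table 1.

    granted: dict of resource -> RACF access level actually held.
    Returns (resource, finding, granted, required) tuples, sorted by resource.
    """
    required = REQUIRED[task]
    findings = []
    for resource in sorted(set(required) | set(granted)):
        have = granted.get(resource, "NONE").upper()
        need = required.get(resource, "NONE")
        if have not in RANK:
            raise ValueError(f"unknown RACF access level: {have!r}")
        if RANK[have] < RANK[need]:
            findings.append((resource, "INSUFFICIENT", have, need))
        elif RANK[have] > RANK[need]:
            findings.append((resource, "EXCESSIVE", have, need))
    return findings

# Constructed sample: access a review of the Analyzer user might turn up.
SAMPLE_ANALYZER = {
    "SHSIMOD1": "UPDATE",                       # above READ
    "PARMLIB": "READ",
    "SHSIANL1": "READ",
    "SDSNLOAD and SDSNEXIT": "READ",
    "Usage Monitor output data sets": "READ",   # n/a for the Analyzer
}                                               # SHSIANL2 is missing

if __name__ == "__main__":
    for row in audit("Analyzer", SAMPLE_ANALYZER):
        print("%-32s %-12s granted=%-7s required=%s" % row)
```

The resource names are the column headings of Table 1; map them to the fully qualified data set names used at your installation before comparing.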

z/OS UNIX security

Both the Usage Monitor and the z/OS UNIX Inquisitor need sufficient authority to navigate the UNIX file system. The writer task of the Usage Monitor requires access to resolve symbolic links, while the UNIX Inquisitor is tasked with discovering executable files.

APF

The Inquisitor and Usage Monitor use z/OS authorized system services. These programs are contained in the PDSE load library SHSIMOD1, which must be APF-authorized to run the Usage Monitor, and to run the Inquisitor unless the Inquisitor is run with PARM=NOAPF.

MAXCAD parameter

A z/OS system programmer must have the necessary authorities to perform this task.

The Usage Monitor uses a SCOPE=COMMON data space. For this reason, it is necessary to have at least two additional system-wide data space PASN entries. Tivoli Asset Discovery for z/OS uses one data space, and after a switch, creates a new one. The older data space is not deleted until it is processed by the Usage Monitor writer task.

To enable the creation of the Usage Monitor data spaces, increase the MAXCAD system parameter by 3 (three). For example, change an existing installation with MAXCAD=100 to MAXCAD=103 to cater for the addition of the TADz Usage Monitor data spaces. Define the MAXCAD parameter in the IEASYSxx member of the system PARMLIB library. For more information about the default and valid value range for this parameter, refer to the MVS Initialization and Tuning Reference, SA22-7592.

DB2 authorization

You need DB2® privileges to perform the following tasks:
  • DBADM authority to access the product database. You may need to drop and create DB2 resources.
  • BIND plans and packages.
  • EXECUTE authority to execute plans and packages.
  • SELECT authority to access the DB2 Catalog tables.
  • LOAD, REPAIR, and STATS privileges to run DB2 utilities LOAD, REPAIR, and RUNSTATS.
  • GRANT USE OF BUFFERPOOL privilege to use specific buffer pools.
  • GRANT USE OF STOGROUP privilege to use a specific storage group.
  • Access to work file database or TEMP database for Declared Global Temporary table.

SQLite authorization

An installation with a SQLite database requires authority to perform the following tasks:
  • Allocate, format, and mount a zFS file system.
  • Grant access to z/OS OMVS groups.

