Use this procedure to define the SAF general resource class that is used for controlling
access to the OMEGAMON enhanced 3270 user interface.
Before you begin
The resource profiles that control access to the OMEGAMON® enhanced 3270 user interface (enhanced 3270UI) are defined within a SAF general resource class. If you already have a general resource class with the appropriate CDT characteristics, you can use that class. If you do not have an appropriate class, or you want to use a different class, you must define one.
Security for the enhanced 3270UI differs significantly from the OMEGAMON security definitions that you might already have for other OMEGAMON interfaces, such as the OMEGAMON II CUA or Classic interfaces. It is recommended that you establish a new security class, along with its required resource definitions, for the enhanced 3270UI, because prior security definitions are not compatible without change. You can, however, review existing OMEGAMON security definitions to see which authorizations have been granted to users.
The SAF general resource class must have the following CDT characteristics (CDT entry values):
- CASE(UPPER)
- FIRST(ALPHA,NATIONAL)
- OTHER(ALPHA,SPECIAL,NUMERIC,NATIONAL)
- MAXLENGTH(246)
- MAXLENX(246)
- KEYQUALIFIERS(0)
- PROFILESALLOWED(YES)
- GENERIC(ALLOWED)
- RACLIST(REQUIRED)
About this task
You can define a SAF general resource class dynamically or by updating the CDT. If you are using
RACF, special authority is required. The following procedure documents the steps for using
RACF. Consult the product documentation for other security applications.
For the enhanced 3270UI, the SAF general resource class name (classname in the following procedure) is customizable and is specified in the RTE_SECURITY_CLASS parameter.
Note: For controlling Take Action command access using SAF profiles or for securing TEMS REST services, the SAF general resource class name (classname in the following procedure) must be $KOBSEC.
Procedure
- Take one of the following approaches:
- To define a SAF general resource class using the ICHERCDE macro (for RACF), code:
ICHERCDE CLASS=classname,
         CASE=UPPER,
         DFTRETC=4,
         DFTUACC=NONE,
         FIRST=ALPHA,
         GENLIST=ALLOWED,
         GENERIC=ALLOWED,
         MAXLENX=246,
         OTHER=ANY,
         POSIT=nnn,
         PROFDEF=YES,
         RACLIST=ALLOWED
Both the classname and the POSIT number should be unique. POSIT values 0 - 18, 57 - 127, and 528 - 1023 are reserved for IBM use and should not be used for your dynamic class entries. To list the POSIT numbers currently in use, use the following command:
RLIST CDT * NORACF CDTINFO
- To define a RACF class dynamically, use the following commands:
SETROPTS CLASSACT(CDT) RACLIST(CDT)
RDEFINE CDT classname UACC(NONE) CDTINFO( +
CASE(UPPER) FIRST(ALPHA,NATIONAL) OTHER(ALPHA,NATIONAL,SPECIAL,NUMERIC) +
MAXLENGTH(246) MAXLENX(246) KEYQUALIFIERS(0) +
PROFILESALLOWED(YES) POSIT(nnn) GENERIC(ALLOWED) +
RACLIST(REQUIRED) )
SETROPTS RACLIST(CDT) REFRESH
SETROPTS RACLIST(classname)
SETROPTS GENERIC(classname)
SETROPTS CLASSACT(classname)
- If your security implementation is configured to deny access to undefined SAF resources
by default and you want to enable near-term history (NTH), you must update your configuration to add
the O4SRV.** resource that is used to secure configuration actions.
If a query class is being employed, the O4SRV.** profile definition is added to that class instead. The following example RACF SAF definitions accomplish the security updates:
RDEFINE classname O4SRV.** UACC(NONE)
SETROPTS RACLIST(classname) REFRESH
PERMIT O4SRV.** ID(userid) ACCESS(READ) CLASS(classname)
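As an added pre-flight check that is not part of this documentation or of the OMEGAMON product, the following Python script validates a candidate RDEFINE CDT command against the CDT characteristics and the POSIT rules given above before the command is issued. The class name $KOBSEC and POSIT value 300 are placeholders, and the RLIST CDT output excerpt is constructed sample text, reduced to its POSIT lines, rather than real RACF output.

```python
import re

# Required CDT characteristics for the enhanced 3270UI class, as listed on this page.
REQUIRED_CDTINFO = {
    "CASE": {"UPPER"}, "FIRST": {"ALPHA", "NATIONAL"},
    "OTHER": {"ALPHA", "SPECIAL", "NUMERIC", "NATIONAL"},
    "MAXLENGTH": {"246"}, "MAXLENX": {"246"}, "KEYQUALIFIERS": {"0"},
    "PROFILESALLOWED": {"YES"}, "GENERIC": {"ALLOWED"}, "RACLIST": {"REQUIRED"},
}
# POSIT ranges reserved for IBM use (inclusive), as stated on this page.
RESERVED_POSIT = [(0, 18), (57, 127), (528, 1023)]

# Constructed RDEFINE CDT command; POSIT(300) is a placeholder value, not a real assignment.
CANDIDATE_RDEFINE = """RDEFINE CDT $KOBSEC UACC(NONE) CDTINFO( +
CASE(UPPER) FIRST(ALPHA,NATIONAL) OTHER(ALPHA,NATIONAL,SPECIAL,NUMERIC) +
MAXLENGTH(246) MAXLENX(246) KEYQUALIFIERS(0) +
PROFILESALLOWED(YES) POSIT(300) GENERIC(ALLOWED) +
RACLIST(REQUIRED) )"""

# Constructed excerpt of RLIST CDT * NORACF CDTINFO output, reduced to the POSIT lines.
RLIST_OUTPUT = """CDT        MYCLASS1
POSIT= 0200
CDT        MYCLASS2
POSIT= 0300
"""

def parse_cdtinfo(rdefine_text):
    """Return the CDTINFO(...) operands of an RDEFINE CDT command as {KEYWORD: set(values)}."""
    # RACF '+' continuation markers are skipped because only KEYWORD(...) tokens are collected.
    body = re.search(r"CDTINFO\((.*)\)", rdefine_text, re.S).group(1)
    return {k.upper(): {v.strip() for v in vals.split(",")}
            for k, vals in re.findall(r"(\w+)\(([^)]*)\)", body)}

def posits_in_use(rlist_output):
    """Collect the POSIT numbers reported by RLIST CDT * NORACF CDTINFO."""
    return {int(p) for p in re.findall(r"POSIT=\s*(\d+)", rlist_output)}

def check_class_definition(rdefine_text, rlist_output):
    """Return a list of problems; an empty list means the definition meets the page's rules."""
    info = parse_cdtinfo(rdefine_text)
    problems = [f"{kw} is {sorted(info.get(kw, []))}, must be {sorted(wanted)}"
                for kw, wanted in REQUIRED_CDTINFO.items() if info.get(kw) != wanted]
    posit = int(next(iter(info.get("POSIT", {"-1"}))))
    if any(lo <= posit <= hi for lo, hi in RESERVED_POSIT):
        problems.append(f"POSIT {posit} is in an IBM-reserved range")
    if posit in posits_in_use(rlist_output):
        problems.append(f"POSIT {posit} is already in use")
    return problems
```

Calling check_class_definition(CANDIDATE_RDEFINE, RLIST_OUTPUT) on the constructed input reports that POSIT 300 is already in use; paste the real RLIST output in place of RLIST_OUTPUT to check a planned class on your own system.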
What to do next
Now you can define the profiles that control access to the interface itself and
control administrative and user actions.