Authorizing use of SMP/E commands and services

The System Authorization Facility (SAF) restricts the use of certain SMP/E functions to users who have appropriate access to the SAF resources that protect those functions. The functions being controlled are all the SMP/E commands processed by program GIMSMP (for example, SET, RECEIVE, APPLY, ACCEPT, UCLIN, LIST, REPORT, and so on), the GIMZIP and GIMUNZIP service routines, and the GIMIAP copy utility invocation program.

The SAF FACILITY class resource names corresponding to these functions are of the following form:

GIM.CMD.command for the SMP/E commands, where command is the name of the current SMP/E command being attempted. For example, GIM.CMD.APPLY for the APPLY command.
GIM.PGM.program for the GIMZIP, GIMUNZIP, or GIMIAP service routines, where program is the name of the service routine being processed. For example, GIM.PGM.GIMZIP for GIMZIP.

To allow SMP/E users to execute SMP/E functions, you must protect the appropriate SAF FACILITY class resources in the active security manager and grant read access to those users that should be allowed to invoke the controlled SMP/E functions.

However, of all the functions described previously, several need to be controlled carefully. Users who are granted access to these resources have the potential to undermine system security regardless of any data set protections you may have in place. Therefore, they should be as trusted, for example, as users who have authority to update APF-authorized libraries. The functions that need to be controlled carefully and the corresponding SAF FACILITY class resources that SMP/E checks, are as follows:

Table 1. Functions and resource names that must be carefully controlled
Function	Resource name
RECEIVE command	GIM.CMD.RECEIVE
APPLY command	GIM.CMD.APPLY
ACCEPT command	GIM.CMD.ACCEPT
RESTORE command	GIM.CMD.RESTORE
REJECT command	GIM.CMD.REJECT
LINK command	GIM.CMD.LINK
CLEANUP command	GIM.CMD.CLEANUP
Program GIMZIP	GIM.PGM.GIMZIP
Program GIMUNZIP	GIM.PGM.GIMUNZIP
Program GIMIAP	GIM.PGM.GIMIAP

You may define discrete profiles to control individual SMP/E functions, or you may choose to define generic profiles. However, if the resources are not protected by the security manager, or a user does not have READ authority to those resources, then SMP/E processing will stop. A sample RACF® command to define a single generic FACILITY class profile and to define a user ID in the access list of that profile is as follows:

RDEFINE FACILITY GIM.* UACC(NONE)
PERMIT GIM.* CLASS(FACILITY) ID(user ID) ACCESS(READ)

If you have activated SETROPTS RACLIST processing for the FACILITY class, you must also refresh SETROPTS RACLIST processing for the updates to take affect:

SETROPTS RACLIST(FACILITY) REFRESH

It might be difficult to identify and add all necessary user IDs to the access list for the subject profiles, whether using a single generic profile as in the previous example, or multiple discrete profiles. With this in mind, although not recommended by IBM®, it is possible to define the profiles with WARNING and AUDIT(FAILURES(READ)) to help identify and log all user IDs that currently invoke SMP/E functions and will require eventual definition in the profiles' access list. After sufficient analysis and after the access list has been updated, then profiles should be changed to NOWARNING.

Note: The preceding sample commands to define a FACILITY class profile and to define a user ID in the access list of that profile assume the use of RACF as the security manager. If you use a security manager other than RACF, see the appropriate documentation for equivalent commands.