Controlling access to RMF data for the sysplex data services

Users of applications that call sysplex data services to access data from the RMF Sysplex Data Server's SMF buffer must have RACF® authorization.

RMF™ has defined a RACF resource profile of class FACILITY called ERBSDS.SMFDATA to control access to SMF data in the RMF Sysplex Data Server's SMF buffers. Every user accessing the SMF records in this SMF buffer must be authorized.

ERBSDS.SMFDATA
controls access to SMF data in the SMF buffer by the ERBDSQRY service (Query Available Sysplex SMF Data) or the ERBDSREC service (Request Sysplex SMF Record Data). One application using these services is the RMF Postprocessor, if the SMF records are retrieved directly from the SMF buffers.

Also, if you want to exploit the DDS HTTP API (see the z/OS RMF Programmer's Guide), you must grant read access to the ERBSDS.SMFDATA profile for the GPMSERVE user ID, which is assigned to the DDS started task GPMSERVE as described in Assign started task procedures to user IDs.

Another application using the mentioned services is the data gatherer of the Monitor II ILOCK command.

RMF does not perform mandatory access checks for Monitor II data (accessed by the ERB2XDGS service) and Monitor III set-of-samples data (accessed by the ERB3XDRS service). If you want to protect this data, define RACF resource profiles called ERBSDS.MON2DATA and ERBSDS.MON3DATA in the FACILITY class. If you do not define a profile, RACF does not restrict any user ID from invoking the mentioned sysplex data services:

ERBSDS.MON2DATA
controls access to Monitor II SMF type 79 data by the ERB2XDGS and ERBSMFI services. For example, a Monitor II reporter session invokes this service when reporting about another system in the sysplex.
ERBSDS.MON3DATA
controls access to Monitor III set-of-samples data by the ERB3XDRS service. For example, the Distributed Data Server as server address space for users of RMF PM calls this service. If this profile is defined, the TSO user ID of RMF PM users must be authorized. Also, a Monitor III reporter session calls this service when sysplex-wide reports are requested.

If the same group of users takes advantage of all RMF sysplex data services, you can work with the generic profile ERBSDS.*.

Parent topic: Specifying access definitions