IBM z/OS Change Tracker is a System Software Change Control and Management solution for the z/OS platform. It allows for tracking, control, and management of systems software configuration changes, and can identify and report on system-wide changes.
With its advanced tooling, IBM z/OS Change Tracker can compare local and remote software deployments across z/OS environments, while critical system software and mission-critical application software can be monitored automatically in real-time. Automation extends to member-level backup of protected resources, and allows panel-driven recovery to resolve an undesired change.
IBM z/OS Change Tracker provides robust capabilities to audit and check software integrity, protect critical libraries, and track changes to the members in these libraries through audit trails and fingerprinting key data sets in the environment.
You can use IBM z/OS Change Tracker for data protection, data recovery, and audit support.
IBM z/OS Change Tracker can be used for data protection and data recovery at the member level, audit support, and snapshot comparisons. System programmers can monitor and take automatic backups of critical configuration data sets at the member-level, while compliance evidence providers can use IBM z/OS Change Tracker to see who has changed critical configuration data sets for z/OS, including how it was changed and when.
Data Protection: IBM z/OS Change Tracker provides monitoring and protection of critical libraries. Locked members cannot be changed without permission granted by the Administrator.
Data Recovery: Automatic backups are generated whenever a monitored member is changed, and an optional email notification can be provided. Members in monitored data sets can be restored to previous versions.
Audit Support: Out-of-the-box audit reports of monitored data sets indicate the event type (add, update, delete, rename, zap), who made the change, and when.
It is critical for systems managers to be in charge of the system-wide changes in their z/OS environment. IBM z/OS Change Tracker provides them with comprehensive tools to keep track of critical library changes in real-time, and large software environments across systems and over time.
IBM z/OS Change Tracker will replace manual procedures for auditing and investigating systems changes. In case of an outage, you will review the information collected by IBM z/OS Change Tracker to determine the cause of the system failure and recover from an unplanned or undesired change. Member-level backups generated by IBM z/OS Change Tracker when the change had been made will be available.
Any existing tools will stay in place. IBM z/OS Change Tracker operates behind the scenes to monitor and control changes in your critical libraries.
IBM z/OS Change Tracker grants different levels of access and involvement depending on user role: administrator, user, or auditor.
Administrators are able to define libraries to be monitored and protected, and can grant individuals access to update locked members. Users can view and compare backups.
Users can verify that software on multiple local or remote systems is identical. If IBM z/OS Change Tracker finds any differences, it identifies which members in the libraries have different contents.
Auditors are participants who are able to receive and view outputs generated by IBM z/OS Change Tracker.
There are certain best practices in place to execute the change management process in the correct way.
- Administrator defines critical libraries to be locked and automatically back up
- User submits a request (outside IBM z/OS Change Tracker ) to the administrator for update access to a member in a critical library
- After review, the administrator grants the user update access to that member
- User makes the change
- The administrator revokes their access to the member
IBM z/OS Change Tracker requires z/OS version 2.5 to run. It is shipped with z/OS 2.5 and is enabled as Monthly License Charge (MLC) content.
Once you are entitled to use this priced feature, you can verify that it has been enabled in IFAPRDxx.
IBM z/OS Change Tracker is deployed and configured using z/OSMF workflows.
IBM z/OS Change Tracker consists of two SMP/E FMIDs - HCYG100 (base and English), and JCYG10 (Japanese). If z/OS V2.5 has already been installed and upgrade actions are completed, it would be easiest to install the desired FMIDs separately on top of z/OS V2.5 rather than re-order z/OS V2.5 in a shipment that contains IBM z/OS Change Tracker.
To install the IBM z/OS Change Tracker FMID(s), order a CBPDO of z/OS V2.5 along with the IBM z/OS Change Tracker feature on Shopz for that order. When your CBPDO for z/OS V2.5 arrives, then only install the z/OS Change Tracker FMID(s) following the instructions in the z/OS V2.5 Program Directory.
If you wish to entitle IBM z/OS Change Tracker after its GA, you can order it via Shopz with your z/OS V2.5 deliverable, or entitle it afterwards as outlined in z/OS Planning for Installation, section 'Using dynamic enablement'.
Decide who will be the IBM z/OS Change Tracker administrators, users, and auditors in your enterprise.
The Security Administrator will need to create the RACF FACILITY class profiles and grant READ access to the appropriate people. Doing so ensures that the appropriate level of security is assigned to the correct group of users.
To set up roles and determine their access:
- Create two RACF FACILITY class profiles: CYG.ADMIN and CYG.AUDIT
- READ access to CYG.ADMIN grants the user Admin level access in IBM z/OS Change Tracker. The user who will be assigned the started task job will need this.
- READ access to CYG.AUDIT grants the user access to the Audit feature in the product
Note: All of the above can be met by a single user
There are RACF settings required for various roles: FACILITY class profiles: CYG.ADMIN and CYG.AUDIT
IBM z/OS Change Tracker provides a workflow that performs the configuration of the product and the definition of the correct datasets.
After the installation of IBM z/OS Change Tracker, run the z/OSMF Configuration Workflow which can be found here: /usr/lpp/cyg/zosmf/workflows/cygwflw.xml
Use z/OSMF Security Configuration Assistant to view and verify the IBM z/OS Change Tracker security definitions.
IBM z/OS Change Tracker uses the z/OSMF Security Configuration Assistant to verify that the correct users in groups can have access to the resources they need.
The Administrator needs to define data sets to be monitored. All modifications to the members of these data sets are then automatically tracked.
The audit feature can be filtered based on event type, date and time range, member name or data set name.
Developers can fingerprint anything from a single file to an entire disc volume.
When analyzing a large collection of data sets, each member is fingerprinted. IBM z/OS Change Tracker then allows you to compare fingerprints of the entire collection of data sets, providing information on what, how, when and by whom modifications have been made – at both data set and member level.
Learn more about what IBM z/OS Change Tracker has to offer and how it works.
IBM z/OS Change Tracker Guide and Reference is available in IBM Documentation.