These settings are generated into the load module CAZCNFG1. You specify them in assembly macro statements, then edit and submit sample job CAZASMCF in hlq.SCAZSAMP to generate the CAZCNFG1 module. Source member CAZCNFG1 in hlq.SCAZSAMP contains model source code. The following example illustrates the syntax of the statements in the CAZCNFG1 source member.
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
* Configuration Section.
*
CAZCNFG1 CAZCVSET START
CAZCVSET END
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
* Access Rules (Security) Section.
*
01 CAZRULE *,allow,ViewRequestsOwnedBy,========
02 CAZRULE *,allow,DeleteRequestsOwnedBy,========
03 CAZRULE *,allow,UpdateRequestsOwnedBy,========
04 CAZRULE *,allow,MeasureJOB,*
05 CAZRULE *,allow,MeasureSTC,*
06 CAZRULE *,allow,MeasureTSU,========
07 CAZRULE *,allow,UseDB2Plus,*
08 CAZRULE *,allow,UseIMSPlus,*
09 CAZRULE *,allow,MonitorJOB,*
10 CAZRULE *,allow,MonitorSTC,*
11 CAZRULE *,allow,MonitorTSU,========
12 CAZRULE *,allow,UseWLMI,*
13 CAZRULE *,allow,UseCICSPlus,*
15 CAZRULE ADMIN01,allow,AdministerProduct,*
CAZRULE END
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
You specify access rules - rules controlling the type of access to Application Performance Analyzer functions granted by User ID - in the access rules section of CAZCNFG1. You define each access rule in the CAZCNFG1 source member using the CAZRULE statement. In each rule you specify:
The CAZRULE statement is an assembly macro statement and must follow the syntax rules for assembler macros. You specify the four values, noted above, in the first through fourth positional macro parameters. You can also specify a value in the name field, starting in column 1. CAZRULE ignores this value, so you can use it for your own purposes.
>>-CAZRULE--Userid--,--+----------+----------------------------->
                       +-ALLOW----+
                       '-DISALLOW-'

>--,--AccessType--,--Object--,--+----------+-------------------><
                                +-ID=*-----+
                                '-ID=STCID-'
Specify patterns using the following special characters:
The types of objects are:
Some examples of CAZRULE statements are illustrated here. The examples specify a name field that is ignored. We assigned reference numbers 01, 02, 03 and 04 to the rules in the name field for easier identification.
01 CAZRULE FRANK01,Allow,ViewRequestsOwnedBy,*
02 CAZRULE *,Allow,MeasureJob,*
03 CAZRULE *,Allow,MeasureTSU,========
04 CAZRULE ADMIN01,allow,AdministerProduct,*
Notes about CAZRULE statement examples:
Code this | For this type of access | Object type |
---|---|---|
ViewRequestsOwnedBy | Controls which measurement requests the user is allowed to view reports for. | User ID of user that created the request. |
DeleteRequestsOwnedBy | Controls which measurement requests the user is allowed to delete. | User ID of user that created the request. |
UpdateRequestsOwnedBy | Controls which measurement requests the user is allowed to modify. | User ID of user that created the request. |
MeasureJOB | Controls what job names the user is allowed to measure. | Job name of job to be measured. |
MeasureSTC | Controls what STCs (started tasks) the user is allowed to measure. | Name of started task procedure to be measured. |
MeasureTSU | Controls what TSUs (TSO regions) the user is allowed to measure. | Name of TSO region (the TSO User ID). |
UseDB2Plus | Controls whether the user is allowed to use the DB2+ data extractor. | Always '*' |
UseIMSPlus | Controls whether the user is allowed to use the IMS+ data extractor. | Always '*' |
MonitorJOB | Controls what job names the user is allowed to threshold-monitor. | Job name of job to be monitored. |
MonitorSTC | Controls what STCs (started tasks) the user is allowed to threshold-monitor. | Name of started task procedure to be monitored. |
MonitorTSU | Controls what TSUs (TSO regions) the user is allowed to threshold-monitor. | Name of TSO region (the TSO User ID). |
UseWLMI | Controls whether the user is allowed to use the WLM Intercept to measure a specific DB2 stored procedure or user-defined function and/or use the collateral DB2 (CDB2) data extractor. | Always '*' |
UseCICSPlus | Controls whether the user is allowed to use the CICS+ data extractor. | Always '*' |
AdministerProduct | Controls whether the user has Application Performance Analyzer administrator authority. Administrator authority allows a user to update the common list of data sets in the CDS for source program mapping. When expiry days warning is enabled, users with administrator authority will see the expiry days warning for all users’ observations. By default, this access is disallowed. | Always '*' |
Whenever separate CAZRULE statements specify conflicting effects for the same User ID, the statements specified later in the source member take precedence over earlier ones.
For example:
CAZRULE *,allow,ViewRequestsOwnedBy,========
CAZRULE FRANK01,allow,ViewRequestsOwnedBy,*
The first statement above specifies that all users are allowed to view reports for only their own requests. The second statement, however, specifies that User ID FRANK01 is allowed to view reports for all requests. This statement overrides the previous one for FRANK01.
The approach is to first code statements for the most inclusive rules and then follow these with less inclusive rules.
Member CAZCNFG1 in hlq.SCAZSAMP contains suggested Application Performance Analyzer rules. You need to carefully review these, and make changes for your own installation. For example, rule number 06 allows all users to measure started tasks. However, you might want to control who is able to run measurements of, for example, your CICS® regions, in which case you would have to specify more specific rules controlling started task measurement. Measurement of CICS regions can either be permitted or restricted; more detailed options are not available.
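The following added example (not part of the product or its samples) evaluates a CAZRULE list offline with the later-statement-wins precedence described above, so a tightened rule set can be reviewed before CAZCNFG1 is assembled. Rules A1 and A2, user ID CICSADM and the name-field labels are constructed for illustration. It assumes that `*` matches any run of characters, that `=` in an object pattern stands for the character in the same position of the requesting user ID, and that a request matching no rule is denied.

```python
import re

# Constructed sample. 05 and 01 are from the supplied rules and X1 is the page's
# FRANK01 override; A1/A2 and user CICSADM are hypothetical tightening rules.
SAMPLE = """\
* Access Rules (Security) Section.
05 CAZRULE *,allow,MeasureSTC,*
A1 CAZRULE *,disallow,MeasureSTC,CICS*
A2 CAZRULE CICSADM,allow,MeasureSTC,CICS*
01 CAZRULE *,allow,ViewRequestsOwnedBy,========
X1 CAZRULE FRANK01,allow,ViewRequestsOwnedBy,*
   CAZRULE END
"""

def parse_rules(source):
    """Return (label, userid, allow, access_type, object) tuples in source order."""
    rules = []
    for line in source.splitlines():
        m = re.match(r"(\S*?)\s*\bCAZRULE\s+(\S+)", line)
        if line.startswith("*") or not m or m.group(2).upper() == "END":
            continue                      # comment line, other macro, or terminator
        parts = m.group(2).split(",")     # a trailing ID= operand is ignored here
        if len(parts) < 4 or parts[1].lower() not in ("allow", "disallow"):
            raise ValueError(f"unsupported CAZRULE operands: {line!r}")
        rules.append((m.group(1), parts[0], parts[1].lower() == "allow",
                      parts[2].lower(), parts[3]))
    return rules

def _match(pattern, value):
    """'*' matches any run of characters; comparison is case-insensitive."""
    rx = ".*".join(re.escape(p) for p in pattern.upper().split("*"))
    return re.fullmatch(rx, value.upper()) is not None

def _expand(obj_pattern, userid):
    # Assumption: '=' in position i stands for character i of the requester's
    # user ID, so '========' means "the requester's own ID".
    padded = userid.upper().ljust(len(obj_pattern))
    return "".join(padded[i] if c == "=" else c
                   for i, c in enumerate(obj_pattern)).rstrip()

def decide(rules, userid, access_type, obj):
    """Last matching rule wins; no match means denied (assumed default)."""
    verdict, winner = False, None
    for label, user_pat, allow, access, obj_pat in rules:
        if (access == access_type.lower() and _match(user_pat, userid)
                and _match(_expand(obj_pat, userid), obj)):
            verdict, winner = allow, label
    return verdict, winner
```

`decide` returns the verdict together with the label of the rule that produced it, which makes it easy to see when a broad rule placed late in the member silently overrides a restriction coded earlier.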
The rules supplied in CAZCNFG1 leave access fairly open, and their equivalent RACF® profiles are shown below:
01 CAZRULE *,allow,ViewRequestsOwnedBy,========
/* This is a default, no RACF profile required. */
02 CAZRULE *,allow,DeleteRequestsOwnedBy,========
/* This is a default, no RACF profile required. */
03 CAZRULE *,allow,UpdateRequestsOwnedBy,========
/* This is a default, no RACF profile required. */
04 CAZRULE *,allow,MeasureJOB,*
/* RDEFINE FACILITY CAZ0.MEASURE.JOB.* UACC(READ) */
05 CAZRULE *,allow,MeasureSTC,*
/* RDEFINE FACILITY CAZ0.MEASURE.STC.* UACC(READ) */
06 CAZRULE *,allow,MeasureTSU,========
/* This is a default, no RACF profile required. */
07 CAZRULE *,allow,UseDB2Plus,*
/* RDEFINE FACILITY CAZ0.USE.DB2PLUS UACC(READ) */
08 CAZRULE *,allow,UseIMSPlus,*
/* RDEFINE FACILITY CAZ0.USE.IMSPLUS UACC(READ) */
09 CAZRULE *,allow,MonitorJOB,*
/* RDEFINE FACILITY CAZ0.MONITOR.JOB.* UACC(READ) */
10 CAZRULE *,allow,MonitorSTC,*
/* RDEFINE FACILITY CAZ0.MONITOR.STC.* UACC(READ) */
11 CAZRULE *,allow,MonitorTSU,========
/* This is a default, no RACF profile required. */
12 CAZRULE *,allow,UseWLMI,*
/* RDEFINE FACILITY CAZ0.USE.WLMI UACC(READ) */
13 CAZRULE *,allow,UseCICSPlus,*
/* RDEFINE FACILITY CAZ0.USE.CICSPlus UACC(READ) */
14 CAZRULE ADMIN01,allow,AdministerProduct,*
/* RDEFINE FACILITY CAZ0.ADMINISTERPRODUCT UACC(NONE) */
/* PERMIT CAZ0.ADMINISTERPRODUCT ID(ADMIN01) */
Rule number | Explanation |
---|---|
01 | Users can view reports for only their own measurement requests. Access to reports for other users' requests is denied. |
02 | Users can only delete their own measurement requests. |
03 | Users can only modify/cancel their own measurement requests. |
04 | Any user can measure jobs with any jobname. |
05 | Any user is allowed to measure a started task. |
06 | Any user is allowed to measure his/her own TSO region. |
07 | Any user is allowed to turn on the DB2+ data extractor. |
08 | Any user is allowed to turn on the IMS+ data extractor. |
09 | Any user is allowed to threshold-monitor jobs with any jobname. |
10 | Any user is allowed to threshold-monitor a started task. |
11 | Any user is allowed to threshold-monitor his or her own TSO region. |
12 | Any user is allowed to measure a specific DB2 stored procedure or user-defined function and/or turn on the collateral DB2 (CDB2) data extractor. |
13 | Any user is allowed to turn on the CICS+ data extractor. |
14 | Allow user ADMIN01 to update the common list of data sets in the common data store. Disallow update access to all other users. When expiry days warning is enabled, ADMIN01 will see the expiry days warning for all users’ observations. All other users will see the expiry days warning for their own observations only. |