Defining the security authorization for Policy Agent

Defining the security authorization for Policy Agent

Overview

The policies managed by Policy Agent can affect system operation significantly. Therefore, you need to restrict the list of z/OS user IDs under which Policy Agent is allowed to run. To do this, you need to define certain resources and controls in the system's security manager product, such as RACF.

Security definitions

To set up the Policy Agent's security definitions to RACF:

  1. Define the PAGENT user ID.
  2. Define the PAGENT started task to RACF.
  3. Associate the PAGENT user ID with the PAGENT started task.
  4. Give authorized users access to manage the PAGENT started task.

RACF command example

Following is an example of sequence of RACF commands that set up security definitions for Policy Agent.

  1. Define a user ID (for example, PAGENT) for the PAGENT started task:

    ADDUSER PAGENT DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/'))

  2. Define the PAGENT started task to RACF:

    RDEFINE STARTED PAGENT.* DFLTGRP(OMVSGRP) -
    STDATA(USER(PAGENT) GROUP(OMVSGRP)
    SETROPTS RACLIST(STARTED) REFRESH
    SETROPTS GENERIC(STARTED) REFRESH

  3. If you want to log messages through SYSLOGD, define a profile for SYSLOGD:

    RDEFINE STARTED SYSLOGD.*

  4. Give authorized users access to manage the PAGENT started task:

    PERMIT MVS.SERVMGR.PAGENT CLASS(OPERCMDS) ACCESS(CONTROL) -
    ID(PAGENT)
    SETROPTS RACLIST(OPERCMDS) REFRESH
    SETROPTS GENERIC(OPERCMDS) REFRESH

  5. Optional: Restrict access to the pasearch Unix command.

    PERMIT EZB.PAGENT.SYSTEMNAME.TCPIPNAME.* CLASS(SERVAUTH) -
    ID(userid) ACCESS(READ)
    SETROPTS RACLIST(SERVAUTH) REFRESH
    SETROPTS GENERIC(SERVAUTH) REFRESH

A sample job with these security definitions can be found in member PAGNTSEC in the BSA.SAMPLIB.