The policies managed by Policy Agent can affect system operation significantly. Therefore, you need to restrict the list of z/OS user IDs under which Policy Agent is allowed to run. To do this, you need to define certain resources and controls in the system's security manager product, such as RACF.
To set up the Policy Agent's security definitions in RACF:
The following is an example of a sequence of RACF commands that sets up security definitions for Policy Agent.
ADDUSER PAGENT DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/'))
RDEFINE STARTED PAGENT.* -
STDATA(USER(PAGENT) GROUP(OMVSGRP))
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH
RDEFINE STARTED SYSLOGD.*
PERMIT MVS.SERVMGR.PAGENT CLASS(OPERCMDS) ACCESS(CONTROL) -
ID(PAGENT)
SETROPTS RACLIST(OPERCMDS) REFRESH
SETROPTS GENERIC(OPERCMDS) REFRESH
PERMIT EZB.PAGENT.SYSTEMNAME.TCPIPNAME.* CLASS(SERVAUTH) -
ID(userid) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH
SETROPTS GENERIC(SERVAUTH) REFRESH
A sample job with these security definitions can be found in member PAGNTSEC of BSA.SAMPLIB.
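The following check is an added example, not part of the original page or of the product's sample job. It joins the '-' continuation lines of a command sequence like the one above, flags unbalanced parentheses, and reports any class changed by RDEFINE or PERMIT that has no later SETROPTS RACLIST(class) REFRESH; the function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample in the page's style; the OPERCMDS refresh is left out on purpose.
SAMPLE = """\
RDEFINE STARTED PAGENT.* -
STDATA(USER(PAGENT) GROUP(OMVSGRP))
SETROPTS RACLIST(STARTED) REFRESH
PERMIT MVS.SERVMGR.PAGENT CLASS(OPERCMDS) ACCESS(CONTROL) -
ID(PAGENT)
"""

def join_continuations(text):  # merge lines ending in '-' into single commands
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("-"):
            pending += line[:-1].rstrip() + " "
        elif line:
            commands.append(pending + line)
            pending = ""
    return commands

def parens_balanced(cmd):
    depth = 0
    for ch in cmd:  # assumption: no parentheses inside quoted strings
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def lint(text):  # returns a list of findings for one command sequence
    findings, unrefreshed = [], {}
    for cmd in join_continuations(text):
        words = cmd.split()
        verb = words[0].upper()
        if not parens_balanced(cmd):
            findings.append(f"unbalanced parentheses: {cmd}")
        permit = re.search(r"\bCLASS\((\w+)\)", cmd, re.I)
        refresh = re.search(r"\bRACLIST\((\w+)\)\s+REFRESH\b", cmd, re.I)
        if verb == "RDEFINE" and len(words) > 1:
            unrefreshed[words[1].upper()] = cmd  # class is the first operand
        elif verb == "PERMIT" and permit:
            unrefreshed[permit.group(1).upper()] = cmd
        elif verb == "SETROPTS" and refresh:
            unrefreshed.pop(refresh.group(1).upper(), None)
    findings += [f"no SETROPTS RACLIST({c}) REFRESH after: {cmd}" for c, cmd in unrefreshed.items()]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```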