Security and authorization requirements
A z/OS® user ID with appropriate RACF® access is required to submit the batch jobs used in customizing and operating Z Asset Optimizer. Additional security and authorization configuration can be necessary, depending on your environment.
RACF® authorizations
The following table lists the RACF® authority that each Z Asset Optimizer started task (Usage Monitor, Analyzer, and Automation Server) requires to the data sets it uses. Consult with your RACF® administrator to define the required RACF® authority.
Started task name | SHZAMOD1 | PARMLIB | SHZAANL1 | SHZAANL2 | ACDS | (Db2 only) SDSNLOAD and SDSNEXIT | HLQIDS data set | Usage Monitor output data sets |
---|---|---|---|---|---|---|---|---|
Usage Monitor | READ | READ | n/a | n/a | n/a | n/a | READ | ALTER |
Analyzer | READ | READ | READ | READ | n/a | READ | n/a | n/a |
Automation Server | READ | READ | n/a | n/a | CONTROL | n/a | n/a | n/a |
For example, the following RACF® commands define a generic STARTED class profile that assigns the user ID uuuuuuu (a placeholder for the ID you choose) to every started task whose name begins with HZA, then refresh the in-storage copy of the class so the profile takes effect:
RDEFINE STARTED HZA*.* UACC(NONE) +
STDATA (USER(uuuuuuu))
SETROPTS RACLIST(STARTED) REFRESH
When SECURITY=SYSTEM is set for the Analyzer, the application name HZACANLZ is supplied to SAF during authentication. Security administrators can use permissions to the HZACANLZ resource in the APPL RACF class to control which users are allowed to log on to the Analyzer. Note that RACF allows access to an application that no APPL profile covers, so the control is only enforced once a profile for HZACANLZ exists and the class is active. For non-RACF security products, consult your Security Administrator.
z/OS® UNIX™ security
Both the Usage Monitor and the z/OS® UNIX™ Inquisitor need sufficient authority to navigate the UNIX™ file system. The writer task of the Usage Monitor requires access to resolve symbolic links, while the UNIX™ Inquisitor is tasked with discovering executable files.
The HZAPHOST module is called by the Usage Monitor writer task and by both Inquisitor programs to collect the system TCP/IP host name and IP address. This requires that the user ID the task runs under has a security profile with an associated z/OS UNIX UID (an OMVS segment). If necessary, the call to HZAPHOST can be disabled by the relevant Usage Monitor and Inquisitor settings.
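The following batch job gathers the definitions from this section and from the RACF® section above into one IKJEFT01 job: a protected started-task user with an OMVS segment (the UID that HZAPHOST and the UNIX Inquisitor need), the STARTED profile, the data set permissions from the table, and the APPL profile for HZACANLZ. It is an added example and not a job shipped with Z Asset Optimizer; the user ID HZASTC, group HZAGRP, the UID/GID value 4711, the high-level qualifiers HZA.V1R0 and HZA.UMON, and SYS1.PARMLIB as the parmlib data set are all assumed placeholders.

```jcl
//HZARACF  JOB (ACCT),'ZAO RACF SETUP',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//* Added example (not a product-supplied job). Assumed names:
//*   HZASTC / HZAGRP : user and group the HZA* started tasks run as
//*   HZA.V1R0.*      : product target libraries (SHZAMOD1 etc.)
//*   HZA.UMON.*      : Usage Monitor output data sets
//*   UID/GID 4711    : placeholders; pick unused, non-zero values
//* Submit under a RACF SPECIAL user (or the profile owners).
//*
//* Step 1: protected started-task identity. NOPASSWORD/NOPHRASE
//* means it cannot log on and cannot be revoked by bad passwords;
//* the OMVS segment gives HZAPHOST and the UNIX Inquisitor the UID
//* they need to call z/OS UNIX services.
//STCUSER  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP HZAGRP OMVS(GID(4711))
  ADDUSER HZASTC NAME('ZAO STARTED TASKS') DFLTGRP(HZAGRP) +
     NOPASSWORD NOPHRASE +
     OMVS(UID(4711) HOME('/u/hzastc') PROGRAM('/bin/sh'))
/*
//* Step 2: assign that identity to every HZA* started task. One
//* user for all three tasks is simple; for least privilege define
//* one STARTED profile and user per task instead, so that only the
//* Automation Server holds CONTROL on the ACDS (its name is
//* installation-specific and not permitted here).
//STARTED  EXEC PGM=IKJEFT01,COND=(0,LT)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE STARTED HZA*.* UACC(NONE) +
     STDATA(USER(HZASTC) GROUP(HZAGRP) TRUSTED(NO) PRIVILEGED(NO))
  SETROPTS RACLIST(STARTED) REFRESH
/*
//* Step 3: data set access from the table above (union of the
//* three rows because all tasks share HZASTC). PERMIT names a
//* profile, not a data set: if SYS1.PARMLIB is covered by a generic
//* such as SYS1.**, permit that profile instead.
//DATASET  EXEC PGM=IKJEFT01,COND=(0,LT)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'HZA.V1R0.**' UACC(NONE)
  PERMIT 'HZA.V1R0.**' CLASS(DATASET) ID(HZASTC) ACCESS(READ)
  PERMIT 'SYS1.PARMLIB' CLASS(DATASET) ID(HZASTC) ACCESS(READ)
  ADDSD 'HZA.UMON.**' UACC(NONE)
  PERMIT 'HZA.UMON.**' CLASS(DATASET) ID(HZASTC) ACCESS(ALTER)
  SETROPTS GENERIC(DATASET) REFRESH
/*
//* Step 4: Analyzer logon control when SECURITY=SYSTEM. With the
//* APPL class active but no profile matching HZACANLZ, RACF allows
//* every logon, so the RDEFINE with UACC(NONE) is what enforces it.
//* The two RLIST commands at the end show what was defined.
//APPL     EXEC PGM=IKJEFT01,COND=(0,LT)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE APPL HZACANLZ UACC(NONE)
  PERMIT HZACANLZ CLASS(APPL) ID(HZAGRP) ACCESS(READ)
  SETROPTS CLASSACT(APPL) RACLIST(APPL) REFRESH
  RLIST STARTED HZA*.* STDATA
  RLIST APPL HZACANLZ AUTHUSER
/*
```

Each step runs only if the previous ones ended with return code 0 (COND=(0,LT)), so a failed ADDUSER does not leave a STARTED profile pointing at a user that does not exist. The Usage Monitor output profile is kept separate from the product libraries because ALTER is needed only there.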
APF
The Inquisitor and Usage Monitor use z/OS® authorized system services. These programs are contained in the PDSE load library SHZAMOD1, which must be APF authorized to run the Usage Monitor, and to run the Inquisitor unless the Inquisitor is run with PARM=NOAPF.
The Analyzer also requires an APF authorized environment when the SECURITY=SYSTEM option is selected so that it can issue the relevant SAF calls required for user authentication.
MEMLIMIT
The Usage Monitor creates memory objects, which are areas of virtual storage that have addresses greater than 2GB and can only be addressed in 64-bit addressing mode.
The MEMLIMIT setting, which applies to the Usage Monitor address space, must be set at a value high enough to allow the Usage Monitor to create all memory objects necessary for operations. It is recommended that MEMLIMIT=NOLIMIT is used for the Usage Monitor address space.
The actual size of the memory objects that the Usage Monitor creates depends on the SIZ and QSZ settings.
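The procedure fragment below shows where MEMLIMIT goes in a Usage Monitor started-task procedure and, in its comments, what APF authorization of SHZAMOD1 involves, covering both the APF and the MEMLIMIT sections above. It is an added example and not the procedure shipped with the product: HZAUMON is a hypothetical program name (substitute the program from the product's sample procedure), and HZA.V1R0 is an assumed high-level qualifier.

```jcl
//* Added example of a Usage Monitor started-task procedure; not the
//* procedure shipped with the product. Assumed names:
//*   HZAUMON            hypothetical program name; substitute the
//*                      program from the product's sample procedure
//*   HZA.V1R0.SHZAMOD1  product PDSE load library
//HZAUMON  PROC
//*
//* MEMLIMIT=NOLIMIT on the EXEC statement: the 64-bit memory
//* objects the Usage Monitor creates (sized by SIZ and QSZ) are not
//* capped by the SMFPRMxx MEMLIMIT default. REGION=0M alone also
//* defaults MEMLIMIT to NOLIMIT, but an explicit value survives a
//* later REGION change. The IEFUSI exit can still override both;
//* check with whoever owns SMFPRMxx and IEFUSI. NOLIMIT moves the
//* cap to real and auxiliary storage, so size SIZ and QSZ with care.
//UMON     EXEC PGM=HZAUMON,REGION=0M,MEMLIMIT=NOLIMIT
//*
//* APF: SHZAMOD1 must be APF-authorized, and so must every other
//* library in the STEPLIB concatenation, or the whole concatenation
//* is treated as unauthorized and the authorized services fail.
//* Persistent entry in PROGxx (VOLUME(volser) instead of SMS for a
//* non-SMS-managed data set):
//*     APF ADD DSNAME(HZA.V1R0.SHZAMOD1) SMS
//* Dynamic activation and verification from the console:
//*     SETPROG APF,ADD,DSNAME=HZA.V1R0.SHZAMOD1,SMS
//*     D PROG,APF,DSNAME=HZA.V1R0.SHZAMOD1
//* The Inquisitor run with PARM=NOAPF and the Analyzer without
//* SECURITY=SYSTEM do not need this; the Usage Monitor always does.
//STEPLIB  DD DISP=SHR,DSN=HZA.V1R0.SHZAMOD1
//SYSPRINT DD SYSOUT=*
```

Keep the STEPLIB to the product library and any other APF-authorized libraries it genuinely needs; adding an unauthorized library "for convenience" silently removes authorization from the whole step, and adding a writable library to the APF list hands anyone with UPDATE on it a path to running authorized code.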
Db2® authorization
- DBADM authority on the product database; the same authority covers dropping and recreating the product's Db2® objects when that is needed.
- BIND authority for the product plans and packages
- EXECUTE authority to execute plans and packages
- SELECT authority to access the Db2® Catalog tables
- LOAD, REPAIR, and STATS privileges to run Db2® utilities LOAD, REPAIR, and RUNSTATS
- GRANT USE OF BUFFERPOOL privilege to use specific buffer pools
- GRANT USE of STOGROUP privilege to use a specific storage group
- Access to work file database or TEMP database for Declared Global Temporary table.
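The batch job below issues the GRANT statements corresponding to the list above through the DSNTEP2 sample program. It is an added example and not a job shipped with the product; the subsystem ID DSN1, database HZADB, authorization ID HZAUSER, plan HZAPLAN, collection HZACOLL, buffer pool BP1, storage group HZASG, plan name DSNTEP12 and the Db2 high-level qualifier DSN.V12R1 are all assumed and must be replaced with your own values.

```jcl
//HZADB2G  JOB (ACCT),'ZAO DB2 GRANTS',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//* Added example (not a product-supplied job). Assumed names:
//*   DSN1        Db2 subsystem ID        HZADB    product database
//*   HZAUSER     authorization ID of the product's batch jobs
//*   HZAPLAN     product plan            HZACOLL  package collection
//*   BP1 / HZASG buffer pool and storage group the product uses
//*   DSNTEP12    plan of the DSNTEP2 sample program on this system
//*   DSN.V12R1   Db2 HLQ (SDSNLOAD, RUNLIB.LOAD)
//* Submit under an ID holding SYSADM (or the individual GRANT
//* authorities). The product's own jobs only need READ to
//* SDSNLOAD and SDSNEXIT, as in the table above.
//GRANT    EXEC PGM=IKJEFT01,DYNAMNBR=20
//STEPLIB  DD DISP=SHR,DSN=DSN.V12R1.SDSNLOAD
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
  DSN SYSTEM(DSN1)
  RUN PROGRAM(DSNTEP2) PLAN(DSNTEP12) -
      LIB('DSN.V12R1.RUNLIB.LOAD')
  END
/*
//SYSIN    DD *
  -- Product database: DBADM covers DROP/CREATE of its objects and
  -- already includes the LOAD, REPAIR and STATS utility privileges.
  GRANT DBADM ON DATABASE HZADB TO HZAUSER;
  -- Listed explicitly only if you substitute a narrower authority
  -- for DBADM; redundant (and harmless) otherwise.
  GRANT LOAD, REPAIR, STATS ON DATABASE HZADB TO HZAUSER;
  -- Bind and run the product plan and packages. BINDADD and
  -- CREATE IN COLLECTION are what allow a new plan or package to
  -- be bound; BIND/EXECUTE then cover rebinding and running them.
  GRANT BINDADD TO HZAUSER;
  GRANT CREATE IN COLLECTION HZACOLL TO HZAUSER;
  GRANT BIND, EXECUTE ON PLAN HZAPLAN TO HZAUSER;
  GRANT BIND, EXECUTE ON PACKAGE HZACOLL.* TO HZAUSER;
  -- Catalog reads: grant on the tables the product queries rather
  -- than SELECT on the whole catalog.
  GRANT SELECT ON TABLE SYSIBM.SYSTABLES, SYSIBM.SYSCOLUMNS,
                        SYSIBM.SYSTABLESPACE, SYSIBM.SYSINDEXES
        TO HZAUSER;
  -- Specific buffer pool and storage group
  GRANT USE OF BUFFERPOOL BP1 TO HZAUSER;
  GRANT USE OF STOGROUP HZASG TO HZAUSER;
  -- Work file database for declared global temporary tables: no
  -- GRANT is issued here; check what your Db2 release requires.
/*
```

Run it once, then verify with a query against SYSIBM.SYSDBAUTH, SYSIBM.SYSPLANAUTH, SYSIBM.SYSPACKAUTH and SYSIBM.SYSRESAUTH for GRANTEE = 'HZAUSER' before the product jobs are submitted; the set of catalog tables granted in the SELECT statement is an assumption and should be widened only to the tables the product actually reads.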
SQLite authorization
- Allocate, format, and mount a zFS file system
- Grant the z/OS UNIX (OMVS) user and groups that run the product access to that file system
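The batch job below carries out the two SQLite steps listed above: it allocates, formats and mounts a zFS file system, then hands its root directory to the product's OMVS user and group and closes it to everyone else. It is an added example and not a job shipped with the product; the aggregate name OMVS.HZA.SQLITE, the mount point /u/hza/sqlite, and the user HZASTC and group HZAGRP are assumed placeholders.

```jcl
//HZAZFS   JOB (ACCT),'ZAO ZFS FOR SQLITE',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//* Added example (not a product-supplied job). Assumed names:
//*   OMVS.HZA.SQLITE  zFS aggregate (VSAM linear data set)
//*   /u/hza/sqlite    mount point for the product's SQLite files
//*   HZASTC / HZAGRP  OMVS user and group that must read and write
//* The submitter needs UID 0 (or READ to BPX.SUPERUSER in the
//* FACILITY class) for the format, mount and chown steps.
//*
//* 1. Allocate the linear data set that backs the file system.
//DEFINE   EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DEFINE CLUSTER (NAME(OMVS.HZA.SQLITE) LINEAR -
         CYLINDERS(100 20) SHAREOPTIONS(3 3))
/*
//* 2. Format it as a zFS file system.
//FORMAT   EXEC PGM=IOEAGFMT,REGION=0M,COND=(0,LT),
//         PARM='-aggregate OMVS.HZA.SQLITE -compat'
//SYSPRINT DD SYSOUT=*
//* 3. Create the mount point, then mount read-write. To make the
//*    mount survive an IPL, add the equivalent MOUNT statement to
//*    BPXPRMxx:
//*      MOUNT FILESYSTEM('OMVS.HZA.SQLITE') TYPE(ZFS) MODE(RDWR)
//*            MOUNTPOINT('/u/hza/sqlite')
//MKDIR    EXEC PGM=BPXBATCH,COND=(0,LT),
//         PARM='SH mkdir -p /u/hza/sqlite'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//MOUNT    EXEC PGM=IKJEFT01,COND=(0,LT)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  MOUNT FILESYSTEM('OMVS.HZA.SQLITE') MOUNTPOINT('/u/hza/sqlite') +
        TYPE(ZFS) MODE(RDWR)
/*
//* 4. Give the (now mounted) root directory to the product's user
//*    and group and close it to other UIDs: this is the "grant
//*    access to OMVS groups" step. Mode 770 keeps everyone else
//*    away from the database files; use setfacl if a second group
//*    needs read access rather than widening the mode.
//CHOWN    EXEC PGM=BPXBATCH,COND=(0,LT),
//         PARM='SH chown HZASTC:HZAGRP /u/hza/sqlite'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//CHMOD    EXEC PGM=BPXBATCH,COND=(0,LT),
//         PARM='SH chmod 770 /u/hza/sqlite'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
```

The chown and chmod run after the mount on purpose: before the mount the path is an empty directory in the parent file system, and permissions set there are hidden once the zFS is mounted over it. Check the result with `ls -ld /u/hza/sqlite` and `df -v /u/hza/sqlite` from a shell running as HZASTC.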