Security and authorization requirements

A z/OS® user ID with appropriate RACF® access is required to submit the batch jobs used in customizing and operating Z Asset Optimizer. Additional security and authorization configuration can be necessary, depending on your environment.

RACF® authorizations

The following table lists the RACF® authority required to run Z Asset Optimizer Started Tasks, Usage Monitor, Analyzer, and Automation Server. Consult with your RACF® administrator to define the required RACF® authority.

Table 1. RACF® data set access required by each started task

Started task name   SHZAMOD1  PARMLIB  SHZAANL1  SHZAANL2  ACDS (Db2 only)  SDSNLOAD and SDSNEXIT  HLQIDS data set  Usage Monitor output data sets
Usage Monitor       READ      READ     n/a       n/a       n/a              n/a                    READ             ALTER
Analyzer            READ      READ     READ      READ      n/a              READ                   n/a              n/a
Automation Server   READ      READ     n/a       n/a       CONTROL          n/a                    n/a              n/a
The started task should be defined in the resource class STARTED, with additional detail in the STDATA segment of the resource. It can also be defined in the started task table ICHRIN03, but this requires an IPL to add or update a task definition. For example:
RDEFINE STARTED HZA*.* UACC(NONE) +
  STDATA(USER(uuuuuuu))
Replace uuuuuuu with the name of the started task user for Z Asset Optimizer. Then refresh the in-storage profiles:
SETROPTS RACLIST(STARTED) REFRESH
When SECURITY=SYSTEM is set for the Analyzer, the application name HZACANLZ is supplied to SAF during authentication. Security administrators can use permissions on the HZACANLZ resource in the APPL RACF class to control which users are allowed to log on to the Analyzer.
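The following RACF command sequence is an added example, not taken from the product documentation, that ties together the STARTED class definition above, the data set access for the Usage Monitor from Table 1, and the APPL class control of Analyzer logon. The high-level qualifier HZA, the started task user HZAUSER, the groups HZASTC and HZAANLZ, the UID placeholder nnnn, and the data set names HZA.SHZAMOD1, HZA.PARMLIB, HZA.HLQIDS and HZA.UMON.** are all assumptions; substitute the names used at your site. The /* */ lines are CLIST-style comments and must be removed if the commands are fed to IKJEFT01 through SYSTSIN.

```tso
/* Started task user for Z Asset Optimizer (assumed name HZAUSER).   */
/* NOPASSWORD makes it a protected user ID that cannot be used to    */
/* log on; the OMVS segment gives it the UID that HZAPHOST needs     */
/* to resolve the TCP/IP host name. Replace nnnn with an unused UID. */
ADDGROUP HZASTC OMVS(GID(nnnn))
ADDUSER HZAUSER NOPASSWORD DFLTGRP(HZASTC) +
  OMVS(UID(nnnn) HOME('/tmp') PROGRAM('/bin/sh'))

/* STARTED class profile covering procedures whose names begin HZA.  */
/* TRUSTED(NO) keeps the task subject to normal access checking.     */
RDEFINE STARTED HZA*.* UACC(NONE) +
  STDATA(USER(HZAUSER) GROUP(HZASTC) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* Data set access for the Usage Monitor per Table 1.                */
/* GENERIC on ADDSD creates a fully qualified generic profile, so    */
/* the profile can be defined before the data set exists.            */
ADDSD 'HZA.SHZAMOD1' GENERIC UACC(NONE)
PERMIT 'HZA.SHZAMOD1' GENERIC CLASS(DATASET) ID(HZAUSER) ACCESS(READ)
ADDSD 'HZA.PARMLIB' GENERIC UACC(NONE)
PERMIT 'HZA.PARMLIB' GENERIC CLASS(DATASET) ID(HZAUSER) ACCESS(READ)
ADDSD 'HZA.HLQIDS' GENERIC UACC(NONE)
PERMIT 'HZA.HLQIDS' GENERIC CLASS(DATASET) ID(HZAUSER) ACCESS(READ)
/* The Usage Monitor allocates its own output data sets, hence ALTER */
/* on a generic profile covering them (assumed HZA.UMON.** prefix).  */
ADDSD 'HZA.UMON.**' UACC(NONE)
PERMIT 'HZA.UMON.**' CLASS(DATASET) ID(HZAUSER) ACCESS(ALTER)
SETROPTS GENERIC(DATASET) REFRESH

/* Analyzer logon control when SECURITY=SYSTEM: only members of the  */
/* assumed group HZAANLZ may log on through the HZACANLZ application. */
SETROPTS CLASSACT(APPL) RACLIST(APPL)
RDEFINE APPL HZACANLZ UACC(NONE)
PERMIT HZACANLZ CLASS(APPL) ID(HZAANLZ) ACCESS(READ)
SETROPTS RACLIST(APPL) REFRESH

/* Verify the result before starting the task.                      */
LISTUSER HZAUSER OMVS
RLIST STARTED HZA*.* STDATA
RLIST APPL HZACANLZ AUTHUSER
```

The Analyzer and Automation Server started tasks follow the same pattern with their own users and the access levels from their rows of Table 1 (for example CONTROL on the ACDS for the Automation Server, READ on SHZAANL1, SHZAANL2, SDSNLOAD and SDSNEXIT for the Analyzer). Giving each task its own user ID rather than sharing one keeps the data set permissions aligned with the table and makes SMF and RACF audit records attributable to the task that produced them.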

For non-RACF security products, consult your Security Administrator.

z/OS® UNIX security

Both the Usage Monitor and the z/OS® UNIX Inquisitor need sufficient authority to navigate the UNIX file system. The writer task of the Usage Monitor requires access to resolve symbolic links, while the UNIX Inquisitor is tasked with discovering executable files.

The HZAPHOST module is called by the Usage Monitor writer task and by both Inquisitor programs to collect the system TCP/IP host name and IP address. This action requires a security user profile which has an associated UNIX uid value. The call of HZAPHOST can be disabled by relevant Usage Monitor and Inquisitor settings, if necessary.

APF

The Inquisitor and Usage Monitor use z/OS® authorized system services. These programs are contained in the PDSE load library SHZAMOD1, which must be APF authorized to run the Usage Monitor, and to run the Inquisitor unless the Inquisitor is run with PARM=NOAPF.

The Analyzer also requires an APF authorized environment when the SECURITY=SYSTEM option is selected so that it can issue the relevant SAF calls required for user authentication.

MEMLIMIT

The Usage Monitor creates memory objects, which are areas of virtual storage with addresses above 2 GB that can only be addressed in 64-bit addressing mode.

The MEMLIMIT setting, which applies to the Usage Monitor address space, must be set at a value high enough to allow the Usage Monitor to create all memory objects necessary for operations. It is recommended that MEMLIMIT=NOLIMIT is used for the Usage Monitor address space.

The actual size of the memory objects that the Usage Monitor creates depends on the SIZ and QSZ settings.

Db2® authorization

You need Db2® privileges to perform the following tasks:
  • DBADM authority to access the product database. You may need to drop and create Db2® resources.
  • BIND plans and packages
  • EXECUTE authority to execute plans and packages
  • SELECT authority to access the Db2® Catalog tables
  • LOAD, REPAIR, and STATS privileges to run Db2® utilities LOAD, REPAIR, and RUNSTATS
  • GRANT USE OF BUFFERPOOL privilege to use specific buffer pools
  • GRANT USE of STOGROUP privilege to use a specific storage group
  • Access to the work file database or TEMP database for Declared Global Temporary tables

SQLite authorization

Creating a SQLite database requires authority to perform the following tasks:
  • Allocate, format, and mount a zFS file system
  • Grant access to z/OS OMVS groups