Application Performance Analyzer for z/OS, Version 11.1, Customization Guide

Installation-level configuration settings

These settings are generated into the load module CAZCNFG1. You specify them in assembly macro statements, then edit and submit sample job CAZASMCF in hlq.SCAZSAMP to generate the CAZCNFG1 module. Source member CAZCNFG1 in hlq.SCAZSAMP contains model source code. The following example illustrates the syntax of the statements in the CAZCNFG1 source member.

* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
*     Configuration Section.
*
CAZCNFG1       CAZCVSET START
               CAZCVSET END

* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
*    Access Rules (Security) Section.
*
01 CAZRULE   *,allow,ViewRequestsOwnedBy,========
02 CAZRULE   *,allow,DeleteRequestsOwnedBy,========
03 CAZRULE   *,allow,UpdateRequestsOwnedBy,========
04 CAZRULE   *,allow,MeasureJOB,*
05 CAZRULE   *,allow,MeasureSTC,*
06 CAZRULE   *,allow,MeasureTSU,========
07 CAZRULE   *,allow,UseDB2Plus,*
08 CAZRULE   *,allow,UseIMSPlus,*
09 CAZRULE   *,allow,MonitorJOB,*
10 CAZRULE   *,allow,MonitorSTC,*
11 CAZRULE   *,allow,MonitorTSU,========
12 CAZRULE   *,allow,UseWLMI,*
13 CAZRULE   *,allow,UseCICSPlus,*
15 CAZRULE   ADMIN01,allow,AdministerProduct,*
   CAZRULE END
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *

Specifying access rules

You specify access rules - rules controlling the type of access to Application Performance Analyzer functions granted by User ID - in the access rules section of CAZCNFG1. You define each access rule in the CAZCNFG1 source member using the CAZRULE statement. In each rule you specify:

The CAZRULE statement is an assembly macro statement and must follow the syntax rules for assembler macros. You specify the four values, noted above, in the first through fourth positional macro parameters. You might also specify a value in the name field - starting in column 1. This is ignored by the CAZRULE; you can use this for your own purposes.

CAZRULE syntax
>>-CAZRULE--Userid--,--+----------+----------------------------->
                       +-ALLOW----+
                       '-DISALLOW-'
 
>--,--AccessType--,--Object--,--+----------+-------------------><
                                +-ID=*-----+
                                '-ID=STCID-'
 
CAZRULE Statement Parameters
Userid
Specify the User ID to which the rule applies in the first positional parameter. You can specify either a full User ID or a User ID pattern. The value is not case sensitive.

Specify patterns using the following special characters:

* (asterisk)
To specify a wildcard value. An asterisk must be the last character in the value. The characters up to the asterisk are compared for an exact match. For example, ABC* will match any User ID beginning with ABC.
? (question mark)
To specify any character match. A question mark specifies that any User ID character, in the same position, will be matched. For example, AB??EF will result in the match of any User ID characters in the third and fourth positions. The User ID ABCDEF will be matched, as will ABXYEF.
ALLOW or DISALLOW
The second positional parameter determines whether the CAZRULE statement specifies that the access is to be permitted (ALLOW) or denied (DISALLOW). The value is not case sensitive.
AccessType
The third positional parameter in the CAZRULE statement specifies the type of access. See Access rule descriptions for a summary of all AccessType values. The value is not case sensitive.
Object
The fourth positional parameter specifies the Object to which the rule applies. Refer to Access rule descriptions for information about which objects apply to which AccessType values.

The types of objects are:

User ID Object pattern
When the object type is a User ID, an additional special pattern character, an equal sign (=), is permitted. Specifying '=' has the effect of substituting the character from the actual User ID (the User ID for which the rule is being checked) before the comparison is made.
ID
The CAZRULE statement accepts one keyword parameter: ID=STCID. You can use this parameter to specify the Application Performance Analyzer ID to which the rule applies. Typically you omit the ID= parameter, which gives a default value of '*', so that the rule applies to all Application Performance Analyzer started tasks.
Examples

Some examples of CAZRULE statements are illustrated here. The examples specify a name field that is ignored. We assigned reference numbers 01, 02, 03 and 04 to the rules in the name field for easier identification.

01 CAZRULE FRANK01,Allow,ViewRequestsOwnedBy,*
02 CAZRULE *,Allow,MeasureJob,*
03 CAZRULE *,Allow,MeasureTSU,========
04 CAZRULE ADMIN01,allow,AdministerProduct,*

Notes about CAZRULE statement examples:

  1. The first example specifies an access rule that applies to User ID FRANK01. The second positional parameter, Allow, specifies that access is granted to FRANK01. The third positional parameter specifies the type of access. In this case, ViewRequestsOwnedBy specifies that FRANK01 is allowed to view reports for measurement requests. The fourth positional parameter specifies *. FRANK01 is allowed to view reports for measurement requests owned by any user.
  2. The second example specifies an access rule that applies to all users; the wildcard pattern * in the first positional parameter indicates this. The second positional parameter, Allow, specifies that the access is granted. The third positional parameter specifies the type of access. In this case it is MeasureJob, which controls the jobs that are allowed to be measured. The fourth positional parameter specifies *. This grants all users permission to measure all job names.
  3. The third example specifies an asterisk for the User ID and hence applies to all users. The value '========' is specified for the Object. In the case of MeasureTSU the Object is the User ID of the user's TSO address space. Since each character of the Object field is an equal sign, the corresponding characters of the actual User ID are substituted. The effect is that the user is only allowed to measure his own TSO address space.
  4. The fourth example specifies that only the User ID ADMIN01 has Application Performance Analyzer administrator authority. ADMIN01 is allowed to update the common list of data sets in the common data store for source program mapping. When expiry days warning is enabled, ADMIN01 will see the expiry days warning for all users’ observations.
Access rule descriptions

| Code this | For this type of access | Object type |
| --- | --- | --- |
| ViewRequestsOwnedBy | Controls which measurement requests the user is allowed to view reports for. | User ID of user that created the request. |
| DeleteRequestsOwnedBy | Controls which measurement requests the user is allowed to delete. | User ID of user that created the request. |
| UpdateRequestsOwnedBy | Controls which measurement requests the user is allowed to modify. | User ID of user that created the request. |
| MeasureJOB | Controls what job names the user is allowed to measure. | Job name of job to be measured. |
| MeasureSTC | Controls what STCs (started tasks) the user is allowed to measure. | Name of started task procedure to be measured. |
| MeasureTSU | Controls what TSUs (TSO regions) the user is allowed to measure. | Name of TSO region (the TSO User ID). |
| UseDB2Plus | Controls whether the user is allowed to use the DB2+ data extractor. | Always '*' |
| UseIMSPlus | Controls whether the user is allowed to use the IMS+ data extractor. | Always '*' |
| MonitorJOB | Controls what job names the user is allowed to threshold-monitor. | Job name of job to be monitored. |
| MonitorSTC | Controls what STCs (started tasks) the user is allowed to threshold-monitor. | Name of started task procedure to be monitored. |
| MonitorTSU | Controls what TSUs (TSO regions) the user is allowed to threshold-monitor. | Name of TSO region (the TSO User ID). |
| UseWLMI | Controls whether the user is allowed to use the WLM Intercept to measure a specific DB2 stored procedure or user-defined function and/or use the collateral DB2 (CDB2) data extractor. | Always '*' |
| UseCICSPlus | Controls whether the user is allowed to use the CICS+ data extractor. | Always '*' |
| AdministerProduct | Controls whether the user has Application Performance Analyzer administrator authority. Administrator authority allows a user to update the common list of data sets in the CDS for source program mapping. When expiry days warning is enabled, users with administrator authority will see the expiry days warning for all users’ observations. By default, this access is disallowed. | Always '*' |

Precedence of rules

Whenever separate CAZRULE statements specify conflicting effects for the same User ID, the statements specified later in the source member take precedence over earlier ones.

For example:

CAZRULE *,allow,ViewRequestsOwnedBy,========
CAZRULE FRANK01,allow,ViewRequestsOwnedBy,*

The first statement above specifies that all users are allowed to view reports for only their own requests. The second statement, however, specifies that User ID FRANK01 is allowed to view reports for all requests. This statement overrides the previous one for FRANK01.

The approach is to first code statements for the most inclusive rules and then follow these with less inclusive rules.
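
The pattern matching and precedence behaviour described above, as an added Python example (not IBM's code and not part of the product) for checking what a rule set would decide before CAZCNFG1 is assembled. The rule set, the started task pattern CICS*, the user pattern OPS?? and all function names are constructed. Assumptions: a rule counts as matching when user, access type and object all match, '=' positions past the end of the User ID are treated as blanks, and the ID= keyword is ignored.

```python
import re

def matches(pattern, value, userid=""):
    """Compare a CAZRULE Userid or Object pattern with a value (not case sensitive)."""
    pattern, value, userid = pattern.upper(), value.upper(), userid.upper()
    # '=' takes the character at the same position of the User ID being checked.
    # Assumption: positions past the end of that User ID count as trailing blanks.
    pattern = "".join((userid[i:i + 1] or " ") if ch == "=" else ch
                      for i, ch in enumerate(pattern)).rstrip(" ")
    if "*" in pattern[:-1]:
        raise ValueError("an asterisk must be the last character: " + pattern)
    if pattern.endswith("*"):          # compare only the characters before '*'
        pattern = pattern[:-1]
        value = value[:len(pattern)]
    return len(value) == len(pattern) and all(
        p in ("?", v) for p, v in zip(pattern, value))

def parse_rules(source):
    """Return (userid, allow, access_type, object) tuples in source order."""
    rules = []
    for line in source.splitlines():
        m = re.search(r"(?:^|\s)CAZRULE\s+(\S+)", line)
        if line.startswith("*") or not m or m.group(1).upper() == "END":
            continue                   # comment line, other statement, or CAZRULE END
        userid, effect, access, obj = m.group(1).split(",")[:4]  # ID= is ignored here
        if effect.upper() not in ("ALLOW", "DISALLOW"):
            raise ValueError("expected ALLOW or DISALLOW: " + line)
        rules.append((userid, effect.upper() == "ALLOW", access.upper(), obj))
    return rules

def decide(rules, userid, access, obj):
    """True/False from the last matching rule; None when no rule matches."""
    verdict = None
    for pattern, allow, rule_access, rule_obj in rules:
        if (rule_access == access.upper() and matches(pattern, userid)
                and matches(rule_obj, obj, userid)):
            verdict = allow            # later statements take precedence
    return verdict

# Constructed rule set: the page's precedence example plus a CICS restriction.
SAMPLE = """\
01 CAZRULE *,allow,ViewRequestsOwnedBy,========
02 CAZRULE FRANK01,allow,ViewRequestsOwnedBy,*
03 CAZRULE *,allow,MeasureSTC,*
04 CAZRULE *,disallow,MeasureSTC,CICS*
05 CAZRULE OPS??,allow,MeasureSTC,CICS*
   CAZRULE END
"""
RULES = parse_rules(SAMPLE)
```

A result of None means no statement matched, so the outcome depends on the product default for that access type, which this sketch does not model.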

Suggested Application Performance Analyzer rules

Member CAZCNFG1 in hlq.SCAZSAMP contains suggested Application Performance Analyzer rules. Review these carefully and make changes for your own installation. For example, rule number 06 allows all users to measure started tasks. However, you might want to control who is able to run measurements of, for example, your CICS® regions, in which case you would have to specify more specific rules controlling started task measurement. Measurement of CICS regions can either be permitted or restricted; more detailed options are not available.

The rules supplied in CAZCNFG1 leave access fairly open, and their equivalent RACF® profiles are shown below:

01 CAZRULE *,allow,ViewRequestsOwnedBy,========
      /*  This is a default, no RACF profile required.  */
02 CAZRULE *,allow,DeleteRequestsOwnedBy,========
      /*  This is a default, no RACF profile required.  */
03 CAZRULE *,allow,UpdateRequestsOwnedBy,========
      /*  This is a default, no RACF profile required.  */
04 CAZRULE *,allow,MeasureJOB,*
      /*  RDEFINE FACILITY CAZ0.MEASURE.JOB.* UACC(READ)  */
05 CAZRULE *,allow,MeasureSTC,*
      /*  RDEFINE FACILITY CAZ0.MEASURE.STC.* UACC(READ)  */
06 CAZRULE *,allow,MeasureTSU,========
      /*  This is a default, no RACF profile required.  */
07 CAZRULE *,allow,UseDB2Plus,*
      /*  RDEFINE FACILITY CAZ0.USE.DB2PLUS UACC(READ)  */
08 CAZRULE *,allow,UseIMSPlus,*
      /*  RDEFINE FACILITY CAZ0.USE.IMSPLUS UACC(READ)  */
09 CAZRULE *,allow,MonitorJOB,*
      /*  RDEFINE FACILITY CAZ0.MONITOR.JOB.* UACC(READ)  */
10 CAZRULE *,allow,MonitorSTC,*
      /*  RDEFINE FACILITY CAZ0.MONITOR.STC.* UACC(READ)  */
11 CAZRULE *,allow,MonitorTSU,========
      /*  This is a default, no RACF profile required.  */
12 CAZRULE *,allow,UseWLMI,*
      /*  RDEFINE FACILITY CAZ0.USE.WLMI UACC(READ)  */
13 CAZRULE *,allow,UseCICSPlus,*
      /*  RDEFINE FACILITY CAZ0.USE.CICSPlus UACC(READ)  */
14 CAZRULE ADMIN01,allow,AdministerProduct,*
      /*  RDEFINE FACILITY CAZ0.ADMINISTERPRODUCT UACC(NONE)  */
      /*  PERMIT CAZ0.ADMINISTERPRODUCT ID(ADMIN01)  */

| Rule number | Explanation |
| --- | --- |
| 01 | Users can view reports for only their own measurement requests. Access to reports for other users' requests is denied. |
| 02 | Users can only delete their own measurement requests. |
| 03 | Users can only modify/cancel their own measurement requests. |
| 04 | Any user can measure jobs with any jobname. |
| 05 | Any user is allowed to measure a started task. |
| 06 | Any user is allowed to measure his/her own TSO region. |
| 07 | Any user is allowed to turn on the DB2+ data extractor. |
| 08 | Any user is allowed to turn on the IMS+ data extractor. |
| 09 | Any user is allowed to threshold-monitor jobs with any jobname. |
| 10 | Any user is allowed to threshold-monitor a started task. |
| 11 | Any user is allowed to threshold-monitor his or her own TSO region. |
| 12 | Any user is allowed to measure a specific DB2 stored procedure or user-defined function and/or turn on the collateral DB2 (CDB2) data extractor. |
| 13 | Any user is allowed to turn on the CICS+ data extractor. |
| 14 | Allow user ADMIN01 to update the common list of data sets in the common data store. Disallow update access to all other users. When expiry days warning is enabled, ADMIN01 will see the expiry days warning for all users’ observations. All other users will see the expiry days warning for their own observations only. |


