Configuration of Security - Universal Command Security
Overview
Universal Command access controls consist of the following profile types:
- Remote Access profiles control Universal Command's access to remote systems.
- Stdio Access profiles control Universal Command's access to local data sets used as standard input, output or error.
Universal Command Remote Access Profile
The remote access profile controls Universal Command Manager's access to specific remote systems running Universal Agent. The remote system is identified by the IP address of the remote system, the port number on which the Manager is connecting to the remote system, and the remote system user ID with which the Manager is requesting the command to be executed.
Universal Command Manager identifies a remote system with the REMOTE_HOST and REMOTE_PORT configuration options, and the remote user ID with the USER_ID configuration option.
The remote access profile has the following format:
UCMD.Iipaddress.Pport.userid
The following table identifies the fields that comprise the profile name.
Field | Description |
---|---|
ipaddress | Numeric dotted-form IP address of the remote host as specified by the REMOTE_HOST option. The format of the IP address is four three-character numeric fields. Each field represents one number of the IP address. For example, IP address 256.10.2.123 is formatted as 256010002123. |
port | Numeric port number on which Universal Broker is listening as specified by the REMOTE_PORT option. The default Universal Broker port number is 7887. The format of the port number is a five-digit number. For example, port 7887 is formatted as 07887. |
userid | Remote user identifier with which Universal Command Manager will execute the remote command as specified by the USER_ID option. |
Universal Command Standard I/O Access Profile
The standard I/O (stdio) access profile controls Universal Command Manager's access to data sets allocated for standard I/O. The standard I/O ddnames are UNVIN for standard input, UNVOUT for standard output, and UNVERR for standard error, unless otherwise changed with the SIO_LOCAL_FILE configuration option.
The standard I/O access profile has the following format:
UCMD.stdio.Iipaddress.Pport.allocation
The following table identifies the fields that comprise the profile name.
Field | Description |
---|---|
stdio | Standard I/O file which the profile is for. Valid values are: |
ipaddress | Numeric dotted-form IP address of the remote host as specified by the REMOTE_HOST option. The format of the IP address is four three-character numeric fields. Each field represents one number of the IP address. For example, IP address 256.10.2.123 is formatted as 256010002123. |
port | Numeric port number on which Universal Broker is listening as specified by the REMOTE_PORT option. The default Universal Broker port number is 7887. The format of the port number is a five-digit number. For example, port 7887 is formatted as 07887. |
allocation | Entity that is allocated to the standard I/O ddname. There are a number of different items that may be allocated to a ddname. The following formats are available: |
Universal Command Security Profile Definitions
These examples illustrate sample RACF commands that can be used to define Universal Command security profiles and permit z/OS user identifiers access to those profiles. Refer to the IBM RACF documentation for complete details on RACF commands.
Example 1
Assume that you want to restrict Universal Command Manager for z/OS access to remote host 10.23.90.2. The following profile would restrict access to only those z/OS users who have read access to the profile UCMD.I010023090002.*.*.
The following TSO commands define the required profile and permit read access to TSO user TSO555.
RDEF $UNV (UCMD.I010023090002.*.*) UACC(NONE)
PE UCMD.I010023090002.*.* CLASS($UNV) ID(TSO555) ACCESS(READ)
Example 2
Assume that you run all Universal Brokers on privileged port 1000. To enforce the policy that z/OS Managers connect only to port 1000, define profile UCMD.*.*.* with universal access none and define UCMD.*.P01000.* with universal access read.
The following TSO commands define the required profiles.
RDEF $UNV (UCMD.*.*.*) UACC(NONE)
RDEF $UNV (UCMD.*.P01000.*) UACC(READ)
Example 3
Assume that you want to restrict root access to all hosts from Universal Command Manager for z/OS. The following profile would restrict root access to only those z/OS users who have read access to the profile UCMD.*.*.ROOT.
The following TSO command defines the required RACF profile.
RDEF $UNV (UCMD.*.*.ROOT) UACC(NONE)
Example 4
Assume that you want to restrict Universal Command Manager access to data sets PROD.*. You also do not want Universal Command Manager to use any temporary data sets. The following profiles would restrict access to only those z/OS users who have read access to the respective profile.
The following TSO commands define the required RACF profiles.
RDEF $UNV (UCMD.STD*.*.*.DPROD.**) UACC(NONE)
RDEF $UNV (UCMD.STD*.*.*.TEMPORARY) UACC(NONE)
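As an added example (not from this page and not Stonebranch's own code), the following Python builds remote access and stdio access profile names from REMOTE_HOST, REMOTE_PORT and USER_ID values exactly as the two format tables above describe, and then checks a built name against the generic profiles from Examples 1 through 4 so an administrator can confirm which profile will cover a given Manager request. The wildcard matcher models only the `*` and `**` forms used in these examples, not RACF's complete generic-profile rules, and the upper-casing of the user ID is an assumption rather than a documented rule.

```python
# Added example (not Stonebranch code): builds the profile names described above and
# checks a name against the generic RACF profiles from Examples 1-4. The wildcard
# matching is a simplified model of the forms used on this page, not RACF's full rules.
import fnmatch


def format_ip(remote_host: str) -> str:
    """Dotted IPv4 REMOTE_HOST -> four zero-padded 3-digit fields (10.23.90.2 -> 010023090002)."""
    fields = remote_host.split(".")
    if len(fields) != 4 or not all(f.isdigit() and 0 <= int(f) <= 255 for f in fields):
        raise ValueError(f"not a dotted IPv4 address: {remote_host!r}")
    return "".join(f"{int(f):03d}" for f in fields)


def format_port(remote_port: int) -> str:
    """REMOTE_PORT -> five-digit field (7887 -> 07887)."""
    if not 0 < remote_port <= 65535:
        raise ValueError(f"port out of range: {remote_port}")
    return f"{remote_port:05d}"


def remote_access_profile(remote_host: str, remote_port: int, user_id: str) -> str:
    """UCMD.Iipaddress.Pport.userid (user ID upper-cased: assumption, RACF names are uppercase)."""
    return f"UCMD.I{format_ip(remote_host)}.P{format_port(remote_port)}.{user_id.upper()}"


def stdio_access_profile(stdio: str, remote_host: str, remote_port: int, allocation: str) -> str:
    """UCMD.stdio.Iipaddress.Pport.allocation; the allocation qualifier(s) are passed as given."""
    return f"UCMD.{stdio.upper()}.I{format_ip(remote_host)}.P{format_port(remote_port)}.{allocation}"


def profile_covers(generic: str, resource: str) -> bool:
    """True if a generic profile covers a resource name. Simplified model: '*' matches
    characters within a single qualifier, '**' matches zero or more whole qualifiers."""
    gq, rq = generic.split("."), resource.split(".")

    def match(i: int, j: int) -> bool:
        if i == len(gq):
            return j == len(rq)
        if gq[i] == "**":
            return any(match(i + 1, k) for k in range(j, len(rq) + 1))
        return j < len(rq) and fnmatch.fnmatchcase(rq[j], gq[i]) and match(i + 1, j + 1)

    return match(0, 0)


if __name__ == "__main__":
    # Constructed sample request: Manager connecting to 10.23.90.2:7887 as TSO555 (Example 1).
    name = remote_access_profile("10.23.90.2", 7887, "tso555")
    print(name, profile_covers("UCMD.I010023090002.*.*", name))
```

The allocation qualifiers in the stdio call (for instance `DPROD.PAYROLL.DATA` following the `DPROD.**` pattern in Example 4) are supplied by the caller, since this page does not list the allocation formats.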