Secure the Performance Metrics Services

Secure the monitoring of the IDMS REST API Performance Metrics information with your external security manager.
To enable secure monitoring of performance metrics information for an IDMS system, use an external security manager (ESM), such as CA Top Secret (TSS), IBM Resource Access Control Facility (RACF), or CA ACF2, to define a security class and resource that identifies the target system and grants permission to that resource through a user profile.
An unauthorized user that attempts to monitor the system is denied access and receives an HTTP 403 return code.
The Performance Metrics services are protected by the following system authorization facility (SAF) resource:
CLASS: IDMSAPI
RESOURCE: SYST.
<IdmsSystemJobName>
Follow these steps:
To secure externally-monitored services for a given IDMS system, perform the following steps. See the example that follows for a detailed illustration.
  1. Add external security product definitions by creating a resource class, such as IDMSAPI. Follow the pattern SYST.<
    IdmsSystemJobName>
    for resource names.
    The target IDMS system name can be either the JOB name or the started task name (STC) of the target IDMS system startup job.
  2. Assign ownership to the resource name.
  3. Grant permission to the user that will monitor the IDMS system.
Example Using Top Secret
The following example is based on a scenario that uses Top Secret as the external security manager. Because the parameters shown in the steps will vary by installation, modify the information you enter as necessary for your ESM and environment.
You can use wildcard masking. For example, in steps 2 and 3 you can specify all systems on an LPAR to TSS as IDMSAPI(SYST.)
  1. Add external security product definitions to TSS:
    TSS ADDTO(RDT) RESCLASS(IDMSAPI) RESCODE(120) ACLST(ALL,READ) DEFACC(READ)
  2. For each IDMS system to be monitored, add the following to assign ownership to the resource name:
    TSS ADD(user02) IDMSAPI(SYST.SYSTEM74)
  3. For each user, add the following to grant permissions to monitor the external system:
    TSS PERMIT(user10)IDMSAPI(SYST.SYSTEM74) ACCESS(READ)