Implementing SmartTrace Security

Valid for
NetMaster NM for TCP/IP
The SmartTrace feature lets users capture and view IP packets flowing into and out of your z/OS systems, including the data carried in each packet.
Two levels of security apply to SmartTrace:
Using SmartTrace
-- To use SmartTrace, the user's UAMS definition, or the group definition the user belongs to, must have a TCP/IP Services value of 2. This setting permits the user to define, delete, start and stop traces, and to view the headers of any traced packet. It does not by itself permit viewing packet payloads.
Viewing Packet Data
-- Because IP packets can contain sensitive information (credentials, session data, application payloads), a further level of authority is required for users to view packet payload data. Your external security system (ACF2 for z/OS, Top Secret for z/OS, or RACF) must grant this authority. The user must have READ access to NETMSTR.PKTTRACE.region, where region is the region ACB name, as specified in the PRI= parameter in the RUNSYSIN member. A user without this access can still control traces and see headers, but not payloads.

Grant Access to SmartTrace Data Using Top Secret
To set up definitions to allow access to SmartTrace in your region with ACB NMTEST, issue the following commands (dept is the department that will own the NETMSTR resource prefix). The PERMIT with ACCESS(NONE) on the generic NETMSTR.PKTTRACE.* establishes a default of no access to any region's trace data, so that access must be granted region by region:
TSS ADD(dept) IBMFAC(NETMSTR)
TSS PERMIT(USER1) IBMFAC(NETMSTR.PKTTRACE.*) ACCESS(NONE)
To permit user USER1 to access SmartTrace data in region NMTEST, issue the following command. The region checks for READ; Top Secret access levels are hierarchical, so CONTROL includes READ:
TSS PERMIT(USER1) IBMFAC(NETMSTR.PKTTRACE.NMTEST) ACCESS(CONTROL)

Grant Access to SmartTrace Data Using ACF2

To set up definitions to allow access to SmartTrace in your region with ACB NMTEST, enter the ACF command, set the resource type to FAC, and compile a rule for the generic key. A rule with no entries grants nothing, so this establishes a default of no access to any region's trace data:
ACF
SET RESOURCE(FAC)
COMPILE *
$KEY(NETMSTR.PKTTRACE.*) TYPE(FAC)
STORE
To permit user USER1 to access SmartTrace data in region NMTEST, compile and store a rule for the region's own key. The rule entry is written in the standard ACF2 resource-rule form, where USER1 stands for the UID string that identifies the user at your installation:
COMPILE *
$KEY(NETMSTR.PKTTRACE.NMTEST) TYPE(FAC)
 UID(USER1) SERVICE(READ) ALLOW
STORE
END

Grant Access to SmartTrace Data Using RACF

To set up definitions to allow access to SmartTrace in your region with ACB NMTEST, issue the following commands. The generic profile NETMSTR.PKTTRACE.* with UACC(NONE) denies payload access to every region by default; the discrete profile for NMTEST is the one you will PERMIT against. Generic profiles in the FACILITY class require generic profile checking to be active for that class (SETROPTS GENERIC(FACILITY)):
RDEFINE FACILITY NETMSTR.PKTTRACE.* UACC(NONE)
RDEFINE FACILITY NETMSTR.PKTTRACE.NMTEST UACC(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
To permit user USER1 to access SmartTrace data in region NMTEST, issue the following command. Because the FACILITY class is RACLISTed, the PERMIT does not take effect until the in-storage profiles are refreshed, so the REFRESH must be repeated afterwards:
PERMIT NETMSTR.PKTTRACE.NMTEST CLASS(FACILITY) ID(USER1) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
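The following is an added worked example, not NetMaster, RACF or any ESM code. It models the two levels of SmartTrace authority described at the top of this page (TCP/IP Services value 2 for trace control, plus READ on NETMSTR.PKTTRACE.region for payload data) and replays the RACF commands from this section against a simplified FACILITY class. The simplifications are assumptions of the model: a '*' qualifier in a generic profile matches exactly one qualifier, the matching profile with the most non-wildcard qualifiers wins, access is the user's PERMIT entry on that profile or else its UACC, a resource with no profile is treated as NONE, and while the class is RACLISTed authorization uses the in-storage copy, so a PERMIT only counts after a refresh. The users USER1, USER2 and USER3 and the region name NMPROD are constructed for the example.

```python
"""Model of SmartTrace's two authorization levels and RACF FACILITY matching.

Added example, not product code. Behaviour is simplified as described in the
lead-in above; see the comments on each method for what is assumed.
"""
from copy import deepcopy
from dataclasses import dataclass, field

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def access_rank(level: str) -> int:
    """Position in the access hierarchy, so levels can be compared."""
    return ACCESS_LEVELS.index(level)


@dataclass
class Profile:
    name: str                                   # e.g. NETMSTR.PKTTRACE.NMTEST
    uacc: str = "NONE"
    permits: dict = field(default_factory=dict)  # userid -> access level

    def matches(self, resource: str) -> bool:
        # Assumption: '*' matches exactly one qualifier, nothing crosses a period.
        pq, rq = self.name.split("."), resource.split(".")
        return len(pq) == len(rq) and all(p in ("*", r) for p, r in zip(pq, rq))

    def specificity(self) -> int:
        # Discrete profiles (no '*') are the most specific and win.
        return sum(q != "*" for q in self.name.split("."))


class FacilityClass:
    """RACF-style FACILITY class with a RACLISTed in-storage copy."""

    def __init__(self, raclisted: bool = True):
        self.database: dict[str, Profile] = {}   # the RACF database
        self.raclisted = raclisted
        self.in_storage: dict[str, Profile] = {}  # what authorization actually reads

    def rdefine(self, name: str, uacc: str = "NONE") -> None:
        self.database[name] = Profile(name, uacc)

    def permit(self, name: str, userid: str, access: str) -> None:
        self.database[name].permits[userid] = access   # database only, not in-storage

    def setropts_raclist_refresh(self) -> None:
        self.in_storage = deepcopy(self.database)

    def best_profile(self, resource: str):
        source = self.in_storage if self.raclisted else self.database
        candidates = [p for p in source.values() if p.matches(resource)]
        return max(candidates, key=Profile.specificity) if candidates else None

    def access(self, userid: str, resource: str) -> str:
        profile = self.best_profile(resource)
        if profile is None:
            return "NONE"   # assumption: no profile is treated as no access (fail closed)
        return profile.permits.get(userid, profile.uacc)


@dataclass
class NetMasterUser:
    userid: str
    tcpip_services: int   # UAMS 'TCP/IP Services' value


def can_control_trace(user: NetMasterUser) -> bool:
    """Level 1: define/delete/start/stop traces and view packet headers."""
    return user.tcpip_services == 2


def can_view_payload(user: NetMasterUser, region: str, facility: FacilityClass) -> bool:
    """Level 2: level 1 plus READ (or higher) on NETMSTR.PKTTRACE.<region>."""
    if not can_control_trace(user):
        return False
    resource = f"NETMSTR.PKTTRACE.{region}"
    return access_rank(facility.access(user.userid, resource)) >= access_rank("READ")


def build_example_facility() -> FacilityClass:
    """Replays this page's RACF commands, stopping before the final REFRESH."""
    fac = FacilityClass(raclisted=True)
    fac.rdefine("NETMSTR.PKTTRACE.*", uacc="NONE")
    fac.rdefine("NETMSTR.PKTTRACE.NMTEST", uacc="NONE")
    fac.setropts_raclist_refresh()
    fac.permit("NETMSTR.PKTTRACE.NMTEST", "USER1", "READ")
    return fac   # the PERMIT is in the database but not yet in storage


if __name__ == "__main__":
    fac = build_example_facility()
    user1 = NetMasterUser("USER1", 2)
    print(can_view_payload(user1, "NMTEST", fac))   # False: PERMIT not refreshed yet
    fac.setropts_raclist_refresh()
    print(can_view_payload(user1, "NMTEST", fac))   # True
    print(can_view_payload(user1, "NMPROD", fac))   # False: generic profile, UACC(NONE)
    print(can_view_payload(NetMasterUser("USER1", 1), "NMTEST", fac))  # False: no level 1
```

Running the block shows the two checks a practitioner usually trips over: the PERMIT against a RACLISTed class is invisible until SETROPTS RACLIST(FACILITY) REFRESH, and access to one region's trace data (NMTEST) says nothing about another region (NMPROD), which falls through to the generic profile and its UACC(NONE).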