Security Requirements

This section describes the security requirements pertinent to installing Web Viewer.
Logging In
Web Viewer runs as a deployed application under a web application server. Users log in to Web Viewer using the z/OS credentials for the system where the web application server is running. Access to CA View repositories and reports is controlled by z/OS and CA View, based on the user that logged in to Web Viewer.
Web Viewer provides an open API that implements security at the operation level through authentication and authorization checks. If you require additional security mechanisms, implement these mechanisms externally to the application.
Requirement for Web Application Server Id
The id (ACID) of the web application server requires READ access to the IBM FACILITY entity BPX.SERVER and the SURROGATE FACILITY entity BPX.SRV.userid.
  • Specify the userid for the user that requires access to Web Viewer. To give access to all users, specify ** as the userid.
  • RACF requires that both the logged in user and the id (ACID) of the web application server have access to CA View repositories and reports.
Requirement for Web Viewer Users
Web Viewer users require an OMVS segment and READ access to applid OMVSAPPL to log in to the product.
Repository Administrative Authority
To manage repositories and repository groups in Web Viewer, you must have Repository Administrative Authority. Grant Repository Administrative Authority only to users who need to manage repositories or repository groups. Repository Administrative Authority for Web Viewer requires the following access:
  • Resource Class: CHA1VIEW
  • Resource Type: WEBVWR.ADMIN
  • Access: READ
Example: Security Rule
TSS PERMIT(acid) CHA1VIEW(WEBVWR.ADMIN) ACCESS(READ)
Repository Groups
Authorization for a repository group in Web Viewer requires the following access:
  • Resource Class: CHA1VIEW
  • Resource Type: WEBVWR.GROUP.<grpname>
  • Access: READ
Example: Security Rule
TSS PERMIT(acid) CHA1VIEW(WEBVWR.GROUP.TEST) ACCESS(READ)
SMF Records
If you want Web Viewer to create SMF records to monitor usage, appropriate security permissions are required for the IBM BPX1SMF service. Both the Web Viewer application server and the logged in user must have permission to the BPX.SMF resource profile in the FACILITY class.
RACF Surrogate
RACF users must define the RACF SURROGAT class to allow the web application server to run processes as the signed on user. See the following sample commands to define the RACF SURROGAT class:
SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT) GENERIC(SURROGAT)
RDEFINE SURROGAT BPX.SRV.** UACC(NONE)
PERMIT BPX.SRV.** CLASS(SURROGAT) ACCESS(READ) ID(serverid)
  • serverid is the id (ACID) of the web application server where Web Viewer is deployed
Use the following sample command to apply the changes to your RACF environment.
SETROPTS GENERIC(SURROGAT) RACLIST(SURROGAT) REFRESH
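The SURROGAT profile name decides how many users the web application server may act as: BPX.SRV.userid covers one user, while the BPX.SRV.** form used in the sample above (and described under "Requirement for Web Application Server Id") covers every user on the system. The following Python script is an added illustration, not part of the Web Viewer documentation; it models RACF generic-profile matching (the rules used here, where ** matches zero or more qualifiers, * matches one qualifier and % matches one character, are an assumption that approximates RACF naming) and reports which userids a given SURROGAT profile would let the server impersonate, so you can review the scope of a profile before defining it.

```python
"""Scope check for SURROGAT BPX.SRV.* profiles (added example, not product code).

Assumption: the matcher approximates RACF generic naming as follows:
  '**'  matches zero or more qualifiers,
  '*'   matches exactly one qualifier (or, inside a qualifier, any trailing characters),
  '%'   matches a single character within a qualifier.
"""
from __future__ import annotations


def _qual_match(pattern: str, qual: str) -> bool:
    """Match a single qualifier of a profile against a resource qualifier."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):  # e.g. WEBV* covers WEBV01, WEBVX
        prefix = pattern[:-1]
        return len(qual) >= len(prefix) and _qual_match(prefix, qual[: len(prefix)])
    if len(pattern) != len(qual):
        return False
    return all(p == "%" or p == q for p, q in zip(pattern, qual))


def profile_matches(profile: str, resource: str) -> bool:
    """True if the (possibly generic) profile covers the resource name."""
    pq = profile.upper().split(".")
    rq = resource.upper().split(".")

    def rec(i: int, j: int) -> bool:
        if i == len(pq):
            return j == len(rq)
        if pq[i] == "**":  # zero or more qualifiers
            return any(rec(i + 1, k) for k in range(j, len(rq) + 1))
        if j == len(rq):
            return False
        return _qual_match(pq[i], rq[j]) and rec(i + 1, j + 1)

    return rec(0, 0)


def surrogate_targets(profiles: list[str], userids: list[str]) -> dict[str, list[str]]:
    """For each SURROGAT profile, list the userids the server could act as."""
    return {
        p: sorted(u for u in userids if profile_matches(p, f"BPX.SRV.{u}"))
        for p in profiles
    }


def is_overbroad(profile: str, userids: list[str]) -> bool:
    """A profile is over-broad when it covers more than one of the known userids."""
    return len(surrogate_targets([profile], userids)[profile]) > 1


if __name__ == "__main__":
    # Constructed sample userids; real installations would read these from RACF.
    sample_users = ["JSMITH", "ADOE", "OPER1", "WEBV01"]
    for prof in ["BPX.SRV.**", "BPX.SRV.JSMITH", "BPX.SRV.WEBV%%"]:
        covered = surrogate_targets([prof], sample_users)[prof]
        flag = "OVER-BROAD" if is_overbroad(prof, sample_users) else "scoped"
        print(f"{prof:18} -> {covered} ({flag})")
```

Run it as a script to see that BPX.SRV.** is flagged while BPX.SRV.JSMITH is scoped to a single user; the same profile_matches function can be reused to check CHA1VIEW resource names such as WEBVWR.GROUP.<grpname> against a proposed generic profile.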
RACF Program Control
If you use RACF Program Control, use the following sample commands to add the modules that are used by Web Viewer to program control:
To add the CCS libraries to program control:
RALTER PROGRAM * ADDMEM('YourCCSHLQ.CAW0PLD'//NOPADCHK)
To add the CA View libraries to program control:
RALTER PROGRAM * ADDMEM('YourCAViewHLQ.CVDELOAD'//NOPADCHK)
(Optional) To add the CA Spool libraries to program control:
RALTER PROGRAM * ADDMEM('YourCASpoolHLQ.CBQ4LOAD'//NOPADCHK)
Use the following sample command to apply the changes to your RACF environment.
SETROPTS REFRESH WHEN(PROGRAM)