Tivoli® zSecure Visual Client Manual, Version 1.11.0, SC23-6548-03


Note: Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 117.

November 2009

This edition applies to version 1, release 11, modification 0 of IBM Tivoli zSecure Visual (product number 5655-T09) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1998, 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this publication
• Intended audience
• What this publication contains
• Publications
• Tivoli zSecure library
• Accessing terminology online
• Accessing publications online
• Ordering publications
• Accessibility
• Tivoli technical training
• Tivoli user groups
• Support for problem solving
• Conventions used in this publication
• Typeface conventions

Chapter 1. Using IBM Tivoli zSecure Visual
• Release information
• Logging on
• Logging off
• Exiting
• Turning off the server definition name
• Viewing the log files
• Using Communication window
• Setting options
• Setting interface authorizations
• Setting the date format
• Dragging and dropping
• Copying and pasting
• Using the toolbar
• Using the right mouse button
• Defining names
• Changing column sequences
• Exporting table data
• Printing
• Print Preview
• Deciding which tables to print
• Viewing the Server Information dialog
• Understanding the ? character

Chapter 2. Navigating through the RACF database
• Using the Find dialog
• Ambiguous Class selection
• Viewing Connected users and groups
• Viewing the groups
• Selecting resources for a specific userid or group with the Permits function
• Using Scope
• Using Scope *
• Using RACF SETROPTS Settings
• Viewing Access List
• Viewing Effective Access List
• Viewing the Member list
• Finding classes with the Select class dialog

Chapter 3. User management
• User table
• User properties
• Duplicating a user
• Deleting a user
• Resuming a user
• Disabling a user
• Enabling a user
• Setting passwords
• Setting a default password
• Removing the default password
• About Schedules
• Viewing and editing schedules
• Adding a schedule interval
• Repeating a schedule interval
• Deleting a schedule interval
• About Mappings
• Viewing Mappings

Chapter 4. Group management
• Group table
• Group properties
• Adding a subgroup
• Duplicating a group
• Deleting a group

Chapter 5. Connect management
• Connects table
• Viewing and changing Connect properties
• Creating a connect
• About Attributes gSpec, gOper and gAud
• About drag-and-drop and copy-paste
• Deleting a connect
• Copying, merging, and moving connects

Chapter 6. Resource management
• Resource profiles
• Resource table
• Mapping information
• Adding a resource profile
• Duplicating a resource profile
• Editing Resource profile properties
• Deleting a resource profile
• Access List
• Adding a user or group to an access list
• Editing an access list entry
• Deleting an access list entry
• Members
• Profile members
• Viewing and changing a member list
• Adding a member
• Editing a member
• Deleting a member
• Refreshing a class

Chapter 7. Segment management
• Authorities and settings required to manage segments
• Viewing and editing segment types
• Application segments
• Viewing the segment list
• Using the Segment Detail window
• Adding a segment
• Exceptions
• Segment field
• Segments of general resource profiles
• Segments of group profiles
• Segments of user profiles
• Consulting IBM books

Chapter 8. Maintenance
• Maintaining client definitions
• Batch-adding of Client definitions
• Upload of a client definition to IBM Tivoli zSecure Visual

Chapter 9. Setup and configuration
• Prerequisites for installation
• IBM Tivoli zSecure Visual installation
• Conducting typical installation
• Conducting compact Installation
• Conducting custom Installation
• Maintaining Tivoli zSecure Visual
• Uninstalling IBM Tivoli zSecure Visual
• Modifying IBM Tivoli zSecure Visual
• Repairing IBM Tivoli zSecure Visual
• Upgrade of IBM Tivoli zSecure Visual
• IBM Tivoli zSecure Visual configuration
• Adding and editing a server definition
• Copying of a server definition
• Automated Setup and Configuration
• Running the setup with predefined or default settings
• Configuration file
• Silent installation
• Automation of the upgrade path

Appendix A. Support information
• Searching knowledge bases
• Available technical resources
• Searching with support tools
• Searching tips
• Obtaining fixes
• Receiving weekly support updates
• Registering with IBM Software Support
• Contacting IBM Software Support
• Determining the business impact
• Describing problems and gathering information
• Submitting problems

Appendix B. Notices
• Trademarks

Glossary

Index

About this publication

IBM Tivoli zSecure Visual enables decentralized administrators to manage mainframe security and administration from a Microsoft® Windows® workstation through a Windows interface to the mainframe server. The product has two components: IBM Tivoli zSecure Visual Server and IBM Tivoli zSecure Visual Client. This publication describes how to install, configure, and use IBM Tivoli zSecure Visual Client.

Note: Information about setting up and configuring IBM® Tivoli® zSecure Visual Server on a z/OS® system is available in the IBM Tivoli zSecure Visual: Server Manual.

Intended audience

This publication is for administrators and system programmers responsible for RACF® administration and security.

Readers need to be familiar with RACF administrative tasks and using Microsoft Windows-based applications. This publication assumes that the IBM Tivoli zSecure Visual Server mainframe component is installed and configured.

What this publication contains

This publication contains the following chapters:

• Chapter 1, “Using IBM Tivoli zSecure Visual”
  Provides the basic operating procedures for using IBM Tivoli zSecure Visual.
• Chapter 2, “Navigating through the RACF database”
  Describes the different options to work in the database.
• Chapter 3, “User management”
  Explains how IBM Tivoli zSecure Visual manages users.
• Chapter 4, “Group management”
  Describes how IBM Tivoli zSecure Visual manages groups.
• Chapter 5, “Connect management”
  Explains the connection relationship between users and groups.
• Chapter 6, “Resource management”
  Describes how to manage resource profiles.
• Chapter 7, “Segment management”
  Explains application segments and how to manage these segments.
• Chapter 8, “Maintenance”
  Describes how to maintain client definitions.
• Chapter 9, “Setup and configuration”
  Describes the installation, configuration, maintenance, and removal of IBM Tivoli zSecure Visual from the client side.
• Chapter 10, “Problem determination”
  Describes the Communication window and log files that help diagnose problems when using IBM Tivoli zSecure Visual.
• Appendix A, “Support information”
  Provides information about obtaining support for IBM products.

Publications

This section lists publications in the Tivoli zSecure library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

Tivoli zSecure library

This section lists publications in the Tivoli zSecure library and related documents.

• Tivoli zSecure: Release Information
  For each product release, the Release Information topics provide information on new features and enhancements, incompatibility warnings, and documentation update information for the Tivoli zSecure products. You can obtain the most current version of the release information from the Tivoli zSecure Information Center http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc/releaseinfo/releaseinformation.html. This information is also available on the Tivoli zSecure Documentation CD.

• IBM Tivoli zSecure CARLa-Driven Components: Installation and Deployment Guide, SC23-6556-04
  Provides information about installing and configuring the following IBM Tivoli zSecure components:
  1. Tivoli zSecure Admin
  2. Tivoli zSecure Audit for RACF, ACF2 and Top Secret
  3. Tivoli zSecure Alert for RACF and ACF2
  4. Tivoli zSecure Visual for RACF
  5. Tivoli Compliance Insight Manager Enabler for z/OS

• IBM Tivoli zSecure Admin and Audit for RACF: Getting Started, GI11-8184-04
  Provides a hands-on guide introducing IBM Tivoli zSecure Admin and IBM Tivoli zSecure Audit product features and user instructions for performing standard tasks and procedures. This manual is intended to help new users develop both a working knowledge of the basic Tivoli zSecure Admin and Audit for RACF system functionality and the ability to explore the other product features that are available.

• IBM Tivoli zSecure Admin and Audit for RACF: User Reference Manual, LC23-6592-02
  Describes the product features for IBM Tivoli zSecure Admin and IBM Tivoli zSecure Audit. Includes user instructions to run the features from ISPF panels, RACF administration and audit user documentation with both general and advanced user reference material for the CARLa command language and the SELECT/LIST fields. This manual also provides troubleshooting resources and instructions for installing the zSecure Collect for z/OS component. This publication is only available to licensed users.

• IBM Tivoli zSecure Audit for ACF2: User Reference Manual, LC23-6546-03
  Explains how to use IBM Tivoli zSecure Audit for ACF2 for mainframe security and monitoring. For new users, the guide provides an overview and conceptual information about using ACF2 and accessing functionality from the ISPF panels. For advanced users, the manual provides detailed reference information including message and return code lists, troubleshooting tips, information on using zSecure Collect for z/OS, and details about user interface setup. This publication is only available to licensed users.

• IBM Tivoli zSecure Audit for ACF2: Getting Started, GI11-8183-04
  Describes the IBM Tivoli zSecure Audit for ACF2 product features and provides user instructions for performing standard tasks and procedures such as analyzing Logon ids, Rules, and Global System Options, and running reports. The manual also includes a list of common terms for those not familiar with ACF2 terminology.

• IBM Tivoli zSecure Audit for Top Secret: User Reference Manual, LC23-9746-01
  Describes the Tivoli zSecure Audit for Top Secret product features and provides user instructions for performing standard tasks and procedures.

• IBM Tivoli zSecure Alert: User Reference Manual, SC23-6547-05
  Explains how to install, configure, use, and troubleshoot IBM Tivoli zSecure Alert, a real-time monitor for z/OS systems protected with the Security Server (RACF) or CA-ACF2.

• IBM Tivoli zSecure Visual: Client Manual, SC23-6548-03
  Explains how to set up and use the Tivoli zSecure Visual Client to perform RACF administrative tasks from the Windows-based GUI.

• IBM Tivoli zSecure Visual: Server Manual, SC23-6549-03
  Explains how to set up and configure the IBM Tivoli zSecure Visual Server on a z/OS system, which allows users to perform decentralized RACF administrative tasks from the Tivoli zSecure Visual Client.

• IBM Tivoli zSecure Command Verifier: User Guide, SC23-6550-03
  Explains how to install and use IBM Tivoli zSecure Command Verifier to protect RACF mainframe security by enforcing RACF policies as RACF commands are entered.

• IBM Tivoli zSecure CICS Toolkit: User Guide, SC23-6551-02
  Explains how to install and use IBM Tivoli zSecure CICS Toolkit to provide RACF administration capabilities from the CICS® environment.

• IBM Tivoli zSecure: Messages Guide, GC23-9747-01
  Provides a message reference for all Tivoli zSecure components. This guide describes the message types associated with each product or feature; lists all Tivoli zSecure product messages and errors along with their severity levels sorted by message type; and provides an explanation and any additional support information for each message.

• IBM Tivoli zSecure: Quick Reference Booklet, SC23-6558-02
  This booklet summarizes the commands and parameters for the following IBM Tivoli zSecure Suite components: Admin, Audit, Alert, Collect, and Command Verifier. Obsolete commands are omitted.

• IBM Tivoli zSecure: Documentation CD, LCD7-1387-06
  Provides the IBM Tivoli zSecure Information Center which includes all Tivoli zSecure documentation, licensed and unlicensed. The documentation CD is only available to licensed users.

• Program Directory: Tivoli zSecure Suite CARLa-driven components
  This program directory is intended for the system programmer responsible for program installation and maintenance. It contains information concerning the material and procedures associated with the installation of IBM Tivoli zSecure CARLa-Driven Components: Admin, Audit, Visual, Alert and the Compliance Insight Manager Enabler. Program directories are provided with the product tapes. You can also download the latest copy from the Tivoli zSecure Information center available at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc/releaseinfo/releaseinformation.html.

• Program Directory: Tivoli zSecure CICS Toolkit
  This program directory is intended for the system programmer responsible for program installation and maintenance. It contains information concerning the material and procedures associated with the installation of IBM Tivoli zSecure CICS Toolkit. This publication refers to IBM Tivoli zSecure CICS Toolkit as CICS Toolkit. Program directories are provided with the product tapes. You can also download the latest copy from the Tivoli zSecure Information center available at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc/releaseinfo/releaseinformation.html.

• Program Directory: Program Directory for Tivoli zSecure Command Verifier
  This program directory is intended for the system programmer responsible for program installation and maintenance. It contains information concerning the material and procedures associated with the installation of IBM Tivoli zSecure Command Verifier. This publication refers to IBM Tivoli zSecure Command Verifier as Tivoli zSecure Command Verifier. Program directories are provided with the product tapes. You can also download the latest copy from the Tivoli zSecure Information center available at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc/releaseinfo/releaseinformation.html.

Accessing terminology online

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. This glossary is available at http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm.

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at http://www.ibm.com/software/globalization/terminology.

Accessing publications online

The documentation CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. Refer to the readme file on the CD for instructions on how to access the documentation.

The product CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. To access the publications using a Web browser, open the infocenter.html file. The file is in the appropriate publications directory on the product CD.

IBM posts publications for this product and all other Tivoli products as they become available and whenever updated, to the Tivoli Information Center Web site at http://publib.boulder.ibm.com/infocenter/tivihelp/v15r1/topic/com.ibm.itm.doc/welcome.htm.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe® Reader to print letter-sized pages on your local paper.

Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:

• In the United States: 800-879-2755
• In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:

1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Licensed publications

Licensed publications are indicated by a publication number that starts with L (LC23-6592-02, for example). To obtain PDF or printed copies of licensed publications, submit an IBM Customer Support problem report that contains the following information:

• IBM Customer number
• List of publication numbers that you want to order
• Preferred contact information

For details, see “Support for problem solving” on page x.

Accessibility

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use software products successfully. For keyboard access in the Tivoli zSecure z/OS products, standard shortcut and accelerator keys are used by the product, where applicable, and are documented by the operating system. Refer to the documentation provided by your operating system for more information.

Visit the IBM Accessibility Center at http://www.ibm.com/alphaworks/topics/accessibility/ for more information about IBM’s commitment to accessibility.

Tivoli technical training

For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www-01.ibm.com/software/tivoli/education/

Tivoli user groups

Tivoli user groups are independent, user-run membership organizations that provide Tivoli users with information to assist them in the implementation of Tivoli Software solutions. Through these groups, members can share information and learn from the knowledge and experience of other Tivoli users. Tivoli user groups include the following members and groups:

• 23,000+ members
• 144+ groups

Access the link for the Tivoli Users Group at http://www.tivoli-ug.org/.

Support for problem solving

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
  Go to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support Assistant
  The IBM Support Assistant (ISA) is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. To install the ISA software, go to http://www.ibm.com/software/support/isa.

For more information about IBM support, see Appendix A, “Support information,” on page 111.

Conventions used in this publication

This publication uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions

This publication uses the following typeface conventions:

Bold
• Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
• Interface controls such as check boxes, press buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, and property sheets, labels such as Tip:, and Operating system considerations:
• Keywords and parameters in text

Italic
• Citations (examples: titles of publications, diskettes, and CDs)
• Words defined in text (example: a nonswitched line is called a point-to-point line)
• Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
• New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
• Variables and values you must provide.

Monospace
• Examples and code examples
• File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
• Message text and prompts addressed to the user
• Text that the user must type
• Values for arguments or command options

Chapter 1. Using IBM Tivoli zSecure Visual

IBM Tivoli zSecure Visual maintains an IBM RACF security database from a Windows workstation. This topic provides the basic operating procedures for using IBM Tivoli zSecure Visual.

This chapter contains the following topics:

• “Release information”
• “Logging on”
• “Logging off”
• “Exiting”
• “Turning off the server definition name”
• “Using Communication window”
• “Setting options”
• “Setting interface authorizations”
• “Setting the date format”
• “Dragging and dropping”
• “Copying and pasting”
• “Using the toolbar”
• “Using the right mouse button”
• “Defining names”
• “Changing column sequences”
• “Exporting table data”
• “Printing”
• “Print Preview”
• “Deciding which tables to print”
• “Viewing the Server Information dialog”
• “Understanding the ? character”

Release information

The Tivoli zSecure Release Information topics include details on new features and enhancements, incompatibility warnings, and documentation update information. You can download the most current version of the release information from the following link in the Tivoli zSecure Information Center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc/welcome.htm. This information is also available on the Tivoli zSecure Documentation CD.

Logging on

After starting the program, you must log on to RACF so that IBM Tivoli zSecure Visual tells the CKGRACF program on the mainframe to report your access to certain commands. This access loads schedule names and disables certain features. The CKG profiles control your access. The program then loads the class descriptor table so that it can present a list of all classes defined on the complex. Follow these steps to log on to the mainframe:

1. Select File > Logon from the main menu to access IBM Tivoli zSecure Visual, or click Logon from the toolbar.
2. Enter your mainframe userid and password combination. Or,
3. Select New Password to change your password.
4. Confirm your new password.

Note: If this logon is the first time you connect to the server, it takes time to set up a cryptographically secure communication channel.

After your logon succeeds, the Find dialog window displays. To use the Find dialog to display or change the users, groups, or resources, follow these steps:

1. Select User, Group, or resource from the Class dropdown list.
2. Type a user, group, or resource name in the Search field.
3. Click OK. A search result window displays the user, group, or resource you are looking for.

To view what the user, group, or resource connects to, follow these steps:

1. Select a specific user, group, or resource from the search result window.
2. Select Navigate > Connects. A Connects window displays all users, groups, or resources related to this specific user, group, or resource.
3. Double-click any of the users, groups, or resources in the Connects window to see its properties.

Logging off

After finishing your tasks, select File > Logoff from the main menu to log off IBM Tivoli zSecure Visual. Close all windows containing the mainframe information.

Exiting

To exit IBM Tivoli zSecure Visual, follow these steps:

1. Select File > Exit from the main menu.
2. Specify whether the program prompts for a confirmation on exit in the Option dialog.

For more information, see the section “Setting options” on page 5. If you press Exit while you are still logged on to IBM Tivoli zSecure Visual, the program logs off before exiting.

Figure 1. Logon dialog.

Turning off the server definition name

The IBM Tivoli zSecure Visual client includes the server definition name in the application title. The server definition name is between square brackets. By default, the application turns on the server definition name during logon and turns it off during logoff, but you can turn off this feature. To turn off the server definition name in the application title, follow these steps:

1. Go to the application folder. The default directory is C:\Program Files\IBM\Tivoli zSecure Visual\1.11\.
2. Create a text file named c2racv.cfg.
3. Add option:

   ShowHost=No

4. Save the file.
5. Exit and log on again for the change to take effect.

Viewing the log files

The zSecure Visual client provides log files in the directory <ApplicationDirectory>\Servers\<ServerName>\ClientLogs. This directory contains the following log files:

• SYSPRINT.log
• CKGPRINT.log
• SYSTERM.log
• Requests.log
• About.log

These log files display errors, warnings, and informational messages that can help you locate the source of a problem and diagnose its severity. Refer to IBM Tivoli zSecure: Messages Guide for extra help. You must provide these log files when reporting problems related to the zSecure Visual client.

You can view the latest updates contained in these log files from the tabs of the Communication window GUI. For more information about these log files, see “Using Communication window” on page 4.

The directory <ApplicationDirectory>\Servers\<ServerName> contains the log files called cesys and ceaud. These log files provide information on the communication layer between the client and server. Though this information is not for user interpretation, it is very useful for development to diagnose communication-related problems. You must provide these log files when reporting problems.

For information about the messages and possible resolutions, see IBM Tivoli zSecure: Messages Guide.


Using Communication window

Communication window enables you to view most of the information exchanged between the zSecure Visual client and the components and programs on the mainframe side, that is, the zSecure Visual server, CKRCARLA, CKGRACF, and RACF. In general, the client issues requests for the CKRCARLA and CKGRACF programs to obtain information about the client and modify the RACF database. You can use Communication window to view real time logs on the client requests and their results.

Follow these steps to view Communication window:
1. Display Communication window, using one of the following options:
   - From the main menu, select View > Communication window; or,
   - Select the Communication button on the toolbar. This button always puts Communication window on top.
2. Select the Request tab to see all requests issued by the client, which are the latest CARLa commands, CKGRACF commands, and commands sent to the server. You can find the commands sent to the server under the extension section of this tab.
3. Select the SYSTERM tab to see the messages resulting in RC of 12 or higher and a number of status messages.
   - If the most recent request is for CKRCARLA, the SYSPRINT tab contains the detailed SYSPRINT output of the CKRCARLA program. The SYSPRINT output is CKRCARLA listings and critical and informational messages. This information helps locate the command causing problems.
   - If the most recent request is for CKGRACF, the CKGPRINT tab contains the detailed CKGPRINT output of the CKGRACF program. The CKGPRINT output is CKGRACF commands and messages. It helps locate the command causing problems. You can also view messages returned directly from RACF.
4. Select the About tab to see aggregated client and server information. You can copy and paste this information as text. From this tab, you can find:
   - Client information: the specific version of zSecure Visual client and information about the building of the GUI and its engine.
   - Server information. See “Viewing the Server Information dialog” on page 11.
   - Copyright notice.

You can print the information found in Communication window and export it to a rich text format (.rtf). See “Printing” on page 10 and “Exporting table data” on page 10.


Setting options

Use the Option dialog to specify how you want to display IBM Tivoli zSecure Visual. Follow these steps to set the options:
1. Select View > Options from the main menu.
2. (Optional) Change any of the General behaviors:

   Confirm exit
      Specifies whether the program has to prompt for confirmation on exit or exit directly.

   Find window always on top
      Specifies whether the Find dialog remains on top or closes after every search.

   Interface level
      Determines which part of the functionality of IBM Tivoli zSecure Visual is available and shown to the user.

3. (Optional) Change any of the table and grouptree behaviors:

   Date format
      You can specify two date formats: one format for all tables, where the width of the columns is an issue, and one date format for all dialogs. Select a date format from the list to get the wanted date format.

   Font selection
      You can specify two different fonts, one for the table and the group tree, the other for the dialogs. A font size must be 8 - 12 points.

4. (Optional) Change any of RACF behaviors:

   Default connect owner
      Specify who is the default owner for new connects. If you leave the Owner field blank in the connect dialog, IBM Tivoli zSecure Visual uses the owner specified here.

   Include access due to Group Operations in effective Access List
      Specifies whether the Group Operations attributes determine the effective access list. By default, this option is on.

Figure 2. Communication window


   Include access due to System Operations and Universal Groups in effective Access List
      Specifies whether the System Operations attributes and Universal Group access determine the effective access list. By default, this option is off.

      CAUTION:
      If you select this option, IBM Tivoli zSecure Visual must read the entire RACF database to create an Effective Access List. It can cause a significant drop in performance.

   Include profiles you can list
      Determines which profiles you can see and edit. When this option is on, you see the profiles you can edit and the profiles within your CKGLIST and group-auditor scope. When it is off, you see only the profiles you can edit. By default, this option is on.

5. When you finish the changes, perform one of the following steps:
   - Click Restore defaults to set the options to factory defaults.
   - Click OK to accept the changes.
   - Click Cancel to close the Options dialog window without changing the settings.

Figure 3. Options dialog


Setting interface authorizations

Use the Options dialog to adjust the interface according to your role as a user. You can select one administration level from the Interface level dropdown list. If you are not authorized to perform all functions of the particular level, the options that you cannot access are either hidden or displayed in gray.

The following options are the administration levels for you to select:

Helpdesk
   Helpdesk is the lowest level; the functionality is limited to:
   - List users
   - Resume a user
   - Set password
   - Manage schedules
   - List mapping profiles
   - View the mapping profiles of a user

Connect
   This level expands the functionality from the Helpdesk level to:
   - List groups
   - List connects
   - View the grouptree
   - Create connects
   - Change connect attributes
   - Remove connects

User
   This level expands the functionality from the Connect level to:
   - Duplicate user
   - Change properties of user
   - Mark user for deletion

Access list
   This level expands the functionality from the User level to:
   - List resources
   - List Access List
   - List effective Access List
   - Change access lists (RACF command: permit)

Group
   This level expands the functionality from the Permit level to:
   - Add subgroup
   - Duplicate group
   - Change group properties
   - Delete group

Full
   Full is currently the highest level; functionality for this level includes:
   - List member list
   - List scope
   - Create resource profile


   - Duplicate resource profile
   - Modify resource profile
   - Delete resource profile
   - Change member list
   - Segment management

Automatic
   Displays the highest administration level to which the user has access. The CKGRACF SHOW MYACCESS command determines access.

In the right field, you can select how the interface looks. If you are not authorized on the mainframe for all commands in your administration level, you can select either of the following options:

Gray desired unauthorized functions
   Display all unauthorized functions in gray.

Hide desired unauthorized functions
   Conceals all unauthorized functions. You can use this setting for further customization between different levels. You can select the higher level and remove undesired functions by refusing access to their corresponding CKG profiles on the mainframe.

CKG profiles cannot control the availability of the list commands, which are based on the administration level only.

If you change the administration level, the Find dialog changes to adapt to that level.

Setting the date format

The date format dialog specifies how dates are displayed. You can select one of the predefined formats or select Custom and build your own format.

The predefined formats are:

Windows short date
   The Windows date formats are taken from the Windows configuration settings.

Figure 4. Date format dialog


   You can change these formats by selecting Control Panel > Regional Settings > Date. The modified format affects all applications that use the format.

Windows long date
   See description of Windows short date.

CKRCARLA date format
   This format is used by the CKRCARLA program on the mainframe, which is dd mmm yyyy. This format has no special meaning or advantages.

ISO date format
   This format is yyyy-mm-dd.

If you want to change the predefined formats, you can build your own using the following characters in the format string:

d       one-digit day, two digits only if necessary
dd      two-digit day
ddd     day of week, three characters
dddd    day of week, full name
y       day of year
m       one-digit month, two digits only if necessary
mm      two-digit month
mmm     three-character month name
mmmm    full month name
yy      two-digit year
yyyy    four-digit year

You can use the characters / and - as separators, but the separator character defined in the Windows Control Panel > Regional Settings > Date can replace them. You can prevent replacement by placing a / before the character.

Dragging and dropping

Use drag-and-drop to change users or connects in the RACF database, instead of using menus, pop-up menus, or the toolbar. After every drop, a dialog or a pop-up window for confirmation displays to avoid accidental changes. With dragging and dropping you can delete and change users, and delete, change, copy, merge, and move connects. You can also change subgroups and modify access lists and member lists.

Copying and pasting

You can use Copy, Paste and Paste Special options on the main menu to perform the following tasks:
- Copy users, groups, connects, access lists, and member lists
- Create, merge, move, and copy connects

Using the toolbar

The toolbar buttons show the most frequently used menu options. When you hover the mouse cursor over each button, a yellow popup with the description displays.


Using the right mouse button

In most tables and the group tree, right-click a row to display a pop-up menu with frequently used Navigate and Action options.

Defining names

When you add new users or groups, follow these naming conventions:
- The name must be from 1 to 8 characters long.
- The characters must be the letters A-Z, number 0-9, or #, $, @.
- The name cannot start with a number.
- A group cannot have the same name as another group.
- A group name cannot have same name as an existing user ID.

Well-defined naming standards help avoid misunderstandings or conflicts between administrators.
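The naming conventions above can be checked on a batch of proposed names before they are entered in the client. The following is an added example, not code from the manual or from the product; the function names and the sample IDs are hypothetical, and it assumes lowercase letters are rejected rather than folded to uppercase.

```python
import string

# Character set and length limit exactly as listed in the naming conventions.
# Assumption: lowercase letters are treated as invalid, not folded to uppercase.
ALLOWED = set(string.ascii_uppercase + string.digits + "#$@")
MAX_LEN = 8


def name_violations(name, kind, existing_users=(), existing_groups=()):
    """Return the rules that `name` breaks; an empty list means it is acceptable.

    kind is "user" or "group". The two uniqueness rules in the list above are
    stated for groups, so they are only applied when kind == "group".
    """
    problems = []
    if not 1 <= len(name) <= MAX_LEN:
        problems.append("length must be 1 to 8 characters")
    bad = sorted(set(name) - ALLOWED)
    if bad:
        problems.append("invalid characters: " + "".join(bad))
    if name and name[0] in string.digits:
        problems.append("cannot start with a number")
    if kind == "group":
        if name in existing_groups:
            problems.append("another group already has this name")
        if name in existing_users:
            problems.append("an existing user ID already has this name")
    return problems


def review(candidates, existing_users, existing_groups):
    """Check a batch of (name, kind) pairs and keep only the ones with problems."""
    report = {}
    for name, kind in candidates:
        problems = name_violations(name, kind, existing_users, existing_groups)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    # Constructed sample data, not taken from any real RACF database.
    users = {"IBMUSER", "JSMITH"}
    groups = {"SYS1", "PAYGRP"}
    proposed = [("PAYROLL1", "group"), ("1PAYROLL", "user"),
                ("PAY-ADM", "user"), ("JSMITH", "group"), ("PAYGRP", "group")]
    for name, problems in review(proposed, users, groups).items():
        print(f"{name}: {'; '.join(problems)}")
```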

Changing column sequences

You can rearrange the columns in a table by dragging a column to where you want it so you can compare columns. The column arrangement you made becomes the default when you start the program next time.

You can also change the size of a column. Click a vertical border and move it to left or right. Double-clicking gives you the required size of a column.

Exporting table data

You can save all printable tables as Comma Separated Values format (CSV). Different programs, such as Microsoft Excel, can read this format. You can also export the communication window to an rtf format. See “Using Communication window” on page 4.

To save as a csv or rtf format, perform the following steps:
1. Select File > Save As.
2. In the Save as dialog, enter a file name. If this name exists, a warning box displays. If you do not change the name, it overwrites the original file.
3. Click Save.

Printing

You can print data and see print previews. To print data, perform the following steps:
1. From the main menu, select File > Print, or
2. On the toolbar, click the printer icon.
3. In the print dialog, select the options you want. The Current Page option is only enabled if you print from the print preview.
4. Click OK.

Every printout has a page header, which has the name of the data list on the left and IBM Tivoli zSecure Visual version number on the right, the date, and the page number.


You can print every list and export it to CSV; see “Exporting table data” on page 10.

Print Preview

To get a print preview, follow one of these options:
- Select File > Print Preview from the main menu, or
- Click the print preview icon on the toolbar.

The print preview window has the following options:
- Click Print. In the print dialog, the Current Page option is now enabled.
- Click Close to go back to the main program.
- Select PgUp or PgDown to scroll through the preview.

Deciding which tables to print

You can print the following tables:
- “User table” on page 25
- “Group table” on page 43
- “Connects table” on page 51
- “Resource profiles” on page 57
- “Selecting resources for a specific userid or group with the Permits function” on page 16
- “Viewing Access List” on page 23
- “Viewing Effective Access List” on page 23
- “Using Scope *” on page 21
- “Viewing the Member list” on page 24

If you cannot print a table, the print and preview options are not active.

Viewing the Server Information dialog

The Server Information dialog displays the information about the server you are currently logged on to. To view the server information, select Help > Server Information from the main menu. Server Information provides you with the following information:
- Release information of the server CKRCARLA and CKGRACF
- The host name of the server and its IP port
- The possibly resolved value of the C2RSERVE parameter in the zSecure configuration
- The time that the server established itself as a Certificate Authority
- The time that the server was last started

For more information about your server, see the documentation for your server.

Understanding the ? character

If you find a ? in a field of a table, it means that this field is not loaded because it is out of your scope.


Chapter 2. Navigating through the RACF database

This chapter explains the different options you can use to work in the database. Click the Navigate button to go to the database entity that you want to see. You can find individual users, groups, and resources and their relations such as connects, permits, schedules, and so on.

This chapter contains the following topics:
- “Using the Find dialog”
- “Viewing Connected users and groups” on page 15
- “Viewing the groups” on page 16
- “Selecting resources for a specific userid or group with the Permits function” on page 16
- “Using Scope” on page 17
- “Using Scope *” on page 21
- “Using RACF SETROPTS Settings” on page 22
- “Viewing Access List” on page 23
- “Viewing Effective Access List” on page 23
- “Viewing the Member list” on page 24
- “Finding classes with the Select class dialog” on page 24

Using the Find dialog

The Find dialog displays users, groups, or resources. Follow these steps to open the Find dialog:
1. Select Navigate > Find.
2. Enter the class and the search string.
3. Specify whether that string is used as key such as Exact, Filter, or Mask.
4. Click OK.

If you do not know the class, click the button next to the class field to get the Select class dialog. See “Finding classes with the Select class dialog” on page 24. When you leave the class field empty, you receive all records except users or groups.

You can use keyboard shortcut keys to specify the class field:

Table 1. Shortcut keys for the class

Shortcut keys    Class
Ctrl + D         Dataset
Ctrl + G         Group
Ctrl + U         User


The Find dialog has the following fields and options:

Exact
   The search string is the only userid, groupid, or profile that is loaded.

Filter
   If the search string is used as a filter, all characters of the profile key have to match. The "%" character matches any character and the "*" character matches all succeeding characters. The "*" character is only accepted as a last character. For example,
   - "IBMUSER" matches "IBMUSER" only
   - "I%MUSER" matches "IBMUSER", "ICMUSER", "IDMUSER" and so on
   - "IBM*" matches "IBM", "IBMUSER", "IBMGROUP", "IBMSYS" and so on

   The only exception is that an empty string used as a filter selects all just as an empty mask does.

Mask
   When the string is used as a mask, the first characters of the item have to match the string. "IBM" matches "IBMUSER", "IBMGROUP", "IBMSYS" and so on.

   Note: To load one user, use Filter, and the full Userid.

Advanced
   When clicking <<Advanced, you get additional criteria, which you can use to reduce the selection. Only profiles that match all criteria can be selected. See Chapter 3, “User management,” on page 25 for a description of the extra fields for users. See Chapter 4, “Group management,” on page 43 for a description of the extra fields for groups. See Chapter 6, “Resource management,” on page 57 for a description of the extra fields for resources.

Segments
   The segment option lets you refine the class you open. IBM Tivoli zSecure Visual only selects profiles that have the segment you have chosen. The default option is any, which gives you the complete profile list including the profiles that have no segments.

Figure 5. Find dialog


   If you are not authorized to view segments, or if there are no segments present, the Segment option is grayed out.

The Find window always on top option in the Options dialog specifies whether the dialog disappears after you click OK. The interface options determine which fields and options are available in this dialog.
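The difference between the Exact, Filter, and Mask options of the Find dialog is easiest to see when the three are run against the same list of keys. The following is an added example, not code from the manual or the product; it models only the matching rules stated above, the function names and sample keys are hypothetical, and it assumes matching is case-sensitive.

```python
import re


def compile_filter(pattern):
    """Translate a Find-dialog filter into a regular expression.

    Rules as described for the Filter option: every character of the key has to
    match, % matches any one character, * matches all succeeding characters and
    is only accepted as the last character, and an empty filter selects all.
    """
    if pattern == "":
        return re.compile(r".*", re.S)
    if "*" in pattern[:-1]:
        raise ValueError("'*' is only accepted as the last character of a filter")
    body, tail = (pattern[:-1], ".*") if pattern.endswith("*") else (pattern, "")
    regex = "".join("." if ch == "%" else re.escape(ch) for ch in body) + tail
    return re.compile(regex, re.S)


def select(keys, search, mode):
    """Return the keys that a search string selects in the given mode."""
    if mode == "exact":
        return [k for k in keys if k == search]
    if mode == "mask":
        # A mask only has to match the first characters of the key.
        return [k for k in keys if k.startswith(search)]
    if mode == "filter":
        rx = compile_filter(search)
        return [k for k in keys if rx.fullmatch(k)]
    raise ValueError(f"unknown mode: {mode}")


# Constructed sample keys, not taken from any real RACF database.
KEYS = ["IBM", "IBMUSER", "ICMUSER", "IBMGROUP", "IBMSYS", "IBMUSER2", "SYS1"]

if __name__ == "__main__":
    for search, mode in [("IBMUSER", "filter"), ("IBMUSER", "mask"),
                         ("I%MUSER", "filter"), ("IBM*", "filter"), ("", "filter")]:
        print(f"{mode:6} {search!r:10} -> {select(KEYS, search, mode)}")
```

With these keys, the full user ID IBMUSER as a mask also selects IBMUSER2, while the same string as a filter selects the single profile, which is the reason for the note under Mask.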

Ambiguous Class selection

When you open the User or the Group table, if you make a mistake in the Find dialog, for example, you enter Users instead of User, IBM Tivoli zSecure Visual displays the Ambiguous Class selection Class warning. If you continue the search, the program tries to find resources of the class you type. Typically this results in the message No matching resources found.

To get the User table, select No, then select the right class.

Viewing Connected users and groups

To see the connected users or groups, perform the following steps:
1. Select a user or group.
2. Select Navigate > Connects from the main menu.

You can find the explanation of the columns of the resulting table in the following topics:
- Chapter 3, “User management,” on page 25
- Chapter 4, “Group management,” on page 43
- Chapter 5, “Connect management,” on page 51

Figure 6. Ambiguous Class

Figure 7. Warning


Viewing the groups

You can see groups in a hierarchical structure. A superior group can have zero or more subgroups. A group always belongs to only one superior group except for the group SYS1, which does not have a superior group because it is the root of the tree.

To display the Group tree, follow one of these steps:
- Select Navigate > Grouptree from the main menu, or
- Click the Grouptree button from the toolbar.

The group tree window normally does not contain all groups defined in the RACF database. It contains only the groups that are in your scope and their superior groups up to SYS1. Though you can see the superior groups displayed, you are not able to see any information about any superior group that is out of your scope.

Load Complete is a time saving feature of IBM Tivoli zSecure Visual. It loads all groups within your scope and their superior ones from the mainframe. It stores them in the memory of your PC, so you can use them during this session. This loading is only possible if your PC has enough memory capacity.

To select groups, follow these steps:
1. In the Group tree window, enter a filter in the filter box.
2. Click Find.

The group tree is extended with the wanted groups. The first one that matches the filter is highlighted. If you select just one group, use its name for a filter. The Find command loads the wanted information directly from the mainframe except when the Load Complete option is used. Then it looks into the memory of your PC.

In the Options dialog, you can specify whether the available installation data of the group is shown in the tree.

Selecting resources for a specific userid or group with the Permits function

You can select resources related to a specific userid or group so that you can see the resource profiles. Follow these steps to select the resources:
1. Select the userid or group.
2. Select Navigate > Permits.

Figure 8. Group tree


When you use Permits, IBM Tivoli zSecure Visual selects the following profiles:
- Resource profiles that contain the userid or group on their Access List
- Resource profiles that are owned by the userid or group
- DATASET profiles that have the userid or group as first qualifier. This qualifier is often referred as High Level Qualifier (HLQ). These profiles are selected because RACF's users and groups need to alter the datasets that have the userid or group as HLQ.

Note: This procedure does not select all resources the user has access to, because the connects of the user are not taken into account. To get a list that takes into account the connects, use View Scope.

In addition to the columns of a resources table explained in Chapter 6, “Resource management,” on page 57, the table contains the following columns:

Access
   This field contains the access the user or group has to the resource. It can be an access level between None and Alter, and one of the values:

   Owner
      The userid or group is the owner of the resource profile.

   QualOwner
      The userid or group is the first qualifier of a DATASET profile.

When
   If this field is not blank, the access is only granted if the condition is met. If the field is blank, the access is granted without restriction.
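The three selection rules of Permits, and the gap described in the note about connects, can be modeled on a handful of profiles. The following is an added example, not code from the manual or the product: it is a simplified model with hypothetical names and constructed profiles, it assumes one output row per matching rule, and it does not reproduce the other criteria that Scope evaluates.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    resclass: str                            # for example DATASET or FACILITY
    key: str                                 # profile key
    owner: str                               # owning userid or group
    acl: dict = field(default_factory=dict)  # Access List: id -> access level


def permits(profiles, ident):
    """Rows a Permits-style selection yields for one userid or group.

    Implements only the three rules listed above; the last element of each row
    is the Access column value (an access level, Owner, or QualOwner).
    """
    rows = []
    for p in profiles:
        if ident in p.acl:                   # rule 1: id is on the Access List
            rows.append((p.resclass, p.key, p.acl[ident]))
        if p.owner == ident:                 # rule 2: id owns the profile
            rows.append((p.resclass, p.key, "Owner"))
        if p.resclass == "DATASET" and p.key.split(".", 1)[0] == ident:
            rows.append((p.resclass, p.key, "QualOwner"))   # rule 3: HLQ
    return rows


def access_via_connects(profiles, ident, connects):
    """Access List entries that reach `ident` only through a connected group.

    These are the rows the note says Permits leaves out; the last element names
    the group through which the entry applies.
    """
    rows = []
    for group in connects.get(ident, ()):
        for p in profiles:
            if group in p.acl:
                rows.append((p.resclass, p.key, p.acl[group], group))
    return rows


# Constructed sample data, not taken from any real RACF database.
PROFILES = [
    Profile("DATASET", "PAYROLL.**", "PAYADM", {"JSMITH": "Read"}),
    Profile("DATASET", "JSMITH.**", "JSMITH"),
    Profile("FACILITY", "BACKUP.TOOLS", "SYSADM", {"OPSGRP": "Read"}),
    Profile("DATASET", "FINANCE.LEDGER", "FINADM", {"PAYGRP": "Alter"}),
]
CONNECTS = {"JSMITH": ["PAYGRP"]}            # userid -> connected groups

if __name__ == "__main__":
    print("Permits for JSMITH:")
    for row in permits(PROFILES, "JSMITH"):
        print("  ", row)
    print("Not shown by Permits (reached through connects):")
    for row in access_via_connects(PROFILES, "JSMITH", CONNECTS):
        print("  ", row)
```

In an access review, the second list is the reason to run Scope for a user rather than rely on Permits alone.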

Using Scope

Users, groups or resources that can be accessed by a specific userid or group are in "scope" of the userid or group. To find the resources that every user can select, use Scope *. See “Using Scope *” on page 21. To select users, groups or resources in scope of a user or group, perform the following steps:
1. Select the user or group.
2. Select Navigate > Scope from the main menu.

Figure 9. Permits


A scope dialog displays the following fields and options:

List users and groups
   Select this option to get a list of users and groups that are in scope of the specified userid or group. When you select this option, some of the other options become disabled because they do not apply to these users and groups.

Filter
   Use this field only if you select List users and groups. You can enter a user or group filter, for example, IBM*, to select only users and groups that are in scope and match the filter. When you leave this field empty, all users and groups in scope are selected. It leads to a large table.

List resources
   Select this option to get a list of resources that are in scope of the specified userid or group.

Class
   Use this field only if you select List resources. You can enter a class name or class filter to select only resource profiles in a class that matches the filter. If you leave this field empty, no class filter is used. It leads to a large table.

Profile filter
   Use this field only if you select List resources. You can enter a profile filter to select only resource profiles that match the filter. If you leave this field empty, no profile filter is used. It leads to a large table.

UACC
   When selecting this option, resources that have a UACC other than None are considered in scope.

Figure 10. Scope


* on Access List, that grants access to all RACF defined users
   When selecting this option, resources that have * on the Access List with an access other than None are considered in scope.

group auditor attributes (gAud) of ID
   By selecting this option, the group auditor attributes of the selected user are taken into account when determining whether a user, group, or resource is within scope. If you select a group, this option is disabled because groups have no auditor attributes.

group operations attributes (gOper) of ID
   By selecting this option, the group operations attributes of the selected user are taken into account when determining whether a user, group, or resource is within scope. If you select a group, this option is disabled because groups have no group auditor attributes.

group special attributes (gSpec) of ID
   By selecting this option, the group special attributes of the selected user are taken into account when determining whether a user, group, or resource is within scope. If you select a group, this option is disabled because groups have no group special attributes.

ID is owner
   When selecting this option, user, groups, or resources owned by the ID you select are considered in scope.

ID can change password of owner of ...
   When selecting this option, users, groups, or resources owned by the ID you select are considered in scope. It is because ID might change the password, logon, user, group or resource, and set the password back to the previous value.

group special attributes (gSpec) of ID allow new connects to groups in scope
   By selecting this option, the user with user ID ID can connect other users to groups that are in scope of his or her user ID. If you select a group, this option is disabled because groups have no such group special attributes.

ID can change their own profile
   When selecting this option, users, groups, or resources, which become within scope when ID has changed their own profile, are considered within scope.

ID has CKGRACF authorities over ...
   When selecting this option, users, group, or resources within the CKGRACF scope are considered within scope.

Global Access Table
   When selecting this option, a resource is considered within scope when the Global Access Table allows access.

Profile is in Warning Mode (allows ALTER)
   When selecting this option, all resources protected by profiles in Warning Mode are considered within scope. Warning Mode implies all access is accepted, but a warning message is generated where a violation occurs.

After you click OK, the requested table displays. Besides columns found in users, groups and resources tables, which are described in User management, Group management and Resource management, the table contains the following columns:

Access
   This field contains the access to the user, group, or resource. It can be in the range Execute-Read-Update-Control-Alter and has the following options:


   Owner
      The user or group that owns the user, group or resource.

   QualOwner
      The userid or group that is the first qualifier of a DATASET profile.

   Alter-Operations
      The user that can alter the resource using their operations attribute.

   CKGOwner
      Access granted by the CKGRACF authorized component of IBM Tivoli zSecure Admin.

   CKGList
      Read access granted by the CKGRACF authorized component of IBM Tivoli zSecure Admin.

   Alter-M
      The user can alter 'myself' - a user can alter some fields in their own user profile.

   Alter-P
      Alter access on a discrete profile, enabling you to issue PERMIT.

When
   If this field is not blank, the access is granted only if the condition is met. If the field is blank, the access is granted without restriction.

Via
   This field contains the userid, group, or connected group that has been used to gain the specified access, or it contains one of the following options:

   Warning
      Access is granted because the profile is in warning mode.

   *
      Access is granted because * is on the Access List with access other than None.

   UACC
      The access is granted because the UACC is not None or the Global Access Table allows access.

   Auditor
      The access is granted because the user has a group auditor attribute.

   Operations
      The access is granted because the user has a group operations attribute.

   SCP.G
      The access is granted because the group or the owner of the user, group, or resource lies within the CKGRACF scope according to a CKG.SCP.G.... scope profile.

   SCP.U
      The access is granted because the user or the owner of the user, group, or resource lies within the CKGRACF scope according to a CKG.SCP.U... scope profile.

   SCP.ID
      The access is granted because the user or group, or the owner of the user, group or resource lies within the CKGRACF scope according to a CKG.SCP.ID... scope profile.


  Global
  Access is granted because the Global Access Table allows access.

Notes:

1. When the Via column shows Global, the Access List and Effective Access List options are deactivated. These lists do not yield any usable information.

2. This list is a snapshot. If you want to see any changes made after you display the list, you must close it and display it again.

A related function for resources is the effective Access List, which results in a list of all users and groups that have access according to the profile.

Using Scope *

With this scope * function, you can get a list of resources that can be accessed by every user. To find the users, groups or resources that can only be accessed by a specific user, use Scope; see “Using Scope” on page 17. You can find the Scope * function by selecting Navigate > Scope * from the main menu.

Its dialog has the following fields and options:

Class
You can enter a class name or class filter to select only resource profiles in a class that matches the filter. If you do not know the class, click the button next to the class field to get the Select class dialog. See “Finding classes with the Select class dialog” on page 24. If you leave this field empty, no class filter is used. This can lead to a large table.

Profile filter
You can enter a profile filter to select only resource profiles that match the filter. If you leave this field empty, no profile filter is used. This can lead to a large table.

UACC
When you select this option, resources that have a UACC other than None are considered in scope.

* on Access List, that grants access to all RACF defined users
When you select this option, resources that have * on the Access List with an access other than None are considered in scope.

After you click OK, the requested table displays. Besides columns found in resources tables, which are described in resource management, the table contains the following columns:

Figure 11. Scope *


Access
This field contains the access to the resource.

When
If this field is not blank, the access is only granted if the condition is met. If the field is blank, the access is granted without restriction.

Via
This field contains one of the following options:

  Warning
  Access is granted because the profile is in warning mode.

  *
  Access is granted because * is on the Access List with access other than None.

  UACC
  The access is granted because the UACC is not None.

  SCP.G
  The access is granted because the group or the owner of the user, group, or resource lies within the CKGRACF scope according to a CKG.SCP.G.... scope profile.

  SCP.U
  The access is granted because the user or the owner of the user, group, or resource lies within the CKGRACF scope according to a CKG.SCP.U... scope profile.

  SCP.ID
  The access is granted because the user or group, or the owner of the user, group or resource lies within the CKGRACF scope according to a CKG.SCP.ID... scope profile.

Note: This list is a snapshot. If you want to see any changes made after you display the list, you must close it and display it again.

Using RACF SETROPTS Settings

The RACF SETROPTS Settings report shows the system-wide RACF options as set or retrieved by the SETROPTS command. This report is read-only. The RACF SETROPTS Settings report can be found by selecting Navigate > System Audit > RACF SETROPTS Settings from the main menu.


Viewing Access List

To view the access list of a resource profile, select a resource profile and select Navigate > Access List. The columns of the resulting table are explained in “Access List” on page 65. The access list contains userids and groups. When a group is on an access list, all its users get access. To see this effect, use Effective access list.

Viewing Effective Access List

To view the Effective Access List of a resource profile, select a resource profile and select Navigate > Effective Access List from the main menu. The Effective Access List contains all userids of the access list and all users that are in the groups on the access list. If a user is in more than one group on the access list, the highest access is displayed, just as RACF would.

“Access List” on page 65 explains the columns of the resulting table except the Via column, which contains the connect group of the user that results in the access. In the Options dialog, you can specify whether Group Operations or System Operations together with Universal Groups are taken into account when determining the Effective Access List. When activated, the last option might cause a significant drop in performance while creating the Effective access list. If a group on the access list is out of your scope, the access list does not display its users but displays the group instead.

Notes:

1. When you load the Effective Access List, the access list is loaded as well, so you can quickly switch to the access list.

2. This list is a snapshot. If you want to see any changes made after you display the list, you have to close it and display it again.
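The expansion described above, modelled in Python as an added example (not code from the product or the manual). The sample ids and the rule that a userid's own entry overrides its group entries are assumptions; the latter follows standard RACF checking and is not stated on this page.

```python
# Added example: a model of the Effective Access List, not product code.
# Assumption (not stated on the page): a userid's own access-list entry
# takes precedence over any group entry, as in standard RACF checking.

# RACF access levels, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def effective_access_list(access_list, groups):
    """Expand a profile's access list into per-user effective access.

    access_list -- [(id, access), ...] as stored on the resource profile
    groups      -- {group: set of connected userids}; a value of None means
                   the group is outside the administrator's scope
    Returns {id: (access, via)} where via is the id that granted the access.
    """
    result = {}
    # Pass 1: explicit userid entries. These are final for that user.
    for ident, access in access_list:
        if ident not in groups:
            result[ident] = (access, ident)
    explicit = set(result)

    # Pass 2: group entries, expanded to their connected users.
    for ident, access in access_list:
        if ident not in groups:
            continue
        members = groups[ident]
        if members is None:
            # Out-of-scope group: shown as the group itself, not its users.
            result[ident] = (access, ident)
            continue
        for user in sorted(members):
            if user in explicit:
                continue  # the user's own entry wins, even if it is NONE
            current = result.get(user)
            if current is None or RANK[access] > RANK[current[0]]:
                result[user] = (access, ident)  # keep the highest group access
    return result


def at_least(effective, level):
    """Return the sorted ids whose effective access is `level` or higher."""
    return sorted(i for i, (acc, _) in effective.items()
                  if RANK[acc] >= RANK[level])


# Constructed sample data: one profile's access list and the group connects.
SAMPLE_ACCESS_LIST = [
    ("PAYROLL", "READ"),
    ("PAYADM", "UPDATE"),
    ("JSMITH", "NONE"),
    ("AUDGRP", "READ"),
]
SAMPLE_GROUPS = {
    "PAYROLL": {"ALICE", "BOB", "JSMITH"},
    "PAYADM": {"BOB"},
    "AUDGRP": None,  # outside the reviewer's scope
}

if __name__ == "__main__":
    eal = effective_access_list(SAMPLE_ACCESS_LIST, SAMPLE_GROUPS)
    for ident in sorted(eal):
        access, via = eal[ident]
        print(f"{ident:8} {access:8} via {via}")
    print("UPDATE or higher:", at_least(eal, "UPDATE"))
```

For an access review, the useful rows are the ones where Via differs from the id: they show which connect group to change in order to lower a user's access.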

Figure 12. RACF SETROPTS Settings


Viewing the Member list

To view the Member list of a general resource profile, select the profile and select Navigate > Members from the main menu. For more information about the columns of the resulting table, see “Viewing and changing a member list” on page 69.

Finding classes with the Select class dialog

The Select class dialog helps you find the class you need.

The table contains the following columns:

Class:
Name of the class.

Active:
Flag indicating whether RACF protection for the class is active.

Description:
Description of the purpose of the class.

To limit the list of classes, use the Classes field:

All classes
Displays all classes that have been read from the class descriptor table during logon.

Active classes
Displays only classes that are active, as set by SETROPTS CLASSACT and SETROPTS NOCLASSACT commands on the mainframe.

Authorized classes
Displays only classes that you are authorized to change, according to your class authorizations or system-wide special attribute.

Click OK to select the class, or Cancel.

Figure 13. Select class dialog


Chapter 3. User management

IBM Tivoli zSecure Visual enables you to view the user table and user properties; delete, duplicate, and resume users; set passwords; and use schedules. This chapter explains how IBM Tivoli zSecure Visual manages users. It contains the following topics:

• “User table”
• “User properties” on page 27
• “Deleting a user” on page 32
• “Duplicating a user” on page 30
• “Resuming a user” on page 33
• “Disabling a user” on page 33
• “Enabling a user” on page 34
• “Setting passwords” on page 35
• “Setting a default password” on page 37
• “About Schedules” on page 38

Chapter 5, “Connect management,” on page 51, explains in detail the connections between users and groups.

User table

The User table consists of a list of users and their properties. Use the Find dialog to open the User table. Every icon in the list can be either red or green. When an icon is green, it means that the user is active; when it is red, the user is revoked or inactive.

The User Table has the following columns:

Userid
The RACF userid.

Name
Real name of the user, or any other description.

InstData
This field has a site-defined layout and meaning. Typically it contains organizational data on the userid.

Figure 14. User table


Owner
The owner can change the user definition.

DefaultGrp
The default group is the group that the user automatically connects to at logon.

Revoked
A revoked user cannot log on, but the profile is still present. Users can get revoked by an administrator or they can be revoked automatically. Users are revoked automatically if they make too many unsuccessful password attempts, by scheduled actions, or if too much time has passed since their last use. The status is derived from the revoke status flag, the current date, the revoke date, the resume date and the date the user last logged on.

Inactive
A userid becomes inactive when it is not used for a period of time set by the SETROPTS INACTIVE command on the mainframe. An inactive user who tries to log on is revoked immediately. The field presented takes into account the RACF inactive setting and the last use date.

Note: If a userid has never been used, it does not become inactive.

Expired
This field indicates whether the password has expired. When the password has expired, the user must change the password at the next logon. The field presented takes into account the current date, the password interval of the user, the system wide password interval, and the most recent password change date.

Interval
The period in days after which the user needs to change the password.

Attempts
Count of logon attempts with an invalid password. This count is only kept if the RACF user revoke setting has been activated with the RACF SETROPTS PASSWORD(REVOKE(nn)) command on the mainframe. After nn invalid password attempts, the user is revoked.

LastConnect
This field contains the last RACINIT date for any group that the user is connected to.

Note: RACF uses a different date to calculate the inactivity interval of the user.

LastPwdChange
The most recent date the password was changed.

Created
Date on which the user was defined.

MappingsCount
The number of distributed identity filters that are associated with the user ID.

The extra selection fields for users in the Find dialog are:


Name
A substring that must exist in the name.

Installation data
A substring that must exist in the installation data.

Owner
Select users by owner. The field is used as a filter.

Default Group
Select users by default group. The field is used as a filter.

Revoke status
Select users that are revoked, not revoked, or independent of the revoke status.

Attempts
Select users that have more or less than a certain number of password attempts. A blank field selects users independent of the number of password attempts.

Segment
Select the users that have the segment you specify. If you find this option grayed out, you cannot view segments or there are no segments. If you select "Any", you have the complete user list, whether the profiles have segments or not.

User properties

The user property dialog presents the user properties in three categories: Attributes, More attributes, and Status. Your level of authorization decides whether you can edit the user properties. Follow one of these steps to view the properties of a user:

• Select Navigate > Properties from the main menu.
• Select and double-click the user.
• Select the user from the user table and press Enter.
• Right-click a user and select Properties from the pop-up menu.
• Click Properties on the toolbar.

Figure 15. Find dialog for users


After editing the properties, click OK to accept the changes.

In the Attributes tab, you see the following fields:

Userid
The RACF userid.

Name
Real name of the user, or any other description.

Owner
The owner can change the user definition.

DefaultGrp
The default group is the group that the user automatically connects to at logon.

Installation data
The purpose and layout of this field are site-defined. Typically it contains organizational data on the userid. The installation data fields can contain as much as 255 characters. The field is displayed in multiple lines as it would be when displayed by the RACF LISTUSER command: the first line contains 62 characters and the succeeding lines contain 80 characters. A changed installation data field can be composed of the separate lines. It is possible to change the font of this field, see “Setting options” on page 5.

Special
System-wide special attribute.

Operations
System-wide operations attribute.

Auditor
System-wide auditor attribute.

Password interval
The period in days after which the user must change the password.

In the More attributes tab, you see the following fields:

Security level
Security level.

Categories
Security categories to which the user has access.

Figure 16. User properties dialog


Security label
Security label.

Class authorizations
Class in which the user is allowed to define profiles.

In the Status tab, you see the following fields or button:

Revoked
Revoked users cannot log on, but their profiles are still present. An administrator revokes the user, or the user is revoked automatically due to too many unsuccessful password attempts, or by scheduled actions. The status is derived from the revoke status flag, the current date, the revoke date, the resume date, and the last used date.

Inactive
An inactive user that tries to log on is revoked immediately. A userid becomes inactive when it is not used for a period of time set by the SETROPTS INACTIVE command on the mainframe. The field presented takes into account the RACF inactive setting and the last use date.

Note: If a userid is not used yet, it does not become inactive.

Expired
This field indicates whether the password has expired. When the password has expired, the user must change the password at the next logon. The field presented takes into account the current date, the password interval of the user, the system wide password interval, and the most recent password change date.

Password attempts
Count of logon attempts with an invalid password. This count is only kept when the RACF user revoke setting is activated with the RACF SETROPTS PASSWORD(REVOKE(nn)) command on the mainframe. After nn invalid password attempts, the user is revoked.

Last password change
The most recent date the password was changed.

Last connect
This field contains the last RACINIT date for any group the user is connected to.

Note: RACF uses a different date to calculate the inactivity interval of the user.

Last logon
The last time the user logged on to RACF.

Created
Date on which the user was defined.

Mappings count
The number of distributed identity filters that are associated with the user ID.

When you execute the corresponding commands on the mainframe, you can use the following check box and buttons for actions on the userid.

Resume
Displays the Resume dialog. See “Resuming a user” on page 33.

Set Password
Displays the Set Password dialog. See “Setting passwords” on page 35.


Schedules
Displays the Schedules dialog. See “About Schedules” on page 38.

Mappings
Displays the Mappings window. See “About Mappings” on page 41.

Duplicating a user

You can generate new users by duplicating an existing user. You can take the existing user as the prototype user. To duplicate a user, follow one of these steps:

• Select the prototype user in a user window and select Action > Duplicate from the main menu.
• Click the toolbar Duplicate button.
• Right-click the user and select Duplicate from the pop-up menu.

The Duplicate dialog contains the following fields:

New userid
Userid of the new user.

Name
Name of the new user.

Installation data
Installation data of the new user.

Owner
Owner of the new user.

Figure 17. Duplicate user dialog.


Default Group
Default group of the new user. The default group must be one of the connected groups of the prototype user.

Password
Password of the new user. The password is optional.

Confirm password
Confirmation of the password of the new user.

Default password
Default value to which you can set the new password of the user. It is optional; for more information, see “Setting a default password” on page 37.

Confirm default password
Confirmation of the default password. Must be equal to the Default password.

Enforce creation of dataset profile
Create a generic dataset profile with the new userid as High Level Qualifier or HLQ. It has the new userid as owner and a UACC of none. This command is available separately on the Action menu.

Note: If the existing, prototype user already has one or more dataset profiles with the HLQ equal to the userid, these profiles can be copied instead. This is done regardless of whether the check box here is on or off.

Define Alias
Define an alias for the user pointing to the user catalog. The user catalog dataset name must be known to use this option. This command is available separately on Action from the main menu.

Note: IBM Tivoli zSecure Visual attempts to retrieve the user catalog dataset name by searching the XFACILIT class, or the class configured as the Site Module general resource class during the server setup as described in the IBM Tivoli zSecure CARLa-Driven Components: Installation and Deployment Guide. It looks for profiles with names starting with "CKG.UCAT." using the SHOW MYACCESS command. If one or more such profiles are found, this option can be activated. If more than one dataset name is found, the user is asked to select one of them when activating the option.

Segments

Use the segment fields to store information about specific subsystems or components of z/OS. If these segments are present for the original profile, the values are copied to the new user profile. Some of these values must be changed while others can remain the same. If no value exists for the duplicated user or the segment is not within your scope, the field is disabled. For more information about authorities needed to manage segments, see “Authorities and settings required to manage segments” on page 71.

The fields shown in the panel are just a subset of all fields that are present in the segments. All other fields within your scope are copied unchanged. The segment fields are divided into two columns.

In the left column, you can find the segments that need unique values; you must change the value for the new user profile:

  KERB Kerberos name
  KERB KERBNAME field that defines the local kerberos principal name of the user.


  LNOTES Lotus® Notes® short username
  LNOTES SNAME field indicating the short name as found in the Lotus Notes address book.

  NDS NDS username
  NDS UNAME field defining the user name as stored in the Novell Directory Services for OS/390® directory.

In the right column, you can find the other segment fields. These values do not need to be unique per user profile:

  OMVS UNIX® user (uid)
  OMVS UID field with the user identifier. To have the system assign an unused value, use "auto". If you want more than one user to share the UID, add "s" at the end of the UID value.

  OMVS Initial program
  OMVS PROGRAM field describing the path name of the first program to be started when an OMVS session is started.

  OMVS UNIX home path
  OMVS HOME field defining the hierarchical file system (HFS) directory path name of the working directory.

  DCE DCE UUID
  DCE UUID field indicating the principal name of the user as defined in the DCE registry.

After you complete the fields on the Duplicate user dialog, click OK. The field values are validated to determine whether the unique fields differ from the original values. If they are not changed, a warning popup displays with the following text and the dialog is not closed:

Please change the <Name> field. It needs to be unique for this system.

Note: There is no check whether the value is unique within the RACF database. Checking on this scale triggers a full database read, which is an undesired action.

Click OK to start the duplication, or click Cancel to quit the dialog without changes.

Deleting a user

You cannot delete users from the RACF database if you are using IBM Tivoli zSecure Visual. However, it is possible to revoke their access by marking them for deletion. You can revoke access for one or more selected users. Follow one of these steps to revoke access of users:

• Select a userid and select Action > Delete from the main menu.
• Right-click a userid to display the pop-up menu and select Delete.
• Select a userid and click Delete from the toolbar.
• Drop the users on the Recycle Bin.

The result is that their userids are disabled by schedule $DELETE. You can enter a reason for deletion. This reason is shown when undoing Delete.


To undo Delete, go to the schedules of the user and delete the disabled action in the $DELETE schedule. If there are no other scheduled actions, you must also resume the user. A related dialog appears in that case.

Resuming a user

A resume resets the revoke status of the user. It succeeds only if the revoke is not due to scheduled actions. If the revoke is due to a scheduled action, you must delete the scheduled action.

To resume one or more selected users, perform one of the following steps:

• Select a userid and select Action > Resume from the main menu.
• Right-click a userid to display the pop-up menu and select Resume.
• Select a userid and click Resume on the toolbar.

In the resume dialog, click OK to invoke the resume.

Disabling a user

You can disable a user so that the user cannot log on; the disabling schedule starts today. To disable a user, follow one of these steps:

• Select a userid and select Action > Disable from the main menu.
• Right-click a userid and select Disable from the pop-up menu.

Figure 18. Mark user for deletion dialog

Figure 19. Resume dialog


Enter the reason for disabling the user. If the user is already disabled, the reason can be shown in the Details field.

To use this option, you need UPDATE or better on resource CKG.CMD.USER.REQ.SCHEDULE and at least one schedule in your scope excluding the reserved $DELETE schedule.

Enabling a user

You can enable a revoked or disabled user to log on again. When enabling a user, any schedule that disables the user expires. If there is more than one schedule available to enable the user, you can select any one of them from the selection list.

To enable a user, follow one of these steps:

• Select the userid and select Action > Enable from the main menu.
• Right-click the userid to display the pop-up menu and select Enable.

Enter the reason for enabling the user. If a future schedule disables the user again, the reason can be shown in the Details field.

If there are not any schedules to disable the user, you get a dialog offering to do a normal resume. Exception: If you do not have the authority to resume, you get the Enable user dialog anyway. If the user is marked for deletion, you must confirm the enabling action. Once confirmed, the user is no longer marked for deletion. If the user is disabled with one or more schedules that are out of your scope, you get an error message listing the offending schedules.

Figure 20. Disable user dialog


To use this option, you need UPDATE or better on resource CKG.CMD.USER.REQ.SCHEDULE and at least one schedule in your scope excluding the reserved $DELETE schedule.

Setting passwords

The Set Password dialog lets you set the user password. To set a password, perform one of the following steps:

• Select a userid and select Action > Set Password from the main menu.
• Right-click a userid to display the pop-up menu and select Set Password.
• Select a userid and click Set Password on the toolbar.

Figure 21. Enable user dialog


The Set Password dialog contains the following options and fields:

Reset Password
Sets the password to the default password. At the same time, the password is set to "expired".

Previous password
Sets the password back to the previous password. It works only if a password history is being maintained in RACF, and the user remembers the previous password.

Default password
Sets the password to the default password that is set previously by the administrator.

New password
Sets the password to a new value. You must confirm the new value by retyping it in the Confirm new password field. This value must be compliant with the password rules. It must not occur in the password history unless you have the necessary access to the corresponding resources to bypass these checks. Details can be found in the section "Required access for generated commands" of Chapter 3 "Configuring client’s authorities" in Tivoli zSecure Visual Server Manual.

Reason
Logs the reason why the password is changed. Depending on company policy, input might be required. Examples are Forgotten password, Never used, and Revoked.

Set password to expired
When this option is active, the new password becomes expired. When the user logs on, the user has to specify a new password.

Resume
Resumes the userid when resetting the password. When the user is revoked due to too many unsuccessful password attempts, a resume is required to enable the logon again. Using Resume to avoid setting the password.

Figure 22. Set password dialog

Setting a default password

The default password is a fixed value the user can set. By default, the default password is set system wide. It is outside the scope of IBM Tivoli zSecure Visual. However, it is more secure to set an individual default password for each user, especially for users with important roles.

To set the default password, perform the following steps:

1. Select a userid and select Navigate > Properties from the main menu to open the properties dialog.
2. Select the Status tab.
3. Click Edit Default Password to open the Edit Default Password dialog.
4. Check the Default Password box.
5. Type and confirm the default password.
6. Optionally, enter the reason why the default password is changed.
7. Click OK.

Figure 23. Status


Removing the default password

You can remove the default password by following these steps:

1. Select a userid and select Navigate > Properties from the main menu to open the properties dialog.
2. Select the Status tab.
3. Click Edit Default Password to open the Edit Default Password dialog.
4. Select the Remove Default Password box.
5. Optionally, enter the reason why the default password is removed.
6. Click OK.

When a default password is set, the Edit default password dialog shows you the following information:

• The userid of the person who changed the password
• The date of the change
• The time of the change

Note: Removing or changing the default password does not affect the normal password. The normal password only changes to the default password when it is reset to it. If you change the default password after resetting, it does not affect the normal password; it retains the "old default" value.

About Schedules

The only way to revoke a user with IBM Tivoli zSecure Visual is to use schedules. Schedules are a facility provided by the CKGRACF mainframe program that enables different groups of administrators to set the revoke status of a user.

Figure 24. Edit default password dialog


You can separately revoke and resume a user, or you can combine these two actions. These are called intervals. The CKGRACF program updates the revoke flags of the user based on the schedules. A disabling interval starts with a revoke and ends with a resume; for an enabling interval, it is the other way around. A single revoke or resume corresponds with an interval without an end date. All actions of an interval are written to the RACF database, together with the schedule name, date, author, and reason. The schedule name is used to categorize intervals. New intervals wipe previous conflicting actions only within the same schedule. When all past scheduled actions are deleted, CKGRACF leaves the user's revoke status unchanged.

The equivalent of revoking a user is Disable from today forever. The equivalent of deleting a user is Disable from today forever with schedule name $DELETE. The deletion is sent to the mainframe after you click OK in the schedules dialog.

Users are only able to log on when all scheduled actions enable them to do so. Schedules can be set by centralized and decentralized administrators. When decentralized administrators are given access to just a part of the defined schedule names while the others are reserved for centralized administrators only, they cannot undo intervals set by a centralized administrator.
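A simplified Python model of the schedule rules above, added here as an illustration and not CKGRACF's own logic. The schedule names, userids and dates are constructed, and the model only reports what the schedules ask for; it does not track the RACF revoke flag itself.

```python
# Added example: simplified model of schedule intervals, not CKGRACF code.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Interval:
    schedule: str         # schedule name, used to categorize intervals
    kind: str             # "Disable" or "Enable"
    start: date           # first day of the interval (inclusive)
    end: Optional[date]   # last day (inclusive); None means Forever
    author: str
    reason: str


def schedule_state(intervals, day):
    """State that ONE schedule asks for on `day`: 'revoke', 'resume' or None.

    Assumes the intervals of a single schedule do not overlap, since a new
    interval wipes conflicting actions within its own schedule.
    """
    last_end, last_closing = None, None
    for iv in intervals:
        # A disabling interval opens with a revoke and closes with a resume;
        # an enabling interval is the other way around.
        if iv.kind == "Disable":
            opening, closing = "revoke", "resume"
        elif iv.kind == "Enable":
            opening, closing = "resume", "revoke"
        else:
            raise ValueError(f"unknown interval type: {iv.kind!r}")
        if iv.start <= day and (iv.end is None or day <= iv.end):
            return opening                      # inside the interval
        if iv.end is not None and iv.end < day:
            if last_end is None or iv.end > last_end:
                last_end, last_closing = iv.end, closing
    return last_closing                         # None: no action has occurred yet


def can_log_on(intervals, day):
    """Return (allowed, blocking_schedules) for `day` across all schedules.

    The user may log on only if no schedule currently asks for a revoke.
    """
    by_schedule = defaultdict(list)
    for iv in intervals:
        by_schedule[iv.schedule].append(iv)
    blocking = sorted(name for name, ivs in by_schedule.items()
                      if schedule_state(ivs, day) == "revoke")
    return (not blocking, blocking)


# Constructed sample data for one user.
SAMPLE = [
    Interval("LEAVE", "Disable", date(2024, 2, 1), date(2024, 2, 14),
             "HDADM1", "Annual leave"),
    Interval("SECURITY", "Disable", date(2024, 3, 1), None,
             "CENTADM", "Under investigation"),
    Interval("HELPDESK", "Enable", date(2024, 3, 5), None,
             "HDADM1", "User asked for access"),
]
CONTRACT = [
    Interval("CONTRACT", "Enable", date(2024, 1, 1), date(2024, 6, 30),
             "CENTADM", "Contract term"),
]

if __name__ == "__main__":
    for day in (date(2024, 2, 14), date(2024, 2, 15), date(2024, 3, 10)):
        print(day, can_log_on(SAMPLE, day))
    print(date(2024, 7, 1), can_log_on(CONTRACT, date(2024, 7, 1)))
```

In the sample, the HELPDESK Enable interval does not let the user log on while the SECURITY schedule still disables the account, which is the separation between centralized and decentralized administrators described above.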

Viewing and editing schedules

To view the schedules of a user, perform one of the following steps:

• Select the user and select Navigate > Schedules from the main menu.
• Right-click the user to display the pop-up menu and select Schedules.
• Select the user and click Schedules on the toolbar.

A schedule dialog window displays the following columns:

Name
Name of the schedule.

Type
Type of the interval, either Enable or Disable.

Start
Start date of the interval.

End
End date of the interval.

Figure 25. Schedules dialog


Reason
  Reason of the schedule.

Author
  Administrator who enters the schedule.

Created
  Date and time the author enters the interval.

To edit schedules, perform the following steps:
- Click Add to add an interval to the table.
- Select an interval and click Repeat to enter a similar interval in the table.
- Select an interval and click Delete or press the Delete key to delete an interval from the table.

After you edit schedules, click OK to apply the changes to the RACF database, or click Cancel to cancel the changes.

Adding a schedule interval

To add a schedule interval, follow these steps:
1. Select a user and select Navigate > Schedules > Add from the main menu. The Add schedule interval dialog displays.
2. Enter the fields and click OK to add the schedule to the table.

The new schedule interval becomes active after clicking OK in the Schedules dialog.

The dialog contains the following fields:

Name
  Name of the schedule. You can select one of the predefined names or type a new name.

Type
  Select Disable to disable the user for a certain period of time, select Enable to enable the user.

Start
  Enter the start date of the interval. The start date is included in the interval.

End
  Either enter an end date, or select Forever to indicate there is no end date for this interval. The end date is included in the interval.

Figure 26. Add schedule interval dialog


Reason
  Enter a reason for enabling or disabling the user.

Repeating a schedule interval

You cannot edit an existing schedule, but with the Repeat function, you can make a new schedule based on the existing one. If the existing schedule and the new schedule overlap, the program creates a new schedule. The new schedule begins at the earliest start date and ends at the last termination date.

To create a new schedule using the existing schedule, select Navigate > Schedules > Repeat from the main menu.

Deleting a schedule interval

To delete a schedule, follow these steps:
1. Select a schedule interval and click Delete.
   The Delete schedule interval dialog displays the properties of the schedule. For auditing reasons, you need to give a reason for deletion.
2. Click OK to delete the schedule interval.
   The deletion will be sent to the mainframe after you click OK in the schedules dialog.

About Mappings

RACF supports distributed identity filters, which are mapping associations between a RACF user ID and one or more distributed user identities, as they are known to Web-based application servers and defined in distributed user registries. The Mappings window provides the information about distributed identity filters associated with the RACF user ID. These filters are in fact the IDIDMAP profiles. For the remainder of this chapter, such profiles are referred to as mapping profiles.

Viewing Mappings

To view mapping information of a user, perform one of the following steps:
- Select the user and select Navigate > Mappings from the main menu.
- Right-click the user to display the pop-up menu and select Mappings.
- Click the Mappings button on the User Properties dialog.

Figure 27. Delete schedule interval dialog


A Mappings window displays the following columns:

Label
  The label associated with this mapping profile.

Distributed Identity User Name Filter
  The name of the mapping profile.

Registry name
  The registry name of the mapping profile.

Figure 28. Mapping information for a user


Chapter 4. Group management

This chapter describes how to manage groups using IBM Tivoli zSecure Visual. With IBM Tivoli zSecure Visual, you can display, add, duplicate, and delete groups.

This chapter consists of the following topics:
- “Group table”
- “Group properties”
- “Adding a subgroup”
- “Duplicating a group”
- “Deleting a group”

Group table

You can get a list of groups using the Find dialog. A group can be displayed in two colors: blue as default and gray when the installation data of the group has not yet been loaded.

The list of groups has the following columns:

Group
  The ID of the RACF group.

InstData
  The purpose and layout of this field are site-defined. Typically it contains organizational data on the group.

Owner
  The owner can change the group definition.

SupGroup
  The superior group of the group. All groups except group SYS1 belong to one superior group.

Figure 29. Groups table


SubGroups
  Number of subgroups of the group. A subgroup is a group that belongs to another group.

Universal
  A universal group can have an unlimited number of users with USE authority connected to it.

  Notes:
  1. A group can be created as a universal group. It is not possible to change the attribute after creation.
  2. In most cases, it is not possible to delete a universal group.
  3. The old limitation of 5957 connections is still valid for users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level.
  4. For universal groups, the Connected Users table shows only the users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level.
  5. On sites where universal groups are not yet supported, the Universal column or field stays empty and disabled.

Users
  Number of users connected to the group.

Created
  Date of creation of the group.

The extra selection fields for groups in the Find dialog are:

Installation data
  A substring that appears in the installation data.

Owner
  Select groups by owner. The field is used as a filter.

Users
  Select groups that have more or less than a certain number of connected users.

Figure 30. Find dialog for groups


  A blank in the number field selects groups independently of this number. Typing "<" or ">" in the number field selects the corresponding operator.

Segment
  Select the groups that have the segment you specified. If this option is grayed out you cannot view segments or there are none. The option ANY gives you the complete group list, whether the profiles have segments or not.

Group properties

The Group properties dialog provides detailed information about a specific group. To view the properties of a group, perform one of the following steps:
- Select a group and select Navigate > Properties from the main menu.
- Double-click on the group.
- Select a group and press Enter.
- Right-click a group and select Properties from the pop-up menu.
- Select a group and click Properties on the toolbar.

The Properties dialog contains the following fields:

Group
  The ID of the RACF group.

SupGroup
  The superior group of the group. All groups except group SYS1 belong to one superior group. You can change this field to another existing group name.

TermUACC
  Terminal access is granted through the UACC of TERMINAL profiles, as well as through access list entries.

Figure 31. Group properties dialog


Owner
  The owner can change the group definition. You can change this field to another existing group name.

SubGroups
  Number of subgroups of the group. A subgroup is a group that belongs to another group.

Universal
  A universal group can have an unlimited number of users with USE authority connected to it. This field is read-only.

  Notes:
  1. A group can be created as a universal group. It is not possible to change the attribute after creation.
  2. In most cases, it is not possible to delete a universal group.
  3. The old limitation of 5957 connections is still valid for users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level.
  4. For universal groups, the Connected Users table shows only the users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level.
  5. On sites where universal groups are not yet supported, the Universal column or field stays empty and disabled.

Created
  Date of creation of the group.

Installation data
  The purpose and layout of this field are site-defined. It is possible to change this field.

Adding a subgroup

You can add a new subgroup to a group. To add a new subgroup to a group, perform one of the following steps:
- Select a group and select Action > Add subgroup from the main menu.
- Click Add subgroup on the toolbar.
- Right-click a group and select Add subgroup from the pop-up menu.


The Add subgroup dialog lists Group, Supgroup, Universal check box, and the Installation Data of the group you select. The group and installation data values are used as default for the new group; they must be changed. You can also select the Additional Actions check boxes while creating the group:

Enforce creation of dataset profile
  Create a generic dataset profile with the new group name as High Level Qualifier or HLQ. It has the new group as owner and a UACC of none. This command is available separately on the Action menu also.

Define Alias
  Define an alias for the group pointing to the user catalog. The user catalog data set name must be known in order to use this option. This command is available separately on the Action menu also.

  Note: IBM Tivoli zSecure Visual attempts to retrieve the user catalog dataset name by searching the XFACILIT class, or the class configured as the Site Module general resource class during the server setup as described in the IBM Tivoli zSecure CARLa-Driven Components: Installation and Deployment Guide. It looks for profiles with names starting with "CKG.UCAT." using the SHOW MYACCESS command. If one or more such profiles are found, this option can be activated. If more than one dataset name is found, the user is asked to select one of them when activating the option.

Click OK to create the subgroup, or click Cancel to cancel the change.

Duplicating a group

You can create a group by duplicating a group, or by adding a new subgroup to a group. Adding a subgroup to a group is described in “Adding a subgroup” on page 46.

Figure 32. Add subgroup dialog


The duplicated new group has the same connects, permits, and attributes as the original group. To duplicate a group, perform one of the following steps:
- Select a group and select Action > Duplicate from the main menu.
- Select a group and click Duplicate on the toolbar.
- Right-click a group and select Duplicate from the pop-up menu.

The Duplicate group dialog lists the Group, Supgroup, Universal check box, and the Installation Data of the group you selected. The group and installation data are used as default for the new group. It is possible to take additional actions while creating the group:

Enforce creation of dataset profile
  Create a generic dataset profile with the new group name as High Level Qualifier or HLQ. It has the new group as owner and a UACC of none. This command is available separately on the Action menu also.

  Note: If the existing, prototype group already has one or more dataset profiles with the HLQ equal to the group name, they can be copied instead. This is done regardless of whether the check box here is on or off.

Define Alias
  Define an alias for the group pointing to the user catalog. The user catalog data set name must be known to use this option. This command is available separately on the Action menu.

  Note: IBM Tivoli zSecure Visual attempts to retrieve the user catalog dataset name by searching the XFACILIT class, or the class configured as the Site Module general resource class during the server setup as described in the IBM Tivoli zSecure CARLa-Driven Components: Installation and Deployment Guide. It looks for profiles with names starting with "CKG.UCAT." using the SHOW MYACCESS command. If one or more such profiles are found, this option can be activated. If more than one dataset name is found, the user is asked to select one of them when activating the option.

Figure 33. Duplicate group dialog

Segments

OMVS OpenMVS group (grpid)
  The OMVS group identifier. To have the system assign an unused value, use "auto". If you want more than one group to share the grpid, add "s" at the end of the grpid value.

  If this segment is present for the original group profile, the value is copied to the new group. It displays in the dialog grpid field. If no value exists for the duplicated group or if the segment is not within your scope, the field is disabled. If the field is disabled, you cannot create this segment for the new group in this dialog. For more information about authorities needed to manage segments, see “Authorities and settings required to manage segments” on page 71.

Change the fields as needed and click OK to create the duplicate group, or click Cancel to cancel the changes.

Deleting a group

IBM Tivoli zSecure Visual can delete a group only if the group does not own resources. If the group owns resources, the group remains present. However, because all permits and connects have been removed, no user can use the group. A dialog appears to inform the IBM Tivoli zSecure Visual user about the incomplete deletion.

To delete a group, select the group and perform one of the following steps:
- Select Action > Delete from the main menu.
- Press the Delete key.
- Right-click a group and select Delete from the pop-up menu.
- Click Delete on the toolbar.

The dialog lists the Group, SupGroup and Installation Data of the group to be deleted. Click OK to delete the group, or click Cancel to cancel the changes.

Figure 34. Delete group dialog


Chapter 5. Connect management

This chapter explains the connection relationship between users and groups. It contains the following topics:
- “Connects table”
- “Viewing and changing Connect properties”
- “Creating a connect”
- “Deleting a connect”
- “Copying, merging, and moving connects”

RACF users are connected to one or more groups. Different kinds of connects result in different authorizations for the users. Users get at least some of the authorizations of their groups. Their authorizations depend on the attributes of the connect, but they can use the resources that their groups have access to.

Connects table

The Connects table displays the connects of a user or group. Follow one of these steps to open the connects table:
- Select a user or group and select Navigate > Connects from the main menu.
- Right-click a user or group and select Connects from the pop-up menu.
- Select a user or group and click Connect on the toolbar.

The Connects table has the following fields:

Auth
  Connect authority. The value can be any of the following options:

  Use
    The user can access the resources that the group has access to.

  Create
    The user has the same authorizations as with Use. The user is also authorized to create data sets and data set profiles that have a High-Level-Qualifier (HLQ) as the name of the group.

  Connect
    The user has the same authorizations as with Create and is also authorized to connect existing users to the group.

  Join
    The user has the same authorizations as with Connect and is also authorized to create new subgroups.

Figure 35. Connects table


gSpec
  Group special attribute. When a user is connected with the group special attribute, the user can do everything with users, groups, and resources that are in the scope of the group, except changing auditing attributes.

gOper
  Group operations attribute. When a user is connected to a group with the group operations attribute, the user can do everything with resources that are in the scope of the group.

gAud
  Group auditor attribute. When a user is connected to a group with the group auditor attribute, the user can change auditing attributes of the users, groups, and resources that are in the scope of the group.

For groups, the other columns are the same as the group table in “Group table” on page 43.

Note: For universal groups, the Connected Users table shows only the users with authority higher than USE or with the attributes SPECIAL, OPERATIONS or AUDITOR at the group level.

For users, the other columns are the same as the user table in “User table” on page 25.

Viewing and changing Connect properties

To see the properties of the connected users of a group, perform one of the following steps:
- Select the users and select Navigate > Show Connects from the main menu.
- Right-click the users and select Show Connects from the pop-up menu.
- Click Show Connects on the toolbar.

If you need to see the connects between a group and its users, the columns of the resulting table are described in Chapter 3, “User management,” on page 25. If you need to see the connects between the groups of a user, the columns of the resulting table are described in Chapter 4, “Group management,” on page 43.

To see or change the properties of a connect, perform one of the following steps:
- Select the connected user or group and select Navigate > Properties from the main menu.
- Right-click a connected user or group and select Properties from the pop-up menu.
- Click Properties on the toolbar.

In the resulting dialog field, select the connect tab.


The Properties dialog has two tabs: Connect and Group. In the Connect tab, you see the following fields:

Userid
  Userid of the connected user.

Group
  Group of the connect.

Authority
  Connect authority. From the connect authority dropdown list, you can select either Use, Connect, Create or Join.

  Use
    The user can access the resources that the group has access to.

  Create
    The user has the same authorizations as with Use. The user is also authorized to create data sets and data set profiles that have a High-Level-Qualifier (HLQ) as the name of the group.

  Connect
    The user has the same authorizations as with Create and is also authorized to connect existing users to the group.

  Join
    The user has the same authorizations as with Connect and is also authorized to create new subgroups.

gSpec
  Group special attribute. When a user is connected to a group with the group special attribute, the user can do everything with users, groups, and resources that are in the scope of the group, except changing auditing attributes.

gOper
  Group operations attribute. When a user is connected to a group with the group operations attribute, the user can do everything with resources that are in the scope of the group.

gAud
  Group auditor attribute. When a user is connected to a group with the group auditor attribute, the user can change auditing attributes of the users, groups, and resources that are in the scope of the group.

Figure 36. Connect properties dialog


Created
  Date that the connect was created.

Last connect
  Most recent time that the user was connected to the group.

In the Group tab, you see the Group Properties fields. For a detailed description, see “Group properties” on page 45.

Your authorization to create connects on the mainframe decides which of these fields are editable. To apply changes, click OK.

Creating a connect

A connect is a relation between a user and a group. The kind of the relation between a user and a group depends on its attributes. To create a connect, select either users or groups and perform one of the following steps:
- Select Action > Connect from the main menu.
- Right-click a user or group and select Connect from the pop-up menu.
- Click Connect on the toolbar.

Enter the userid or group. You can select from the following options:

Authority
  Connect authority. The connect authority is either Use, Connect, Create, or Join.

  Use
    The user can access the resources that the group has access to.

  Create
    The user has the same authorizations as with Use. The user is also authorized to create data sets and data set profiles that have a High-Level-Qualifier (HLQ) as the name of the group.

  Connect
    The user has the same authorizations as with Create and is also authorized to connect existing users to the group.

  Join
    The user has the same authorizations as with Connect and is also authorized to create new subgroups.

gSpec
  Group special attribute. When a user is connected to a group with the group special attribute, the user can do everything with users, groups, and resources that are in the scope of the group, except changing auditing attributes.

gOper
  Group operations attribute. When a user is connected to a group with the group operations attribute, the user can do everything with resources that are in the scope of the group.

gAud
  Group auditor attribute. When a user is connected to a group with the group auditor attribute, the user can change auditing attributes of the users, groups, and resources that are in the scope of the group.

Figure 37. Create connect dialog

Click OK to connect.

About Attributes gSpec, gOper and gAud

If the attributes GrpSpecial, GrpOperations and GrpAuditor display in gray, you cannot specify the attributes. The new connect cannot have them, unless the connect exists with these attributes.

About drag-and-drop and copy-paste

Another way to create connects is by drag-and-drop. A pop-up menu appears after dropping users from one list on a group in another list, or vice versa. Select Connect to create a connect.

Note: All new connects get the same attributes.

You can also use the Copy-Paste function available on the main menu bar. This function copies all the attributes. For more information, see “Copying and pasting” on page 9.

Deleting a connect

To delete connects, follow these steps:
1. Select the connects in a Connects table and perform one of the following steps:
   - Select Action > Delete from the main menu.
   - Right-click the connects and select Delete from the pop-up menu.
   - Click Delete on the toolbar.
   - Press the Delete key.
   - Drag the connects and drop them on the Recycle Bin.
2. Specify that the user must be removed from all access lists of group resources in the "Remove user permits from group resources" option.
3. Click OK to delete or remove the connect.


Copying, merging, and moving connects

You can copy, merge, and move connects by using Drag and Drop or Copy and Paste. If you use Drag and Drop, you can drag connects from one table and drop them on a similar one. After the drop, a pop-up menu appears, listing the following options:

Copy
  The dragged connects are copied to the target table. If a connect exists and has an authority higher than the dragged connect, the user can choose between copying and merging the connects. If copy is selected, the dragged connects replace the target connects. If merge is selected instead, every new connect has the attributes of both connects and has the highest connect authority.

Move
  The move action is a combination of a copy or merge followed by a delete of the successfully copied or merged connects. A dialog in which you can specify the move options is displayed. The "Remove user permits from group resources" option specifies whether the user must be removed from the access list of resource profiles of the group on the delete action.

Select Copy and Paste from the main menu to perform "copy and paste". For more information about Copy and Paste, see “Copying and pasting” on page 9.

Figure 38. Delete connect dialog


Chapter 6. Resource management

You can manage resources to maintain the rules that determine the types of access different users and groups have to the resources. This chapter contains the following topics:
- “Resource profiles”
- “Adding a resource profile”
- “Duplicating a resource profile”
- “Editing Resource profile properties”
- “Deleting a resource profile”
- “Access List”
- “Adding a user or group to an access list”
- “Editing an access list entry”
- “Deleting an access list entry”
- “Members”
- “Viewing and changing a member list”
- “Adding a member”
- “Editing a member”
- “Deleting a member”
- “Refreshing a class”

Resource profiles

The rules that determine the access of a user are stored in profiles. Profiles are stored in classes. The class determines which type of resource is protected; the profile name determines which resources within the class are covered by that profile.

In RACF, a distinction is made between DATASET profiles and all other profiles. The DATASET profiles reside in the DATASET class, which is used to control access to data sets. All other profiles are called General Resource Profiles. IBM Tivoli zSecure Visual lets you work with both types of profiles.

To protect a resource with a profile, the profile has to reside in the appropriate class. The name of the profile needs to match the name of the resource. For example, to protect dataset C2R.CKR260.CKRLOAD, you can make a profile named C2R.CKR260.CKRLOAD in the DATASET class.

To avoid creating a resource profile for every resource, RACF enables you to use generic characters in the profile name. You can use character * to represent one qualifier, or the rest of the current qualifier. The ** sequence matches zero or more qualifiers. The following examples show the matches based on the use of the * character:
- C2R.CKR*.CKRLOAD matches C2R.CKR260.CKRLOAD.
- C2R.CKR260.CKRLOAD.* does not match C2R.CKR260.CKRLOAD, because it has no fourth qualifier.
- C2R.** matches C2R.CKR260.CKRLOAD.
- C2R.**.CKRLOAD matches C2R.CKR260.CKRLOAD.


If there are different resource profiles that match a certain resource, RACF uses the most specific profile. That is the profile with the most characters to the left of the first generic character.
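The matching and most-specific rules described above, as an added Python example (not code from the manual or from RACF): it models only the `*` and `**` rules and the specificity rule stated here, so a reviewer can see which profile, and therefore which UACC, covers a data set. All function names are assumptions of this example, and the profile list with its UACC values is constructed sample data.

```python
"""Simplified model of the generic-profile rules in this section (added example)."""


def _qualifier_matches(pattern_q, resource_q):
    """Match one profile qualifier against one resource qualifier."""
    if "*" not in pattern_q:
        return pattern_q == resource_q
    if pattern_q.count("*") != 1 or not pattern_q.endswith("*"):
        # Only the forms described in the text are modelled here.
        raise ValueError(f"unsupported generic qualifier: {pattern_q!r}")
    # "*" alone stands for one whole qualifier; "CKR*" for the rest of it.
    return resource_q.startswith(pattern_q[:-1])


def _match(pattern_qs, resource_qs):
    """Recursively match lists of qualifiers."""
    if not pattern_qs:
        return not resource_qs
    head, rest = pattern_qs[0], pattern_qs[1:]
    if head == "**":
        # "**" absorbs zero or more whole qualifiers.
        return any(_match(rest, resource_qs[i:])
                   for i in range(len(resource_qs) + 1))
    if not resource_qs:
        return False
    return _qualifier_matches(head, resource_qs[0]) and _match(rest, resource_qs[1:])


def profile_matches(profile, resource):
    """True if the profile name covers the fully qualified resource name."""
    resource_qs = resource.split(".")
    if "" in resource_qs or "*" in resource:
        raise ValueError(f"not a fully qualified resource name: {resource!r}")
    return _match(profile.split("."), resource_qs)


def specificity(profile):
    """Number of characters to the left of the first generic character."""
    first_generic = profile.find("*")
    return len(profile) if first_generic == -1 else first_generic


def covering_profile(resource, profiles):
    """Most specific matching profile, or None if the resource is unprotected.

    The text does not say how ties are broken; max() keeps the first candidate.
    """
    candidates = [p for p in profiles if profile_matches(p, resource)]
    return max(candidates, key=specificity) if candidates else None


# Constructed sample data: profile name -> UACC.
SAMPLE_PROFILES = {
    "C2R.**": "READ",
    "C2R.CKR*.CKRLOAD": "NONE",
    "C2R.**.CKRLOAD": "READ",
    "C2R.CKR260.CKRLOAD.*": "UPDATE",
}


def effective_uacc(resource, profiles=SAMPLE_PROFILES):
    """Return (profile, UACC) for the profile that actually applies."""
    name = covering_profile(resource, profiles)
    return None if name is None else (name, profiles[name])


if __name__ == "__main__":
    for dsn in ("C2R.CKR260.CKRLOAD", "C2R.CKR260.CKRLOAD.BACKUP",
                "C2R.OTHER.DATA", "SYS1.PARMLIB"):
        print(dsn, "->", effective_uacc(dsn))
```

In the sample data the broad C2R.** profile grants READ, but C2R.CKR260.CKRLOAD is covered by the more specific C2R.CKR*.CKRLOAD profile, so the UACC that applies is NONE.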

Resource table

Use the Find dialog to locate a list of all resources. You can use * in the class to get profiles of different resource classes in one table. If you leave the class field empty, you can get all resources but without users or groups.

The resulting fields in the Resource table are:

Class
  Class in which the profile resides.

Profile
  Name of the profile.

ProfType
  Profile type. For general resources, it can be discrete or generic. For data sets, it can be generic, nonvsam, vsam, tapedsn, or model.

UAcc
  Access granted by the profile to any user whose access cannot be determined from the access list.

Warning
  A profile in warning mode always allows access to the resource (!), but if the access is more than allowed by the Access List or UACC, an audit log record is written.

Erase
  Overwrite the dataset on deletion. This flag is only taken into account if the central Erase flag has been set using a SETROPTS ERASE command.

AuditS
  Audit level for successes.

AuditF
  Audit level for failures.

ACLCount
  Number of userids and groups on the access list of the profile.

Owner
  Userid or group that can change the profile.

Figure 39. Resource table


Notify
  Userid that receives a message when an audited violation occurs.

InstData
  The contents and meaning of this field are site defined.

Appldata
  This field is only defined for general resource profiles, which are all resource profiles except profiles in the DATASET class. Its contents and meaning depend on the class.

Volser
  For discrete DATASET profiles, it contains the volumes the profile protects.

Created
  Date the profile was created.

UserIDcount
  For the IDIDMAP profiles, it indicates the number of user IDs associated with this profile.

The extra selection fields for resources in the Find dialog are:

Installation data
  Select only resources that have the specified pattern in their installation data.

Owner
  Select only resources whose owner matches the specified filter.

Segment
  Select the resources that have the segment you specified. If this option is grayed out, you cannot view segments or there are none. The option any gives you the complete resource list, whether the profiles have segments or not.

Typically, a profile contains an access list that specifies the access that users and groups have to the resources covered by the profile. Some general resource classes grant access by a different procedure.

Mapping information

For the IDIDMAP profiles, you can view their associated mapping information by following one of these steps:
- Select the IDIDMAP profile and select Navigate > Mappings from the main menu.
- Right-click the IDIDMAP profile to display the pop-up menu and select Mappings.


On the displayed window, you can view the following fields:

Label
    The label associated with the identity mapping.

User ID
    The user ID associated with the identity mapping.

Registry name
    The registry name of the identity mapping.

Note: You cannot duplicate, add, edit, or delete an IDIDMAP profile. For more information, see “Viewing Mappings” on page 41.

Adding a resource profile

To create a resource profile from scratch, you have to be in a resources table. When the table is active, perform the following steps:
1. Select the profile from the active resource table and select Action > Add Resource.
2. Enter the profile data, which is explained in the following section.
3. If you need the profile changes effective immediately for all users, click Refresh to refresh the class. If you do not refresh the class, the profile becomes active only for those users that do not have it cached.
4. Click OK to apply your changes.

Note: You can only create generic DATASET profiles, including fully qualified generics.

Figure 40. Mapping information of an IDIDMAP profile


The resource profile fields are described as follows:

Class
    Class in which the profile resides. IBM Tivoli zSecure Visual uses the class of the profile you have selected as the default class. You can change the class.

Profile
    Name of the profile.

UACC
    Access granted by the profile to any user whose access cannot be determined from the access list.

Warning
    A profile in warning mode always allows access to the resource (!), but if the access is more than allowed by the Access List or UACC, an audit log record is written.

Erase
    This flag is only valid when class is DATASET. When the flag is set, the dataset is overwritten on deletion, but only if the central Erase flag has been set using a SETROPTS ERASE command.

AuditS
    Audit level for successes.

AuditF
    Audit level for failures.

Owner
    Userid or group that can change the profile.

Notify
    Userid that can receive a message when an audited violation has occurred.

InstData
    The contents and meaning of this field are site defined.

Appldata
    This field is only defined for generic resource profiles, which are all resource profiles except profiles in the DATASET class. Its contents and meaning depend on the class.

Figure 41. Add resource profile dialog


Refresh enables you to refresh the class, so the new profile becomes immediately effective, even for users that have cached profiles of the class. If you do not specify Refresh, the profile only becomes active for those users that do not have it cached.

Click OK to create the profile, or click Cancel to cancel the new profile.

Note: You can only create generic DATASET profiles, including fully qualified generics.

Duplicating a resource profile

You can create a profile by duplicating an existing profile. Duplicating a profile copies the access list and member list of the original profile to a new profile. You can customize the new profile and change the data as required.

To duplicate a resource profile, perform the following steps:
1. Select the resource profile in a resources table and select Action > Duplicate from the main menu.
2. Click OK to create the profile.
3. Change the data in the fields. For a description of all the fields, see “Adding a resource profile” on page 60.

Refresh enables you to refresh the class so that the new profile becomes effective immediately. It works even for users that have cached profiles of the class. If you do not refresh, the profile only becomes active for those users that do not have it cached.

Note: You cannot copy a resource profile from a DATASET class to a general resource class or vice versa.

Figure 42. Duplicate resource profile dialog


Editing Resource profile properties

To change the properties of a resource profile, perform the following steps:
1. Select the profile and select Navigate > Properties from the main menu.
2. Edit the properties as needed.
3. Click Refresh to refresh the class if you need the profile changes effective immediately.
4. Click OK to apply your changes.

You can specify the following properties for a resource profile:

Class
    Class in which the profile resides.

Profile type
    Type of the RACF profile, for example, Generic, VSAM, Non VSAM, Model, Type DSN, and so on.

Profile
    Name of the profile.

Volumes
    For discrete DATASET profiles, this field contains the volumes that the profile protects.

Owner
    Userid or group that can change the profile.

Notify
    Userid that receives a message when an audited violation occurs.

Figure 43. Properties dialog


Warning
    A profile in warning mode always allows access to the resource (!), but if the access is more than allowed by the Access List or UACC, an audit log record is written.

Erase
    Overwrite the dataset on deletion. This flag is only taken into account if the central Erase flag has been set using a SETROPTS ERASE command.

ACLCount
    Number of userids and groups on the access list of the profile. You cannot directly change the number here. However, if you select the profile and select Navigate > Access List from the main menu, you can extend or shorten the access list.

Application data
    This field is only defined for generic resource profiles, which are all resource profiles except profiles in the DATASET class. Its contents and meaning depend on the class.

Installation data
    The contents and meaning of this field are site defined.

Profile type
    Type of profile.

UACC
    Access granted by the profile to any user whose access cannot be determined from the access list.

AuditF
    Audit level for failures.

AuditS
    Audit level for successes.

User ID count
    For the IDIDMAP profiles, it indicates the number of user IDs associated with this profile.

Deleting a resource profile

To delete a resource profile, follow these steps:
1. Select the resource profile in a resource table and select Action > Delete from the main menu.
2. Select Refresh to apply the deletion of the profile immediately.
3. Click OK to delete the profile.


Access List

The name Access list is often abbreviated as ACL. A resource profile typically has an Access List; that is a list of Userids and Groupids, their granted access, and optionally, a condition.

To view the access list of a resource profile, select the profile and select Navigate > Access List from the main menu.

When a group is placed on the access list, all its users get access; see “Viewing Effective Access List” on page 23. Besides the user and group columns that are described in Chapter 1, “Using IBM Tivoli zSecure Visual,” on page 1 and Chapter 3, “User management,” on page 25, the columns in the resulting table are described as follows:

ID
    Userid or group.

Access
    Granted access. It is always one of the following options:

Figure 44. Delete resource profile dialog

Figure 45. Access list


    None
        All means of access are denied for the specified user or group.

    Execute
        The specified user or group can execute the resource. It is only effective for data sets and programs.

    Read
        The specified user or group can execute and read the resource.

    Update
        The specified user or group can execute, read, and update or write the resource.

    Control
        The specified user or group can execute, read, update or write, and create or remove the resource.

    Alter
        The specified user or group can do anything with the resource and change the resource profile, just as the owner.

When
    A blank field means there is no condition, so the access is granted without restriction. If the field is non-blank, it is of the form:
        APPCPort appcport
        Console console
        JESInput class
        Program program
        SYSID id
        Terminal terminal
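The access levels, UACC fallback and warning mode described in this chapter can be modelled in a few lines. The following is an added example, not part of the IBM manual or of RACF itself; it assumes that a user's own access list entry is used before group entries, that the highest group entry applies otherwise, and it ignores the When condition. The profile names and IDs are constructed.

```python
from dataclasses import dataclass, field

# Access levels from the Access column, lowest to highest.
# Each level includes everything the levels before it allow.
LEVELS = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    warning: bool = False
    acl: dict = field(default_factory=dict)  # ID (userid or group) -> level


def granted_level(profile, userid, groups):
    """Return (level, source) that the profile grants to userid.

    Assumption of this model: the user's own entry wins, then the highest
    entry among the user's groups, then UACC ("access cannot be determined
    from the access list").
    """
    if userid in profile.acl:
        return profile.acl[userid], "ACL user entry"
    group_levels = [profile.acl[g] for g in groups if g in profile.acl]
    if group_levels:
        return max(group_levels, key=RANK.__getitem__), "ACL group entry"
    return profile.uacc, "UACC"


def check_access(profile, userid, groups, requested):
    """Decide a request and say whether warning mode let it through."""
    level, source = granted_level(profile, userid, groups)
    result = {"allowed": True, "level": level, "source": source,
              "warning_record": None}
    if RANK[requested] <= RANK[level]:
        return result
    if profile.warning:
        # Warning mode: access is allowed anyway, and an audit record is written.
        result["warning_record"] = (
            f"{userid} got {requested} on {profile.name}, "
            f"more than {level} from {source}")
        return result
    result["allowed"] = False
    return result


def warning_mode_review(profiles):
    """Profiles whose access list and UACC are advisory only (Warning set)."""
    return sorted(p.name for p in profiles if p.warning)


# Constructed sample data, not taken from any real RACF database.
PAYROLL = Profile("PAYROLL.DATA.**", uacc="NONE",
                  acl={"ALICE": "READ", "PAYGRP": "UPDATE"})
TESTDATA = Profile("TEST.DATA.**", uacc="READ", warning=True)

if __name__ == "__main__":
    print(check_access(PAYROLL, "ALICE", ["PAYGRP"], "UPDATE"))
    print(check_access(TESTDATA, "CAROL", [], "ALTER"))
    print(warning_mode_review([PAYROLL, TESTDATA]))
```

Listing the profiles returned by `warning_mode_review` is a useful periodic review, because for those profiles every request succeeds regardless of the access list.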

With the buttons Add, Edit and Delete, you can change the Access List entries. After you change them, the OK and Cancel buttons become available.

Refresh enables you to refresh the class, so the new Access List becomes immediately effective, even for users that have cached profiles of the class. Click OK to apply the changes to the mainframe.

Adding a user or group to an access list

To add a user or group to the access list, follow these steps:
1. Display the access list and click Add in the table window.
2. To add the same ID with different conditions to the access list, click OK. If the same ID is added with the same condition but a different access, the new access overrides the previous access. The new ID is sent to the mainframe.
3. Select Refresh to make the new ID immediately active for all users. If you do not refresh, the ID only becomes active for those users that do not have it cached.

The dialog has the following fields:

Figure 46. Add to an access list


ID
    A Userid or Groupid.

Access
    The access allowed for ID.

When
    Condition for which access is granted.

Editing an access list entry

To edit the entry of a user or group in the access list, follow these steps:
1. Select the entry and click Edit in the table window.
2. Click OK to apply the changes to the access list.

The changes are sent to the mainframe. The changes do not become effective for the users that have the concerned profiles cached until you refresh the class.

The dialog has the following editable fields:

ID
    A Userid or Groupid.

Access
    The access allowed for ID.

When
    Condition for which access is granted.

Deleting an access list entry

You can delete the entry of a user or group in the access list. Select the entry and follow one of these steps:
- Click Delete in the table window; or,
- Select Action > Delete.

The deletion is sent to the mainframe when you click OK in the access list. The changes do not become effective for the users that have the concerned profiles cached until you refresh the class.

Figure 47. Edit access list dialog


Members

All resource profiles except DATASET profiles can have a member list. In practice, only some classes have profiles with members.

Profile members

The typical way to use profile members is to grant access on groups of resources instead of individual resources. You need a member and grouping class.

Member and grouping classes are linked together in the Class Descriptor Table. The member class can contain profiles that grant access in the normal way. The grouping class is used to grant access on groups of resources. A group is represented by a profile within the class. This grouping profile can have a list of members, each of which contains a resource name. Any rights granted on the grouping profile grant access on all the resources named in the members.

Attention: The design of the group structure is important. For ease of use, a group name must give a good indication of either the contents or the use of the resource group. You must avoid the following usage:
- Use of both the member and grouping class simultaneously for the same resource.
- Recurrence of the same resource in more than one group, when you plan to grant access on those resource groups to a user or group.

The issues that arise when access rights are merged for a resource that is present more than once are rather involved and can result in unexpected and undesired effects. Also, no clear report of the result is available.

Example

The main reason to use grouping is to avoid excessive administration overhead. An example of where this grouping can be useful is the administration of CICS transactions. TCICSTRN, the member class, can be used to grant access on individual transactions. For every transaction, a profile is needed. However, it quickly becomes cumbersome. To avoid creating large piles of individual transaction profiles, it is possible to organize them in the GCICSTRN grouping class. A useful group division might be by CICS system and job description:

If the grouping is well-chosen, granting rights on the resource groups can be much simpler and less error prone than granting rights on individual transactions.

Figure 48. Grouping class example
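The two usages that the Attention note says to avoid can be detected from an export of the member class profiles, the grouping profiles with their member lists, and the grouping profiles' access lists. The following is an added example, not part of the IBM manual; the data layout, the transaction names and the IDs are constructed, and resource names are compared as literal strings (generic patterns are not expanded).

```python
from collections import defaultdict


def audit_grouping(member_profiles, grouping_members, grouping_acls):
    """Report the grouping designs the manual warns against.

    member_profiles  : set of resource names that have their own profile
                       in the member class (for example TCICSTRN)
    grouping_members : {grouping profile: [resource names]} from the
                       grouping class (for example GCICSTRN)
    grouping_acls    : {grouping profile: {ID: access level}}
    """
    groups_of = defaultdict(set)
    for group, members in grouping_members.items():
        for resource in members:
            groups_of[resource].add(group)

    # 1. Same resource defined in the member class and in a grouping profile.
    in_both_classes = sorted(r for r in groups_of if r in member_profiles)

    # 2. Same resource named in more than one grouping profile.
    in_several_groups = {r: sorted(g) for r, g in groups_of.items()
                         if len(g) > 1}

    # 3. Of those, the cases that matter most: one ID is on the access list
    #    of several of these groups with different levels, so the result
    #    depends on how the entries are merged.
    conflicts = []
    for resource, groups in sorted(in_several_groups.items()):
        levels_by_id = defaultdict(dict)
        for group in groups:
            for ident, level in grouping_acls.get(group, {}).items():
                levels_by_id[ident][group] = level
        for ident, per_group in sorted(levels_by_id.items()):
            if len(set(per_group.values())) > 1:
                conflicts.append((resource, ident, per_group))

    return {"in_both_classes": in_both_classes,
            "in_several_groups": in_several_groups,
            "conflicts": conflicts}


# Constructed sample: transactions grouped by CICS system and job description.
SAMPLE_MEMBER_PROFILES = {"PAY1", "INQ1"}            # profiles in TCICSTRN
SAMPLE_GROUPS = {                                    # profiles in GCICSTRN
    "PRODA.CLERK": ["INQ1", "INQ2"],
    "PRODA.PAYROLL": ["PAY1", "PAY2", "INQ2"],
}
SAMPLE_ACLS = {
    "PRODA.CLERK": {"CLERKS": "READ"},
    "PRODA.PAYROLL": {"PAYADM": "READ", "CLERKS": "NONE"},
}

if __name__ == "__main__":
    report = audit_grouping(SAMPLE_MEMBER_PROFILES, SAMPLE_GROUPS, SAMPLE_ACLS)
    for key, value in report.items():
        print(key, value)
```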


Exceptions

There are some classes where profile members are used in different ways than previously described. Explaining the mechanisms involved is beyond the scope of this manual. Some of the better known exceptions are:
- The Global Access Table (GLOBAL class, DATASET profile).
- NODES class.
- PROGRAM class.
- RACFVARS class.

Viewing and changing a member list

To display the member list of a resource profile and change the list, perform the following steps:
1. Select the profile and select Navigate > Members from the main menu.
2. Click Add, Edit, or Delete to change the member list.
3. Click Refresh to make the changes effective immediately. For users that have cached profiles of the same class, the changes might not become effective until you refresh the class.
4. Click OK to apply the changes to the mainframe.

Adding a member

To add a member, perform the following steps:
1. Click Add in the member table window.
2. Enter the new member and click OK to add it to the list.

Figure 49. Member list

Figure 50. Add member dialog


When adding a member to the PROGRAM class, the fields DSN, Volume, and PADCHK are used to construct the new member string. The new member is sent to the mainframe when you click OK in the member list. The changes do not become effective for the users that have the concerned profiles cached until you refresh the class.

Editing a member

To edit a member, perform the following steps:
1. Select the member and click Edit in the member table window.
2. Change the member and click OK to place it in the list.

When editing a member of the PROGRAM class, the fields DSN, Volume and PADCHK are used to construct the member string. The change is sent to the mainframe when you click OK in the member list. The changes do not become effective for the users that have the concerned profiles cached until you refresh the class.

Deleting a member

To delete a member, perform the following steps:
1. Select the member and click Delete in the member table window, or
2. Select Action > Delete from the main menu.
3. Click OK in the member list to send the deletion to the mainframe.

The changes do not become effective for the users that have the concerned profiles cached until you refresh the class.

Refreshing a class

After changing resource profiles in the RACF database, a refresh is required to propagate the changes to cached profiles for all users. To refresh a class, perform the following steps:
1. Select Action > Refresh from the main menu.
2. Enter the class name in the Class field.
3. Select Refresh GLOBAL class to refresh the global access table for this class instead of the class itself. If you do not know the class, click the button next to the class field to get the Select class dialog. See “Finding classes with the Select class dialog” on page 24 for more information.
4. Click OK to refresh the class.

Figure 51. Edit member dialog


Chapter 7. Segment management

This chapter describes application segments. An application segment is part of a profile that contains information about a mainframe application other than RACF, like TSO or OMVS. Users, Groups, and General Resources all have their own segments.

This chapter contains the following topics:
- “Authorities and settings required to manage segments”
- “Viewing and editing segment types” on page 72
- “Viewing the segment list” on page 73
- “Using the Segment Detail window” on page 74
- “Adding a segment” on page 75
- “Exceptions” on page 76
- “Consulting IBM books” on page 89

Authorities and settings required to manage segments

To view segments you must set the Interface level option at administration level Full. To select this level, go to View > Options on the main menu.

To edit segments, you need the following authorization:
- user has UPDATE or better on XFACILIT (1) resource CKG.CMD.CMD.EX.ALTUSER
- user has UPDATE or better on XFACILIT (1) resource CKG.CMD.CMD.EX.ALTGROUP
- user has UPDATE or better on XFACILIT (1) resource CKG.CMD.CMD.EX.ALTDSD
- user has UPDATE or better on XFACILIT (1) resource CKG.CMD.CMD.EX.RALTER
- user has UPDATE or better on FIELD resource class.segment.field (or System Special)

Figure 52. Refresh class dialog


Viewing and editing segment types

IBM Tivoli zSecure Visual enables you to view and edit segments. The option Navigate > Segmenttypes on the main menu gives you the complete overview of all segments that IBM Tivoli zSecure Visual can show.

The Segmenttypes table has the following columns:

Class
    The class that the segment belongs to.

Segmenttype
    The segment type.

Segmentcount
    The number of segments.

    Note: This number is not initially specified. Every time information about a segment is being viewed, the relevant number of that segment is updated in the Segmenttypes list.

To view information about segments, right-click a row and select Segment List. See “Viewing the segment list” on page 73.

Application segments

The following table lists the segments of general resource profiles in their related classes.

Class               Segment

APPCLU              SESSION
CDT                 CDTINFO
CFIELD              CFDEF

1. XFACILIT is the default name for the Tivoli zSecure Visual general resource class in the Site Module. If this name has been customized during the Tivoli zSecure Visual installation, verify that you have the required authorizations for the class configured for the installation.

Figure 53. Segment types


Class               Segment

CSFKEYS, GCSFKEYS   ICSF
DATASET             DFP
DATASET             TME
DIGTCERT            CERTDATA
DIGTRING            CERTDATA
DLFCLASS            DLFDATA
EJBROLE             TME
FACILITY            DLFDATA
FACILITY            EIM
FACILITY            PROXY
FACILITY            TME
ICSF                CSFKEY, XCSFKEY
LDAPBIND            EIM
LDAPBIND            PROXY
PTKTDATA            SSIGNON
REALM               KERB
PROGRAM             SIGVER
ROLE                TME
STARTED             STDATA
SYSMVIEW            SVFMR
XCSFKEY, GXCSFKEY   ICSF

The segments of group profiles are DFP, CSDATA, OMVS, OVM, and TME®. The segments of user profiles are CICS, CSDATA, DCE, DFP, EIM, KERB, LANGUAGE, LNOTES, NDS, NETVIEW, OMVS, OPERPARM, OVM, PROXY, TSO, and WORKATTR.

Viewing the segment list

The segment list gives you the list of all segments of a class with a specific segment type. To view the segment list, follow these steps:
1. Open the Segment Types window.
2. Select the class-segment type combination and select Navigate > Segment list from the main menu, or
3. Right-click the class-segment type and select Segment list.

Figure 54. Segment list


The segment list always starts with the name of the profile. The other fields are segment specific. The names are abbreviations. You can find the complete names in the segment detail window. For more information about the segment fields, see “Segment field” on page 77.

If you select a profile in the segment list, you have the following possibilities:
- View the properties of the profile by performing one of the following steps:
    - Select Navigate > Properties on the main menu and double-click the profile; or,
    - Right-click the profile and select the option Properties.
- View the segment detail window of the profile by performing one of the following steps:
    - Select Navigate > Segments from the main menu; or,
    - Right-click the profile and select the option Segments.
- Add a segment to a profile. For more information, see “Adding a segment” on page 75.

Using the Segment Detail window

The segment detail window gives you all the information about the segments of a single profile. From this window, you can also edit the profile. To access the Segment Detail Window, you have to be in the segment list or in either the user, group, resource, connected users, or connected groups table.

To open the Segment Detail Window, follow these steps:
1. Select the specific profile you want to edit or look at.
2. Select Navigate > Segments from the main menu, or
3. Right-click the profile and select Segments from the pop-up menu.

When you open the segment detail window, on the left pane you see all segments of the profile. If you select a segment here, you get the detailed information in the right pane. The right pane has three columns:

Description
    A description of the segment.

Figure 55. Segment Detail Window


Fieldvalue
    Value of the field. You can edit the value. All empty fields are shown with a blue-colored <Empty> in this column. When a repeating field count is zero, a single <Empty> field is shown here, although it does not exist yet. It enables the user to create the first repeating field by simply entering a value.

Changed
    This column tells you whether any changes you made are yet to be applied on the mainframe by clicking Apply.

The buttons on the right are the edit options.

To edit a field, follow these steps:
1. Click the text you want to change. If the field value is too long, the Edit window appears.
2. Type the new value. In case the Edit window appears, you can press either the ENTER key or the TAB key to save the new value. If you close the Edit window or press the ESC key, your changes are not saved. You can then click Apply on the Segment Detail window.
3. Click OK to apply any pending changes and close the window; or,
4. Click Cancel to close the window without applying the changes.

The edit options are listed as follows:

Add segment
    Clicking this button opens the pop-up menu Add segment. You can select the segment you want to add.

Delete segment
    Select the segment you want to delete and click the button. You get a warning box that asks whether you want to delete the selected segment. Click Yes to delete it or Cancel to undo the deletion.

Add Field
    This option is only possible for repeating fields. To add a new, empty field, select the field you want to add. The Add Field button becomes enabled. Click the button to add the field.

Refresh
    After changing a field, you check the box to refresh it to propagate the changes to cached profiles for all users. You must have the right authorization to refresh the profiles.

Apply
    To apply the changes to the mainframe, click Apply. All indications in the Changed column disappear while the changes take effect.

Adding a segment

You can add segments directly to a profile or from the segment detail window.

To directly add a segment, perform the following steps:
1. In the table, right-click the profile you want to add a segment to.
2. Select Action > Add segment from the main menu, or
3. Select Add segment from the pop-up menu.
4. On the Add segment dialog, select the segment to add. Then, click OK.


You can also add segments in the segment detail window; see “Using the Segment Detail window” on page 74.

Exceptions

Most segments exist in the segment list and can be edited with the segment detail window. These are the exceptions:
- CSDATA segments are shown in Segmenttypes, SegmentList, and Segment Detail only if present.
- DIGTCERT-CERTDATA cannot be edited, so it only appears in SegmentTypes and SegmentList, not in Segment Detail.
- DIGTCERT-CERTDATA-CERT is not read from the mainframe, as it causes errors while doing so.
- DIGTCERT-CERTDATA-*RSV* is not read from the mainframe; these are reserved fields and must not be shown.
- DIGTCRIT cannot be edited, so it only appears in SegmentTypes and SegmentList, not in Segment Detail.
- DIGTNMAP cannot be edited, so it only appears in SegmentTypes and SegmentList, not in Segment Detail.
- DIGTRING cannot be edited, so it only appears in SegmentTypes and SegmentList, not in Segment Detail.
- FACILITY PROXY-BINDPW and BINDPWKY are read-only fields, so they only exist in SegmentList, not in Segment Detail.
- REALM-KERB-CURKEY, CURKEYV, ENCTYPE, PREVKEY, PREVKEYV, SALT are read-only fields, so they only exist in SegmentList, not in Segment Detail.
- PTKTDATA-SSIGNON contains an encryption key only, so it only appears in SegmentTypes, not in SegmentList or Segment Detail.
- USER-KERB-CURKEY, CURKEYV, DEFTKTLF, ENCTYPE, MINTKTLF, PREVKEY, PREVKEYV, SALT are read-only fields, so they only exist in SegmentList, not in Segment Detail.
- USER PROXY-BINDPW and BINDPWKY are read-only fields, so they only exist in SegmentList, not in Segment Detail.

Figure 56. Add Segment


- USER-TSO-TCONS, TOPTION, TPERFORM, TRBA, TUPT are read-only fields, so they only exist in SegmentList, not in Segment Detail.

Segment field

To view the segment fields for a segment type, click on the segment name. In the segment field table, each column is explained as follows:

Fieldname
    The names of the fields as you see them in the segment list.

Repeats
    If the fields of the segment display more than once, you find them all in the segment detail window. In the segment list, you find the number of repetitions.

Description
    The descriptions of the fields as you see them in the segment detail window.

Command parameter
    Lists the parameter used to identify the field in RACF commands that manipulate the field. This column is filled in only when this parameter is different from Fieldname.

Segments of general resource profiles

The following section lists the segments of general resource profiles:
- “APPCLU - SESSION” on page 78
- “CDT - CDTINFO” on page 78
- “CFIELD - CFDEF” on page 78
- “CSFKEYS, GCSFKEYS, XCSFKEY, GXCSFKEY - ICSF” on page 79
- “DATASET - DFP” on page 79
- “DATASET - TME” on page 79
- “DIGTCERT - CERTDATA” on page 79
- “DIGTRING - CERTDATA” on page 80
- “DLFCLASS - DLFDATA” on page 80
- “EJBROLE - TME” on page 80
- “FACILITY - DLFDATA” on page 81
- “FACILITY - EIM” on page 81
- “FACILITY - PROXY” on page 81
- “FACILITY - TME” on page 81
- “LDAPBIND - EIM” on page 81
- “LDAPBIND - PROXY” on page 82
- “PROGRAM - SIGVER” on page 82
- “PTKTDATA - SSIGNON” on page 82
- “REALM - KERB” on page 82
- “ROLE - TME” on page 82
- “STARTED - STDATA” on page 83
- “SYSMVIEW - SVFMR” on page 83


APPCLU - SESSION

Fieldname  Repeats  Description                     Command parameter

CONVSEC    No       Conversation security flags
KEYDATE    No       Session key last change date
KEYINTVL   No       Session key days to expiry #    INTERVAL
MAXFAIL    No       Failed tries before lockout #
SENTCNT    No       Session entities in list #
SENTFLCT   Yes      Failed attempts #
SENTITY    Yes      Session entity name
SESSKEY    No       Session key
SLSFAIL    No       Invalid attempts #
SLSFLAGS   No       Session flag byte               LOCK

CDT - CDTINFO

The CDTINFO segment is only valid for the CDT resource class. It is used to define classes in the dynamic CDT.

Fieldname  Repeats  Description                     Command parameter

CDTCASE    No       Profile names case sensitive
CDTDFTRC   No       Default not-found RC
CDTFIRST   No       Syntax 1st character (raw)
CDTGEN     No       GENERIC/GENCMD status
CDTGENL    No       GENLIST status
CDTGROUP   No       Related grouping class
CDTKEYQL   No       Generic scan limit (quals)
CDTMAC     No       MAC checking
CDTMAXLN   No       Maximum length with ENTITY
CDTMAXLX   No       Maximum length
CDTMEMBR   No       Related member class
CDTOPER    No       OPERATIONS honored
CDTOTHER   No       Syntax remainder (raw)
CDTPOSIT   No       POSIT (options set id)
CDTPRFAL   No       Profile definition allowed
CDTRACL    No       RACLIST status
CDTSIGL    No       Send ENF signal
CDTSLREQ   No       SECLABELs required
CDTUACC    No       Default UACC

CFIELD - CFDEF

The CFDEF (Custom Field DEFinition) segment for CFIELD class profiles defines the characteristics of the field.

Fieldname  Repeats  Description                     Command parameter

CFDTYPE    No       Custom field type
CFFIRST    No       Custom field first char
CFHELP     No       Custom field help text
CFLIST     No       Custom field listing header
CFMIXED    No       Custom field mixed chars
CFMNVAL    No       Custom field min value


Fieldname  Repeats  Description                     Command parameter

CFMXLEN    No       Custom field max length
CFMXVAL    No       Custom field max value
CFOTHER    No       Custom field other chars

CSFKEYS, GCSFKEYS, XCSFKEY, GXCSFKEY - ICSF

The ICSF segment is used to store Integrated Cryptographic Service Facility attributes for the keys that are controlled by general resources profiles in classes CSFKEYS, GCSFKEYS, XCSFKEY, and GXCSFKEY.

Fieldname  Repeats  Description                                                           Command parameter

CSFSEXP    No       Symmetric key export option.                                          SYMEXPORTABLE
CSFSKLCT   No       Count of PKDS labels.
CSFSKLBS   Yes      PKDS labels which might be used to export this symmetric key.         SYMEXPORTKEYS
CSFSCLCT   No       Count of certificate labels.
CSFSCLBS   Yes      Certificate labels which might be used to export this symmetric key.  SYMEXPORTCERTS
CSFAUSE    No       Asymmetric key usage.                                                 ASYMUSAGE

DATASET - DFP

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| RESOWNER | No | DFP - resource owner | |

DATASET - TME

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| ROLEN | No | # TME role access specs | |
| ROLES | Yes | TME role access specs | |

DIGTCERT - CERTDATA

Because this segment cannot be edited, it appears only in Segment List and Segment Types.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| CERT | No | Digital certificate | |
| CERTCT | No | # Digital certificates | |
| CERTDFLT | Yes | Default cert for this keyring | |
| CERTEND | No | Certificate enddate | |
| CERTLABL | Yes | Digital certificate labels | |
| CERTLSER | No | Certificate lse | |
| CERTNAME | Yes | Digital certificate names | |
| CERTPRVK | No | Private Key | |
| CERTPRVS | No | Private Key Size | |
| CERTPRVT | No | Private Key Type | |
| CERTSJDN | Yes | Distinguished name of Subject | |
| CERTSTRT | No | Certificate startdate | |
| CERTUSAG | Yes | Cert. usage in this keyring | |
| RINGCT | No | Number of keyrings | |
| RINGNAME | Yes | Name of the keyring | |
| RINGSEQN | No | Ring sequence number | |

DIGTRING - CERTDATA

Because this segment cannot be edited, it appears only in Segment List and Segment Types.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| CERT | No | Digital certificate | |
| CERTCT | No | # Digital certificates | |
| CERTDFLT | Yes | Default cert for this keyring | |
| CERTEND | No | Certificate enddate | |
| CERTLABL | Yes | Digital certificate labels | |
| CERTLSER | No | Certificate lse | |
| CERTNAME | Yes | Digital certificate names | |
| CERTPRVK | No | Private Key | |
| CERTPRVS | No | Private Key Size | |
| CERTPRVT | No | Private Key Type | |
| CERTSJDN | Yes | Distinguished name of Subject | |
| CERTSTRT | No | Certificate startdate | |
| CERTUSAG | Yes | Cert. usage in this keyring | |
| RINGCT | No | Number of keyrings | |
| RINGNAME | Yes | Name of the keyring | |
| RINGSEQN | No | Ring sequence number | |

DLFCLASS - DLFDATA

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| JOBNAMES | Yes | Job names | |
| JOBNMCNT | No | Job names # | |
| RETAIN | No | Retain flag byte | |

EJBROLE - TME

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| CHILDN | No | # TME child roles | |
| CHILDREN | Yes | TME child roles | |
| GROUPN | No | # TME associated groups | |
| GROUPS | Yes | TME associated groups | |
| PARENT | No | TME parent role | |
| RESN | No | # TME resource access specs | |
| RESOURCE | Yes | TME resource access specs | |
| ROLEN | No | # TME role access specs | |
| ROLES | Yes | TME role access specs | |


FACILITY - DLFDATA

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| JOBNAMES | Yes | Job names | |
| JOBNMCNT | No | Job names # | |
| RETAIN | No | Retain flag byte | |

FACILITY - EIM

Definition of the Enterprise Identity Mapping (EIM) domain.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| DOMAINDN | No | EIM Domain Distinguished Name | |
| LOCALREG | No | Local RACF registry for EIM | LOCALREGISTRY |
| OPTIONS | No | EIM options | |

FACILITY - PROXY

BINDPW and BINDPWKY are read-only fields, so they only exist in SegmentList, not in Segment Detail.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| LDAPHOST | No | LDAP Server URL | |
| BINDDN | No | Bind Distinguished Name | |
| BINDPW | No | Bind Password | |
| BINDPWKY | No | Bind Password Mask \| Encrypt Key | |

FACILITY - TME

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| CHILDN | No | # TME child roles | |
| CHILDREN | Yes | TME child roles | |
| GROUPN | No | # TME associated groups | |
| GROUPS | Yes | TME associated groups | |
| PARENT | No | TME parent role | |
| RESN | No | # TME resource access specs | |
| RESOURCE | Yes | TME resource access specs | |
| ROLEN | No | # TME role access specs | |
| ROLES | Yes | TME role access specs | |

LDAPBIND - EIM

Definition of the Enterprise Identity Mapping (EIM) domain.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| DOMAINDN | No | EIM Domain Distinguished Name | |
| LOCALREG | No | Local RACF registry for EIM | LOCALREGISTRY |
| OPTIONS | No | EIM options | |


LDAPBIND - PROXY

The PROXY segment is used to store LDAP proxy server information.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| BINDDN | No | Bind information for LDAP server being contacted | |
| LDAPHOST | No | Host of LDAP server to contact | |

PROGRAM - SIGVER

The SIGVER (SIGnature VERification) segment for PROGRAM class profiles contains fields that are used to verify digital signatures of program modules.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| SIGREQD | No | Module must have a signature. | SIGREQUIRED |
| FAILLOAD | No | Loader failure conditions | |
| SIGAUDIT | No | RACF audit condition | |

PTKTDATA - SSIGNON

PTKTDATA - SSIGNON contains an encryption key only, so it only appears in SegmentTypes, not in SegmentList or Segment Detail.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| SSKEY | No | Single Signon key | |

REALM - KERB

REALM - KERB/CURKEY, CURKEYV, ENCTYPE, PREVKEY, PREVKEYV, and SALT are read-only fields, so they only exist in SegmentList, not in Segment Detail.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| CURKEY | No | Current Kerberos key | |
| CURKEYV | No | Current Kerb key version | |
| DEFTKTLF | No | Default ticket life | |
| ENCTYPE | No | Kerberos encryption type | |
| ENCRYPT | No | Allowed encryption types | |
| KERBNAME | No | Kerberos name | |
| MAXTKTLF | No | Maximum ticket life | MAXTKTLFE |
| MINTKTLF | No | Minimum ticket life | MINTKTLFE |
| PREVKEY | No | Previous Kerberos key | |
| PREVKEYV | No | Previous Kerb key version | |
| SALT | No | Seed for Kerberos Randomizer | |

ROLE - TME

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| CHILDN | No | # TME child roles | |
| CHILDREN | Yes | TME child roles | |
| GROUPN | No | # TME associated groups | |
| GROUPS | Yes | TME associated groups | |
| PARENT | No | TME parent role | |
| RESN | No | # TME resource access specs | |
| RESOURCE | Yes | TME resource access specs | |
| ROLEN | No | # TME role access specs | |
| ROLES | Yes | TME role access specs | |

STARTED - STDATA

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| FLAGPRIV | No | Privileged - any, nolog | PRIVILEGED |
| FLAGTRAC | No | Trace - issue IRR812I | TRACE |
| FLAGTRUS | No | Trusted - any, log all | TRUSTED |
| STGROUP | No | Started task RACF group | GROUP |
| STUSER | No | Started task RACF userid | USER |

SYSMVIEW - SVFMR

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| PARMN | No | SVFMR parameter list | PARMNAME |
| SCRIPTN | No | Default logon scripts | SCRIPTNAME |

Segments of group profiles

This section describes the fields for the group segment types.
- “GROUP - CSDATA”
- “GROUP - DFP”
- “GROUP - OMVS”
- “GROUP - OVM”
- “GROUP - TME”

GROUP - CSDATA

The CSDATA segment of a GROUP profile is where custom fields of that profile are added. You can add fields using the RACF CFIELD class to define the new fields to GROUP profiles and the labels you want to use for them. The fields of this segment are installation defined.

GROUP - DFP

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| DATAAPPL | No | DFP - Data Application | |
| DATACLAS | No | DFP - Data Class | |
| MGMTCLAS | No | DFP - Management Class | |
| STORCLAS | No | DFP - Storage Class | |

GROUP - OMVS

The OMVS segment contains logon information for OMVS. OMVS, sometimes also called Open MVS™, stands for OS/390 or z/OS Unix System Services. The OMVS segment provides an OS/390 or z/OS Unix Security context, which you need to log on to OMVS.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| GID | No | OpenMVS group (grpid) | GID |

GID
The OMVS group identifier. To have the system assign an unused value, use "auto". If you want more than one group to share the GID, add "s" at the end of the GID value.

GROUP - OVM

The OVM segment is used to store Unix System Services information.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| GID | No | UNIX group (gid) | |

GROUP - TME

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| ROLEN | No | # TME role access specs | |
| ROLES | Yes | TME role access specs | |

Segments of user profiles

This section describes the fields for the user segment types.
- “USER - CICS”
- “USER - CSDATA”
- “USER - DCE”
- “USER - DFP”
- “USER - EIM”
- “USER - KERB”
- “USER - LANGUAGE”
- “USER - LNOTES”
- “USER - NDS”
- “USER - NETVIEW”
- “USER - OMVS”
- “USER - OPERPARM”
- “USER - OVM”
- “USER - PROXY”
- “USER - TSO”
- “USER - WORKATTR”

USER - CICS

The CICS segments show information about CICS, an online transaction processing system. CICS is used to handle large numbers of data transactions from large computer or terminal networks. This topic shows the fields of the segment.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| OPCLASS | Yes | Operator class | |
| OPCLASSN | No | Operator class values # | |
| OPIDENT | No | Operator identification | |
| OPPRTY | No | Operator priority | |
| TIMEOUT | No | Terminal time-out value | |
| XRFSOFF | No | XRF Re-signon option | |

USER - CSDATA

The CSDATA segment of a USER profile is where custom fields of that profile are added. You can add fields using the RACF CFIELD class to define the new fields to USER profiles and the labels you want to use for them. The fields of this segment are installation defined.

USER - DCE

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| DCEENCRY | No | DCE password encr. key no. | |
| DCEFLAGS | No | DCE Autologin | AUTOLOGIN |
| DCENAME | No | DCE username | |
| DPASSWDS | No | DCE password | |
| HOMECELL | No | DCE homecell | |
| HOMEUUID | No | DCE homecell UUID | |
| UUID | No | DCE UUID | |

USER - DFP

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| DATAAPPL | No | DFP - Data Application | |
| DATACLAS | No | DFP - Data Class | |
| MGMTCLAS | No | DFP - Management Class | |
| STORCLAS | No | DFP - Storage Class | |

USER - EIM

Segment to store the name of an LDAPBIND class profile. This profile contains the information needed to connect to the EIM domain on the LDAP host it resides on.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| LDAPPROF | No | LDAP Profile | |

USER - KERB

USER - KERB/CURKEY, CURKEYV, DEFTKTLF, ENCTYPE, MINTKTLF, PREVKEY, PREVKEYV, and SALT are read-only fields, so they only display in SegmentList, not in Segment Detail.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| CURKEY | No | Current Kerberos key | |
| CURKEYV | No | Current Kerb key version | |
| DEFTKTLF | No | Default ticket life | DEFTKTLFE |
| ENCTYPE | No | Kerberos encryption type | |
| ENCRYPT | No | Allowed encryption types | |
| KERBNAME | No | Kerberos name | |
| MAXTKTLF | No | Maximum ticket life | MAXTKTLFE |
| MINTKTLF | No | Minimum ticket life | MINTKTLFE |
| PREVKEY | No | Previous Kerberos key | |
| PREVKEYV | No | Previous Kerb key version | |
| SALT | No | Seed for Kerberos Randomizer | |

USER - LANGUAGE

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| USERNL1 | No | Primary language of a user | PRIMARY |
| USERNL2 | No | Secondary language of a user | SECONDARY |

USER - LNOTES

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| SNAME | No | Lotus Notes short username | |

USER - NDS

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| UNAME | No | NDS username | |

USER - NETVIEW

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| CONSNAME | No | Default console name | |
| CTL | No | Scope of control | |
| DOMAINS | Yes | Cross-domain authority | DOMAINS |
| DOMAINSN | No | # cross-domain authorities | |
| IC | No | Initial command list | |
| MSGRECVR | No | Receive undelivered messages | |
| NETVIEW | No | Admin auth Graphic Mon Fac | NGMFADMN |
| NGMFVSPN | No | View span opts Graph.Mon.Fac. | |
| OPCLASS | Yes | Operator class | |
| OPCLASSN | No | Operator class values # | |

USER - OMVS

The OMVS segment contains logon information for OMVS. OMVS, sometimes also called Open MVS, stands for OS/390 or z/OS Unix System Services. The OMVS segment provides an OS/390 or z/OS Unix Security context, which you need to log on to OMVS.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| ASSIZE | No | Max. address space size | ASSIZEMAX |
| CPUTIME | No | Maximum CPU time | CPUTIMEMAX |
| FILEPROC | No | Max. files open per proc | FILEPROCMAX |
| HOME | No | OpenMVS home path | |
| MMAPAREA | No | Max. data space for mapping | MMAPAREAMAX |
| PROCUSER | No | Max. nr. of active procs | PROCUSERMAX |
| PROGRAM | No | Conditional access program | |
| THREADS | No | Max. nr. of active threads | THREADSMAX |
| UID | No | OpenMVS user (uid) | |

UID
OMVS UID field with the user identifier. To have the system assign an unused value, fill in "auto". If you want more than one user to share the UID, add "s" at the end of the UID value.

USER - OPERPARM

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| OPERALTG | No | Alternate console group | ALTGRP |
| OPERAUTH | No | Console authority | AUTH |
| OPERAUTO | No | Receive msgs automated by MPF | AUTO |
| OPERCMDS | No | System to send commands to | CMDSYS |
| OPERDOM | No | Delete operator messages type | DOM |
| OPERKEY | No | KEY keyword of D,CONSOLES,KEY | KEY |
| OPERLEVL | No | LEVEL of msgs to be received | LEVEL |
| OPERLOGC | No | Command response logging | LOGCMDRESP |
| OPERMCNT | No | MSCOPE systems # | |
| OPERMFRM | No | Message format | MFORM |
| OPERMGID | No | Migration id to be assigned | MIGID |
| OPERMON | No | Events to be monitored | MONITOR |
| OPERMSCP | Yes | MSCOPE systems | MSCOPE |
| OPERROUT | No | ROUTCODEs for msg reception | ROUTCODE |
| OPERSTOR | No | STORAGE in MB for msg queuing | STORAGE |
| OPERUD | No | Receive undelivered messages | UD |

USER - OVM

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| FSROOT | No | OpenVM file system root | |
| HOME | No | OpenMVS home path | |
| PROGRAM | No | Conditional access program | |
| UID | No | OpenMVS user (uid) | |

USER - PROXY

BINDPW and BINDPWKY are read-only fields, so they only exist in SegmentList, not in Segment Detail.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| LDAPHOST | No | LDAP Server URL | |
| BINDDN | No | Bind Distinguished Name | |
| BINDPW | No | Bind Password | |
| BINDPWKY | No | Bind Password Mask \| Encrypt Key | |

USER - TSO

TSO is the abbreviation of Time Sharing Option, a specific way to communicate with MVS by entering line commands, the mainframe equivalent of a DOS prompt. The TSO segment contains information about how to log on to MVS.

USER - TSO/TCONS, TOPTION, TPERFORM, TRBA, TUPT are read-only fields, so they only exist in SegmentList, not in Segment Detail.

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| TACCNT | No | Default account number | ACCTNUM |
| TCOMMAND | No | Default command | COMMAND |
| TCONS | No | Consoles support | |
| TDEST | No | Destination identifier | DEST |
| THCLASS | No | Default held sysout class | HOLDCLASS |
| TJCLASS | No | Default job class | JOBCLASS |
| TLPROC | No | Default logon procedure | PROC |
| TLSIZE | No | Default logon region size(KB) | SIZE |
| TMCLASS | No | Default message class | MSGCLASS |
| TMSIZE | No | Maximum region size | MAXSIZE |
| TOPTION | No | Mail/Notice/Recon/OID options | |
| TPERFORM | No | Performance group | |
| TRBA | No | RBA of user broadcast area | |
| TSCLASS | No | Default sysout class | SYSOUTCLASS |
| TSOSLABL | No | Default logon SECLABEL | SECLABEL |
| TUDATA | No | Site data TSO user (2 byte) | USERDATA |
| TUNIT | No | Default unit name | UNIT |
| TUPT | No | UPT control block data | |

USER - WORKATTR

| Fieldname | Repeats | Description | Command parameter |
| --- | --- | --- | --- |
| WAACCNT | No | Account number | |
| WAADDR1 | No | SYSOUT address line 1 | |
| WAADDR2 | No | SYSOUT address line 2 | |
| WAADDR3 | No | SYSOUT address line 3 | |
| WAADDR4 | No | SYSOUT address line 4 | |
| WABLDG | No | Building for delivery | |
| WADEPT | No | Department for delivery | |
| WANAME | No | User name for SYSOUT | |
| WAROOM | No | Room for delivery | |


Consulting IBM books

You can find information about segments and segment fields in the IBM Bookshelf named EZ239118, which has V1R11.0 Base Elements, Optional Features in its title. A complete listing of all segments and their fields can be found in “Segment field” on page 77. In the following example, the IBM names and titles refer to z/OS V1R11.0. In other versions, the names and titles might differ.

To find information about a particular field, follow these steps:
1. Open IBM Books.
2. Go to the bookshelf named EZ239118.
3. Select Search > All Books Listed from the main menu.
4. Enter the name of the field in the Search Request field of the Search dialog. If the Segment Field section provides a command parameter, use this name instead of the field name.
5. Click Run Search.
6. In the Search Result dialog, you get all the books that contain the name of the field.
7. Select a book and click OK. Typically you get the most useful information in ICH1A420, the Security Server Command Language Reference.
8. In the new Search Result dialog, you get a list of all matches found.
9. To open a match, select and double-click it.


Chapter 8. Maintenance

To access the server, an IBM Tivoli zSecure Visual client needs a local server definition and a corresponding client definition on the server. With these definitions, a safe communication channel is created. To set up a new, previously unused channel, an initial password is needed once. The client definition contains more information than the server definition; other than that they are similar.

On the mainframe, there is also some limited support to manage client definitions. For more information, see the Configuring Tivoli zSecure Visual clients in the server chapter in the IBM Tivoli zSecure Visual: Server Manual.

Maintaining client definitions

The Maintain Client window helps manage the client definitions. You can create client definitions, edit or delete existing ones, and generate initial passwords. To open the Maintain Client window, select Maintenance > Client from the main menu. The Maintain Client window opens, listing all existing client definitions on the IBM Tivoli zSecure Visual server.

Figure 57. The server and client definitions needed for communication between the server and a client. (The diagram shows the Tivoli zSecure Visual client on the PC with its server definition, and the Tivoli zSecure Visual server on the mainframe with its client definition. Both definitions list Server ID, Server IP address or name, Server TCP Port, Client ID, Local port, and Initial password; the client definition also lists Status and Remarks.)


For more information about the client side creation of server definitions, see “Adding and editing a server definition” on page 100.

The server attributes are shown at the top of the window: Server ID, IP address or name, TCP Port.

For more information about server fields, refer to “Adding and editing a server definition” on page 100.

There are other fields shown as a list:

Client ID
Optional. Needs to be unique for the server. If it is left empty, the server generates one for you. This field is also known as "Agent id" on the server.

Status
Read only. Shows "deleted" or "active". If a client definition is deleted, it cannot be used to log on.

Remarks
Optional. Stores any notes for this client definition.

Initial password
Read only. Needed to initiate communication for a new client. It is generated by the server. The validity is limited to seven days or the length of the server run, whichever ends first.

Note: The initial password is displayed only after being generated and only as long as the window remains open. Newly created client definitions automatically have an initial password.

Adding a single definition can be done with the Add button. To edit a definition, first select it and then click Edit. A deleted definition can be activated again with the Undelete button. Deleting a definition or generating a new password for it can be done similarly, except that more than one definition can be selected.

Figure 58. Maintain Client Window


Batch-adding of Client definitions

The Batch Add dialog window provides the fields of Client ID base number, Remarks, and the number of definitions for you to enter the data to create definitions. You can add several definitions at one time.

The server generates a unique free Client ID for every definition created. If the Client ID base number is entered, the generated IDs start at this value. Up to 100 client definitions can be created in one go. When the definition creation is complete, you are back in the Maintain Client Window. See Figure 58 on page 92. Now the initial passwords are displayed.

Upload of a client definition to IBM Tivoli zSecure Visual

After a client definition is created, the following attributes have to be communicated to the IBM Tivoli zSecure Visual client involved:
- Server ID
- Server IP address or name
- Server TCP port number
- Client ID
- Initial password

With this information, the corresponding server definition can be created with which the client can log on to the server. See “Adding and editing a server definition” on page 100 for further details.

Copying a client definition to the clipboard

From the Maintain Client Window, you can copy selections of Client IDs and Initial Passwords to the clipboard and mail them to your users.

To copy client definitions to the clipboard, perform the following steps:
1. Open the Maintain Client Window.
2. Generate client definitions and Initial Passwords needed for distribution.
3. Select all client definitions to be distributed.
4. Copy all selected items to the clipboard. The server attributes are added at the top as header. For the client definitions, a basic layout of tabbed columns is used. It can be pasted to a spreadsheet, neatly retaining the columns, or to an e-mail, giving a rather ragged layout because of field length variation.

Clipboard example:

ServerID: 12.1.1
IP address or name: test
TCP Port: 8000
Client ID   Remarks        Status   Initial password
12.1.100    secadmin HTR   active   63F693FF96
12.1.101    generic 100    active   99F239EF6F
12.1.102    generic 100    active   01E671F0A6

Figure 59. Batch Add Dialog
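The clipboard layout above can be split so that each user receives only the five attributes listed under "Upload of a client definition" and never another client's initial password. The following Python sketch is an added example, not part of the manual or of the product; it assumes single tab characters between columns, and the deleted and password-less rows in the sample are constructed.

```python
from dataclasses import dataclass

# Sample in the layout of the manual's clipboard example. The last two rows
# are constructed to show a deleted definition and a definition whose initial
# password is no longer displayed. Assumption: columns are tab-separated.
SAMPLE_EXPORT = "\n".join([
    "ServerID: 12.1.1",
    "IP address or name: test",
    "TCP Port: 8000",
    "Client ID\tRemarks\tStatus\tInitial password",
    "12.1.100\tsecadmin HTR\tactive\t63F693FF96",
    "12.1.101\tgeneric 100\tactive\t99F239EF6F",
    "12.1.102\tgeneric 100\tdeleted\t",
    "12.1.103\tgeneric 100\tactive\t",
])

SERVER_KEYS = ("ServerID", "IP address or name", "TCP Port")
COLUMNS = ["Client ID", "Remarks", "Status", "Initial password"]


@dataclass(frozen=True)
class ClientDefinition:
    client_id: str
    remarks: str
    status: str
    initial_password: str


def parse_export(text):
    """Return (server_attributes, client_definitions) from clipboard text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    server, idx = {}, 0
    # Header block: "name: value" lines that precede the column-title row.
    while idx < len(lines) and "\t" not in lines[idx]:
        name, sep, value = lines[idx].partition(":")
        if not sep:
            raise ValueError(f"unexpected header line: {lines[idx]!r}")
        server[name.strip()] = value.strip()
        idx += 1
    missing = [k for k in SERVER_KEYS if k not in server]
    if missing:
        raise ValueError(f"missing server attributes: {missing}")
    if idx == len(lines) or [c.strip() for c in lines[idx].split("\t")] != COLUMNS:
        raise ValueError("column-title row not found")
    clients, seen = [], set()
    for row in lines[idx + 1:]:
        cells = [c.strip() for c in row.split("\t")]
        cells += [""] * (len(COLUMNS) - len(cells))  # trailing empty cells may be lost
        if len(cells) != len(COLUMNS) or not cells[0]:
            raise ValueError(f"malformed client row: {row!r}")
        if cells[0] in seen:  # the Client ID must be unique for the server
            raise ValueError(f"duplicate Client ID: {cells[0]}")
        seen.add(cells[0])
        clients.append(ClientDefinition(*cells))
    return server, clients


def distribution_notes(server, clients):
    """Build one note per usable client; return (notes_by_client_id, skipped)."""
    notes, skipped = {}, []
    for c in clients:
        if c.status != "active":
            # A deleted client definition cannot be used to log on.
            skipped.append((c.client_id, "status is " + c.status))
        elif not c.initial_password:
            # The password is shown only while the window that generated it is open.
            skipped.append((c.client_id, "no initial password in export"))
        else:
            notes[c.client_id] = "\n".join([
                f"Server ID: {server['ServerID']}",
                f"Server IP address or name: {server['IP address or name']}",
                f"Server TCP port number: {server['TCP Port']}",
                f"Client ID: {c.client_id}",
                f"Initial password: {c.initial_password}",
            ])
    return notes, skipped


if __name__ == "__main__":
    srv, defs = parse_export(SAMPLE_EXPORT)
    ready, left_out = distribution_notes(srv, defs)
    print(f"{len(ready)} notes ready, {len(left_out)} definitions skipped")
    for client_id, reason in left_out:
        print(f"  {client_id}: {reason}")
```
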


Chapter 9. Setup and configuration

This chapter explains the installation, configuration, maintenance, and removal of IBM Tivoli zSecure Visual from the client side.

To be able to use IBM Tivoli zSecure Visual on a client, each client has to be defined on the mainframe. The client needs to install the client software and define servers. For the installation of the product on the server, see our separate manual: IBM Tivoli zSecure Visual Server, version 1.11.0. For information about any known problems and limitations, refer to the topic "Known problems and limitations" of Release Information for zSecure Release 1.11.0 from the IBM information center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc/welcome.htm.

This chapter consists of the following topics:
- “Prerequisites for installation”
- “IBM Tivoli zSecure Visual installation”
- “Maintaining Tivoli zSecure Visual”
- “Upgrade of IBM Tivoli zSecure Visual”
- “IBM Tivoli zSecure Visual configuration”
- “Automated Setup and Configuration”

Prerequisites for installation

To install IBM Tivoli zSecure Visual, you need to prepare your system to meet the following requirements:
- Pentium® 166 MHz.
- Minimum 155MB disk space.
- Minimum S-VGA display.
- Microsoft Windows XP with Service Pack 2, Microsoft Windows XP with Service Pack 3, or Windows Vista. You can check the operating system when you start the workstation.
- z/OS V1R11, RACF Security Server FMID HRF7760, TCP/IP installed on the mainframe
- IBM Tivoli zSecure Visual 1.11.0 on the mainframe.
- Connection to the mainframe with a well-configured TCP/IP network.
- Localhost is defined.
- To work with the IBM Eclipse Help System, you need to install Microsoft Internet Explorer Version 6.0, 7.0 or Firefox 2.0 or 3.0. To ensure that all the functions of this version of the IBM Eclipse Help System are usable, you need to enable cookies and JavaScript™ in the browser and disable the browser’s function of blocking pop-up windows.

After installing, a server definition needs to be created to connect to the mainframe. The server definition includes:
- Server ID
- Server IP address or name
- Server TCP port number
- Client ID
- Initial password

You can obtain this information from your system administrator.

IBM Tivoli zSecure Visual installation

The IBM Tivoli zSecure Visual client software for Windows is available on CD. The CD also contains both IBM Tivoli zSecure Visual client and IBM Tivoli zSecure Visual server manuals in PDF format. The installation starts automatically after inserting the CD. If the automatic installation fails or is cancelled, you can start the installation by activating: \autorun\autorun.exe.

When you install IBM Tivoli zSecure Visual, you can select to install a typical, compact, or custom version of the program. This section describes the Setup program and provides instructions to complete each type of installation.

The Setup program automatically starts when you put the IBM Tivoli zSecure Visual CD-ROM in the drive.

On the Software License Agreement panel, review the terms of the license agreement, and select one of the following options:
- I accept both the IBM and non-IBM terms
- I do not accept the terms in the license agreement

If you select that you do not accept the license agreement, the installation will not continue. If you accept the license agreement, the setup wizard will guide you through the installation procedure by first showing the Welcome screen. You can print the terms of the license agreement by clicking Print.

The Welcome screen shows you which version of IBM Tivoli zSecure Visual it is going to install.

From the Information dialog, you can find general information before beginning the installation. The information dialog provides the prerequisites needed to run IBM Tivoli zSecure Visual and any last-minute remarks about the program or setup.

From the Choose Destination Location dialog, you can choose where Setup places IBM Tivoli zSecure Visual. The default is C:\Program Files\IBM\IBM Tivoli zSecure Visual\1.11.0. Every version of IBM Tivoli zSecure Visual needs its own folder. You must leave the version number in the folder title so you are able to distinguish between the different versions.

You can find the license files in the directory: <ApplicationDirectory>\License. The license files are written using operating system and specific code pages. You can view the license in English and the locale language configured on your machine, but other languages are not guaranteed to be viewable. The file association of the license files might be incorrect as it is being controlled at the operating system level.

From the Setup window, you can select from one of three options to install IBM Tivoli zSecure Visual:

1. Typical: This option enables a complete installation of all program components. You need this installation for normal use of IBM Tivoli zSecure Visual. For installation instructions, see “Conducting typical installation.”
2. Compact: This option enables you to install a minimal version of IBM Tivoli zSecure Visual without components like the built-in help. For installation instructions, see “Conducting compact Installation.”
3. Custom: This option enables you to select the components to install. If you select this option, the next screen gives you the components list. Check the components you want. This option is for advanced users only. For installation instructions, see “Conducting custom Installation.”

Conducting typical installation

For typical installation, perform the following steps:
1. Select Typical from the Setup Type dialog.
2. From the Select Program Folder dialog, select the folder from which you run IBM Tivoli zSecure Visual. You must use the default, IBM Tivoli zSecure Visual. You can also select a folder from the list of existing folders, or make a new one.
3. Click Next.
4. From the Start Copying Files dialog, review the setup type, destination location, and program folder selections you made in the previous steps. To change the settings, click Back. To complete the installation, click Next.
5. From the Setup Complete window, click Finish.

Note: If you need to restart the computer, a message is displayed to inform you.

Before you can use IBM Tivoli zSecure Visual, you have to configure it. You can manually or automatically configure it. For more information about configuration, see “IBM Tivoli zSecure Visual configuration” on page 99.

Conducting compact Installation

If you select the Compact installation type from the Setup Type dialog, follow the procedure described in “Conducting typical installation.” When the product is installed, several non-essential files are omitted.

Conducting custom Installation

You can select the components you want to install by selecting the Custom option in the installation process. Follow these steps to perform the custom installation:

1. From the Setup Type dialog, click Custom and then click Next to display the Select Components dialog.

   Note: At the bottom of the select components window, you can see how much space is required in total for the installation of the selected components on the destination drive. You can also see how much space is available on the destination drive.

2. From the Select Components dialog, select the check box for the components you want to install. If a check box is grayed out, the setup program only installs the component required.


   Program Files
      Select this option if you need to install the files required to run IBM Tivoli zSecure Visual.

   Help Files
      Select this option if you want to have the context-sensitive help documentation available.

   MDAC Component
      Select this option to install the Microsoft Data Access Component, which provides an extended set of data communication files. This component is only required to resolve incidental data communication problems.

   RDO Component
      Select this option to install the Remote Data Objects component, a package of Microsoft data communication files. This component is required to run the product.

3. Click Next to continue with the installation process as described in Steps 2 through 5 of “Conducting typical installation” on page 97.

Attention: If the Windows system folder is not located on the destination drive, you might find the previous installation instructions confusing. There could be a situation in which you seem to have enough disk space, but after clicking [Next] you get the following warning:

   There is not enough space to install these option(s).
   Please free some disk space or modify your selections.

This warning refers to the drive that contains the Windows system folder. In the description area in the Select Components dialog, you can see which components are installed in the Windows system folder. You can also see approximately how much space these components need.

Maintaining Tivoli zSecure Visual

You can uninstall, modify, and repair Tivoli zSecure Visual. This section provides the procedures to perform these tasks.

Uninstalling IBM Tivoli zSecure Visual

To completely remove IBM Tivoli zSecure Visual and all of its components, perform the following steps:

1. Go to Control Panel.
2. Select Add/Remove Programs.
3. Select IBM Tivoli zSecure Visual 1.11.0.
4. Click Add/Remove to start the setup program.
5. In the Welcome dialog for the maintenance program, select Remove. Then, click Next.
6. In the Confirm uninstall dialog, click OK.
7. When Maintenance detects a shared file, you get a warning message. Click Yes to continue.
8. Maintenance starts to remove IBM Tivoli zSecure Visual.
9. When Maintenance is complete, you get the Maintenance Complete screen. Restart your computer.


Modifying IBM Tivoli zSecure Visual

If you are an advanced user, you can modify your installation of IBM Tivoli zSecure Visual. To add new program components or remove currently installed components, perform the following steps:

1. Start Control Panel and select Add/Remove Programs to start modifying IBM Tivoli zSecure Visual.
2. Select IBM Tivoli zSecure Visual 1.11.0 and click Add/Remove.
3. In the Welcome dialog window, select Modify. Then, click Next.
4. In the Select Components window, select components to be modified.
5. Click Next to modify your installation. The Setup Status dialog is displayed to monitor the setup process.
6. When Maintenance has finished the modifications, it ends with the Maintenance complete screen. Restart your computer.

Repairing IBM Tivoli zSecure Visual

If you find damaged files, you need to reinstall all program components. To reinstall all program components or to install a fix pack, perform the following steps:

1. Start Control Panel and select Add/Remove Programs to start repairing IBM Tivoli zSecure Visual.
2. Select IBM Tivoli zSecure Visual 1.11.0 and click Add/Remove.
3. In the Welcome dialog window, select Repair. Then, click Next.
4. After the repair process completes, click Finish.

Upgrade of IBM Tivoli zSecure Visual

You can upgrade IBM Tivoli zSecure Visual using the method described in “IBM Tivoli zSecure Visual installation” on page 96. The new installation does not contain any server definitions. You can copy the server definitions from the previous version as described in “Copying of a server definition” on page 102. The whole process can also be automated; see “Automation of the upgrade path” on page 109.

IBM Tivoli zSecure Visual configuration

Configuring IBM Tivoli zSecure Visual means defining servers on the client side. If no servers have been defined yet, you enter the configuration part of the program automatically after you start the program. Otherwise you can select File > Configure from the main menu.


The configuration window displays all defined servers and enables you to add, copy, edit, and delete server definitions. When “Edit required” appears in the list, you must complete the corresponding server definition before you can use the server.

With the Import function, you can read server definition information from a configuration file prepared for you. With Export, you can create configuration files, which enables automatic setup and configuration.

After adding, editing or deleting one or multiple server definitions, click OK to apply all changes. A status window appears, showing the steps performed to configure the program.

Adding and editing a server definition

A server definition contains the parameters listed in the following section. After completing the fields, click OK to accept them. You can use Test Connection to verify if the server is active. You can leave all fields blank except Name and complete the definition in another run of IBM Tivoli zSecure Visual.

Figure 60. Configure dialog


To use the server, you need a certificate. When you enter the correct initial password, you get the certificate.

Attention: When you obtain a new certificate, make sure that the clock of your local workstation is synchronized with the mainframe server clock. If there is too much difference, you might get errors.

Refer to the following list for information about the server definition parameters:

Name
   This arbitrary name is used to refer to this specific server definition. It appears in the Logon dialog. The name must be unique on the PC. The name must be a valid filename for Windows, because a subdirectory is created to store files related to the server.

HelpContact (optional)
   Enter the name of a person, department name, or anything else that informs the user who to contact in case of trouble. If the field is non-blank it appears in error dialogs as follows: Error 3: Time Out. Contact helpcontact.

Client ID
   This number is unique to identify the client to its server. It is always 12.1.n with n in the range 2 - 2,147,483,647. Typically these IDs are defined on the server. Before you can use a client, you have to ask for its ID, and enter it.

Server ID
   The ID of the server. It is defined on the server. The format of the ID is the same as the format of the client ID. In most cases, this ID is 12.1.1.

Server IP address or name
   The IP address or the fully qualified host name of the server.

Server Port
   The port that the server agent listens to. A port number is a number 0 - 65535.

Local port (optional)
   The client agent uses two port numbers to communicate with the server and with the IBM Tivoli zSecure Visual user interface. By default these port numbers are the server port number and the server port number + 1. If there are two servers with equal port numbers, port conflicts occur. With this field, you can override the default local port number. The user interface uses local port number + 1.

Figure 61. Server definition dialog

Initial password
   A 10 hex digit password required to obtain a new certificate. The certificate is used for encryption. Usually the initial password can be obtained from your mainframe system administrator.

Test connection
   To verify if the Server IP address or fully qualified host name and the Server Port are correct, click Test Connection. After some time Connect succeeded or Connect failed appears in the status field.

   Note: Connection fails if the server parameters are correct but the server is not running.
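The field rules and the local port behaviour described above can be checked before a set of server definitions is rolled out. The following Python code is an added example, not part of the IBM manual or the product: the dictionary keys, the function names and the sample definitions are assumptions made for illustration, and the port model (agent on the local port, user interface on local port + 1) is taken from the Local port description.

```python
import re

CLIENT_ID_RE = re.compile(r"^12\.1\.(\d+)$")      # Client ID format 12.1.n
INITIAL_PW_RE = re.compile(r"^[0-9A-Fa-f]{10}$")  # 10 hex digits
BAD_NAME_CHARS = set('\\/:*?"<>|')                # not allowed in Windows file names


def local_ports(defn):
    """Return the two local ports one definition occupies.

    Assumption: the agent uses the local port (default: the server port)
    and the user interface uses that port + 1.
    """
    override = defn.get("local_port")
    base = override if override is not None else defn["server_port"]
    return {base, base + 1}


def check_definition(defn):
    """Return a list of problems found in a single, completed definition."""
    problems = []
    name = defn.get("name", "")
    if not name or BAD_NAME_CHARS & set(name):
        problems.append("name is not usable as a Windows directory name")
    match = CLIENT_ID_RE.match(defn.get("client_id", ""))
    if not match or not 2 <= int(match.group(1)) <= 2_147_483_647:
        problems.append("client ID is not 12.1.n with n in 2 - 2,147,483,647")
    if not 0 <= defn["server_port"] <= 65535:
        problems.append("server port outside 0 - 65535")
    if max(local_ports(defn)) > 65535:
        problems.append("local port + 1 exceeds 65535")
    password = defn.get("initial_password")
    if password is not None and not INITIAL_PW_RE.match(password):
        problems.append("initial password is not 10 hex digits")
    return problems


def port_conflicts(defns):
    """Return (name_a, name_b, shared_ports) for every pair that collides."""
    conflicts = []
    for index, first in enumerate(defns):
        for second in defns[index + 1:]:
            shared = local_ports(first) & local_ports(second)
            if shared:
                conflicts.append((first["name"], second["name"], sorted(shared)))
    return conflicts


# Constructed sample definitions (not taken from a real installation).
SAMPLE_DEFS = [
    {"name": "PROD", "client_id": "12.1.7", "server_port": 8000},
    {"name": "TEST", "client_id": "12.1.7", "server_port": 8000, "local_port": 8001},
    {"name": "DEV", "client_id": "12.1.7", "server_port": 8000, "local_port": 8010},
]

if __name__ == "__main__":
    for definition in SAMPLE_DEFS:
        print(definition["name"], check_definition(definition) or "ok")
    for first, second, ports in port_conflicts(SAMPLE_DEFS):
        print(f"port conflict between {first} and {second}: {ports}")
```

In the sample, TEST overrides its local port to 8001, which still collides with the user interface port that PROD derives from server port 8000; DEV avoids the overlap by leaving a gap of at least two ports.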

Copying of a server definition

A client needs a definition for each server it accesses; see “Adding and editing a server definition” on page 100. However, it is not always necessary to enter the whole definition from scratch. You can copy server definitions between different versions of IBM Tivoli zSecure Visual. Avoid port conflicts when doing so. If needed, consult your system administrator.

The Copy function shows you an exact copy of the existing server definition. Some of the fields in the definition are disabled so that you cannot change them.

Automated Setup and Configuration

Use automated setup and configuration for an initial installation. This section describes how you can use automated setup and configuration to install IBM Tivoli zSecure Visual.

Running the setup with predefined or default settings

When you enter /a in the command line, you can run the installation without changing the settings. You can see all settings shown for verification, but you cannot edit them. This prevents unintentional typographical errors from mangling a standard installation. All dialogs except Welcome, Start Copying Files and Finish are suppressed. If present, configuration file settings are used; otherwise default settings are used.

Used with /a, the command-line option /k suppresses the installation of the RDO Component. This component contains ODBC and OLE automation files. Installing this component sometimes triggers the need to reboot. The option must be used only when it is certain that the target system already contains the needed components. It is provided for incidental situations where a reboot needs to be suppressed.

Configuration file

With the configuration file, you do not need to type the same information again. You write parameters to a file. The target computers read it during their setup and configuration.


Creating a configuration file

Use IBM Tivoli zSecure Visual to create a configuration file. When you are creating the configuration file, the changes do not affect your PC. All the server and setup data options you configure are saved to a file. To create a configuration file, perform the following steps:

1. Select File > Configure from the main menu to enter the configure dialog.
2. Click Export to switch to Export mode. The following window displays:

   Note: To prevent an accidental switch in or out of Export mode, the Export button is disabled after any of the following actions: Add, Edit, Delete or Import.

   From this point, all changes in the configuration do not affect your PC; but the resulting server and setup data can be written to a configuration file by clicking OK. You can save an intermediate state by using Save As.

3. Specify manual or automated configuration parameters:

   Manual setup
      Use the Add, Copy, Edit, Delete, and Import functions to specify the server and setup data.

      In general, you do not save all servers defined on your PC in the file. You can delete all servers that you do not want to include and clear the fields that you do not want to specify, such as Client ID.

   Automated setup
      To set up an automated configuration, click Setup to display the Setup parameters window.

Figure 62. Configuration dialog in export mode


      Specify the Installation directory and Program folder. Select the Prompt check box next to each field to enable the setup program to change the default installation directory or program folder specified. When you select Prompt, the corresponding dialog is shown during setup. In the dialog, the user can change the default value. If you do not check Prompt, setup uses the default value specified.

4. To save an interim version of the configuration file at any point in the configuration process, click Save As and specify the configuration file name.

5. To save the configuration file, click OK.

Configuration file layout

The settings for the installation are in the SETUP section:

- DefaultDir=d:\path: Target location default is set to d:\path.
- DefaultFolder=FolderName: Target startup folder default is set to FolderName.
- FixedDir=d:\path: Target location is set to d:\path and Ask Destination Path dialog is suppressed.
- FixedFolder=FolderName: Target startup folder is set to FolderName and Ask SelectFolder dialog is suppressed.

The settings that define a server are in a SERVER34 section:

- NAME=server_definition_name: Server definition name.
- CLIENTID=12.1.n: Where n is a number 0 - 4,294,967,295.
- SERVERID=12.1.1: In most cases, the Server ID is 12.1.1.
- SERVERIP=Servername: Server IP address or name.
- SERVERPORT=8000: Server IP port.
- HELPCONTACT=System support: Help contact as shown in the error dialogs.

A configuration file can contain more than one server section.

Running a configuration file on the target machine

On the target machine, run setup with the configuration filename as a command-line argument:

<full path>\setup <full path to configuration file>

Setup reads the configuration file, skips the dialogs to be skipped, and starts copying files. If a reboot is not necessary, setup starts IBM Tivoli zSecure Visual with the configuration file as an argument to continue with automated configuration.

Figure 63. Setup parameters dialog


Attention: IBM Tivoli zSecure Visual is able to find the configuration file only when the full path is given.

Configuring a configuration file on the target machine

On the target machine, run IBM Tivoli zSecure Visual with the configuration filename as command-line argument:

<full path>\c2racv <full path to configuration file>

The server definitions are updated according to the parameters found in the configuration file. After this update, the program exits directly.

Configuration limitations

There are configuration limitations:

Storing initial passwords in configuration files
   For security reasons, initial passwords cannot be saved to configuration files.

Renaming a server on the target machine
   You cannot rename a system on the target machine, since the old name cannot be written to the configuration file.

Same version needed for creating and using configuration files
   IBM Tivoli zSecure Visual can only read configuration files that were created using the same version. If the versions differ, no server definitions are copied.

Notes

Skipping dialogs during setup
   To skip most dialogs during setup, use command-line option /a. All selection and input dialogs are skipped, even if the configuration file specified to prompt for a parameter.

Using a configuration file to copy a certificate
   It is possible to copy a certificate by using a configuration file. When you are preparing the configuration file, perform the copy as if it were on your system. The copying is performed on the target machine when it reads the configuration file. To copy a certificate that is not on the machine on which you are making the configuration file, you can enter the server name and version directly.

Blank fields in configuration files
   Server parameters that you leave blank are not stored in the configuration file. If a server with the same name exists on the target machine, blank fields are left unchanged.

Client IDs in configuration files
   The target computers must have unique Client IDs, so you cannot specify a Client ID in a configuration file used by multiple target computers. If you specify a dot in the Client ID field after 12.1, the target machine replaces the dot by the Client ID of its other server definitions. This only works if all its other server definitions contain the same Client ID.

Modifying an existing configuration file

To modify an existing configuration file, perform the following steps:

1. Switch to Export mode.
2. Delete all servers.
3. Import the configuration file to be edited.
4. Edit the data.


5. Save it with the same name.

Configuration file examples

Example 1: Prepare automated setup and configuration with one server for multiple clients

1. Start IBM Tivoli zSecure Visual.
2. Select File > Configure from the main menu.
3. Select Export and confirm you are going to prepare configuration files.
4. Edit the server definitions using the Add, Edit, and Delete functions until you only have the server definition you want to configure on the target machines. Specify only Name, HelpContact, ServerID, Server IP address or name and Server Port. Leave the Client ID field blank, because this field needs to be unique for each target machine. In this example, Local Host and Local Port are also left blank.
5. Select Setup to specify the directory and target program folder that setup uses. Because in this example command-line option /a for setup is used, the Prompt checks are ignored.
6. Click OK to save the configuration file.
7. To complete the configuration file, name the file setup1.cfg.
8. On each target machine run the following command:

   setup /a <full path>\setup1.cfg

After completing these steps, specify the correct Client ID and Initial Password on the target machine.

Example 2: Add a new server to multiple clients

1. Start IBM Tivoli zSecure Visual.
2. Select File > Configure from the main menu.
3. Select Export and confirm you are going to prepare configuration files.
4. Edit the server definitions using the Add, Edit, and Delete functions until you only have the server definition you want to configure on the target machines. Specify only Name, HelpContact, ServerID, Server IP address or name and Server Port. Leave the Client ID field blank, because this field needs to be unique for each target machine. In this example, Local Host and Local Port are also left blank.
5. Click OK and save the configuration file as setup2.cfg. Now the configuration file is finished.
6. On each target machine run the following command:

   c2racv setup2.cfg

After completing these steps, specify the correct Initial Password on the target machine to obtain a certificate.

Silent installation

To perform a silent installation, follow these steps:

1. Complete installation is recorded on an initial machine, and all user actions are saved to a response file.
2. The recorded installation is played back on all target machines using the response file. No user interference is needed, or indeed possible.


For the installation to succeed, the initial machine as well as all target machines must have similar configurations. Any deviation which has influence on the setup procedure, such as the existence or non-existence of the target folder to install, can cause the playback to fail.

If you have accepted the license agreement during the installation on the initial machine, silent installation assumes that the license agreement is accepted for the target machines. Therefore, the silent installation copies the license files to the designated directory on the target system and creates the status file without user interaction. If the license agreement is not accepted during the initial installation, both initial installation and silent installation will not be completed.

To help troubleshoot any such problems, you must log the installation process.

Recording the installation in a response file

Run an initial installation using the Recording command-line options. Every selection and input of data you perform is written to the response file. The command must look as follows:

<full path>\setup.exe -r -f1<full path to response file>

Installing silently using the response file

To play back a silent installation you need a response file containing all user actions the installation needs. Start the silent installation by using the following command-line options:

<full path>\setup.exe -s -f1<full path to response file> -f2<full path to log file>

Setup log file

When performing a silent install, a log file is created. If the -f2<full path to log file> command-line option is omitted, it is created as setup.log in the folder that contains setup.exe. The Setup log file contains three sections:

[InstallShield Silent]
   Identifies the version of InstallShield used to run the silent setup. It also identifies the file as a log file.

[Application]
   Identifies the name and version of the installed application and the company name.

[ResponseResult]
   Contains the result code indicating whether the silent setup succeeded. A number is assigned to the ResultCode field in the [ResponseResult] section. The setup places one of the following return values in the ResultCode field:

Table 2. Silent Install log file return code descriptions

Result code   Return value
0             Success.
-1            General error.
-2            Invalid mode.
-3            Required data not found in the Setup.iss file.
-4            Not enough memory available.
-5            File does not exist.
-6            Cannot write to the response file.
-7            Unable to write to the log file.
-8            Invalid path to the InstallShield Silent response file.
-9            Not a valid list type (string or number).
-10           Data type is invalid.
-11           Unknown error during setup.
-12           Dialogs are out of order.
-13           License agreement declined; installation on initial machine was not completed.
-51           Cannot create the specified folder.
-52           Cannot access the specified file or folder.
-53           Invalid option selected.

Attention: By default, the ResultCode is filled with 0 when the log is created. If the setup fails or even crashes at a later stage, and is unable to update the log, ResultCode indicates success erroneously. In this case the failure might not be obvious at first glance, and the failure reason might be difficult to discover.
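Because ResultCode is pre-filled with 0, a deployment script should not accept it as proof of success on its own. The following Python code is an added example, not part of the IBM manual or the product: it maps the code through Table 2 and reports 0 as confirmed only when an installed file is also present. The marker file name c2racv.exe, the verdict labels and the function names are assumptions, and the sample log text is constructed from the layout of the setup log example in this manual.

```python
import configparser
import tempfile
from pathlib import Path

# Result codes and descriptions as listed in Table 2.
RESULT_CODES = {
    0: "Success.",
    -1: "General error.",
    -2: "Invalid mode.",
    -3: "Required data not found in the Setup.iss file.",
    -4: "Not enough memory available.",
    -5: "File does not exist.",
    -6: "Cannot write to the response file.",
    -7: "Unable to write to the log file.",
    -8: "Invalid path to the InstallShield Silent response file.",
    -9: "Not a valid list type (string or number).",
    -10: "Data type is invalid.",
    -11: "Unknown error during setup.",
    -12: "Dialogs are out of order.",
    -13: "License agreement declined; installation on initial machine was not completed.",
    -51: "Cannot create the specified folder.",
    -52: "Cannot access the specified file or folder.",
    -53: "Invalid option selected.",
}


def read_result_code(log_text):
    """Return ResultCode from [ResponseResult] as an int, or None if unreadable."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(log_text)
        return int(parser.get("ResponseResult", "ResultCode").strip())
    except (configparser.Error, ValueError):
        return None


def assess_install(log_text, marker_file):
    """Return (verdict, detail) for one target machine.

    marker_file is a file that only exists after files were copied, for
    example the program executable in the destination directory.
    """
    code = read_result_code(log_text)
    if code is None:
        return ("no-result", "setup log has no readable ResultCode")
    if code != 0:
        return ("failed", RESULT_CODES.get(code, "result code not listed in Table 2"))
    if not Path(marker_file).is_file():
        # ResultCode=0 is the value written when the log is created.
        return ("unconfirmed", "ResultCode=0 but the installed file is missing")
    return ("ok", RESULT_CODES[0])


# Constructed sample log; {code} is filled in per scenario.
SAMPLE_LOG = """[InstallShield Silent]
Version=v6.00.000
File=Log File
[ResponseResult]
ResultCode={code}
[Application]
Name=Tivoli zSecure Visual 1.11.0
Version=1.11.0
Company=IBM
Lang=0009
"""


def demo():
    """Run the check against four constructed scenarios and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        installed = Path(tmp) / "c2racv.exe"            # assumed executable name
        missing = Path(tmp) / "absent" / "c2racv.exe"   # setup died before copying
        installed.write_bytes(b"")
        return {
            "ok": assess_install(SAMPLE_LOG.format(code=0), installed),
            "crashed": assess_install(SAMPLE_LOG.format(code=0), missing),
            "folder": assess_install(SAMPLE_LOG.format(code=-51), installed),
            "truncated": assess_install("[InstallShield Silent]\nFile=Log File\n", installed),
        }


if __name__ == "__main__":
    for scenario, (verdict, detail) in demo().items():
        print(f"{scenario}: {verdict} ({detail})")
```

An "unconfirmed" verdict is the case the Attention note describes; the detail log is the place to look for the reason.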

Create a detail log (optional).
   For diagnostics, it is possible to create a detail log with command-line option: /g<full path to detail log>. It contains the steps of the installation process, including any error messages. This information must provide pointers to solve what went wrong during the installation.

Attention: Take care to avoid any filename conflicts with the setup log!

Remote installation example.
   Because no human interference is needed, it is possible to launch the silent installation remotely; therefore, the Microsoft Task Schedule service might be used. The normal requirements as to user authority and service availability apply. The command line might look like:

   at \\remotemachine 3:23 n:\install\disk1\setup /s /f1n:\install\respons.iss /f2n:\feedback\setup.log -gn:\feedback\detail.log

   Attention: You can reboot the remote machine this way. To do so unannounced, during working hours, might cause problems.

   Note: The installation image and locations for the response and log files must be readily available for the setup process.

Example of a setup log file:

[InstallShield Silent]
Version=v6.00.000
File=Log File
[ResponseResult]
ResultCode=0
[Application]
Name=Tivoli zSecure Visual 1.11.0
Version=1.11.0
Company=IBM
Lang=0009

Example of a response file:

[InstallShield Silent]
Version=v6.00.000
File=Response File
[File Transfer]
OverwrittenReadOnly=NoToAll
[{4A7059A8-F170-11D6-8718-0050DA4DD7B4}-DlgOrder]
Dlg0={4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdWelcome-0
Count=7
Dlg1={4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdShowInfoList-0
Dlg2={4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdAskDestPath-0
Dlg3={4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SetupType-0
Dlg4={4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdSelectFolder-0
Dlg5={4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdStartCopy-0
Dlg6={4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdFinish-0
[{4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdWelcome-0]
Result=1
[{4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdShowInfoList-0]
Result=1
[{4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdAskDestPath-0]
szDir=C:\Program Files\IBM\Tivoli zSecure Visual\1.11.0
Result=1
[{4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SetupType-0]
Result=301
[{4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdSelectFolder-0]
szFolder=Tivoli zSecure Visual
Result=1
[{4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdStartCopy-0]
Result=1
[Application]
Name=Tivoli zSecure Visual 1.11.0
Version=1.11.0
Company=IBM
Lang=0009
[{4A7059A8-F170-11D6-8718-0050DA4DD7B4}-SdFinish-0]
Result=1
bOpt1=0
bOpt2=0
[{23F5BE43-343E-11D7-874B-0050DA4DD7B4}-DlgOrder]
Count=0
[{23F5BE44-343E-11D7-874B-0050DA4DD7B4}-DlgOrder]
Count=0
[{23F5BE45-343E-11D7-874B-0050DA4DD7B4}-DlgOrder]
Count=0
[{23F5BE46-343E-11D7-874B-0050DA4DD7B4}-DlgOrder]
Count=0
[{23F5BE47-343E-11D7-874B-0050DA4DD7B4}-DlgOrder]
Count=0
[{23F5BE48-343E-11D7-874B-0050DA4DD7B4}-DlgOrder]
Count=0

Automation of the upgrade path

After an initial installation IBM Tivoli zSecure Visual needs some configuration before the user can log on to a server. For an upgrade, it can be automated with the setup command-line option /copyservers. Any server definition already defined on the machine is replicated to the newly installed version, so they are ready for use immediately after installation.

Note: If the machine contains more than one version of IBM Tivoli zSecure Visual, the server definitions of the most recent version are copied. Older versions are skipped.


Appendix A. Support information

This section describes the options for obtaining support for IBM products. It includes the following topics:

- “Searching knowledge bases”
- “Obtaining fixes” on page 112
- “Registering with IBM Software Support” on page 113
- “Receiving weekly support updates” on page 112
- “Contacting IBM Software Support” on page 113

Searching knowledge bases

You can often find solutions to problems by searching IBM knowledge bases. Learn how to optimize your results by using available resources, support tools, and search methods and how to receive automatic updates.

Available technical resources

In addition to the Tivoli zSecure information center, you can access the following technical resources to help you answer questions and resolve problems:

- Access the Tivoli support site to view technotes, APARs (problem reports) and other related information at http://www-01.ibm.com/software/sysmgmt/products/support/IBMTivolizSecureSuite.html
- Access the Redbooks® Domain to locate current Redbooks for Tivoli zSecure at http://www.redbooks.ibm.com/
- Access Tivoli support forums and communities at http://www-01.ibm.com/software/sysmgmt/products/support/Tivoli_Communities.html

Searching with support tools

The following tools are available to help you search IBM knowledge bases:

- IBM Support Assistant (ISA) is a free software serviceability workbench that helps you resolve questions and problems with IBM software products. Instructions for downloading and installing the ISA can be found on the ISA Web site: http://www.ibm.com/software/support/isa.
- IBM Software Support Toolbar is a browser plug-in that provides you with a mechanism to easily search IBM support sites. You can download the toolbar at http://www.ibm.com/software/support/toolbar/.

Searching tips

The following resources describe how to optimize your search results:

- Searching the IBM Support Web site: http://www-01.ibm.com/support/us/srchtips.html
- Using the Google search engine: http://www.google.com/support/


Obtaining fixes

A product fix might be available to resolve your problem. To determine which fixes are available for your Tivoli software product, follow these steps:

1. Go to the IBM Software Support Web site at http://www.ibm.com/software/support.
2. Under Select a brand and/or product, select Tivoli.
3. Click the right arrow to view the Tivoli support page.
4. Use the Select a category field to select the product.
5. Select your product and click the right arrow that shows the Go hover text.
6. Under Download, click the name of a fix to read its description and, optionally, to download it. If there is no Download heading for your product, supply a search term, error code, or APAR number in the field provided under Search Support (this product), and click the right arrow that shows the Go hover text.

For more information about the types of fixes that are available, see the IBM Software Support Handbook at http://techsupport.services.ibm.com/guides/handbook.html.

Receiving weekly support updates

To receive weekly e-mail notifications about fixes and other software support news, follow these steps:

1. Go to the IBM Software Support Web site at http://www.ibm.com/software/support.
2. Click My support in the far upper-right corner of the page under Personalized support.
3. If you have already registered for My support, sign in and skip to the next step. If you have not registered, click register now. Complete the registration form using your e-mail address as your IBM ID and click Submit.
4. The Edit profile tab is displayed.
5. In the first list under Products, select Software. In the second list, select a product category (for example, Systems and Asset Management). In the third list, select a product sub-category (for example, Application Performance & Availability or Systems Performance). A list of applicable products is displayed.
6. Select the products for which you want to receive updates.
7. Click Add products.
8. After selecting all products that are of interest to you, click Subscribe to e-mail on the Edit profile tab.
9. In the Documents list, select Software.
10. Select Please send these documents by weekly e-mail.
11. Update your e-mail address as needed.
12. Select the types of documents you want to receive.
13. Click Update.

If you experience problems with the My support feature, you can obtain help in one of the following ways:


Online
    Send an e-mail message to [email protected], describing your problem.

By phone
    Call 1-800-IBM-4You (1-800-426-4968).

Registering with IBM Software Support

Before you can receive weekly e-mail updates about fixes and other news about IBM products, you need to register with IBM Software Support. To register with IBM Software Support, follow these steps:

1. Go to the IBM Software Support site at the following Web address: http://www.ibm.com/software/support
2. Click Register in the upper right corner of the support page to establish your user ID and password.
3. Complete the form, and click Submit.

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.

Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:

• For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational® products, and DB2® and WebSphere® products that run on Windows or UNIX operating systems), enroll in Passport Advantage® in one of the following ways:

  Online
      Go to the Passport Advantage Web site at http://www-306.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm.

  By phone
      For the phone number to call in your country, go to the IBM Software Support Web site at http://techsupport.services.ibm.com/guides/contacts.html and click the name of your geographic region.

• For customers with Subscription and Support (S & S) contracts, go to the Software Service Request Web site at https://techsupport.services.ibm.com/ssr/login.

• For customers with IBMLink™, CATIA, Linux®, OS/390, iSeries®, pSeries®, zSeries®, and other support agreements, go to the IBM Support Line Web site at http://www.ibm.com/services/us/index.wss/so/its/a1000030/dt006.

• For IBM eServer™ software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM marketing representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web site at http://www.ibm.com/servers/eserver/techsupport.html.

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States. From other countries, go to the contacts page of the IBM Software Support Handbook on the Web at http://techsupport.services.ibm.com/guides/contacts.html and click the name of your geographic region for phone numbers of people who provide support for your location.

To contact IBM Software Support, follow these steps:

1. “Determining the business impact”
2. “Describing problems and gathering information”
3. “Submitting problems”

Determining the business impact

When you report a problem to IBM, you are asked to supply a severity level. Use the following criteria to understand and assess the business impact of the problem that you are reporting:

Severity 1
    The problem has a critical business impact. You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2
    The problem has a significant business impact. The program is usable, but it is severely limited.

Severity 3
    The problem has some business impact. The program is usable, but less significant features (not critical to operations) are unavailable.

Severity 4
    The problem has minimal business impact. The problem causes little impact on operations, or a reasonable circumvention to the problem was implemented.

Describing problems and gathering information

When describing a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:

• Which software versions were you running when the problem occurred?
• Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
• Can you re-create the problem? If so, what steps were performed to re-create the problem?
• Did you change the system? For example, did you change the hardware, operating system, networking software, and so on?
• Are you currently using a workaround for the problem? If so, be prepared to explain the workaround when you report the problem.

Submitting problems

You can submit your problem to IBM Software Support in one of two ways:

Online
    Click Submit and track problems on the IBM Software Support site at http://www.ibm.com/software/support/probsub.html. Type your information into the appropriate problem submission form.

By phone
    For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook at http://techsupport.services.ibm.com/guides/contacts.html and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the Software Support Web site daily, so that other users who experience the same problem can benefit from the same resolution.


Appendix B. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
3-2-12, Roppongi, Minato-ku, Tokyo 106-8711 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM’s application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.


Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Glossary

CKG profile. A number of profiles in the XFACILIT class control access to the CKGRACF commands. The profile names start with “CKG”. Note: If the Site Module general resource class name has been customized during the server setup as described in the IBM Tivoli zSecure CARLa-Driven Components: Installation and Deployment Guide, the class with the specified name controls access to the CKGRACF commands rather than the XFACILIT class.

Access authority. The authority a user needs to access a protected resource. The higher the authority, the more a user is allowed to do.

Class. All RACF entities like users and resources are categorized into classes. The Class Descriptor Table contains a description of all classes except USER, GROUP and DATASET.

Class Descriptor Table. An assembled RACF table that contains entries for all general resource classes.

CKGRACF. Short mainframe program name for a utility to fire authority sensitive RACF commands. Component of IBM Tivoli zSecure.

CKRCARLA. Short mainframe program name for the IBM Tivoli zSecure application.

Connect. A profile that connects a user to a group. Depending on the attributes of the connect, a user has different authorizations.

General Resource. Anything that RACF can protect except users, groups and datasets. For instance, the CKG profiles by default reside in the XFACILIT class, which is a general resource class.

Global Access Table (GAT). A fast way to allow access on a list of resources to all users except restricted users. Most RACF authority processing is bypassed. The list is stored in the DATASET profile of the GLOBAL class.

HLQ. High Level Qualifier or first qualifier. The left-most part of a dataset name, until the first period.

ID. Userid or group name.

Member. Profile members are used to create a list of entries associated with a profile.

MVS. A mainframe operating system.

OS/390. A mainframe operating system that includes MVS, among others. Renamed to z/OS.

Owner. Every profile has an owner. The user or group that owns the profile can view, change and delete that profile.

Permit. Allowed access ability of a user or group to specified resources.

Profile. A description of the security relevant characteristics of one or more users, groups or resources. A profile is divided into segments.

Proftype. Profile type. For general resources, it can be discrete or generic. For datasets, it can be generic, nonvsam, vsam, tapedsn or model.

RACF. Resource Access Control Facility. A security program that provides access control on an MVS or a VM environment by user identification, access authorization etc. Renamed to SecureWay™ Security Server.

Schedule. Schedules are the IBM Tivoli zSecure way to provide timed commands like revoke intervals. For example, this allows the administrator to define an interval in the future that a user will be on holiday. On the start date defined, the user will be revoked automatically. At the end of the holiday, the user will be resumed again by the system.

Segment. Part of a profile that contains a specific part of the identification.

Setropts. A command to set system-wide z/OS options related to resource protection (Set RACF Options).

Setropts erase. RACF command.

Subgroup. A group becomes a subgroup of the group it has as superior group.

Supgroup. Every group except SYS1 has one superior group. The hierarchy created this way plays an important role in the way access is granted.

Universal Access Authority (UACC). Part of a dataset or resource profile. It defines the default access granted if a user or group has no explicit access granted. (Except restricted users, which have no access via UACC). Note that for sensitive resources, the UACC is usually set to NONE.

Userid. User ID, unique identification for a RACF user.

z/OS. A mainframe operating system, containing MVS as a component. Used to be known as OS/390.

© Copyright IBM Corp. 1998, 2009 121

Page 136: Visual Client, Version 1.11.0: Client Manual - IBM · PDF fileiv Visual Client, Version 1.11.0: Client Manual. About this publication ... develop both a working knowledge of the basic

122 Visual Client, Version 1.11.0: Client Manual

Page 137: Visual Client, Version 1.11.0: Client Manual - IBM · PDF fileiv Visual Client, Version 1.11.0: Client Manual. About this publication ... develop both a working knowledge of the basic

Index

Special characters? 11/a 102/k 102$DELETE 32, 38

AAccess 1, 65, 66, 67

GlobalRefesh 70

Resource 51Segment 71

Access list 7, 23, 65Access List 17

Access 65Add

Access 66ID 66When 66

Delete 67Edit 67ID 65Print 11When 65

Access to Resources 17accessibility

See customer supportACLCount 57Action 45

Add Resource 60Add Subgroup 46Delete 49, 67, 70Refresch 70Remove 55

Action Delete 64Action Duplicate 62Active 25Add

ConnectSee Connect

Field 74Member 69schedules 40Segment 74

From Segment Detail Window 75To Profile 75

server 100subgroup 46User

See UserAdd resource profile

Appldata 60AuditF 60AuditS 60Class 60Erase 60InstData 60Notify 60Owner 60

Add resource profile (continued)Profile 60UACC 60Warning 60

Add to an access listAccess 66ID 66When 66

Add/Remove Programs 98Administrator

Set Schedule 38Ambiguous Class 15APPCLU - SESSION 78Appldata 57, 60Attempts 25Attribute 47

Connect 51Audit 22AuditF 57, 60Auditor 27Audits 57AuditS 60Auth 51, 52Author 39Authorization

Automatic 7Dependent on Connect 51Interface

Access list 7Connect 7Full 7Group 7Helpdesk 7User 7

Automatic 7

Bbooks

see publications vi, viii

CCategories 27CDT - CDTINFO 78CDTINFO 78CERTDATA 79, 80CFDEF 78CFIELD - CFDEF 78Change

Column sequence 10Default Password 37

Change password 1Change Program 99Changed 74CICS 84CKG 1, 7CKGRACF 1, 4

Information 11requests 4

CKRCARLA 4Information 11requests 4

CKRCARLA date format 8Class 17, 57, 60

Active 24All 24Ambiguous 15Authorized 24Refresh 70

Class authorizations 27Client

Requirements 95Client definition

Maintenance 91Column

Access 65Changed 74Description 74Fieldvalue 74ID 65Sort by entry 1When 65

Column sequenceChange 10

Command line 102Commands

Access 1Communication channel 1Communication to 4Communication window 4Communication Window 10Compact 96, 97Configuration file layout 104Configure

Automated setup and configure 102Configuration file 102Configuration file examples 106Configuration file limitations 105Configuration file notes 105Configuration file usage 104, 105Configure 99Create a configuation file 102Setup and Configure 95Upgrade 109

Connect 7, 47, 49Attribute 51Auth 51, 52Copy and Paste 9, 54Copy, merge and move 56Create 54Created 52Default owner 5Defining names 10Delete 55Drag and drop 9Drag and Drop 54gAud 51, 52gOper 51, 52Group 52gSpec 51, 52

© Copyright IBM Corp. 1998, 2009 123

Page 138: Visual Client, Version 1.11.0: Client Manual - IBM · PDF fileiv Visual Client, Version 1.11.0: Client Manual. About this publication ... develop both a working knowledge of the basic

Connect (continued)Last Connect 52management 51Properties 52table 51Userid 52

Connect TablePrint 11

Connects 15conventions

typeface xCopy

Connects 56Resource Profile 62server definition 102

Copy and PasteConnect 54Paste Special 9

CreateConnect 54User

See UserCreate dataset profile 31, 47, 48Created 25, 27, 39, 43, 45, 52, 57CSDATA 83, 85CSFKEYS, GCSFKEYS, XCSFKEY,

GXCSFKEY - ICSF 79CSV 10Custom 96, 97

Date Format 8customer support

See also Software Supportregistering with 113searching knowledge bases 111searching tips 111searching with support tools 111

DDATASET - DFP 79DATASET - TME 79Dataset profile 16DATASET Profile 57Date

Format 5Date Format

CKRCARLA date format 8ISO date format 8Windows long date 8Windows short date 8

DCE 85Default

connect owner 5Password 31, 35, 37

Default Group 25DefaultGrp 25, 27Define Alias 31, 47, 48Define Client 95Defining names 10Delete

Access List Entry 67connect 55Group 49Member 70Resource Profile 64schedules 41Segment 74

Delete (continued)server 100Undo 32User 32

Description 74DFP 79, 83, 85DIGTCERT - CERTDATA 79DIGTRING - CERTDATA 80Disable

User 32, 33Display

Group as Resource Profile 15User as Resource Profile 15

DLFCLASS - DLFDATA 80DLFDATA 80, 81drag and drop

Create connect 55Drag and drop 9Drag and Drop

Connect 54Copy, merge, and move connects 56

DuplicateGroup 47group segments 49user 30user segments 31

Duplicate groupOMVS segment

GID 49OpenMVS group (grpid) 49

Duplicate resource profile 62Duplicate user

DCE segmentUUID 32

KERB segmentKerberos name 31KERBNAME 31

LNOTES segmentLotus Notes short username 32SNAME 32

NDS segmentUNAME 32username 32

OMVS segmentInitial program 32OMVS HOME 32OMVS UNIX home path 32PROGRAM 32UID 32UNIX user (uid) 32

EEdit

Access List entry 67Member 70Segment Detail Window

Add Field 74Add Segment 74Apply 74Delete Segment 74Refresh 74

server 100education

see Tivoli technical training ixEffective access list 23

Effective Access ListPrint 11

EIM 81, 85EJBROLE - TME 80Enable

User 34End 39Enforce creation of dataset profile 31,

47, 48Entry

Delete 67Edit 67

Erase 57, 60Exact 13, 14Excel 10Exit

Confirm exit option 5Exit 2

Expire Password 35Expired 27Export 10

Create a configuration file 102Server 100

Export to rtf 4

FF1 1FACILITY - DLFDATA 81FACILITY - EIM 81FACILITY - PROXY 81FACILITY - TME 81Fieldvalue 74Filter 13, 14Find

Exact 13extra fields for groups 44extra fields for users 26Filter 13Find window always on top option 5Group 13Installation data 57Mask 13Owner 57Resource 13Segment 57Segments 13User 13

Find dialogExtra Fields 25

Find DialogExtra Selection Fields Groups 43

fixes, obtaining 112Folder 96

Program 97font

change font dialogs 5change font table 5

FormatDate 5, 8

Full 7

GgAud 51, 52Generic Resource Profile 57

124 Visual Client, Version 1.11.0: Client Manual

Page 139: Visual Client, Version 1.11.0: Client Manual - IBM · PDF fileiv Visual Client, Version 1.11.0: Client Manual. About this publication ... develop both a working knowledge of the basic

GID 49Global

AccessRefresh 70

Global Access Table 17gOper 51, 52Gray

Unauthorized functions 7Green 25Group 7, 43, 52

Access to Resources 17Add subgroup 46Attribute 47Connect 47, 49Delete 49Display as Resource Profile 15Duplicate 47extra fields in find dialog 44Extra Selection Fields Find Dialog 43management 43Permit 47, 49properties 45Resource 49Scope 16, 17Superior group 16Supgroup 16table 43Wrong Display 15

GROUP - CSDATA 83GROUP - DFP 83GROUP - OMVS 83GROUP - OVM 84GROUP - TME 84Group management 19Group operations attribute 17Group special attribute 17Group Table 11

Print 11Group tree

Load Complete 16Scope 16

Groupid 65gSpec 51, 52

HHelp 1Helpdesk 7Hide

Unauthorized functions 7High Level Qualifier 16HLQ 16

IIBM Books 89Icon 25ICSF 79ID 17, 66, 67Import

Server 100Inactive 25, 27Information

CKGRACF 11CKRCARLA 11Segment 89

Information (continued)Server 11

information centers, searching 111Initial program 32Install 95

Command line 102Modify 99Repair 99Uninstall 98

Installation 96Compact 97Custom 97Prerequisites 95Requirements 95Setup 96

Installation data 25, 27, 43, 57Installation Data 45, 46Installation type

Compact 96Custom 96Typical 96

InstData 25, 43, 57, 60Interface Authorization

Access list 7Connect 7Full 7Group 7Helpdesk 7User 7

Internet, searching 111Interval 25, 38IP 95

KKERB 82, 85Kerberos name 31KERBNAME 31Key 13knowledge bases

searching knowledge bases 111searching tips 111searching with support tools 111

LLANGUAGE 86Last connect 27Last Connect 52Last logon 27Last password change 27LastConnect 25LastPwdChange 25LDAPBIND - EIM 81LDAPBIND - PROXY 82List Resources 17LNOTES 86Load Complete 16Localhost 95Log on 1Logon Attempts 25Lotus Notes short username 32

MMainframe 4

Logon 1Requirements 95

MaintenanceClient definition 91Repair 98, 99

ManagementConnect 51Group 43User 25

manualssee publications vi, viii

Mask 13, 14Member

Add 69Delete 70Edit 70

Member list 24, 69Members 68

Print 11Merge

Connects 56Microsoft Excel

CSV 10RTF 10

Microsoft Windows 2000 95Microsoft Windows 98 95Microsoft Windows XP 95Modify 99Move

Connects 56

NName 25, 27, 39Navigate 13

Access 65Access List 23, 65Connect 15, 51Effective Access List 23Find 13Group tree 16ID 65Member 68, 69Members 24Permit 16Properties 52Schedule 39, 40, 41Scope 17Segment List 73When 65

NDS 86NETVIEW 86New Password 1Notify 57, 60

OOMVS 83, 86OMVS HOME 32OMVS UNIX home path 32online publications

accessing viiiOpenMVS group (grpid) 49Operations 27

Index 125

Page 140: Visual Client, Version 1.11.0: Client Manual - IBM · PDF fileiv Visual Client, Version 1.11.0: Client Manual. About this publication ... develop both a working knowledge of the basic

OPERPARM 87Options

change font dialogs 5change font table 5Confirm exit 5Date format 5Default connect owner 5dialog 5Find window always on top 5

Options dialogFind window always on top 13

ordering publications viiiOVM 84, 87Owner 25, 27, 43, 45, 57, 60

PPassword

Change 1Default 31, 35, 37New 1, 35Previous 35Resume 35Set 35Set to be expired 35

Password attempts 27Password interval 27PC 4Permit 47, 49Permits 16

Print 11Remove user permits 55

Port conflictavoid 101

Prerequisites 95Preview 11Print 10

Preview 11Table 11

problem determination andresolution 114

Profile 57, 60Add Segment 73, 75DATASET Profile 57Generic Profile 57Resource Profile

Duplicate 62Remove 64

Segment Detail WindowChanged 74

View properties 73View Segment Detail Window 73Warning mode 17

Profile filter 17ProfType 57PROGRAM 32PROGRAM - SIGVER 82Program Folder 96, 97Properties

Auditor 27Auth 52Categories 27Class authorizations 27Connect 52Created 27, 45, 52DefaultGrp 27Expired 27

Properties (continued)gAud 52gOper 52Group 45, 52gSpec 52Inactive 27Installation data 27Installation Data 45Last connect 27Last Connect 52Last logon 27Last password change 27Name 27Operations 27Owner 27, 45Password attempts 27Password interval 27Resource Profile 63Revoked 27Security label 27Security level 27Special 27SubGroup 45SupGroup 45TermUACC 45User

See UserUserid 27, 52

PROXY 81, 82, 87PTKDATA - SSIGNON 82publications vi

accessing online viiiordering viii

QQuit

See Exit, Exit

RRACF 1, 4, 32, 51RACF SETROPTS Settings 22RDO Component 102REALM- KERB 82Reason 39Red 25Refresh 60, 62, 64

Segment 74Refresh class 70Remove

Connect 55IBM Tivoli zSecure Visual 98Resource Profile 64Undo 32User 32User permits from group

resources 55Repair 99Repeat 41

Schedules 41Requests 4Requirements 95Resource 49

Access 51Permit 16

Resource management 19Resource Management 57Resource profile 16Resource Profile

Delete 64Duplicate 62Refresh 62, 64

Resource profile properties 63Resource profiles

DATASET Profile 57Generic Resource Profile 57

Resource Table 15ACLCount 57Appldata 57AuditF 57AuditS 57Class 57Created 57Erase 57InstData 57Notify 57Owner 57Print 11Profile 57ProfType 57UACC 57Volser 57Warning 57

ResourcesRemove user permits 55

Resume 33Password 35

Revoke status 25Revoked 25, 27Right mouse button 10ROLE - TME 82RTF 4, 10

SSchedule

$DELETE 32Disable 33Enable 34

Schedules$DELETE 38Add 40Author 39Delete 41Edit 39End 39Interval 38Name 39Reason 39Repeat 41Revoke 38Start 39Type 39

Scope 16, 17Scope *

Class 21Profile filter 21UACC 21

Scope*Print 11

Search string 13Security label 27

126 Visual Client, Version 1.11.0: Client Manual

Page 141: Visual Client, Version 1.11.0: Client Manual - IBM · PDF fileiv Visual Client, Version 1.11.0: Client Manual. About this publication ... develop both a working knowledge of the basic

Security level 27
Segment 43, 57
  Access 71
  Add 74, 75
  Add Field 74
  authorities 71
  Delete 74
  Edit 74
  Exceptions 76
  List 73
  more information 89
  Segment Detail Window
    Description 74
    Fieldvalue 74
  settings 71
  Types 72
  View 71
Segments 13, 25
Select class dialog
  Activate 24
  Active Classes 24
  All Classes 24
  Authorized Classes 24
  Class 24
  Description 24
Sequence
  Column 10
Server
  Add 100
  Copy definition 102
  Define 99
  Delete 100
  Edit 100
  Export 100
  Import 100
  Information 11
  Test Connection 100
SESSION 78
Set
  Default Password 31, 37
Set password 35
Set up
  Communication channel 1
SETROPTS 22
Setup
  Automated setup and configure 102
  Command line 102
  Compact 97
  Configuration file 102
  Configuration file examples 106
  Configuration file limitations 105
  Configuration file notes 105
  Configuration file usage 104, 105
  Create a configuration file 103
  Custom 97
  Installation 96
  Modify 99
  Prerequisites 95
  Repair 99
  Setup and Configure 95
  Silent 106
  Uninstall 98
  Upgrade 99, 109
Setup type
  Compact 96
  Custom 96
  Typical 96
SIGVER 82
SNAME 32
Software Support
  contacting 113
  receiving weekly updates 112
Sort
  By entry 1
Special 27
Special Characters 11
SSIGNON 82
Start 39
STARTED - STDATA 83
Status 38
STDATA 83
SubGroup 43, 45
SupGroup 43, 45
support
  See customer support
SVMR 83
SYS1 16
SYSMVIEW - SVMR 83
SYSPRINT 4
System audit 22
SYSTERM 4

T
Table 10
  Auth 51
  Connect 51
  Export 10
  gAud 51
  gOper 51
  Group 43
  gSpec 51
  Installation data 43
  InstData 43
  Member 69
  Owner 43
  Print 11
  Resource 57
  Segment 43
  SubGroup 43
  SupGroup 43
  User 25
  Users 43
TCP 95
TermUACC 45
Test
  connection 100
Tivoli Information Center viii
Tivoli technical training ix
Tivoli user groups ix
TME 79, 80, 81, 82, 84
To the Mainframe
  Communication window 4
Toolbar 9
training, Tivoli technical ix
TSO 88
Type 39
  Segment 72
typeface conventions x
Typical 96

U
UACC 17, 57, 60
UID 32
UNAME 32
Unauthorized functions 7
Undo
  Delete 32
Uninstall 98
UNIX user (uid) 32
Upgrade
  Copy server definition 102
User 7
  Access 16, 51
  Access to Resources 17
  Active 25
  Copy and Paste 9
  Defining names 10
  Delete 32
  Disable 32, 33
  Display as Resource Profile 15
  Drag and drop 9
  Duplicate 30
  Enable 34
  extra find fields 26
  Inactive 25
  management 25
  Properties 25, 27
  Resource 51
  Resume 33
  Revoked 25
  Schedules 38
  Scope 17
  Set password 35
  Status 38
  table 25
  Wrong Display 15
USER - CICS 84
USER - CSDATA 85
USER - DCE 85
USER - DFP 85
USER - EIM 85
USER - KERB 85
USER - LANGUAGE 86
USER - LNOTES 86
USER - NDS 86
USER - NETVIEW 86
USER - OMVS 86
USER - OPERPARM 87
USER - OVM 87
USER - PROXY 87
USER - TSO 88
USER - WORKATTR 88
user groups, Tivoli ix
User management 19
User Table
  Print 11
Userid 1, 25, 27, 52, 65
username 32
Users 43
usr
  Auditor 27
  Categories 27
  Class authorizations 27
  Created 27
  DefaultGrp 27
  Expired 27
  Inactive 27


usr (continued)
  Installation data 27
  Last connect 27
  Last logon 27
  Last password change 27
  Name 27
  Operations 27
  Owner 27
  Password attempts 27
  Password interval 27
  Revoked 27
  Security label 27
  Security level 27
  Special 27
  User
    See User
  Userid 27
UUID 32

V
View
  Segment 71
Volser 57

W
Warning 57, 60
Warning mode 17
When 66, 67
Windows 2000 95
Windows 98 95
Windows long date 8
Windows Millennium Edition 95
Windows short date 8
Windows XP 95
WORKATTR 88

X
XP 95


Printed in USA

SC23-6548-03