How is security established for the CA OPS/MVS OPSLOG WebView facilities?

Document ID : KB000027972
Last Modified Date : 14/02/2018

Introduction: 

The OPSLOG WebView feature allows users to browse the OPSLOG and to issue host commands from any platform running Java and a web browser. OPSLOG WebView provides a graphical user interface for submitting the full set of commands supported by OPSLOG Browse, including the ability to browse and issue host commands targeted for remote systems defined to the CA OPS/MVS Multi-System Facility (MSF). You can control access to CA OPS/MVS facilities from OPSLOG WebView through security rules: you can specify which users can view OPSLOG messages and which users can issue host commands.

With the default security options set on the OPSLOG WebView server, OPSLOG WebView validates user IDs and passwords entered in the login dialog box. You can set the OSFSECURITY parameter to CHECKUSERID on all systems accessible to OPSLOG WebView to control access permissions by user ID.

Question: 

How is security established for the CA OPS/MVS OPSLOG WebView facilities?

Answer: 

When is an OPSLOG WebView security event generated?

  1. After establishing an OPSLOG WebView session request: Before an OPSLOG WebView session can be established, OPSLOG WebView prompts each user to log in using a valid user ID and password for the target z/OS system on which the OPSLOG WebView Server is installed. Following a successful login, OPSLOG WebView submits a request to browse OPSLOG messages, creating a security event for accessing the OPSBRW command processor. Access is permitted or restricted by user ID according to security rules. Once the security event is processed and the security rules return a value of ACCEPT, the OPSLOG WebView window displays OPSLOG messages and all window buttons are enabled. If the user is permitted to view the OPSLOG on the local system, the user is also permitted to view all remote system OPSLOGs. Conversely, if the security rules return a value of REJECT, the OPSLOG WebView window is blank and most buttons are disabled. Also, the user will not be permitted to view remote system OPSLOGs.
  2. A host command request: Each time a user enters a host command from the OPSLOG WebView window, a security event for accessing the OPSCMD command processor occurs. Access is permitted or restricted by user ID according to the local security rules specified. The host command is issued only if security rules processing returns a value of ACCEPT.
  3. Via host command request over a remote system connection: Each time a user enters a host command from OPSLOG WebView over a remote system connection, a security event for accessing the OPSCMD processor on the local system occurs. The security event is processed through the local security rules. When local security rules processing returns a value of ACCEPT, another security event for accessing the OPSCMD processor on the remote system occurs. The security event is then processed through the remote security rules. The remote system host command is issued only if both the local and the remote security rules return a value of ACCEPT. Conversely, if the local security rules processing returns REJECT, the host command requested is rejected, regardless of access permissions specified by remote security rules.

What are the default access permissions?

By default, all users are permitted to view the OPSLOG from OPSLOG WebView but are not permitted to issue host commands. This assumes there are no pre-existing security rules for controlling access to the OPSLOG.

To override the default permissions to display OPSLOG messages, create a security rule for event type OPSBRW, similar to the one that follows, to permit only users in the allow_users list to view the OPSLOG.

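)SEC OPSBRW
)PROC
/* User IDs permitted to view the OPSLOG */
allow_users = "TSOUSER1 TSOUSER2 TSOUSER3"
/* User ID associated with this security event */
user = sec.opauusid
/* Reject any user ID that is not a word in allow_users */
if WORDPOS(user,allow_users) = 0 then return "reject"
else return "accept"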

Note that the security rule for event type OPSBRW has no influence over which users can issue host commands. To override the default security restrictions on issuing host commands, create a security rule for event type OPSCMD, similar to the one that follows, to permit only users in the allow_users list to issue host commands.

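)SEC OPSCMD
)PROC
/* User IDs permitted to issue host commands */
allow_users = "TSOUSER1 TSOUSER2 TSOUSER3"
/* User ID associated with this security event */
user = sec.opauusid
/* Reject any user ID that is not a word in allow_users */
if WORDPOS(user,allow_users) = 0 then return "reject"
else return "accept"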

Will OPSLOG WebView security rules be compatible with the security rules already in use?

If security rules to control access to the OPSLOG using OPSLOG Browse are already in place, then the same rules can also be used to control access using OPSLOG WebView. 
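
The following Python sketch is an added example, not CA OPS/MVS code and not part of the original document. It models the three security events and the default permissions described above, so that the effective access per user and target system can be checked before rules are deployed. The system names SYSA, SYSB and SYSC, the per-system allow lists and all function names are constructed for illustration, and it assumes the documented defaults apply on every system.

```python
# Constructed model of the decision flow described above; not CA OPS/MVS code.
ACCEPT, REJECT = "ACCEPT", "REJECT"

# Defaults the page gives when no security rule exists for an event type.
# Assumption: the same defaults apply on every system, local or remote.
DEFAULTS = {"OPSBRW": ACCEPT, "OPSCMD": REJECT}


def evaluate(rules, event, user):
    """Verdict of one system's rules; rules maps event type -> allow_users set."""
    if event not in rules:
        return DEFAULTS[event]
    return ACCEPT if user in rules[event] else REJECT


def can_view(systems, local, user):
    """OPSLOG viewing, local or remote, follows the local OPSBRW verdict only."""
    return evaluate(systems[local], "OPSBRW", user) == ACCEPT


def can_command(systems, local, target, user):
    """Host command: local OPSCMD must ACCEPT, then the remote OPSCMD as well."""
    if evaluate(systems[local], "OPSCMD", user) != ACCEPT:
        return False  # local REJECT wins regardless of the remote rules
    return target == local or evaluate(systems[target], "OPSCMD", user) == ACCEPT


def access_matrix(systems, local, users):
    """Effective (view, command) rights per (user, target system)."""
    return {(u, t): (can_view(systems, local, u), can_command(systems, local, t, u))
            for u in users for t in systems}


# Constructed sample: SYSA hosts the WebView server, SYSB and SYSC are MSF remotes.
SYSTEMS = {
    "SYSA": {"OPSBRW": {"TSOUSER1", "TSOUSER2"}, "OPSCMD": {"TSOUSER1"}},
    "SYSB": {"OPSBRW": {"TSOUSER3"}, "OPSCMD": {"TSOUSER1", "TSOUSER2"}},
    "SYSC": {},  # no security rules at all
}

if __name__ == "__main__":
    matrix = access_matrix(SYSTEMS, "SYSA", ["TSOUSER1", "TSOUSER2", "TSOUSER3"])
    for (user, target), (view, cmd) in sorted(matrix.items()):
        print(f"{user} -> {target}: view={view} command={cmd}")
```

In this sample, TSOUSER2 can view the SYSB OPSLOG although the SYSB OPSBRW rule does not list that user, because only the local OPSBRW verdict is consulted for viewing, and cannot issue commands on SYSB although SYSB allows it, because the local OPSCMD rule rejects first.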

Additional Information:

CA OPS/MVS - OPSLOG WebView Installation and Configuration Scenarios

CA OPS/MVS - Security Rules