Skip to content
CA View® - 14.0
Documentation powered by DocOps

Security Requirements

Last update December 10, 2018

Administrators meet the following security requirements for installing CA View, CA Deliver, and CA OM Web Viewer:

CA View Security Requirements

Consider these points:

  • If you are enabling ICSF encryption on a CA View database, you might require security privileges to access and update keys in the ICSF CKDS data set.
  • CA View does not access the ICSF CKDS data set directly but it does invoke ICSF services to create new keys and access existing keys.
  • If access to ICSF keys is restricted through an external security product, started task, batch jobs, and online users of CA View must have sufficient authority to access these ICSF keys.
  • All CA View started tasks, batch jobs, utilities, and online users that access report data in a CA View database require at a minimum READ access to the ICSF keys.

The following started tasks, batch jobs, utilities, and online users require WRITE access to ICSF keys:

  • Archival started tasks, including the CA View started task, CA View FSS Archival tasks, and any application job where data is written directly to the CA View database
  • Batch jobs that execute SARINIT
  • Batch jobs that execute SARDBASE to COPY, LOAD, MERGE, or RESTORE a CA View database
  • Batch jobs that execute SARBCH to LOAD a report or report index to a CA View database
  • Batch jobs that execute SARBCH to reindex a report in a CA View database
  • Online users that are able to perform an online LOAD of a report or a report index to a CA View database

For information about the security requirements for accessing a CA View database, or reports and data within the CA View database, see Security.

CA Deliver Security Requirements

For security requirements related to the ability to access data within the CA Deliver database, see Reference in the CA Deliver documentation.

CA Output Management Web Viewer 11.5 and 12.x Security Requirements

The CA OM Viewer Installation mounts a zFS file to your USS file system. The installer must have the proper authorities to create USS directories, update USS directories, and issue the USS mount command. 

Mainframe Team Center – Content Viewer 14.0 Security Requirements

Mainframe Team Center – Content Viewer runs as a deployed application under CCS Apache Tomcat. Users login to Mainframe Team Center – Content Viewer using the z/OS credentials for the system where CCS Apache Tomcat is running. Access to CA View repositories and reports are controlled by z/OS and CA View, based on the user that logged in to Mainframe Team Center – Content Viewer.

Requirement for CCS Tomcat User

The user ID that CCS Apache Tomcat is running as requires read access to the following IBM Facility entities:

  • BPX.SERVER
  • BPX.SRV.userid, where userid is the user ID that logs in to Mainframe Team Center – Content Viewer

Note: The user ID that CCS Apache Tomcat is running as does not need access to the CA View repositories and reports.

Requirement for Mainframe Team Center – Content Viewer Users

Mainframe Team Center – Content Viewer users require READ access to applid OMVSAPPL to log in to the product.

Repository Administrative Authority

To manage repositories and repository groups in Mainframe Team Center – Content Viewer, you must have Repository Administrative Authority. You should only grant Repository Administrative Authority to users who need to manage repositories or repository groups. Repository Administrative Authority for Mainframe Team Center – Content Viewer requires the following access:

Resource Class: CHA1VIEW

Resource Type: WEBVWR.ADMIN

Access: READ

Example Security Rule: TSS PERMIT(acid) CHA1VIEW(WEBVWR.ADMIN) ACCESS(READ)

When a user logs on, Mainframe Team Center – Content Viewer issues a security check and assigns the user either administrative access or non-administrative access. This access level remains in effect until the user either logs out explicitly or times out after 60 minutes of inactivity.

Repository Groups

Authorization for a repository group in Mainframe Team Center – Content Viewer requires the following access:

Resource Class: CHA1VIEW

Resource Type: WEBVWR.GROUP.grpname

Access: Read

Example Security Rule: TSS PERMIT(acid) CHA1VIEW(WEBVWR.GROUP.TEST) ACCESS(READ)

The group name (grpname) is subject to character translation. For details, see How to Configure Mainframe Team Center – Content Viewer in the documentation for Mainframe Team Center – Content Viewer.

SMF Records

If you want Mainframe Team Center – Content Viewerto create SMF records to monitor usage, appropriate security permissions are required for the BPX1SMF service. This service writes SMF records and the Mainframe Team Center – Content Viewer Tomcat server must have permission to the BPX.SMF resource profile in the FACILITY class.

Was this helpful?

Please log in to post comments.