Establishing external security system access rules

The following applies to your External Security System (such as RACF®). Application Performance Analyzer also provides its own access rules facility to complement the external security system. The Application Performance Analyzer access rules are described in Configuring Application Performance Analyzer.

Load library (SCAZAUTH)
You need to grant Application Performance Analyzer users execute access to the product load library SCAZAUTH.
Other libraries
Users should be granted read-only access to all other Application Performance Analyzer libraries.
Checkpoint file
The Application Performance Analyzer started task will allocate a checkpoint file. Application Performance Analyzer uses this data set to record the status of all measurement requests. The checkpoint file is named in the format yourhlq.CheckpointDSN. The Application Performance Analyzer started task must have full access to this data set. Additionally, you should grant full access to the appropriate product support personnel, and read-only access to all other users of Application Performance Analyzer.
Note: Some installations might need to pre-allocate the checkpoint file. See Pre-allocating a checkpoint data set to determine if this applies to your installation.
Log files
If you choose to activate the logging option, the Application Performance Analyzer started task will allocate and write to log data sets. These data sets record activity within the started task. The Application Performance Analyzer started task must have full access to these data sets. Additionally, you should grant full access to the appropriate product support personnel and deny access to all other users. These data sets have a name in the form:

yourhlq.LOG.Dyyyyddd.Thhmmsst

Common data store file
If you choose to enable the common data store option, the Application Performance Analyzer started task allocates the common data store file if one does not already exist. Application Performance Analyzer uses the common data store file, which is unique to each started task, to record and maintain a list of data set names and directories that contain source program mapping files. It includes source mapping file lists for individual users, as well as those that are common to all users. Individual users maintain their personal lists using the ISPF A03 and A04 panels or the GUI Mapping Repository feature. Administrators maintain the common list using the ISPF A05 panel or the GUI Mapping Repository feature. The common data store file is typically named in the format yourhlq.CDS. The Application Performance Analyzer started task must have full access to this data set. Additionally, you should grant full access to the appropriate product support personnel.
Note: Some installations might need to preallocate the common data store file. See Pre-allocating a common data store file to determine whether this applies to your installation.
Sample (measurement) files
The Application Performance Analyzer started task creates a measurement file (or "sample" file) for each measurement request that has completed. These data sets contain the measurement data that Application Performance Analyzer uses to produce the performance analysis reports. The Application Performance Analyzer started task must have full access to these data sets, unless you have enforced user level security for sample files. For more information on enforcing user level security, refer to the SampleDSUserLevelSecurity setting in CONFIG BASIC statement in Chapter 2. Additionally, you should grant full access to the appropriate product support personnel, and read-only access to all other Application Performance Analyzer users. These data sets are named in the format:

yourhlq.userid.Rnnnn.jobname.SF

You also have the option of overriding the Application Performance Analyzer generated sample data set name by specifying the SampleDSN setting in CONFIG SAMPLE.

Export files
The Application Performance Analyzer started task creates an export file in XMIT format when the export commands EXP (a single measurement) or EXPH (a hierarchy of measurements) is issued against a completed observation. The export data sets contain the measurement data that Application Performance Analyzer uses to produce the performance analysis reports, and are used as input to the Application Performance Analyzer IMPORT command and CAZIMPRT batch utility. The Application Performance Analyzer started task must have full access to these data sets unless you have enforced user level security for sample files and exported files using the SampleDSUserLevelSecurity configuration setting. For more information on enforcing user level security, refer to the SampleDSUserLevelSecurity setting in CONFIG BASIC statement in Chapter 2. Additionally, you should grant full access to the appropriate product support personnel and read-only access to all other users of Application Performance Analyzer.

These data sets are named in the format below:

tsoprefix.userid.Rnnnn.XMIT

You also have the option of overriding the Application Performance Analyzer generated export data set name by specifying the ExportDSN configuration setting. For more information on overriding the export data set name, refer to the ExportDSN setting in CONFIG SAMPLE statement in Chapter 2.

SAF FACILITY class authorities
When your installation has activated the SAF FACILITY class and has defined profiles for CSVDYNL and/or CSVDYNEX, you must authorize the Application Performance Analyzer started task as described in the table below:
Table 1. Class authorities required for SAF FACILITY
Class entity Access authority
CSVDYNL.linklist.TEST  1  READ
CSVDYNEX.LIST READ
CSVDYNEX.SYS.IEFUSI.CAZ00990 UPDATE
CSVDYNEX.SYSJES2.IEFUSI.CAZ00990 (for JES2 environments) UPDATE
CSVDYNEX.SYSJES3.IEFUSI.CAZ00990 (for JES3 environments) UPDATE
CSVDYNEX.SYSSTC.IEFUSI.CAZ00990 UPDATE
CSVDYNEX.SYSTSO.IEFUSI.CAZ00990 UPDATE
CSVDYNEX.BPX_POSPROC_INIT.CAZ00991 UPDATE
CSVDYNEX.SYS.IEFU83.CAZ00993 UPDATE
CSVDYNEX.SYSSTC.IEFU83.CAZ00993 UPDATE
CSVDYNEX.SYS.IEFU84.CAZ00994 UPDATE
CSVDYNEX.SYSSTC.IEFU84.CAZ00994 UPDATE
Note:  1  Where linklist is the name of the active LNKLST. This can be displayed on the console with the command: 
D PROG,LNKLST,NAME=CURRENT
RACF Authority for EMCS Consoles
Application Performance Analyzer collects data from SMF for WebSphere® measurements and additional DB2® accounting data for DB2+ measurements. In order to collect this data from SMF, the Application Performance Analyzer started task must have RACF authority to use an Extended MCS console. The following RACF General Resource Profile must be defined in the RACF OPERCMDS class: 
MVS.MCSOPER.consname

Where consname is eight characters long, left justified and padded with zeros. It begins with CAZ followed by the Application Performance Analyzer started task ID and ends with zeros. For example, if the Application Performance Analyzer started task ID is CZ12, consname would be CAZCZ120. The user ID associated with the Application Performance Analyzer started task must have READ access to this profile.

Non-RACF security
If you are running a security system other than RACF, you might need to give Application Performance Analyzer read access to any protected load libraries it might need to search. Application Performance Analyzer requires access to load libraries in order to gather information about all modules it encounters during an observation session. If the Application Performance Analyzer started task gets S913 abends in a non-RACF environment, protected loadlibs are a likely cause.
Parent topic: Planning for security