This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
MainView Total Object Manager
What permissions may be needed for USS processing in TOM
Listed below are the various security authorizations related to USS that may be needed for the TOM PAS. Select/specify each one depending on the site’s security policies and usage of TOM.
- Enable UPM (USS Process Management) Extension
  - Allow TOM PAS to query all USS processes.
  - Required for any TOM PAS that enables the UPM Extension.
  - RACF: PERMIT SUPERUSER.PROCESS.GETPSENT ACCESS(READ) ID(tom-pas-userid) CLASS(UNIXPRIV)
- USS-type commands for object definitions
  - kill command
    - Allow TOM PAS to kill any USS process using the TOM user-id.
    - Required for any object definition that specifies a USS-type kill command without a different user-id.
    - RACF: PERMIT SUPERUSER.PROCESS.KILL ACCESS(READ) ID(tom-pas-userid) CLASS(UNIXPRIV)
  - Processes that need to switch to superuser (see notes below)
    - Allow processes spawned with the TOM user-id to inherit the authorization to switch to superuser.
    - Required for object definitions that specify USS-type commands that result in a setuid() call (for example, scripts that issue the “su” command).
    - RACF: PERMIT BPX.SUPERUSER ACCESS(READ) ID(tom-pas-userid) CLASS(FACILITY)
  - Using a different user-id
    - Allow TOM PAS to issue object definition USS-type commands with a different user-id.
    - Required for USS-type commands in an object definition that specify a user-id.
    - FACILITY class:
      - PERMIT BPX.SERVER ACCESS(READ) ID(tom-pas-userid) CLASS(FACILITY)
      - PERMIT BPX.DAEMON ACCESS(READ) ID(tom-pas-userid) CLASS(FACILITY)
    - SURROGAT class (if BPX.SRV.userid is defined for a user you plan to use as the different user-id):
      - PERMIT BPX.SRV.userid ACCESS(READ) ID(tom-pas-userid) CLASS(SURROGAT) (where userid is the user-id to be assigned to the process spawned by the TOM PAS)
  - Using a different jobname
    - Allow TOM PAS to issue object definition USS-type commands with a different jobname.
    - Required for USS-type commands in an object definition that specify a spawn-job-name.
    - RACF: PERMIT BPX.JOBNAME ACCESS(READ) ID(tom-pas-userid) CLASS(FACILITY)
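As an added example (not from the BMC article) of applying the list above as one repeatable change, the RACF commands run through IKJEFT01 in a batch TSO job. TOMPAS and APPUSR are placeholder user IDs, the JOB card accounting fields are site-specific, and the profile definitions assume the site has not already created them with different attributes.

```jcl
//RACFTOM  JOB (ACCT),'TOM USS PERMITS',CLASS=A,MSGCLASS=X
//* Constructed example, not BMC code. TOMPAS = placeholder for the
//* TOM PAS user ID; APPUSR = placeholder for a different user ID
//* named in an object definition. Submit under a RACF administrator
//* ID and keep only the sections for the TOM features this site uses.
//*
//* UNIXPRIV and FACILITY must be active and RACLISTed for z/OS UNIX
//* privilege checks; the SETROPTS CLASSACT/RACLIST lines are no-ops
//* if the classes are already active. RDEFINE only reports ALREADY
//* DEFINED when a profile exists. The SURROGAT PERMIT applies only
//* when BPX.SRV.APPUSR is defined (PERMIT reports NOT DEFINED
//* otherwise); RLIST shows whether it exists. In-storage profiles
//* are not updated until the RACLIST REFRESH at the end.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)
 SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
 RDEFINE UNIXPRIV SUPERUSER.PROCESS.GETPSENT UACC(NONE)
 PERMIT SUPERUSER.PROCESS.GETPSENT CLASS(UNIXPRIV) -
   ID(TOMPAS) ACCESS(READ)
 RDEFINE UNIXPRIV SUPERUSER.PROCESS.KILL UACC(NONE)
 PERMIT SUPERUSER.PROCESS.KILL CLASS(UNIXPRIV) -
   ID(TOMPAS) ACCESS(READ)
 RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)
 PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(TOMPAS) ACCESS(READ)
 RDEFINE FACILITY BPX.SERVER UACC(NONE)
 PERMIT BPX.SERVER CLASS(FACILITY) ID(TOMPAS) ACCESS(READ)
 RDEFINE FACILITY BPX.DAEMON UACC(NONE)
 PERMIT BPX.DAEMON CLASS(FACILITY) ID(TOMPAS) ACCESS(READ)
 RLIST SURROGAT BPX.SRV.APPUSR
 PERMIT BPX.SRV.APPUSR CLASS(SURROGAT) ID(TOMPAS) ACCESS(READ)
 RDEFINE FACILITY BPX.JOBNAME UACC(NONE)
 PERMIT BPX.JOBNAME CLASS(FACILITY) ID(TOMPAS) ACCESS(READ)
 SETROPTS RACLIST(UNIXPRIV) REFRESH
 SETROPTS RACLIST(FACILITY) REFRESH
 SETROPTS RACLIST(SURROGAT) REFRESH
/*
```

After the job runs, RLIST of each profile with AUTHUSER shows the access list and confirms that only the TOM PAS user ID (and nothing broader) was granted READ.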
The TOM PAS spawns a new USS process for any USS-type command defined for an object (start, stop, Active Check Program, etc.). The spawned process inherits the attributes of the TOM PAS process that issues the spawn() callable service (with some exceptions, depending on the object definition).
Even if the TOM PAS itself is granted superuser authority, spawned processes do not start with superuser authority. A spawned process can still switch to superuser if it was spawned with the TOM user-id, or with another user-id, that has READ access to BPX.SUPERUSER.
Some processes may require extra permissions after being spawned by TOM. For example, permissions to access files, directories, and so on. Make sure the userid used to issue the USS command for each object has the needed permissions for that specific process.
TOM sets the HOME and PROGRAM environment variables for spawned processes based on the OMVS segment of the userid specified for each of the object’s USS-type commands. If the userid is not specified for a USS-type command, the HOME and PROGRAM environment variables will be set based on the OMVS segment of the TOM userid. Make sure to define the OMVS segment for the TOM userid based on your needs.
Here is an example of how to switch to superuser authority using a shell script (the command to run is passed as the script’s first argument):
#!/bin/sh
# $1: the command to run as superuser
# su with no arguments switches to superuser (the user-id needs READ
# access to BPX.SUPERUSER) and its shell reads the command from stdin
/bin/echo "$1" | /bin/su