What is required for ACF2 for setup of z/OSMF?

Article ID: 11540


Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction



What is required for ACF2 for setup of z/OSMF?

Environment

Release: ACF2..001AO-16-ACF2
Component:

Resolution

This knowledge document provides update details for z/OSMF.

z/OSMF Updates can be found as PTFs SO04740, SO04537 and SO08630:
SO04740 Z/OSMF CLOUD PROVISIONING REXX EXEC 
SO04537 SAMPLE JCL FOR ZOSMF SECURITY SETUP

SO08630 ZOSMF CLOUD PROVISIONING REXX EXEC ERRORS

Note: The PTF SO04740 is PE'd and corrected by SO08630.

This File consists of the z/OSMF security configuration commands converted for ACF2 environments.  The original RACF commands used for the conversion come from the Z/OSMF Configuration Guide,  Appendix F. Contents of the RACF commands execs (SA38-0657-00).

 Jobs             Description

 CORE        Commands for configuring CORE functions of z/OSMF
 CAPPROV     Commands for configuring Capacity Provisioning plug-in
 CIM         Authorizing users to the CIM server resources
 CNFGAST     Commands for configuring Configuration Assistant plug-in
 INCLOG      Commands for configuring Incident Log plug-in
 ISPF        Commands for configuring ISPF plug-ins
 RSRCMON     Commands for configuring Resource Monitoring plug-in
 SFDEPLOY    Commands for configuring Software Deployment plug-in
 WRKLMGMT    Commands for configuring Workload Management plug-in

 

Requirements:

 -  Before running any of these sample ACFBATCH jobs, you must identify your site-specific values for the
     userids, ACF2 resource type codes, and the UID string values for the logonids that are to be allowed
     access, and update the members accordingly.

 -  Run the CORE member job first (after making above updates).

 -  Run additional members for the plug-ins as needed.
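
A pre-submission check for the first requirement above, as an added example (not part of the Broadcom samples): it scans the ACFBATCH SYSIN data of a member for "UID string for ..." placeholders that were never replaced, for unbalanced parentheses, and for a trailing mask hyphen that would be consumed as a continuation character. The sample member text and the UID string ZOSMFADM- are constructed, and the continuation handling assumes the trailing-hyphen convention these members use.

```python
import re

# Placeholder text the sample members use where a site UID string belongs.
PLACEHOLDER = re.compile(r"UID string for", re.IGNORECASE)

# Constructed sample in the style of the members (not a Broadcom file).
# ZOSMFADM- stands in for a site UID string (assumption).
SAMPLE_JCL = """\
//STEP040  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(APL)
RECKEY IZUDFLT ADD(uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(uid(ZOSMFADM-) -
SERVICE(READ) ALLOW
* comment line
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.WORKFLOW.-
uid(ZOSMFADM-) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.LINK.- uid(ZOSMFADM-) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(ZMF)
//*
"""


def sysin_lines(jcl):
    """Yield (line_number, text) for in-stream SYSIN data only."""
    in_data = False
    for number, line in enumerate(jcl.splitlines(), start=1):
        if line.startswith("//") or line.startswith("/*"):
            # Any JCL statement or delimiter ends in-stream data;
            # a "//SYSIN DD *" statement starts a new block.
            in_data = bool(re.match(r"//SYSIN\s+DD\s+\*", line))
            continue
        if in_data:
            yield number, line.rstrip()


def check_statement(start, parts, findings):
    """Check one logical command after its continuation lines are joined."""
    text = " ".join(part.strip() for part in parts)
    if PLACEHOLDER.search(text):
        findings.append((start, "PLACEHOLDER"))
    if text.count("(") != text.count(")"):
        findings.append((start, "UNBALANCED-PARENS"))


def lint(jcl):
    """Return (line_number, finding_code) tuples for the SYSIN commands."""
    findings, start, parts = [], None, []
    for number, line in sysin_lines(jcl):
        # Skip blank and "*" comment lines that sit between commands.
        if not parts and (not line or line.lstrip().startswith("*")):
            continue
        if not parts:
            start = number
        continued = line.endswith("-")
        # A hyphen glued to the preceding text is most likely a mask
        # character, so the continuation hyphen itself is missing.
        if continued and len(line) > 1 and not line[-2].isspace():
            findings.append((number, "MASK-AS-CONTINUATION"))
        parts.append(line[:-1] if continued else line)
        if not continued:
            check_statement(start, parts, findings)
            parts = []
    if parts:
        # Input ended while a command was still being continued.
        check_statement(start, parts, findings)
    return findings


if __name__ == "__main__":
    for number, code in lint(SAMPLE_JCL):
        print(f"line {number}: {code}")
```

Run it against each member after editing and before submitting the job; an empty result means none of the three conditions was found, not that the rules are correct for your site.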

 

Additional Notes:

 -  The original IBM version had many duplications and issued unneeded commands.  This duplication is noted with comments.

 -  The original IBM permit statements reference group names.  The converted commands for ACF2 specify UID strings,
    so there may be instances where a site needs to add multiple rule lines to account for the allowed users/administrators.

 -  The HOME values specified in the various OMVS USER profiles specify the IBM provided default values.  If your site has
    made any changes to the directory path structure then the HOME values need to be updated to match those changes.

 -  ACF2 allows the insertion of the OMVS segment with the initial INSERT of the logonid.  If the logonid being used already 
    exists then you will need to change the INSERT into 2 separate statements, one to CHANGE the logonid and one for the OMVS segment.

Example:

 Member CORE contains these INSERTs for logonids.

SET LID
INSERT IZUSVR NAME(zOSMF Started Task) STC GROUP(IZUADMIN) UID(9010) -
OMVSPGM(/bin/sh) HOME(/var/zosmf/data/home/izusvr) FILEPROC(10000)
INSERT IZUGUEST NAME('zOSMF GUEST USER') GROUP(IZUUNGRP) RESTRICT -
 UID(9011)

If the (STC) logonid IZUSVR exists, then use these commands to update the logonid and INSERT the OMVS Segment:

SET LID
CHANGE IZUSVR GROUP(IZUADMIN)

SET PROFILE(USER) DIV(OMVS)
INSERT IZUSVR UID(9010) HOME(/var/zosmf/data/home/izusvr) -
OMVSPGM(/bin/sh) FILEPROC(10000)

If the OMVS Segment exists for IZUSVR then use this CHANGE command:

CHANGE IZUSVR UID(9010) HOME(/var/zosmf/data/home/izusvr) -
OMVSPGM(/bin/sh) FILEPROC(10000)

If logonid IZUGUEST exists, use these commands:

SET LID
CHANGE IZUGUEST GROUP(IZUUNGRP) RESTRICT

SET PROFILE(USER) DIV(OMVS)
INSERT IZUGUEST UID(9011)

If the OMVS Segment exists for IZUGUEST then use this CHANGE command:

CHANGE IZUGUEST UID(9011)  FILEPROC(10000)

 

//CORE JOB your standard job card information
//*
//* CORE       Commands for configuring CORE functions of z/OSMF
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 1. Sample RACF commands for configuring the core functions
//*   of z/OSMF (Part 1 of 4)
//*
//*  NOTE:  the RACF statements are commented for reference, and
//*         are noted if there are no ACF2 equivalent commands.
//*
//*-------------------------------------------------------------------
//*-------------------------------------------------------------------
//*  RACF:  "Core" Setup
//*
//*  Activate the APPL class
//*  SETROPTS CLASSACT(APPL)
//*  SETROPTS RACLIST(APPL) GENERIC(APPL)
//*
//*  Activate the EJBROLE class
//*  SETROPTS CLASSACT(EJBROLE)
//*  SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)
//*
//*  Activate the FACILITY class
//*  SETROPTS CLASSACT(FACILITY)
//*  SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)
//*
//*  Activate the SERVER class
//*  SETROPTS CLASSACT(SERVER)
//*  SETROPTS RACLIST(SERVER)
//*
//*  Activate the STARTED class
//*  SETROPTS CLASSACT(STARTED)
//*  SETROPTS RACLIST(STARTED) GENERIC(STARTED)
//*
//*  Activate the ZMFAPLA class
//*  SETROPTS CLASSACT(ZMFAPLA)
//*  SETROPTS RACLIST(ZMFAPLA) GENERIC(ZMFAPLA)
//*
//*  There are no ACF2 equivalents for the SETROPTS statements.
//*
//*  ACF2 provides default (internal) CLASMAP records to specify the
//*  3 character ACF2 resource type code.  These defaults are:
//*
//*  Resource class   3 char. type code
//*  --------------   -----------------
//*      APPL               SAF
//*      EJBROLE            EJB
//*      FACILITY           FAC
//*      SERVER             SAF
//*      STARTED            SAF    (not used by ACF2 here)
//*      ZMFAPLA            ZMF
//*
//*  We recommend changing the default type code for the APPL
//*  resource class from SAF to APL, and the default type code for
//*  the SERVER resource class from SAF to SRV.  You may choose a
//*  different 3 character type code (especially if you are already
//*  using APL or SRV for other purposes).
//*
//*
//*  If you already have a CLASMAP for APPL to use a type code other
//*  than SAF, eliminate the INSERT and REFRESH, and specify your
//*  defined type code in the SET RESOURCE(typ) statement
//*  where "typ" is your defined type code.
//*  Be sure to change the SET RESOURCE(typ) to your type codes
//*  in the other members/jobs.
//*
//*
//STEP010  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET CONTROL(GSO)
INSERT CLASMAP.APPL RESOURCE(APPL) RSRCTYPE(APL)
INSERT CLASMAP.SERVER RESOURCE(SERVER) RSRCTYPE(SRV)
F ACF2,REFRESH(CLASMAP)
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 2. Sample RACF commands for configuring the core functions
//*  of z/OSMF (Part 2 of 4)
//*
//*-------------------------------------------------------------------
//*  RACF:  Create the z/OSMF Administrators group
//*
//*  Create the z/OSMF Administrators group
//*  ADDGROUP IZUADMIN OMVS(GID(9003))
//*
//*  Create the z/OSMF Users group
//*  ADDGROUP IZUUSER OMVS(GID(9004))
//*
//*  Create the z/OSMF Unauthenticated group
//*  ADDGROUP IZUUNGRP OMVS(GID(9012))
//*
//*  Create the started task USERID for the z/OSMF Server
//*  Please note, the HOME directory is created in the -finish step.
//*  If this directory is AUTOMOUNT managed, pre-create it before
//*  the -finish step
//*  ADDUSER IZUSVR DFLTGRP(IZUADMIN) OMVS(UID(9010)
//*    HOME(/var/zosmf/data/home/izusvr) PROGRAM(/bin/sh))
//*    NAME('zOSMF Started Task OWNER')  NOPASSWORD NOOIDCARD
//*
//*  Change concurrent open file number for started task USERID
//*  ALTUSER IZUSVR OMVS(FILEPROC(10000))
//*
//*  Create the z/OSMF unauthenticated USERID
//*  ADDUSER IZUGUEST RESTRICTED DFLTGRP(IZUUNGRP)
//*    OMVS(UID(9011)) NAME('zOSMF GUEST USER') NOPASSWORD NOOIDCARD
//*
//*  Define the STARTED profiles for the z/OSMF server
//*  RDEFINE STARTED IZUSVR1.* UACC(NONE) STDATA(USER(IZUSVR)
//*    GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
//*
//*  RDEFINE STARTED IZUANG1.* UACC(NONE) STDATA(USER(IZUSVR)
//*    GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
//*
//*
//*  Define the APPL profile for the z/OSMF server
//*  RDEFINE APPL IZUDFLT UACC(NONE)
//*  Define the SERVER profiles for the z/OSMF server
//*  RDEFINE SERVER BBG.SECPFX.IZUDFLT UACC(NONE)
//*  RDEFINE SERVER BBG.ANGEL UACC(NONE)
//*  RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
//*  RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
//*  RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
//*  RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
//*  RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
//*
//*  These (above) RDEFINE statements have no ACF2 equivalents.
//*
//*
//*  Permit the z/OSMF unauthenticated USERID access
//*  PERMIT IZUDFLT  CLASS(APPL) ID(IZUGUEST) ACCESS(READ)
//*
//*  Permit the started task USERID access
//*  PERMIT BBG.SECPFX.IZUDFLT CLASS(SERVER) ACCESS(READ)
//*    ID(IZUSVR)
//*  PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
//*  PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
//*  PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ)
//*    ID(IZUSVR)
//*  PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ)
//*    ID(IZUSVR)
//*  PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER)
//*    ACCESS(READ) ID(IZUSVR)
//*  PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER)
//*    ACCESS(READ) ID(IZUSVR)
//*
//*
//*  Define the BPX.CONSOLE profile to suppress the BPXM023I message
//*  prefix for console messages
//*  RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
//*  RDEFINE not supported for FACILITY class
//*
//*  Define the Sync-to-OS-thread FACILITY profile
//*  RDEFINE FACILITY BBG.SYNC.IZUDFLT UACC(NONE)
//*
//*  Define the FACILITY profile for working with digital certificates
//*  RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
//*  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
//*
//*  These (above) RDEFINE statements have no ACF2 equivalents.
//*
//*
//*  Permit the started task USERID access
//*  PERMIT BPX.CONSOLE CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
//*
//*  Permit the started task USERID access
//*  PERMIT BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)
//*
//*  Permit the started task USERID access
//*  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
//*  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
//*
//*
//STEP020  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET PROFILE(GROUP) DIV(OMVS)
INSERT IZUADMIN GID(9003)
INSERT IZUUSER GID(9004)
INSERT IZUUNGRP GID(9012)
SET LID
INSERT IZUSVR NAME(zOSMF Started Task) STC GROUP(IZUADMIN) UID(9010) -
OMVSPGM(/bin/sh) HOME(/var/zosmf/data/home/izusvr) FILEPROC(10000)
INSERT IZUGUEST NAME('zOSMF GUEST USER') GROUP(IZUUNGRP) RESTRICT -
UID(9011)

SET CONTROL(GSO)
INSERT STC.IZU001 LOGONID(IZUSVR) STCID(IZUSVR1-)
INSERT STC.IZU002 LOGONID(IZUSVR) STCID(IZUANG1-)
F ACF2,REFRESH(STC)
//*
//STEP025  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(APL)
RECKEY IZUDFLT ADD( uid(UID string for IZUGUEST) SERVICE(READ) ALLOW)

SET RESOURCE(SRV)
RECKEY BBG ADD(SECPFX.IZUDFLT uid(UID string for IZUSVR) -  
SERVICE(READ) ALLOW)
RECKEY BBG ADD(ANGEL uid(UID string for IZUSVR) SERVICE(READ) ALLOW)
RECKEY BBG ADD(AUTHMOD.BBGZSAFM uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY BBG ADD(AUTHMOD.BBGZSAFM.SAFCRED uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY BBG ADD(AUTHMOD.BBGZSAFM.ZOSWLM uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY BBG ADD(AUTHMOD.BBGZSAFM.TXRRS uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY BBG ADD(AUTHMOD.BBGZSAFM.ZOSDUMP uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)

SET RESOURCE(FAC)
RECKEY BPX ADD(CONSOLE uid(UID string for IZUSVR) SERVICE(READ) ALLOW)
RECKEY BBG ADD(SYNC.IZUDFLT uid(UID string for IZUSVR) -
SERVICE(READ,ADD,DELETE,UPDATE) ALLOW)
RECKEY IRR ADD(DIGTCERT.LIST uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.LISTRING uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 3. Sample RACF commands for configuring the core functions
//*  of z/OSMF (Part 3 of 4)
//*
//*-------------------------------------------------------------------
//*  RACF:  Create the CA certificate for the z/OSMF server
//*
//*  RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('z/OSMF
//*  CertAuth for Security Domain') OU('IZUDFLT')) WITHLABEL('zOSMFCA')
//*  TRUST NOTAFTER(DATE(2021/07/31))
//*
//*  RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
//*
//*
//*  Create the server certificate for the z/OSMF server
//*
//*  RACDCERT ID(IZUSVR) GENCERT
//*    SUBJECTSDN(CN('PEV051.POK.IBM.COM') O('IBM') OU('IZUDFLT'))
//*    WITHLABEL('DefaultzOSMFCert.IZUDFLT') SIGNWITH(CERTAUTH
//*    LABEL('zOSMFCA')) NOTAFTER(DATE(2021/07/31)) TRUST
//*
//*  RACDCERT ID(IZUSVR) CONNECT (LABEL('DefaultzOSMFCert.IZUDFLT')
//*    RING(IZUKeyring.IZUDFLT) DEFAULT)
//*
//*  RACDCERT ID(IZUSVR) CONNECT (RING(IZUKeyring.IZUDFLT)
//*    LABEL('zOSMFCA') CERTAUTH)
//*
//*
//*  List-of-groups authority checking supplements the normal RACF
//*  access authority checking by allowing all groups of which a user
//*  ID is a member to enter into the access list checking process.
//*  Un-comment the following line to activate this.
//*  SETROPTS GRPLIST
//*
//*  Create the z/OS Security Administrators group
//*  ADDGROUP IZUSECAD OMVS(GID(9006))
//*
//*
//*  Define the z/OSMF Server profile
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.** UACC(NONE)
//*
//*  The EJBROLE definitions are case-sensitive in RACF.
//*  Ensure you preserve case for these commands
//*  Assumption: EJBROLE is defined, activated, and raclisted.
//*  RDEFINE EJBROLE IZUDFLT.*.izuUsers UACC(NONE)
//*
//*  Define the ZMFAPLA profile for the z/OSMF server
//*  RDEFINE SERVER BBG.SECCLASS.ZMFAPLA UACC(NONE)
//*
//*  These (above) RDEFINE statements have no ACF2 equivalents.
//*
//*
//*  Permit the started task USERID access
//*  PERMIT BBG.SECCLASS.ZMFAPLA CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
//*
//*
//*  Roles processing will permit the z/OSMF Server groups to the
//*  Application Server resources
//*  Assumption: APPL class has been defined, activated, and raclisted.
//*
//*  Profile Definitions for "Core"
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.** UACC(NONE)
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.** UACC(NONE)
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.*.VIEW UACC(NONE)
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.*.MODIFY UACC(NONE)
//*
//*  These (above) RDEFINE statements have no ACF2 equivalents.
//*
//*
//*  Profile Definitions for "Workflow"
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.** UACC(NONE)
//*
//*  The (above) RDEFINE statement has no ACF2 equivalent.
//*
//*
//STEP030  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET PROFILE(USER) DIVISION(CERTDATA)
GENCERT CERTAUTH.zosmfsrv LABEL(zOSMFCA) SIZE(2048) -
SUBJSDN(CN='z/OSMF CertAuth for Security Domain' OU='IZUDFLT') -
EXPIRE(07/31/2021)
GENCERT IZUSVR.cert01 LABEL(DefaultzOSMFCert.IZUDFLT) SIZE(2048) -
SUBJSDN(CN='PEV051.POK.IBM.COM' O='IBM' OU='IZUDFLT')     -
SIGNWITH(CERTAUTH LABEL(zOSMFCA))                         -
EXPIRE(07/31/2021)
CHKCERT CERTAUTH.zosmfsrv
CHKCERT IZUSVR.cert01
*
SET PROFILE(USER) DIVISION(KEYRING)
INSERT IZUSVR.keyr01 RINGNAME(IZUKeyring.IZUDFLT)
*
CONNECT CERTDATA(CERTAUTH.zosmfsrv) LABEL(zOSMFCA) -
KEYRING(IZUSVR.keyr01) RINGNAME(IZUKeyring.IZUDFLT) -
USAGE(CERTAUTH)
CONNECT CERTDATA(IZUSVR.cert01) LABEL(DefaultzOSMFCert.IZUDFLT)   -
KEYRING(IZUSVR.keyr01) RINGNAME(IZUKeyring.IZUDFLT) DEFAULT
LIST IZUSVR.keyr01
SET PROFILE(GROUP) DIV(OMVS)
INSERT IZUSECAD GID(9006)
SET RESOURCE(SRV)
RECKEY BBG ADD(SECCLASS.ZMFAPLA uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 4. Sample RACF commands for configuring the core functions
//*  of z/OSMF (Part 4 of 4)
//*-------------------------------------------------------------------
//*  RACF:  "zOSMF User Role" Setup
//*
//*  PERMIT IZUDFLT  CLASS(APPL) ID(IZUUSER) ACCESS(READ)
//*
//*  PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
//*
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*  Permit definitions for "Core"
//*  PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.SETTINGS.*.VIEW CLASS(ZMFAPLA) ID(IZUUSER)
//*  ACCESS(READ)
//*
//*  Permit definitions for "Workflow"
//*  PERMIT IZUDFLT.ZOSMF.WORKFLOW.** CLASS(ZMFAPLA) ID(IZUUSER)
//*  ACCESS(READ)
//*
//*  Begin "zOSMF Administrator Role" Setup
//*  PERMIT IZUDFLT  CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*  Permit definitions for "Core"
//*  PERMIT IZUDFLT.ZOSMF.ADMINTASKS.** CLASS(ZMFAPLA) ID(IZUADMIN)
//*  ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.SETTINGS.*.VIEW CLASS(ZMFAPLA) ID(IZUADMIN)
//*  ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.SETTINGS.*.MODIFY CLASS(ZMFAPLA) ID(IZUADMIN)
//*  ACCESS(READ)
//*
//*  Permit definitions for "Workflow"
//*  PERMIT IZUDFLT.ZOSMF.WORKFLOW.** CLASS(ZMFAPLA) ID(IZUADMIN)
//*  ACCESS(READ)
//*
//*-------------------------------------------------------------------
//*  Begin "zOS Security Administrator Role" Setup
//*
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUSECAD) ACCESS(READ)
//*
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUSECAD) ACCESS(READ)
//*
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)
//*
//*  PERMIT IZUDFLT.ZOSMF.WORKFLOW.** CLASS(ZMFAPLA) ID(IZUSECAD)
//*  ACCESS(READ)
//*
//*-------------------------------------------------------------------
//*  Begin "zOS Security Administrator Role" Setup
//*
//*  Need to REFRESH these classes for Roles
//*  SETROPTS RACLIST(APPL) REFRESH
//*  SETROPTS RACLIST(EJBROLE) REFRESH
//*  SETROPTS RACLIST(ZMFAPLA) REFRESH
//*  SETROPTS RACLIST(SERVER) REFRESH
//*  SETROPTS RACLIST(STARTED) REFRESH
//*  SETROPTS RACLIST(FACILITY) REFRESH
//*  SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)
//*  above SETROPTS command has no ACF2 equivalent
//*
//*
//STEP040  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(APL)
RECKEY IZUDFLT ADD(uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(uid(UID string for z/OSMF sec admins) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(uid(UID string for IZUSVR) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(uid(UID string for z/OS sec admins) -
SERVICE(READ) ALLOW)
*
SET RESOURCE(EJB)
RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF sec admins) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OS sec admins) -
SERVICE(READ) ALLOW)
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.LINK.- uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SETTINGS.*.VIEW -
uid(UID string for z/OSMF users) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.WORKFLOW.- uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF sec admins) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.ADMINTASKS.- -
uid(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.ADMINTASKS.- uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.LINK.- uid(UID string for z/OSMF sec admins) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.LINK.- uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SETTINGS.*.VIEW -
uid(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SETTINGS.*.VIEW uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SETTINGS.*.MODIFY -
uid(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SETTINGS.*.MODIFY uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.WORKFLOW.- -
uid(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.WORKFLOW.- uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.WORKFLOW.- -
uid(UID string for z/OS sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OS sec admins) -
SERVICE(READ) ALLOW)
*
* Most sites have TYPE(APL), TYPE(EJB), TYPE(ZMF), TYPE(SER), TYPE(SRV) and TYPE(FAC) defined
* in the ACF2 GSO INFODIR record, however if any of the TYPEs are not defined, the REBUILD command
* will fail with the following message:
* ACF8A039 DIRECTORY Rxxx NOT IN GSO INFODIR - NOT BUILT
* To define(add) any of these TYPEs to the ACF2 GSO INFODIR record issue the following
* TSO, ACF CHANGE commands.
*
* SET CONTROL(GSO)
* CHANGE INFODIR TYPES(R-RAPL) ADD
* CHANGE INFODIR TYPES(R-REJB) ADD
* CHANGE INFODIR TYPES(R-RZMF) ADD
* CHANGE INFODIR TYPES(R-RSER) ADD
* CHANGE INFODIR TYPES(R-RSRV) ADD
* CHANGE INFODIR TYPES(R-RFAC) ADD
* F ACF2,REFRESH(INFODIR)
*
F ACF2,REBUILD(APL)
F ACF2,REBUILD(EJB)
F ACF2,REBUILD(ZMF)
F ACF2,REBUILD(SER)
F ACF2,REBUILD(SRV)
F ACF2,REBUILD(FAC)
//*

 

//CAPPROV JOB your standard job card information
//*
//* CAPPROV    Commands for configuring Capacity Provisioning plug-in
//*
//* -----------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 6. Sample RACF commands for configuring the Capacity
//* Provisioning plug-in (Part 1 of 2)
//*
//*-------------------------------------------------------------------
//*-------------------------------------------------------------------
//*  RACF:  "Capacity Provisioning" Setup
//*
//*  Profile Definitions for "Capacity Provisioning"
//*  RDEFINE ZMFAPLA
//*  IZUDFLT.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.VIEW
//*  UACC(NONE)
//*
//*  RDEFINE ZMFAPLA
//*  IZUDFLT.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.EDIT.**
//*  UACC(NONE)
//*
//*  There are no ACF2 equivalents for these RDEFINE statements.
//*
//*-------------------------------------------------------------------
//*  RACF:  "zOSMF User Role" Setup
//*
//*  PERMIT IZUDFLT  CLASS(APPL) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.**  CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*  Note that the above 3 permits were performed in CORE.
//*
//*
//*  Permit definitions for "Capacity Provisioning"
//*  PERMIT
//*  IZUDFLT.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.VIEW
//*  CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*
//*  The CORE member/job inserts the CLASMAP to define the APL type
//*  code for the APPL resource class.
//*  If that has not been performed and you wish to make this change
//*  now, insert/copy the SET, INSERT, and F (modify) commands below
//*  to follow the ACF statement in the ACFBATCH execution (below).
//*
//*  SET CONTROL(GSO)
//*  INSERT CLASMAP.APPL RESOURCE(APPL) RSRCTYPE(APL)
//*
//*  F ACF2,REFRESH(CLASMAP)
//*
//*
//STEP010  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT -
ADD(ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.VIEW -
uid(UID string for z/OSMF users) SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(EJB)
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(ZMF)
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*

 

//CIM JOB your standard job card information
//*
//* CIM        Authorizing users to the CIM server resources
//*
//* NOTHING to run
//*
//* -----------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 5. Sample RACF command for authorizing users to the CIM
//*  server resources
//*
//*-------------------------------------------------------------------
//*-------------------------------------------------------------------
//*
//* Connect the started task USERID to the CIM USER group
//*  CONNECT (IZU_STARTED_TASK_USERID_NAME)
//*  GROUP(IZU_CIM_USER_GROUP_NAME)
//*
//*
//* There is no ACF2 equivalent command for this usage of CONNECT
//*

 

//CNFGAST JOB your standard job card information
//*
//* CNFGAST    Commands for configuring Configuration Assistant plug-in
//*
//* -----------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 8. Sample RACF commands for configuring the Configuration
//*   Assistant plug-in (Part 1 of 2)
//*
//*-------------------------------------------------------------------
//*-------------------------------------------------------------------
//*  RACF:  Profile Definitions for "Configuration Assistant"
//*
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.CONFIGURATION_ASSISTANT.** UACC(NONE)
//*
//*  ACF2 provides ZMF as the default type code for the ZMFAPLA class
//*
//*-------------------------------------------------------------------
//*  RACF:  "zOSMF User Role" Setup
//*
//*  PERMIT IZUDFLT  CLASS(APPL) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.**  CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*  Note that the above 3 permits were performed in CORE.
//*
//*
//*  The CORE member/job inserts the CLASMAP to define the APL type
//*  code for the APPL resource class.
//*  If that has not been performed and you wish to make this change
//*  now, insert/copy the SET, INSERT, and F (modify) commands below
//*  to follow the ACF statement in the ACFBATCH execution (below).
//*
//*  SET CONTROL(GSO)
//*  INSERT CLASMAP.APPL RESOURCE(APPL) RSRCTYPE(APL)
//*
//*  F ACF2,REFRESH(CLASMAP)
//*
//*
//*  Permit definitions for "Configuration Assistant"
//*
//*  PERMIT IZUDFLT.ZOSMF.CONFIGURATION_ASSISTANT.** CLASS(ZMFAPLA)
//*   ID(IZUUSER) ACCESS(READ)
//*
//*  Need to REFRESH these classes for Roles
//*  SETROPTS RACLIST(APPL) REFRESH
//*  SETROPTS RACLIST(EJBROLE) REFRESH
//*  SETROPTS RACLIST(ZMFAPLA) REFRESH
//*  SETROPTS RACLIST(SERVER) REFRESH
//*  SETROPTS RACLIST(STARTED) REFRESH
//*  SETROPTS RACLIST(FACILITY) REFRESH
//*
//*  SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)
//*  this (above) SETROPTS command has no ACF2 equivalent
//*
//*
//STEP010  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)

RECKEY IZUDFLT -
ADD(ZOSMF.CONFIGURATION_ASSISTANT.- uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(EJB)
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(ZMF)
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*
//*-------------------------------------------------------------------
//*  RACF:  "zOSMF Administrator Role" Setup
//*
//*  PERMIT IZUDFLT  CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*  Note that the above 3 permits were performed in CORE.
//*
//*
//*  PERMIT IZUDFLT.ZOSMF.CONFIGURATION_ASSISTANT.** CLASS(ZMFAPLA)
//*   ID(IZUADMIN) ACCESS(READ)
//*
//*  Need to REFRESH these classes for Roles
//*
//*  SETROPTS RACLIST(APPL) REFRESH
//*  SETROPTS RACLIST(EJBROLE) REFRESH
//*  SETROPTS RACLIST(ZMFAPLA) REFRESH
//*  SETROPTS RACLIST(SERVER) REFRESH
//*  SETROPTS RACLIST(STARTED) REFRESH
//*  SETROPTS RACLIST(FACILITY) REFRESH
//*
//*  SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)
//*  this RACF SETROPTS command has no ACF2 equivalent
//*
//STEP020  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.CONFIGURATION_ASSISTANT.-  -
uid(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW) 
RECKEY IZUDFLT ADD(ZOSMF.CONFIGURATION_ASSISTANT.-  -
uid(UID string for IZUSVR) SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(EJB)
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(ZMF)
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//* 

 

//INCLOG JOB your standard job card information
//*
//* INCLOG     Commands for configuring Incident Log plug-in
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 10. Sample RACF commands for configuring the Incident Log
//*  plug-in (Part 1 of 3)
//*
//*  NOTE:  the RACF statements are commented for reference, and
//*         are noted if there are no ACF2 equivalent commands.
//*
//*-------------------------------------------------------------------
//*-------------------------------------------------------------------
//*  RACF:  "Incident Log" Setup
//*
//*  Setup for CIM Providers to use CEA for Incident Log
//*  SETROPTS GENERIC(SERVAUTH)
//*
//*  There is no ACF2 equivalent for above command.
//*  The ACF2 default type code for the SERVAUTH resource class is SER.
//*
//*
//*  Define the CEA resource profiles required to perform/retrieve
//*  properties for JES.
//*  RDEFINE SERVAUTH CEA.CEAGETPS UACC(NONE)
//*  RDEFINE SERVAUTH CEA.CEADOCMD UACC(NONE)
//*
//*  These (above) RDEFINE statements have no ACF2 equivalents
//*
//*
//*  Grant the z/OSMF groups, authority to the following and to grant
//*  access to perform JES operations and obtain job properties.
//*
//*  PERMIT CEA.CEAGETPS CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
//*  PERMIT CEA.CEAGETPS CLASS(SERVAUTH) ID(IZUUSER) ACCESS(UPDATE)
//*  PERMIT CEA.CEADOCMD CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
//*  PERMIT CEA.CEADOCMD CLASS(SERVAUTH) ID(IZUUSER) ACCESS(UPDATE)
//*
//*  Note:  the ACF2 default type code for the SERVAUTH is SER
//*
//*
//*  Permit z/OSMF groups to Incident Log
//*  RDEFINE SERVAUTH CEA.CEAPDWB* UACC(NONE)
//*
//*  The (above) RDEFINE statement has no ACF2 equivalent
//*
//*
//*  PERMIT CEA.CEAPDWB* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
//*  PERMIT CEA.CEAPDWB* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(UPDATE)
//*
//*
//*  RDEFINE SERVAUTH CEA.CEADOCONSOLECMD UACC(NONE)
//*  The (above) RDEFINE statement has no ACF2 equivalent
//*
//*
//*  PERMIT CEA.CEADOCONSOLECMD CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
//*  PERMIT CEA.CEADOCONSOLECMD CLASS(SERVAUTH) ID(IZUUSER) ACCESS(UPDATE)
//*
//*
//*  If the SERVAUTH class is already active, issue:
//*  SETROPTS RACLIST(SERVAUTH) REFRESH
//*  The ACF2 equivalent is REBUILD if type SER is resident.
//*
//*
//STEP010  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(SER)
RECKEY CEA ADD(CEAGETPS uid(UID string for z/osmf sec admins) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEAGETPS uid(UID string for IZUSVR) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEAGETPS uid(UID string for z/OSMF users) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEADOCMD uid(UID string for z/osmf sec admins) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEADOCMD uid(UID string for IZUSVR) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEADOCMD uid(UID string for z/OSMF users) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEAPDWB* uid(UID string for z/osmf sec admins) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEAPDWB* uid(UID string for IZUSVR) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEAPDWB* uid(UID string for z/OSMF users) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEADOCONSOLECMD uid(UID string for z/osmf sec admins) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEADOCONSOLECMD uid(UID string for IZUSVR) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY CEA ADD(CEADOCONSOLECMD uid(UID string for z/OSMF users) -
SERVICE(READ,UPDATE) ALLOW)

F ACF2,REBUILD(SER)
//*
//*
//*-------------------------------------------------------------------
//* Figure 11. Sample RACF commands for configuring the Incident Log
//* plug-in (Part 2 of 3)
//*
//*-------------------------------------------------------------------
//* If your installation sets up PROTECT-ALL (RACF exit to protect
//* all datasets) you will need to setup a CEA.* RACF profile and
//* permit user identity. The HLQ CEA is the CEA HLQ provided during
//* the configuration prompts.
//*
//*  ACF2 protects all datasets (and resources) by default.
//*
//*
//*  PERMIT 'CEA.*' ID(IZUADMIN) ACCESS(ALTER)
//*  PERMIT 'CEA.*' ID(IZUUSER) ACCESS(ALTER)
//*
//*  SETROPTS GENERIC(DATASET) REFRESH
//*  The (above) SETROPTS command has no ACF2 equivalent
//*
//*
//STEP020  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RULE
RECKEY CEA ADD(- uid(UID string for z/osmf sec admins) Read(A) -
Write(a) Alloc(a))
RECKEY CEA ADD(- uid(UID string for IZUSVR) Read(A) -
Write(a) Alloc(a))
RECKEY CEA ADD(- uid(UID string for z/OSMF users) Read(A) Write(a) -
Alloc(a))
//*
//*-----------------------------------------------------------------
//*  Additional considerations
//*  -------------------------
//*  If your installation has user catalog setup instead of using the
//*  master catalog, you may need to define CEA alias to the user
//*  catalog.
//*  DEFINE ALIAS(NAME(CEA) RELATE('your_catalog_name'))
//*
//*  If your installation has master catalog setup you may need to
//*  permit the user to the master catalog dataset class.
//*
//*  PERMIT 'your_master_catalog' CLASS(DATASET)
//*   ID(your_cim_admin_name) ACCESS(UPDATE)
//*  SETROPTS GENERIC(DATASET) REFRESH
//*
//*  If your installation is using SYSLOG for the Operations Log, you
//*  may need to define and permit the CEA user id to the JESSPOOL
//*  class below.
//*
//*  RDEFINE JESSPOOL 'your_system_name'.+MASTER+.SYSLOG.*.*
//*  UACC(NONE)
//*
//*  If your installation protects MVS commands with RACF class
//*  OPERCMDS you need to give the CIM Admin identity permission.
//*  This is required for the incident log verify step.
//*
//*  This template does not have RDEFINES for these resources.
//*  If your installation doesn't define these, you will need to
//*  either define them first or change the PERMIT to a higher level
//*  qualifier.
//*
//*
//*  ACF2 considerations:
//*
//*  If you wish to use the optional master catalog validation with
//*  ACF2 you will need to enable this with a SAFDEF record and rules.
//*  This process is documented in the ACF2 Administrator Guide in
//*  Chapter 17 (Implementing DFSMS Support) under "Securing Catalogs."
//*
//*
//*  If you wish to implement these optional validations in ACF2, you
//*  will need to enable the SAFDEF records for JESSPOOL and/or
//*  OPERCMDS.  This is documented in the ACF2 Administrator Guide,
//*  Chapter 21 (JES2 Security), under "Security Classes" and then
//*  JESSPOOL and/or OPERCMDS.
//*
//*
//*  PERMIT 'your_system_name'.+MASTER+.SYSLOG.*.* CLASS(JESSPOOL)
//*  ID('your_cea_user_id') ACC(READ)
//*  SETR RACLIST(JESSPOOL) REFRESH
//*
//*
//*  PERMIT MVS.DISPLAY.** CLASS(OPERCMDS)
//*  ID("your_cim_admin_name") ACCESS(READ)
//*  PERMIT MVS.DUMP CLASS(OPERCMDS)
//*  ID("your_cim_admin_name") ACCESS(CONTROL)
//*  PERMIT MVS.MODIFY.JOB.CEA CLASS(OPERCMDS)
//*  ID("your_cim_admin_name") ACCESS(UPDATE)
//*  SETROPTS RACLIST(OPERCMDS) REFRESH
//*
//*  Profile Definitions for "Incident Log"
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.INCIDENT_LOG.** UACC(NONE)
//*  RDEFINE not supported for ZMFAPLA class
//*
//*-------------------------------------------------------------------
//*  Begin "zOSMF User Role" Setup
//*
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*  Note that the above 3 permits were performed in CORE.
//*
//*
//*  Permit definitions for "Incident Log"
//*  PERMIT IZUDFLT.ZOSMF.INCIDENT_LOG.** CLASS(ZMFAPLA) ID(IZUUSER)
//*  ACCESS(READ)
//*
//*
//STEP030  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.INCIDENT_LOG.- -
uid(UID string for z/OSMF users) SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(EJB)
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(ZMF)
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*
//*-------------------------------------------------------------------
//* Figure 12. Sample RACF commands for configuring the Incident Log
//* plug-in (Part 3 of 3)
//*
//*-------------------------------------------------------------------
//*  RACF:  "zOSMF Administrator Role" Setup
//*
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*  Note that the above 3 permits were performed in CORE.
//*
//*
//*  Permit definitions for "Incident Log"
//*  PERMIT IZUDFLT.ZOSMF.INCIDENT_LOG.** CLASS(ZMFAPLA) ID(IZUADMIN)
//*  ACCESS(READ)
//*
//*
//*  Need to REFRESH these classes for Roles
//*
//*  SETROPTS RACLIST(APPL) REFRESH
//*  SETROPTS RACLIST(EJBROLE) REFRESH
//*  SETROPTS RACLIST(ZMFAPLA) REFRESH
//*  SETROPTS RACLIST(SERVER) REFRESH
//*  SETROPTS RACLIST(STARTED) REFRESH
//*  SETROPTS RACLIST(FACILITY) REFRESH
//*
//*  SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)
//*  this SETROPTS command has no ACF2 equivalent
//*
//*
//STEP040  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.INCIDENT_LOG.-  -
uid(UID string for z/osmf sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.INCIDENT_LOG.-  -
uid(UID string for IZUSVR) SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*  RECKEY IZUDFLT ADD(uid(UID string for z/osmf sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(EJB)
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/osmf sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(ZMF)
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/osmf sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*
//*-------------------------------------------------------------------
//* Begin "zOS Security Administrator Role" Setup
//*
//* No security setup procedure is required.
//*
//* End "zOS Security Administrator Role" Setup
//*-------------------------------------------------------------------
//*
//*  During the z/OSMF configuration process, your installation
//*  selected one or more CIM dependent plug-in(s). As a result,
//*  your security administrator must ensure that the z/OSMF
//*  Administrator has the proper access to CIM resources. It is
//*  assumed that the CIM security job (CFZSEC), or equivalent, was
//*  run as part of the initial configuration for CIM.
//*
//*  Connect the started task USERID to the CIM USER group
//*  CONNECT (IZUSVR) GROUP(CFZUSRGP)
//*
//*  The (above) CONNECT GROUP command has no ACF2 equivalent
//*
//*

 

//ISPF  JOB your standard job card information
//*
//* ISPF       Commands for configuring ISPF plug-ins
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 13. Sample RACF commands for configuring the ISPF plug-ins
//*  (Part 1 of 2)
//*
//*  NOTE:  the RACF statements are commented for reference, and
//*         are noted if there are no ACF2 equivalent commands.
//*
//*-------------------------------------------------------------------
//*  RACF: "ISPF" Setup
//*
//*  Assumption: SERVAUTH class is active
//*  SETROPTS GENERIC(SERVAUTH)
//*
//*  The default ACF2 type code for SERVAUTH is SER.
//*
//*
//*  Define the CEA resource profile required for ISPF
//*  RDEFINE SERVAUTH CEA.CEATSO.* UACC(NONE)
//*
//*  The above RDEFINE statement has no ACF2 equivalent
//*
//*
//*  Permit the Administrators group to this profile
//*  PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)
//*
//*  Permit the Users group to this profile
//*  PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(READ)
//*
//*  Permit the WAS servant to this profile
//*  PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
//*
//*  Make changes effective
//*  SETROPTS RACLIST(SERVAUTH) REFRESH
//*
//*
//*  Profile Definitions for "ISPF"
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ISPF.** UACC(NONE)
//*
//*  The above RDEFINE statement has no ACF2 equivalent.
//*
//*
//STEP010  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(SER)
RECKEY CEA ADD(CEATSO.- uid(UID string for z/OSMF sec admins) -
SERVICE(READ) ALLOW)
RECKEY CEA ADD(CEATSO.- uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)
RECKEY CEA ADD(CEATSO.- uid(UID string for IZUSVR) SERVICE(READ) ALLOW)

F ACF2,REBUILD(SER)
//*
//*
//*-------------------------------------------------------------------
//* Figure 14. Sample RACF commands for configuring the ISPF plug-in
//* (Part 2 of 2)
//*
//*-------------------------------------------------------------------
//*  RACF:  "zOSMF User Role" Setup
//*
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*  Permit "zOSMF Administrator Role"
//*
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*  Note that the above 6 permits were performed in CORE.
//*
//*
//*  Permit definitions for "ISPF"
//*  PERMIT IZUDFLT.ZOSMF.ISPF.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.ISPF.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*
//*  Need to REFRESH these classes for Roles
//*  SETROPTS RACLIST(APPL) REFRESH
//*  SETROPTS RACLIST(EJBROLE) REFRESH
//*  SETROPTS RACLIST(ZMFAPLA) REFRESH
//*
//*
//STEP020  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.ISPF.- uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.ISPF.- uid(UID string for z/OSMF sec admins) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.ISPF.- uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*
//*  SET RESOURCE(EJB)
//*
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*
//*  SET RESOURCE(ZMF)
//*
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*

 

//RSRCMON JOB your standard job card information
//*
//* RSRCMON    Commands for configuring Resource Monitoring plug-in
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 15. Sample RACF commands for configuring the Resource
//*  monitoring plug-in (Part 1 of 2)
//*
//*  NOTE:  the RACF statements are commented for reference, and
//*         are noted if there are no ACF2 equivalent commands.
//*
//*-------------------------------------------------------------------
//*-------------------------------------------------------------------
//*  RACF:  "Resource Monitoring" Setup
//*
//*  Profile Definitions for "Resource Monitoring"
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.RESOURCE_MONITORING.** UACC(NONE)
//*  The above RDEFINE does not have an ACF2 equivalent
//*
//*  Begin "zOSMF User Role" Setup
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*  Note that the above 3 permits were performed in CORE.
//*
//*
//*  Permit definitions for "Resource Monitoring"
//*  PERMIT IZUDFLT.ZOSMF.RESOURCE_MONITORING.** CLASS(ZMFAPLA)
//*  ID(IZUUSER) ACCESS(READ)
//*
//*
//STEP010  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_MONITORING.- -
uid(UID string for z/OSMF users) SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(EJB)
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(ZMF)
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*
//*-------------------------------------------------------------------
//* Figure 16. Sample RACF commands for configuring the Resource
//* Monitoring plug-in (Part 2 of 2)
//*
//*  RACF:  "zOSMF Administrator Role" Setup
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*  Note that the above 3 permits were performed in CORE.
//*
//*
//*  Permit definitions for "Resource Monitoring"
//*  PERMIT IZUDFLT.ZOSMF.RESOURCE_MONITORING.** CLASS(ZMFAPLA)
//*  ID(IZUADMIN) ACCESS(READ)
//*
//* Need to REFRESH these classes for Roles
//*  SETROPTS RACLIST(APPL) REFRESH
//*  SETROPTS RACLIST(EJBROLE) REFRESH
//*  SETROPTS RACLIST(ZMFAPLA) REFRESH
//*  SETROPTS RACLIST(SERVER) REFRESH
//*  SETROPTS RACLIST(STARTED) REFRESH
//*  SETROPTS RACLIST(FACILITY) REFRESH
//*
//*  SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)
//*  The above SETROPTS command has no ACF2 equivalent
//*
//*
//STEP020  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_MONITORING.- -
uid(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.RESOURCE_MONITORING.- -
uid(UID string for IZUSVR) SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(EJB)
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(ZMF)
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*

 

//SFDEPLOY JOB your standard job card information
//*
//* SFDEPLOY   Commands for configuring Software Deployment plug-in
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 17. Sample RACF commands for configuring the Software
//*   Deployment plug-in (Part 1 of 2)
//*
//*  NOTE:  the RACF statements are commented for reference, and
//*         are noted if there are no ACF2 equivalent commands.
//*
//*-------------------------------------------------------------------
//*  RACF:  "Software Deployment" Setup
//*
//*  Profile Definitions for "Software Deployment"
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SOFTWARE_DEPLOYMENT.** UACC(NONE)
//*  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SOFTWARE_DEPLOYMENT.DATA.** UACC(NONE)
//*  RDEFINE ZMFAPLA
//*  IZUDFLT.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.PRODUCT_INFO_FILE.*
//*  UACC(NONE)
//*  The above RDEFINE statements have no ACF2 equivalents
//*
//*  Begin "zOSMF User Role" Setup
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*  Note that the above 3 permits were performed in CORE.
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment this JCL and these commands.
//*
//*  //STEP010  EXEC PGM=ACFBATCH
//*  //SYSPRINT DD  SYSOUT=*
//*  //SYSIN    DD  *
//*
//*  SET RESOURCE(APL)
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(EJB)
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(ZMF)
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*
//*-------------------------------------------------------------------
//* Figure 18. Sample RACF commands for configuring the Software
//* Deployment plug-in (Part 2 of 2)
//*
//*  Permit definitions for "Software Deployment"
//*  PERMIT IZUDFLT.ZOSMF.SOFTWARE_DEPLOYMENT.** CLASS(ZMFAPLA) ID(IZUUSER)
//*  ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.SOFTWARE_DEPLOYMENT.DATA.** CLASS(ZMFAPLA)
//*  ID(IZUUSER) ACCESS(CONTROL)
//*
//*
//*  Begin "zOSMF Administrator Role" Setup
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*  Note that the above 3 permits were performed in CORE.
//*
//*
//*  Permit definitions for "Software Deployment"
//*  PERMIT IZUDFLT.ZOSMF.SOFTWARE_DEPLOYMENT.** CLASS(ZMFAPLA)
//*  ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.SOFTWARE_DEPLOYMENT.DATA.** CLASS(ZMFAPLA)
//*  ID(IZUADMIN) ACCESS(CONTROL)
//*  PERMIT
//*  IZUDFLT.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.PRODUCT_INFO_FILE.*
//*  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*
//*  Need to REFRESH these classes for Roles
//*  SETROPTS RACLIST(APPL) REFRESH
//*  SETROPTS RACLIST(EJBROLE) REFRESH
//*  SETROPTS RACLIST(ZMFAPLA) REFRESH
//*
//*
//STEP020  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.SOFTWARE_DEPLOYMENT.-  -
uid(UID string for z/OSMF users) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SOFTWARE_DEPLOYMENT.-  -
uid(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SOFTWARE_DEPLOYMENT.-  -
uid(UID string for IZUSVR) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SOFTWARE_DEPLOYMENT.DATA.-  -
uid(UID string for z/OSMF users) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SOFTWARE_DEPLOYMENT.DATA.-  -
uid(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SOFTWARE_DEPLOYMENT.DATA.-  -
uid(UID string for IZUSVR) SERVICE(READ) ALLOW)
RECKEY IZUDFLT -
ADD(ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.PRODUCT_INFO_FILE.* -
uid(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT -
ADD(ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.PRODUCT_INFO_FILE.* -
uid(UID string for IZUSVR) SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(EJB)
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  SET RESOURCE(ZMF)
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*

 

//WRKLMGMT JOB your standard job card information
//*
//*  WRKLMGMT   Commands for configuring Workload Management plug-in
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* Figure 19. Sample RACF commands for configuring the Workload
//*   Management plug-in (Part 1 of 3)
//*
//*  NOTE:  the RACF statements are commented for reference, and
//*         are noted if there are no ACF2 equivalent commands.
//*
//*-------------------------------------------------------------------
//*  RACF:  "Workload Management" Setup
//*
//*  Define Workload Management facility
//*
//*  The following commented command is to be issued only if the
//*  profile does not exist
//*  It normally would have been created during z/OS setup
//*  RDEFINE FACILITY MVSADMIN.WLM.POLICY UACC(NONE)
//*  The above RDEFINE has no ACF2 equivalent
//*
//*  Permit the Workload Management group
//*  PERMIT MVSADMIN.WLM.POLICY CLASS(FACILITY) ID(WLMGRP) ACCESS(UPDATE)
//*
//*  Permit the started task userid USERID
//*  PERMIT MVSADMIN.WLM.POLICY CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
//*
//*  Make changes effective
//*  SETROPTS RACLIST(FACILITY) REFRESH
//*
//*
//*  Profile Definitions for "Workload Management"
//*  RDEFINE ZMFAPLA
//*  IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW
//*    UACC(NONE)
//*  The above RDEFINE has no ACF2 equivalent
//*
//*
//STEP010  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(FAC)
RECKEY MVSADMIN ADD(WLM.POLICY uid(UID string for WLMGRP) -
SERVICE(READ,UPDATE) ALLOW)
RECKEY MVSADMIN ADD(WLM.POLICY uid(UID string for IZUSVR) -
SERVICE(READ) ALLOW)

F ACF2,REBUILD(FAC)
//*
//*-------------------------------------------------------------------
//* Figure 20. Sample RACF commands for configuring the Workload
//* Management plug-in (Part 2 of 3)
//*
//*  RDEFINE ZMFAPLA
//*  IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY
//*  UACC(NONE)
//*  RDEFINE ZMFAPLA
//*  IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL
//*  UACC(NONE)
//*
//*  The above RDEFINE statements have no ACF2 equivalent
//*
//*
//*  Begin "zOSMF User Role" Setup
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*  Begin "zOSMF Administrator Role" Setup
//*  PERMIT IZUDFLT CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
//*  PERMIT IZUDFLT.ZOSMF.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*  Note that the above 6 permits were performed in CORE.
//*
//*
//*  Permit definitions for "Workload Management"
//*  PERMIT
//*  IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW
//*  CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
//*
//*
//*  Permit definitions for "Workload Management"
//*  PERMIT
//*  IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW
//*  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*  PERMIT
//*  IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY
//*  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*  PERMIT
//*  IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL
//*  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
//*
//*
//*  Need to REFRESH these classes for Roles
//*  SETROPTS RACLIST(APPL) REFRESH
//*  SETROPTS RACLIST(EJBROLE) REFRESH
//*  SETROPTS RACLIST(ZMFAPLA) REFRESH
//*
//*
//STEP020  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT -
ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW -
UID(UID string for z/OSMF users) SERVICE(READ) ALLOW)
RECKEY IZUDFLT -
ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW -
UID(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT -
ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW -
UID(UID string for IZUSVR) SERVICE(READ) ALLOW)
RECKEY IZUDFLT -
ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY -
UID(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT -
ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY -
UID(UID string for IZUSVR) SERVICE(READ) ALLOW)
RECKEY IZUDFLT -
ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL -
UID(UID string for z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT -
ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL -
UID(UID string for IZUSVR) SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
//*
//*  NOTE:  these commented commands were performed in CORE.
//*  If (for whatever reason) these were not performed when CORE
//*  was run, then uncomment these commands.
//*
//*  SET RESOURCE(APL)
//*
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  RECKEY IZUDFLT ADD(uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*
//*  SET RESOURCE(EJB)
//*
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  RECKEY IZUDFLT ADD(-.izuUsers uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*
//*  SET RESOURCE(ZMF)
//*
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF users) -
//*  SERVICE(READ) ALLOW)
//*
//*  RECKEY IZUDFLT ADD(ZOSMF.- uid(UID string for z/OSMF sec admins) -
//*  SERVICE(READ) ALLOW)
//*
//*
//*  F ACF2,REBUILD(APL)
//*  F ACF2,REBUILD(EJB)
//*  F ACF2,REBUILD(ZMF)
//*
//*
//*
//* Figure 21. Sample RACF commands for configuring the Workload
//* Management plug-in (Part 3 of 3)
//*-------------------------------------------------------------------
//*
//*  During the z/OSMF configuration process, your installation
//*  selected one or more CIM dependent plug-in(s). As a result, your
//*  security administrator must ensure that the z/OSMF Administrator
//*  has the proper access to CIM resources. It is assumed that the
//*  CIM security job (CFZSEC), or equivalent, was run as part of the
//*  initial configuration for CIM.
//*
//*  Connect the started task USERID to the CIM USER group
//*  CONNECT (IZUSVR) GROUP(CFZUSRGP)
//*  The above CONNECT statement has no ACF2 equivalent
//*
//*
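
The members above must be edited with site-specific UID strings before submission, and each SET RESOURCE(type) step is followed by F ACF2,REBUILD(type). The following pre-submission check is an added example, not part of the vendor's sample jobs; it reports leftover "UID string for ..." placeholders, commands with unbalanced parentheses, F ACF2 commands other than REBUILD, and type codes that are set but never rebuilt in the same step. The sample job, the step names and the UID values SYSPROG and ZOSMFADM are constructed for illustration.

```python
import re

# Constructed sample in the style of the members above. The UID strings
# SYSPROG and ZOSMFADM are made-up values; STEP010 carries deliberate mistakes.
SAMPLE_JOB = """\
//STEP010  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
SET RESOURCE(SER)
(RECKEY CEA ADD(CEATSO.- uid(UID string for z/OSMF users) -
SERVICE(READ) ALLOW)
RECKEY CEA ADD(CEATSO.- uid(SYSPROG) SERVICE(READ) ALLOW)

F ACF2,REFRESH(SER)
//*
//*  SET RESOURCE(ZMF)
//STEP020  EXEC PGM=ACFBATCH
//SYSIN    DD  *
SET RESOURCE(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.ISPF.- uid(ZOSMFADM) -
SERVICE(READ) ALLOW)

F ACF2,REBUILD(ZMF)
//*
"""

STEP_RE = re.compile(r"^//([A-Z0-9$#@]+)\s+EXEC\s+PGM=ACFBATCH")
SYSIN_RE = re.compile(r"^//SYSIN\s+DD\s+\*")
SET_RE = re.compile(r"^SET\s+RESOURCE\((\w+)\)", re.I)
MODIFY_RE = re.compile(r"^F\s+ACF2,(\w+)\((\w+)\)", re.I)
PLACEHOLDER_RE = re.compile(r"uid\(UID string for", re.I)
CONTINUED_RE = re.compile(r"\s-$")   # trailing hyphen continues the command


def check_command(cmd, line_no, state):
    """Check one complete ACFBATCH input command; return (code, detail) pairs."""
    found = []
    if cmd.count("(") != cmd.count(")"):
        found.append(("unbalanced-parens", cmd))
    if PLACEHOLDER_RE.search(cmd):
        found.append(("placeholder-uid", cmd))
    m = SET_RE.match(cmd)
    if m:
        state["set"].setdefault(m.group(1).upper(), line_no)
    m = MODIFY_RE.match(cmd)
    if m:
        verb, type_code = m.group(1).upper(), m.group(2).upper()
        if verb == "REBUILD":
            state["rebuilt"].add(type_code)
        else:
            found.append(("not-rebuild", cmd))
    return found


def lint_acfbatch(jcl_text):
    """Return findings as (step, line number, code, detail) for review."""
    findings = []
    step, in_data = None, False
    parts, first_line = [], 0
    state = {"set": {}, "rebuilt": set()}

    def end_step():
        # A type code that was SET in this step but never rebuilt in it.
        for type_code, line_no in state["set"].items():
            if type_code not in state["rebuilt"]:
                detail = f"no F ACF2,REBUILD({type_code}) in this step"
                findings.append((step, line_no, "no-rebuild", detail))
        state["set"].clear()
        state["rebuilt"].clear()

    for number, raw in enumerate(jcl_text.splitlines(), start=1):
        line = raw.rstrip()
        if line.startswith("//"):
            # Any JCL statement, including a //* comment, ends in-stream data.
            in_data, parts = False, []
            m = STEP_RE.match(line)
            if m:
                end_step()
                step = m.group(1)
            elif step and SYSIN_RE.match(line):
                in_data = True
            continue
        if not in_data or not line.strip():
            continue
        if not parts:
            first_line = number
        cont = CONTINUED_RE.search(line)
        parts.append(line[:cont.start()] if cont else line)
        if cont:
            continue
        cmd = " ".join(p.strip() for p in parts)
        parts = []
        for code, detail in check_command(cmd, first_line, state):
            findings.append((step, first_line, code, detail))
    end_step()
    return findings


if __name__ == "__main__":
    for step, line_no, code, detail in lint_acfbatch(SAMPLE_JOB):
        print(f"{step} line {line_no}: {code}: {detail}")
```

A "no-rebuild" finding is a prompt to review rather than an error in itself, since the members above note that REBUILD applies when the type is resident.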