Release : 16.0
Component : CA Top Secret for z/OS
//IZUGCSEC JOB MSGCLASS=C,MSGLEVEL=(1,1)
//STEP1 EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
/*****************************************************************/
/* This sample JCL helps with the security setup required per */
/* user of the z/OSMF "z/OS Operator Consoles" task. */
/* */
/* It consists of two parts: */
/* The first part is required only once per user. */
/* The second part is required for every console the user wants */
/* to use in the "z/OS Operator Consoles" task. Because a user */
/* typically uses one console to monitor one system, the second */
/* part usually needs to be copied and pasted once for each */
/* system the user wants to work with in the task. */
/* */
/* If the user has executed this JCL before and now wants to set */
/* up a console for an additional system, comment out the first */
/* part and execute only the second part for the specific */
/* system. */
/*****************************************************************/
/*****************************************************************/
/* This is the first part of this JCL. */
/* */
/* This part of the JCL is required only once per user. If it */
/* has already been performed for a specific user, it can be */
/* commented out so that only the second part is performed. */
/* */
/* Note that some variables in the commands below must be */
/* substituted with the values you want to use. Those commands */
/* are commented out by default. Replace the variables and */
/* uncomment the corresponding commands. */
/*****************************************************************/
/* Allows the user to use the TSO account which is set up in the */
/* z/OSMF parmlib option COMMON_TSO ACCT. */
SETROPTS CLASSACT(ACCTNUM)
In Top Secret, the equivalent resource class is TSOACCT.
TSS ADD(owningacid) TSOACCT(xxxxxx)
ACCESSORID = *RDT* NAME = RESOURCE DEFINITIONS
RESOURCE CLASS = TSOACCT
RESOURCE CODE = X'087'
ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(039),PRIVPGM
TSS0300I LIST FUNCTION SUCCESSFUL
/*****************************************************************/
/* 1. Please replace <account> with the value specified in z/OSMF */
/* parmlib option "COMMON_TSO ACCT". */
/* 2. Please replace <userid> with the target user id. */
/* 3. Uncomment below commands. */
/*****************************************************************/
/*RDEFINE ACCTNUM <account> UACC(NONE) */
/*PERMIT <account> CLASS(ACCTNUM) ACCESS(read) ID(<userid>) */
SETROPTS RACLIST(ACCTNUM) REFRESH
TSS PER(userid) TSOACCT(xxxxxxxx)
/* Allows the user to use the TSO proc which is set up in the */
/* z/OSMF parmlib option COMMON_TSO PROC. */
SETROPTS CLASSACT(TSOPROC)
TSS ADD(owningacid) TSOPROC(logonprc)
/*****************************************************************/
/* 1. Please replace <proc> with the value specified in z/OSMF */
/* parmlib option "COMMON_TSO PROC". */
/* 2. Please replace <userid> with the target user id. */
/* 3. Uncomment below commands. */
/*****************************************************************/
/*RDEFINE TSOPROC <proc> UACC(NONE) */
/*PERMIT <proc> CLASS(TSOPROC) ACCESS(read) ID(<userid>) */
SETROPTS RACLIST(TSOPROC) REFRESH
TSS PER(userid) TSOPROC(logonprc)
/* Allows the user to use CEA to create TSO address space. */
SETROPTS CLASSACT (SERVAUTH)
RDEFINE SERVAUTH CEA.CEATSO.TSOREQUEST UACC(NONE)
TSS ADD(owningacid) SERVAUTH(CEA.)
/*****************************************************************/
/* 1. Please replace <userid> with the target user id. */
/* 2. Uncomment below commands. */
/*****************************************************************/
/*PERMIT CEA.CEATSO.TSOREQUEST CLASS(SERVAUTH) ACCESS(read) +*/
/* ID(<userid>) */
SETROPTS RACLIST(SERVAUTH) REFRESH
TSS PER(userid) SERVAUTH(CEA.CEATSO.TSOREQUEST) ACC(READ)
/* Allows the user to create an EMCS console through TSO Console */
/* command. */
SETROPTS CLASSACT(TSOAUTH)
RDEFINE TSOAUTH console UACC(NONE)
Top Secret command to grant CONSOLE authority:
TSS ADD(owningacid) TSOAUTH(CONSOLE)
/*****************************************************************/
/* 1. Please replace <userid> with the target user id. */
/* 2. Uncomment below commands. */
/*****************************************************************/
/*PERMIT console CLASS(TSOAUTH) ACCESS(read) ID(<userid>) */
SETROPTS RACLIST(TSOAUTH) REFRESH
TSS PER(userid) TSOAUTH(CONSOLE)
The ACID needs at least one TSO field (e.g., TSOLPROC) added to it for the
TSOAUTH(CONSOLE) permit to work.
/*****************************************************************/
/* END of the first part of this JCL. */
/*****************************************************************/
/******************************************************************/
/* This is the second part of this JCL. */
/* */
/* This part is required per EMCS console. Therefore, if the user */
/* wants to complete setup for multiple consoles at a time, the */
/* commands below can be copied multiple times. */
/* */
/* Note that some variables in the commands below must be */
/* substituted with the values you want to use. Those commands */
/* are commented out by default. Replace the variables and */
/* uncomment the corresponding commands. The variables are: */
/* 1. <consolename> is the EMCS console name the user is going */
/* to use. The z/OS Operator Consoles task provides a UI that */
/* shows the default EMCS console name it generates. To open */
/* it, select one or more systems on the landing page of the */
/* z/OS Operator Consoles task, right-click, and select the */
/* Complete Setup menu; a dialog shows the default EMCS */
/* console name you can use. You can also use your own EMCS */
/* console name in this JCL, but you then need to update it */
/* when you Complete Setup in the z/OS Operator Consoles task */
/* UI. */
/* 2. <userid> is the target user ID. */
/* 3. <sysname> is the system name displayed on the landing page */
/* of the z/OS Operator Consoles task. If you are setting up */
/* the local sysplex, replace "sysname" with "*all". */
/******************************************************************/
/* Allows the user to create EMCS console with the specified name */
SETROPTS CLASSACT(opercmds)
/******************************************************************/
/* Below commands can be added multiple times to authorize */
/* multiple EMCS consoles at a time. You just need to update the */
/* <consolename> and <userid> in each individual line. */
/* 1. Please replace <userid> with the target user id. */
/* 2. Please replace <consolename> with the EMCS console name to */
/* be used. */
/* 3. Uncomment below commands. */
/******************************************************************/
/*RDEFINE OPERCMDS mvs.mcsoper.<consolename> UACC(NONE) */
/*PERMIT mvs.mcsoper.<consolename> CLASS(OPERCMDS) ACCESS(read) +*/
/* ID(<userid>) */
TSS ADD(owningacid) OPERCMDS(MVS.)
TSS PER(userid) OPERCMDS(MVS.MCSOPER.<consolename>) ACC(READ)
/* Allows the created EMCS console to deliver a system specific */
/* view through <sysname>. */
/******************************************************************/
/* Below ADDUSER command can be added multiple times to setup */
/* multiple EMCS consoles at a time. You just need to update the */
/* <consolename> and <sysname> in each individual line. */
/* 1. Please replace <consolename> with the EMCS console name to */
/* be used. */
/* 2. Please replace <sysname> with the system name which is */
/* displayed in the landing page of z/OS Operator Consoles task. */
/* If you are setting up the local sysplex, replace <sysname> */
/* with "*all". */
/******************************************************************/
/*ADDUSER <consolename> OPERPARM(AUTH(master) ROUTCODE(all) +*/
/* MSCOPE(<sysname>)) */
/* Allows user to route command to remote system with name */
/* <sysname>. */
/*RDEFINE OPERCMDS MVS.ROUTE.CMD.<sysname> UACC(NONE) */
/*PERMIT MVS.ROUTE.CMD.<sysname> CLASS(OPERCMDS) ACCESS(read) +*/
/* ID(<userid>) */
TSS PER(userid) OPERCMDS(MVS.ROUTE.CMD.<sysname>) ACC(READ)
/* Allows user to retrieve SYSLOG for specific system with name */
/* <sysname>. */
/*RDEFINE JESSPOOL <sysname>.+MASTER+.SYSLOG.*.* UACC(NONE) */
/*PERMIT <sysname>.+MASTER+.SYSLOG.*.* CLASS(JESSPOOL)+*/
/* ID(<userid>) ACCESS(READ) */
TSS ADD(owningacid) JESSPOOL(nodename.)
TSS PER(userid) JESSPOOL(nodename.+MASTER+.SYSLOG.*.*) ACCESS(READ)
/* Allows user to retrieve OPERLOG */
/*PERMIT SYSPLEX.OPERLOG CLASS(LOGSTRM)+*/
/* ID(<userid>) ACCESS(READ) */
SETROPTS RACLIST(LOGSTRM) REFRESH
SETROPTS RACLIST(JESSPOOL) REFRESH
SETROPTS RACLIST(opercmds) REFRESH
/******************************************************************/
/* END of the second part of this JCL. */
/******************************************************************/
/*
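The Top Secret commands in this sample pair each TSS PER with an earlier TSS ADD that owns the resource prefix, and they carry placeholders (userid, owningacid, <consolename>, and so on) that must be substituted before the job runs. The Python check below is an added example, not part of the original sample or of any vendor tooling; it flags active TSS lines that still contain this page's placeholders and TSS PER commands with no covering TSS ADD in the same stream. It assumes one command per line, that lines starting with /* are comments, and that ownership covers resources by prefix; the ACID, system and node names in the sample are constructed.

```python
import re

# Placeholder tokens used on this page; any left in an active command means
# the line was uncommented without substitution.
PLACEHOLDERS = re.compile(
    r"<[^>]+>|\b(?:owningacid|userid|nodename|logonprc|x{4,})\b", re.I)
# TSS ADD/PER(acid) CLASS(resource) ...
TSS_CMD = re.compile(r"^TSS\s+(ADD|PER)\((\S+?)\)\s+(\w+)\((\S+?)\)", re.I)

def audit(stream):
    """Return (unsubstituted line numbers, unowned PER findings)."""
    owned, unsubstituted, unowned = {}, [], []
    for n, raw in enumerate(stream.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue  # blank or comment line (assumption: not executed)
        m = TSS_CMD.match(line)
        if not m:
            continue  # RACF or other commands are out of scope here
        verb, _acid, rclass, res = (g.upper() for g in m.groups())
        if PLACEHOLDERS.search(line):
            unsubstituted.append(n)
        if verb == "ADD":
            owned.setdefault(rclass, []).append(res)
        elif not any(res.startswith(p) for p in owned.get(rclass, [])):
            # Assumption: ownership defined outside this stream is unknown,
            # so a PER without an earlier covering ADD is only a warning.
            unowned.append((n, rclass, res))
    return unsubstituted, unowned

# Constructed sample: SECDEPT, OPER01, SYSA and NODE1 are made-up names.
SAMPLE = """\
/* constructed sample: a filled-in stream with two mistakes */
TSS ADD(SECDEPT) SERVAUTH(CEA.)
TSS PER(OPER01) SERVAUTH(CEA.CEATSO.TSOREQUEST) ACC(READ)
TSS ADD(SECDEPT) OPERCMDS(MVS.)
TSS PER(OPER01) OPERCMDS(MVS.MCSOPER.<consolename>) ACC(READ)
TSS PER(OPER01) OPERCMDS(MVS.ROUTE.CMD.SYSA) ACC(READ)
TSS PER(OPER01) JESSPOOL(NODE1.+MASTER+.SYSLOG.*.*) ACCESS(READ)
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A JESSPOOL finding like the one in the sample is only a warning when the prefix is already owned on the target system from an earlier run.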