z/OSMF IZUGCSEC zOS Operator Consoles

Products

Top Secret Top Secret - LDAP

Issue/Introduction

Can you please translate the enclosed documents to CA-TSS?

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

//IZUGCSEC JOB MSGCLASS=C,MSGLEVEL=(1,1)

//STEP1 EXEC PGM=IKJEFT01,DYNAMNBR=99

//SYSPRINT DD SYSOUT=*

//SYSTSPRT DD SYSOUT=*

//SYSTSIN DD *

/*****************************************************************/

/* This sample JCL intends to help with security setup required */

/* per user of z/OSMF "zOS Operator Consoles" task. */

/* */

/* It consists of two parts: */

/* The first part is required only once per user. */

/* The second part is required for every console user wants to */

/* use in "zOS Operator Consoles" task. Since user might usually */

/* use one console to monitor one system in "zOS Operator */

/* Consoles" task, it's usual that the second part needs to be */

/* copied and pasted several times for several systems user wants*/

/* to work with in "zOS Operator Consoles" tasks. */

/* */

/* If user has ever executed this JCL before and wants to setup */

/* console for some added system now, user can comment the first */

/* part of configuration and only execute the second part of */

/* configuration for sepcific system. */

/*****************************************************************/

/* This is the first part of this JCL. */

/* */

/* This part of JCL is only required once per user. If it has */

/* already been performed for a specific user, it could be */

/* commented to allow user only perform the 2nd part of this JCL.*/

/* */

/* Please be noticed that there are some variables need to be */

/* substitued with the value you want to use in below commands. */

/* Those commands are commented by default. You need to replace */

/* those variables and uncomment corresponding commands. */

/*****************************************************************/

/* Allows the user to use TSO account which is setup in z/OSMF */

/* parmlib option COMMON_TSO ACCT? */

SETROPTS CLASSACT(ACCTNUM)

TSOACCT is in Top Secret.

TSS ADD(owingacid) TSOACC(xxxxxx)

ACCESSORID = *RDT* NAME = RESOURCE DEFINITIONS

RESOURCE CLASS = TSOACCT

RESOURCE CODE = X'087'

ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(039),PRIVPGM

TSS0300I LIST FUNCTION SUCCESSFUL

/*****************************************************************/

/* 1. Please replace <account> with the value specified in zOSMF */

/* parmlib option "COMMON_TSO ACCT". */

/* 2. Please replace <userid> with the target user id. */

/* 3. Uncomment below commands. */

/*****************************************************************/

/*RDEFINE ACCTNUM <account> UACC(NONE) */

/*PERMIT <account> CLASS(ACCTNUM) ACCESS(read) ID(<userid>) */

SETROPTS RACLIST(ACCTNUM) REFRESH

TSS PER(userid) TSOACCT(xxxxxxxx)

/* Allows the user to use TSO proc which is setup in z/OSMF */

/* parmlib option COMMON_TSO PROC? */

SETROPTS CLASSACT(TSOPROC)

TSS ADD(owningacid) TSOPROC(logonprc)

/*****************************************************************/

/* 1. Please replace <proc> with the value specified in zOSMF */

/* parmlib option "COMMON_TSO PROC". */

/* 2. Please replace <userid> with the target user id. */

/* 3. Uncomment below commands. */

/*****************************************************************/

/*RDEFINE TSOPROC <proc> UACC(NONE) */

/*PERMIT <proc> CLASS(TSOPROC) ACCESS(read) ID(<userid>) */

SETROPTS RACLIST(TSOPROC) REFRESH

TSS PER(userid) TSOPROC(logonprc)

/* Allows the user to use CEA to create TSO address space. */

SETROPTS CLASSACT (SERVAUTH)

RDEFINE SERVAUTH CEA.CEATSO.TSOREQUEST UACC(NONE)

TSS ADD(owningacid) SERVAUTH(CEA.)

/*****************************************************************/

/* 1. Please replace <userid> with the target user id. */

/* 2. Uncomment below commands. */

/*****************************************************************/

/*PERMIT CEA.CEATSO.TSOREQUEST CLASS(SERVAUTH) ACCESS(read) +*/

/* ID(<userid>) */

SETROPTS RACLIST(SERVAUTH) REFRESH

TSS PER(userid) SERVAUTH(CEA.CEATSO.TSOREQUEST) ACC(READ)

/* Allows the user to create an EMCS console through TSO Console */

/* command. */

SETROPTS CLASSACT(TSOAUTH)

RDEFINE TSOAUTH console UACC(NONE)

cmd to grant Console authority

TSS ADD(owningacid) TSOAUTH(CONSOLE)

/*****************************************************************/

/* 1. Please replace <userid> with the target user id. */

/* 2. Uncomment below commands. */

/*****************************************************************/

/*PERMIT console CLASS(TSOAUTH) ACCESS(read) ID(<userid>) */

SETROPTS RACLIST(TSOAUTH) REFRESH

TSS PER(userid) TSOAUTH(CONSOLE)

The acid needs at least 1 TSO field (ie TSOLPROC) added to it for the

TSOAUTH(CONSOLE) permit to work.

/*****************************************************************/

/* END of the first part of this JCL. */

/*****************************************************************/

/******************************************************************/

/* This is the second part of this JCL. */

/* */

/* This part is required per EMSC console. Therefore, if user */

/* wants to complete setup for multiple consoles at a time, the */

/* below commands might be copied multiple times. */

/* */

/* Please be noticed that there are some variables in below */

/* commands need to be substitued with the value you want to use. */

/* Those commands are commented by default. You need to replace */

/* those variables and uncomment corresponding commands. Those */

/* variables are: */

/* 1. <consolename> which is the EMCS console name user is going */

/* to use. z/OS Operator Consoles task provides UI to allow */

/* user know the default EMCS console generated by z/OS */

/* Operator Consoles task. User could open the UI by selecting */

/* one or multiple systems on the landing page of z/OS Operator*/

/* Consoles task, then right click, select Complete Setup menu,*/

/* a dialog will be popped up and show you the default EMCS */

/* console name you could use. You can also use your own EMCS */

/* console name in this JCL. But you need to update it when you*/

/* Complete Setup in z/OS Operator Consoles task UI */

/* 2. <userid> which is the target user id. */

/* 3. <sysname> is the system name which is displayed in the */

/* landing page of z/OS Operator Consoles task. If user is setup */

/* local sysplex, user needs to replace "sysname" with "*all". */

/******************************************************************/

/* Allows the user to create EMCS console with the specified name */

SETROPTS CLASSACT(opercmds)

/******************************************************************/

/* Below commands can be added multiple times to authorize */

/* multiple EMCS consoles at a time. You just need to update the */

/* <consolename> and <userid> in each individual line. */

/* 1. Please replace <userid> with the target user id. */

/* 2. Please replace <consolename> with the EMCS console name to */

/* be used. */

/* 3. Uncomment below commands. */

/******************************************************************/

/*RDEFINE OPERCMDS mvs.mcsoper.<consolename> UACC(NONE) */

/*PERMIT mvs.mcsoper.<consolename> CLASS(OPERCMDS) ACCESS(read) +*/

/* ID(<userid>)

TSS ADD(owningacid) OPERCMDS(MVS.)

TSS PER(userid) OPERCMDS(MVS.MCSOPER.<consolename>) ACC(READ) */

/* Allows the created EMCS console to deliver a system specific */

/* view through <sysname>. */

/******************************************************************/

/* Below ADDUSER command can be added multiple times to setup */

/* multiple EMCS consoles at a time. You just need to update the */

/* <consolename> and <sysname> in each individual line. */

/* 1. Please replace <consolename> with the EMCS console name to */

/* be used. */

/* 2. Please replace <sysname> with the system name which is */

/* displayed in the landing page of z/OS Operator Consoles task. */

/* If you are setup local sysplex, you need to replace <sysname> */

/* with "*all". */

/******************************************************************/

/*ADDUSER <consolename> OPERPARM(AUTH(master) ROUTCODE(all) +*/

/* MSCOPE(<sysname>)) */

/* Allows user to route command to remote system with name */

/* <sysname>. */

/*RDEFINE OPERCMDS MVS.ROUTE.CMD.<sysname> UACC(NONE) */

/*PERMIT MVS.ROUTE.CMD.<sysname> CLASS(OPERCMDS) ACCESS(read) +*/

/* ID(<userid>) */

TSS PER(userid) OPERCMDS(MVS.ROUTE.CMD.<sysname>) ACC(READ)

/* Allows user to retrieve SYSLOG for specific system with name */

/* <sysname>. */

/*RDEFINE JESSPOOL <sysname>.+MASTER+.SYSLOG.*.* UACC(NONE) */

/*PERMIT <sysname>.+MASTER+.SYSLOG.*.* CLASS(JESSPOOL)+*/

/* ID(<userid>) ACCESS(READ)

TSS ADD(owningacid) JESSPOOL(nodename.)

TSS PER(userid) JESSPOOL(nodename.+MASTER+.SYSLOG.*.*) ACCESS(READ) */

/* Allows user to retrieve OPERLOG */

/*PERMIT SYSPLEX.OPERLOG CLASS(LOGSTRM)+*/

/* ID(<userid>) ACCESS(READ) */

SETROPTS RACLIST(LOGSTRM) REFRESH

SETROPTS RACLIST(JESSPOOL) REFRESH

SETROPTS RACLIST(opercmds) REFRESH

/******************************************************************/

/* END of the second part of this JCL. */

/******************************************************************/

/*