ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Sample JCL to remove ACF2 security permits for Zowe

book

Article ID: 186685

calendar_today

Updated On:

Products

ACF2

Issue/Introduction

Sample ACF2 JCL to remove ACF2 security permits for Zowe.  

Resolution

Sample ZWENASEC JCL follows.

//ZWENASEC JOB
//*
//*********************************************************************
//*
//* Zowe Open Source Project
//* This JCL can be used to remove ACF2 security permits for Zowe
//*
//* CAUTION: This is neither a JCL procedure nor a complete job.
//* Before using this JCL, you will have to make the following
//* modifications:
//*
//* 1) Add job name and job parameters to the JOB statement, to
//*    meet your system requirements.
//*
//* 3) Change &ADMINGRP to match the desired
//*    group name for Zowe administrators.
//*
//* 3) Change &STCGROUP to match the desired
//*    group name for started tasks.
//*
//* 4) Change &ZOWEUSERto match the desired
//*    user ID for the ZOWE started task.
//*
//* 5) Change &XMEMUSER to match the desired
//*    user ID for the XMEM Cross Memory started task.
//*
//* 6) Change &AUXUSER to match the desired
//*    user ID for the XMEM Auxilary Cross Memory started task.
//*
//* 7) Change &ZOWESTC to match the desired
//*    Zowe started task name.
//*
//* 8) Change &XMEMSTC to match the desired
//*    XMEM Cross Memory started task name.
//*
//* 9) Change &AUXSTC to match the desired
//*     XMEM Auxilary Cross Memory started task name.
//*
//* 10) Change &HLQ to match the desired
//*     Zowe data set high level qualifier.
//*
//* 11) Change &SYSPROG to match the existing
//*     user ID or group used by z/OS system programmers.
//*
//* Note(s):
//*
//* 1. THE USER ID THAT RUNS THIS JOB MUST HAVE SUFFICIENT AUTHORITY
//*    TO ALTER SECURITY DEFINITONS
//*
//* 2. Remove users from the Zowe administrator group before removing
//*    the group itself.
//*
//* 3. This job WILL complete with return code 0.
//*    The results of each command must be verified after completion.
//*
//* 4. This job is based on a site using ROLE based rules.
//*    
//*********************************************************************
//*
//*********************************************************************
//*
//* EXECUTE COMMANDS FOR ACF2 SECURITY PRODUCT
//*
//RUN      EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
*
*********************************************************************
*
* ACF2 ONLY, customize to meet your system requirements
*
* REMOVE ZOWE DATA SET PROTECTION ................................. */
* - The sample commands assume that EGN (Enhanced Generic Naming)   */
*   is active, which allows the usage of ** to represent any number */
*   of qualifiers in the DATASET class. Substitute *.** with * if   */
*   EGN is not active on your system.                               */
* remove general data set protection                                */
SET RULE
LIST &HLQ
DELETE &HLQ 
* remove HLQ stub                                                   */
SET X(ROL)
DELETE &HLQ
* REMOVE ZOWE SERVER PERMISIONS ................................... */
* remove permit to use XMEM Cross Memory server                     */
** PERMIT ZWES.IS CLASS(FACILITY) ID(<zwesvstc_user>) ACCESS(READ)
SET RESOURCE(FAC)
LIST LIKE(ZWES-)
RECKEY ZWES DEL(IS ROLE(IZUSVR) SERVICE(READ) ALLOW)
* remove permit to create a user's security environment             */
SET RESOURCE(FAC)
LIST LIKE(BPX-)
RECKEY BPX DEL( SERVER USER(&ZOWEUSER) SERVICE(UPDATE) ALLOW))
RECKEY BPX DEL( DAEMON USER(&ZOWEUSER) SERVICE(UPDATE) ALLOW))
* remove permit to set jobname                                      */
SET RESOURCE(FAC)
LIST LIKE(BPX-)
RECKEY BPX DEL( JOBNAME USER(&ZOWEUSER) SERVICE(READ) ALLOW))
* remove permit to write persistent data
* PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ACCESS(CONTROL) -                            */
SET RESOURCE(UNI)
LIST LIKE(SUPERUSER-)
RECKEY SUPERUSER DEL( FILESYS USER(&ZOWEUSER) SERVICE(CONTROL) ALLOW))
SET RESOURCE(CSF)
RECKEY profile-prefix DEL(profile-suffix uid(UID string for tcpip-stackname) SERVICE(READ) ALLOW)   
RECKEY profile-prefix DEL(profile-suffix uid(UID string for IZUSVR) SERVICE(READ) ALLOW)
* (repeat for userids IKED, NSSD, and Policy Agent)
F ACF2,REBUILD(CSF)
* REMOVE STARTED TASKS ............................................ */
* remove userid for ZOWE main server                                */
SET LID
LIST &ZOWEUSER
DELETE &ZOWEUSER
* remove userid for XMEM Cross Memory server                        */
SET LID
LIST &XMEMUSER
DELETE &XMEMUSER
* comment out if &AUXUSER matches &XMEMUSER (default), expect       */
*   warning messages otherwise                                      */
* remove userid for XMEM auxilary cross memory server               */
SET LID
LIST &AUXUSER
DELETE &AUXUSER
* comment out if &STCGROUP matches &ADMINGRP (default), expect      */
*   warning messages otherwise                                      */
* remove group for started tasks                                    */
SET X(ROL)
LIST &STCGROUP
DELETE &STCGROUP
SET CONTROL(GSO)
LIST LIKE(STC.Z-)
DELETE STC.ZWESVSTC
F ACF2,REFRESH(STC)
* REMOVE ADMINISTRATORS ........................................... */
* uncomment to remove user IDs from the &ADMINGRP group             */
* REMOVE (userid,userid,...) GROUP(&ADMINGRP.)                      */
* remove group for administrators                                   */
SET X(ROL)
DELETE &ADMINGRP
* ................................................................. */
/* 
//*