Sample JCL to remove ACF2 security permits for Zowe
Article ID: 186685
Products
ACF2
Issue/Introduction
Sample ACF2 JCL to remove ACF2 security permits for Zowe.
Resolution
Sample ZWENASEC JCL follows.
//ZWENASEC JOB
//*
//*********************************************************************
//*
//* Zowe Open Source Project
//* This JCL can be used to remove ACF2 security permits for Zowe
//*
//* CAUTION: This is neither a JCL procedure nor a complete job.
//* Before using this JCL, you will have to make the following
//* modifications:
//*
//* 1) Add job name and job parameters to the JOB statement, to
//*    meet your system requirements.
//*
//* 2) Change &ADMINGRP to match the desired
//*    group name for Zowe administrators.
//*
//* 3) Change &STCGROUP to match the desired
//*    group name for started tasks.
//*
//* 4) Change &ZOWEUSER to match the desired
//*    user ID for the ZOWE started task.
//*
//* 5) Change &XMEMUSER to match the desired
//*    user ID for the XMEM Cross Memory started task.
//*
//* 6) Change &AUXUSER to match the desired
//*    user ID for the XMEM Auxiliary Cross Memory started task.
//*
//* 7) Change &ZOWESTC to match the desired
//*    Zowe started task name.
//*
//* 8) Change &XMEMSTC to match the desired
//*    XMEM Cross Memory started task name.
//*
//* 9) Change &AUXSTC to match the desired
//*    XMEM Auxiliary Cross Memory started task name.
//*
//* 10) Change &HLQ to match the desired
//*     Zowe data set high level qualifier.
//*
//* 11) Change &SYSPROG to match the existing
//*     user ID or group used by z/OS system programmers.
//*
//* Note(s):
//*
//* 1. THE USER ID THAT RUNS THIS JOB MUST HAVE SUFFICIENT AUTHORITY
//*    TO ALTER SECURITY DEFINITIONS
//*
//* 2. Remove users from the Zowe administrator group before removing
//*    the group itself.
//*
//* 3. This job WILL complete with return code 0.
//*    The results of each command must be verified after completion.
//*
//* 4. This job is based on a site using ROLE based rules.
//*
//*********************************************************************
//*
//*********************************************************************
//*
//* EXECUTE COMMANDS FOR ACF2 SECURITY PRODUCT
//*
//RUN      EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
*
*********************************************************************
*
* ACF2 ONLY, customize to meet your system requirements
*
* REMOVE ZOWE DATA SET PROTECTION ................................. */
* - The sample commands assume that EGN (Enhanced Generic Naming)   */
*   is active, which allows the usage of ** to represent any number */
*   of qualifiers in the DATASET class. Substitute *.** with * if   */
*   EGN is not active on your system.                               */
* remove general data set protection                                */
SET RULE
LIST &HLQ
DELETE &HLQ
* remove HLQ stub                                                   */
SET X(ROL)
DELETE &HLQ
* REMOVE ZOWE SERVER PERMISSIONS .................................. */
* remove permit to use XMEM Cross Memory server                     */
** PERMIT ZWES.IS CLASS(FACILITY) ID(<zwesvstc_user>) ACCESS(READ)
SET RESOURCE(FAC)
LIST LIKE(ZWES-)
RECKEY ZWES DEL(IS ROLE(IZUSVR) SERVICE(READ) ALLOW)
* remove permit to create a user's security environment             */
SET RESOURCE(FAC)
LIST LIKE(BPX-)
RECKEY BPX DEL( SERVER USER(&ZOWEUSER) SERVICE(UPDATE) ALLOW)
RECKEY BPX DEL( DAEMON USER(&ZOWEUSER) SERVICE(UPDATE) ALLOW)
* remove permit to set jobname                                      */
SET RESOURCE(FAC)
LIST LIKE(BPX-)
RECKEY BPX DEL( JOBNAME USER(&ZOWEUSER) SERVICE(READ) ALLOW)
* remove permit to write persistent data
* PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ACCESS(CONTROL) -        */
SET RESOURCE(UNI)
LIST LIKE(SUPERUSER-)
RECKEY SUPERUSER DEL( FILESYS USER(&ZOWEUSER) SERVICE(CONTROL) ALLOW)
SET RESOURCE(CSF)
RECKEY profile-prefix DEL(profile-suffix uid(UID string for tcpip-stackname) SERVICE(READ) ALLOW)
RECKEY profile-prefix DEL(profile-suffix uid(UID string for IZUSVR) SERVICE(READ) ALLOW)
* (repeat for userids IKED, NSSD, and Policy Agent)
F ACF2,REBUILD(CSF)
* REMOVE STARTED TASKS ............................................ */
* remove userid for ZOWE main server                                */
SET LID
LIST &ZOWEUSER
DELETE &ZOWEUSER
* remove userid for XMEM Cross Memory server                        */
SET LID
LIST &XMEMUSER
DELETE &XMEMUSER
* comment out if &AUXUSER matches &XMEMUSER (default), expect       */
* warning messages otherwise                                        */
* remove userid for XMEM auxiliary cross memory server              */
SET LID
LIST &AUXUSER
DELETE &AUXUSER
* comment out if &STCGROUP matches &ADMINGRP (default), expect      */
* warning messages otherwise                                        */
* remove group for started tasks                                    */
SET X(ROL)
LIST &STCGROUP
DELETE &STCGROUP
SET CONTROL(GSO)
LIST LIKE(STC.Z-)
DELETE STC.ZWESVSTC
F ACF2,REFRESH(STC)
* REMOVE ADMINISTRATORS ........................................... */
* uncomment to remove user IDs from the &ADMINGRP group             */
* REMOVE (userid,userid,...) GROUP(&ADMINGRP.)                      */
* remove group for administrators                                   */
SET X(ROL)
DELETE &ADMINGRP
* ................................................................. */
/*
//*
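
Because the job ends with return code 0 whatever the individual commands do, it helps to check the customized command stream before submitting it. The script below is an added example, not part of the Zowe or Broadcom sample: it flags symbols and template words that were never replaced, unbalanced parentheses, and a second DELETE of the same record in the same SET mode. The function name preflight, the one-command-per-line assumption and the IDs in the sample input are assumptions made for the example.

```python
import re

# Symbols the sample's header comments say must be changed before submission.
SYMBOLS = {"ADMINGRP", "STCGROUP", "ZOWEUSER", "XMEMUSER", "AUXUSER",
           "ZOWESTC", "XMEMSTC", "AUXSTC", "HLQ", "SYSPROG"}
# Template words left in the sample's SET RESOURCE(CSF) commands.
PLACEHOLDERS = ("profile-prefix", "profile-suffix", "UID string for")

def preflight(job_text):
    """Return (line_no, problem) pairs for the command stream of the job."""
    findings, mode, deleted = [], None, {}
    for no, raw in enumerate(job_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, JCL statements, the /* delimiter and * comment lines.
        if not line or line.startswith(("//", "/*", "*")):
            continue
        for sym in re.findall(r"&([A-Z0-9]+)", line):
            if sym in SYMBOLS:
                findings.append((no, f"&{sym} not replaced"))
        for word in PLACEHOLDERS:
            if word in line:
                findings.append((no, f"placeholder '{word}' not replaced"))
        if line.count("(") != line.count(")"):
            findings.append((no, "unbalanced parentheses"))
        words = line.upper().split()
        if words[0] == "SET" and len(words) > 1:
            mode = words[1]              # e.g. RULE, LID, X(ROL)
        elif words[0] == "DELETE" and len(words) > 1:
            # A repeated DELETE in one SET mode is what results when &AUXUSER
            # equals &XMEMUSER, or &STCGROUP equals &ADMINGRP.
            first = deleted.setdefault((mode, words[1]), no)
            if first != no:
                findings.append((no, f"{words[1]} already deleted at line {first}"))
    return findings

# Constructed sample input (hypothetical IDs), only partly customized.
SAMPLE = """\
//SYSTSIN  DD *
* remove userids */
SET RESOURCE(FAC)
RECKEY BPX DEL( SERVER USER(ZWESVUSR) SERVICE(UPDATE) ALLOW))
SET LID
DELETE ZWESIUSR
DELETE ZWESIUSR
DELETE &ZOWEUSER
/*
"""

if __name__ == "__main__":
    for no, problem in preflight(SAMPLE):
        print(f"line {no}: {problem}")
```

An empty result only means the input is well formed; the SYSTSPRT output still has to be read after the job runs to confirm what each command did.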