Top Secret RACF Convert for InfoPrint Server for z/OS.

Article ID: 191258


Products

Top Secret

Issue/Introduction

Please convert the attached RACF commands for Infoprint

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

PROC 0

CONTROL ASIS

/********************************************************************/

/*    LICENSED MATERIALS - PROPERTY OF IBM.                         */

/*                                                                  */

/*    5650-ZOS                                                      */

/*                                                                  */

/*    COPYRIGHT IBM CORP. 2001, 2007, 2015 ALL RIGHTS RESERVED      */

/*                                                                  */

/*    US GOVERNMENT USERS RESTRICTED RIGHTS - USE,                  */

/*    DUPLICATION OR DISCLOSURE RESTRICTED BY GSA ADP               */

/*    SCHEDULE CONTRACT WITH IBM CORP.                              */

/*                                                                  */

/********************************************************************/

/*                                                                  */

/*  This is a sample TSO CLIST which provides all the RACF commands */

/*  needed for the setup of Infoprint Server.                       */

/*                                                                  */

/*  Refer to the Infoprint Server Customization book for more       */

/*  detailed information. You may also need to refer to:            */

/*                                                                  */

/*  -  z/OS Security Server (RACF) Security Administrator's Guide   */

/*  -  z/OS Security Server (RACF) System Programmer's Guide        */

/*  -  z/OS Security Server (RACF) Command Language Reference       */

/*                                                                  */

/*  This CLIST is structured into separate sections, each with a    */

/*  set of block comments describing the RACF function that will    */

/*  be set up and what needs to be changed by the customer.         */

/*                                                                  */

/*  NOTE:  When dynamic configuration is enabled,  authorized users */

/*  can  change the system configuration attributes  in the Printer */

/*  Inventory.   To restrict  who can  change  system configuration */

/*  attributes you can define an optional AOP.CONFIGURATION profile */

/*  in the PRINTSRV class  and an optional group  for configuration */

/*  managers  (AOPCONF group).   If you do not define this profile, */

/*  AOP.CONFIGURATION,  then  users who have  UPDATE access  to the */

/*  AOP.ADMINISTRATOR profile can change configuration attributes.  */

/*                                                                  */

/*  ENSURE YOU EXECUTE THIS CLIST FROM A RACF SPECIAL USER ID!      */

/*  ==========================================================      */

/*                                                                  */

/*  CAUTION: This is neither a JCL procedure nor a complete CLIST.  */

/*  All of the commands have been commented out to prevent          */

/*  accidental execution. Customers must uncomment the necessary    */

/*  lines before running this CLIST to perform the respective       */

/*  commands. In addition, site dependent customization might       */

/*  need to be performed to this CLIST before execution.            */

/*                                                                  */

/*  NOTE: Each section is intended to work independently of other   */

/*  sections. Therefore it is possible that some of these commands  */

/*  will return a non-zero return code since the specific RACF      */

/*  function may already be set up.                                 */

/*                                                                  */

/********************************************************************/

 

/********************************************************************/

/*  Block 1 - Define a group for  Infoprint Server administrators,  */

/*            a group for Infoprint Server operators, and possibly  */

/*            a group for Infoprint Server configuration managers.  */

/*                                                                  */

/* AOPADMIN & AOPOPER need GIDs because they are UNIX groups too.   */

/*                                                                  */

/* Customizable entries:                                            */

/* =====================                                            */

/*  a) AOPADMIN - the name of the RACF group to be defined for      */

/*     Infoprint Server administrators.                             */

/*  b) yy - a unique GID number (1 - 2147483647) to be assigned     */

/*     to the AOPADMIN group.                                       */

/*  c) AOPOPER - the name of the RACF group to be defined for       */

/*     operators who will start/stop Infoprint Server.              */

/*  d) zz - a unique GID number (1 - 2147483647) to be assigned     */

/*     to the AOPOPER group.                                        */

/*  e) AOPCONF - the name of the optional RACF group to be defined  */

/*     for Infoprint Server configuration managers if dynamic       */

/*     configuration is enabled.                                    */

/*                                                                  */

/********************************************************************/

/* ADDGROUP (AOPADMIN) OMVS(GID(yy))                                */

/* ADDGROUP (AOPOPER) OMVS(GID(zz))                                 */

/* ADDGROUP (AOPCONF)                                               */

TSS CRE(AOPADMIN) TYPE(GROUP) NAME('ADM PRINT SERVER') DEPT(dept)

TSS ADD(AOPADMIN) GID(X)

TSS CRE(AOPOPER) TYPE(GROUP) NAME('OPER PRINT SERVER') DEPT(dept)

TSS ADD(AOPOPER) GID(X)

TSS CRE(AOPCONF) TYPE(GROUP) NAME('CONF PRINT SERVER') DEPT(dept)

TSS ADD(AOPCONF) GID(X)

 

/********************************************************************/

/*  Block 2 - Define resource profile(s) in PRINTSRV class          */

/*                                                                  */

/* Activate the PRINTSRV class.                                     */

/* Define a profile named AOP.ADMINISTRATOR in the PRINTSRV class.  */

/* If dynamic configuration is enabled,  optionally define another  */

/*     profile named AOP.CONFIGURATION in the PRINTSRV class.       */

/*                                                                  */

/********************************************************************/

/* RDEFINE PRINTSRV (AOP.ADMINISTRATOR) UACC(NONE)                  */

/* RDEFINE PRINTSRV (AOP.CONFIGURATION) UACC(NONE)                  */

/* SETROPTS CLASSACT(PRINTSRV) RACLIST(PRINTSRV)                    */

/* SETROPTS RACLIST(PRINTSRV) REFRESH                               */

* PRINTSRV is not a predefined resource class in TSS, so add it to the RDT:

TSS ADD(RDT) RESCLASS(PRINTSRV) ATTR(LONG,MASK) ACLST(NONE=0000,CONTROL=6400,UPDATE=6000,READ=4000,ALL=FFFF)

* Own the AOP. prefix in the new class:

TSS ADD(dept) PRINTSRV(AOP.)

* Give the administrator group UPDATE access to AOP.ADMINISTRATOR:

TSS PERMIT(AOPADMIN) PRINTSRV(AOP.ADMINISTRATOR) ACCESS(UPDATE)

/********************************************************************/

/*  Block 3 - Optionally give appropriate groups access to these    */

/*            resource profiles.                                    */

/*                                                                  */

/* Give the Infoprint Server administrator group access to the      */

/* AOP.ADMINISTRATOR resource profile in the PRINTSRV class.        */

/* This will allow print administrators to view or update the       */

/* Printer Inventory using the ISPF panels or the Printer           */

/* Inventory Definition Utility (PIDU) program.                     */

/*                                                                  */

/* If you created an AOPCONF group,  give it access to the resource */

/* profile AOP.CONFIGURATION in the PRINTSRV class. This will allow */

/* configuration managers to view / update the system configuration */

/* attributes  in the Printer Inventory  using ISPF panels,  or the */

/* Printer Inventory Definition Utility (PIDU) program.             */

/*                                                                  */

/* NOTE:  You can permit each user separately instead of            */

/* permitting these groups.                                         */

/*                                                                  */

/* Customizable entries:                                            */

/* =====================                                            */

/*  a) Change ID(AOPADMIN) to specify the group name that you       */

/*     defined for Infoprint Server administrators in Block 1       */

/*     above, or specify the individual user ID(s) that you want to */

/*     have administrator access.                                   */

/*  b) Change ID(AOPCONF) to specify the group name you defined for */

/*     Infoprint Server  configuration managers  in Block 1  above, */

/*     or specify  the individual user ID(s)  that you want to have */

/*     configuration management access.                             */

/*  c) In general,  ACCESS(UPDATE) will allow users to add,  change */

/*     and delete entries in the Printer Inventory and ACCESS(READ) */

/*     will allow users to view but not change those entries.       */

/*     See z/OS Infoprint Server Customization  for a more complete */

/*     description of  how different entries are protected by these */

/*     two profiles.                                                */

/*                                                                  */

/********************************************************************/

/* PERMIT AOP.ADMINISTRATOR CLASS(PRINTSRV) ACCESS(UPDATE) +        */

/*    ID(AOPADMIN)                                                  */

/* PERMIT AOP.CONFIGURATION CLASS(PRINTSRV) ACCESS(UPDATE) +        */

/*    ID(AOPCONF)                                                   */

/* SETROPTS RACLIST(PRINTSRV) REFRESH                               */

 

/********************************************************************/

/*  Block 4 - Define Infoprint Server administrator, operator and   */

/*            configuration manager user IDs as UNIX users.         */

/*                                                                  */

/* The user IDs for Infoprint Server administrators,  operators and */

/* configuration managers must have an OMVS segment with their user */

/* identifier (UID)  and be connected to a default group that has a */

/* group identifier (GID).                                          */

/*                                                                  */

/* Customizable entries:                                            */

/* =====================                                            */

/*  a) ADDUSER - change to ALTUSER if the user ID already exists    */

/*     in the database.                                             */

/*  b) iiiiiiii - refers to the user ID.                            */

/*  c) uu - refers to a unique UID number (1 - 2147483647).         */

/*  d) /u/iiiiiiii - the HOME directory  may be changed  to comply  */

/*     with your local standards.                                   */

/*  e) gggggggg - refers to the default group name.  This could be  */

/*     AOPADMIN, AOPOPER, or any other previously defined group     */

/*     that has an OMVS GID.                                        */

/*                                                                  */

/********************************************************************/

/* ADDUSER (iiiiiiii) OMVS(UID(uu) HOME('/u/iiiiiiii') +            */

/*    PROGRAM('/bin/sh')) DFLTGRP(gggggggg)                         */

/* aaaaaaaa and oooooooo are the administrator and operator user IDs; */
/* they must differ from the group ACIDs created in Block 1, because   */
/* all ACID names in Top Secret share one namespace.                   */

TSS CRE(aaaaaaaa) TYPE(USER) NAME('AOPADMIN') DEPT(dept_name) FAC(xx) PASS(XXX) GROUP(AOPADMIN)

TSS ADD(aaaaaaaa) UID(XX) HOME(/u/aaaaaaaa) OMVSPGM(/bin/sh) DFLTGRP(AOPADMIN)

TSS CRE(oooooooo) TYPE(USER) NAME('OPER') DEPT(dept_name) FAC(xx) PASS(XXX) GROUP(AOPOPER)

TSS ADD(oooooooo) UID(XX) HOME(/u/oooooooo) OMVSPGM(/bin/sh) DFLTGRP(AOPOPER)

/********************************************************************/

/*  Block 5 - Connect Administrators to AOPADMIN group, Operators   */

/*            to  AOPOPER group,  and  Configuration Managers  to   */

/*            AOPCONF group  (and AOPADMIN group iff they will be   */

/*            using the pidu command).                              */

/*                                                                  */

/* NOTE:  You can permit user IDs separately  instead of connecting */

/* them to these groups.                                            */

/*                                                                  */

/* NOTE:  If dynamic configuration is enabled, a user ID using pidu */

/* to import the entire Printer Inventory from backup  will need to */

/* be connected to both AOPADMIN and AOPCONF.                       */

/*                                                                  */

/* Customizable entries:                                            */

/* =====================                                            */

/*  a) AOPADMIN - the group name for Infoprint Server               */

/*     administrators that you defined in Block 1 above.            */

/*  b) AOPOPER - the group name for Infoprint Server operators      */

/*     that you defined in Block 1 above.                           */

/*  c) AOPCONF - the group name for Infoprint Server configuration  */

/*     managers that you defined in Block 1 above.                  */

/*  d) aaaaaaaa - the user ID for an administrator.                 */

/*     oooooooo - the user ID for an operator.                      */

/*     cccccccc - the user ID for a configuration manager.          */

/*                                                                  */

/********************************************************************/

/* CONNECT (aaaaaaaa) GROUP(AOPADMIN)                               */

/* CONNECT (oooooooo) GROUP(AOPOPER)                                */

/* CONNECT (cccccccc) GROUP(AOPCONF)                                */

/********************************************************************/

/*  Block 6 - Define a user ID that is associated with the JCL      */

/*            procedures that you run as started tasks from the     */

/*            z/OS console.                                         */

/*                                                                  */

/* The user ID associated these procedures must be defined with an  */

/* OMVS segment with a user identifier (UID) and be connected to a  */

/* default group that has group identifier (GID).                   */

/*                                                                  */

/* This sample defines user AOPSTC as a member of group AOPOPER and */

/* with a HOME directory of /tmp.                                   */

/*                                                                  */

/* Customizable entries:                                            */

/* =====================                                            */

/*  a) ADDUSER - change to ALTUSER if the user ID already exists    */

/*     in the database.                                             */

/*  b) AOPSTC - the user ID to be associated with the started       */

/*     procedures.                                                  */

/*  c) dd - an appropriate UID number (0 - 2147483647).             */

/*  d) /tmp - the HOME directory can be changed to comply with your */

/*     local standards.                                             */

/*  e) AOPOPER - the operators group name defined in Block 1.       */

/*  f) NOPASSWORD - defines the AOPSTC user ID as a PROTECTED user  */

/*     ID.  PROTECTED user IDs cannot be used to log on to the z/OS */

/*     system, and they cannot be  revoked because of incorrect     */

/*     password attempts.                                           */

/*                                                                  */

/********************************************************************/

/* ADDUSER AOPSTC OMVS(UID(dd) HOME('/tmp') +                       */

/*    PROGRAM('/bin/sh')) DFLTGRP(AOPOPER) NOPASSWORD               */

TSS CRE(AOPSTC) TYPE(USER) NAME('AOPSTC') DEPT(dept_name) FAC(STC) PASS(XXX) GROUP(AOPOPER)

TSS ADD(AOPSTC) UID(XX) HOME(/tmp) OMVSPGM(/bin/sh) DFLTGRP(AOPOPER)

/********************************************************************/

/*  Block 7 - Associate the user ID defined in block 6 with the     */

/*            console-started tasks.                                */

/*                                                                  */

/* You must define these procedures to the RACF STARTED FACILITY.   */

/* Customers who want to use the started procedure table  ICHRIN03  */

/* instead  should refer to the z/OS RACF Security Administrator's  */

/* Guide.                                                           */

/*                                                                  */

/* Customizable entries:                                            */

/* =====================                                            */

/*  a) AOPPROC - the name of the procedure being started.  PROCLIB  */

/*     contains these samples of procedures you can customize:      */

/*     AOPSTART, AOPSTAR2, AOPDEMON, AOPSTOP, AOPSTOP2 and AOPSTAT. */

/*     You can define one RDEFINE statement for each procedure.     */

/*  b) AOPSTC - the user ID associated with the procedure defined   */

/*     in Block 6.                                                  */

/*  c) AOPOPER - the operators group name defined in Block 1.       */

/*                                                                  */

/********************************************************************/

/* SETROPTS GENERIC(STARTED)                                        */

/* RDEFINE STARTED AOPPROC.* STDATA(USER(AOPSTC) +                  */

/*    GROUP(AOPOPER))                                               */

/* SETROPTS CLASSACT(STARTED) RACLIST(STARTED)                      */

/* SETROPTS RACLIST(STARTED) REFRESH                                */

In Top Secret, the equivalent of the RDEFINE STARTED ... command is

TSS ADD(STC) PROCNAME(proc) ACID(AOPSTC)

where proc is the name of each started procedure you customize (AOPSTART, AOPSTAR2, AOPDEMON, AOPSTOP, AOPSTOP2 and AOPSTAT); issue one command per procedure.

/********************************************************************/

/*  Block 8 - Give users access to Infoprint Server ISPF data sets  */

/*                                                                  */

/*  Give universal RACF access to the Infoprint Server ISPF data    */

/*  sets. This lets all users view the Infoprint Server ISPF panels.*/

/*                                                                  */

/*  The RACF ADDGROUP command below creates a group to own the      */

/*  data set resource profile, and the ADDSD command creates        */

/*  a generic data set resource profile that gives universal READ   */

/*  access to data sets that start with AOP.SAOP (AOP.SAOP*).       */

/*                                                                  */

/* Customizable entries:                                            */

/* =====================                                            */

/*  a) AOP in the ADDGROUP statement  can be changed to  any unique */

/*     group name  in the RACF database.   If so changed, you  must */

/*     also change the owner name in the ADDSD statement.           */

/*  b) SYS1 in SUPGROUP(SYS1) can be changed to some other existing */

/*     group name in the RACF database  if necessary to comply with */

/*     local standards.                                             */

/*  c) SYS1  in OWNER(SYS1)  can be changed to  some other existing */

/*     user or group name in the RACF database  if needed to comply */

/*     with local standards.                                        */

/*                                                                  */

/********************************************************************/

/* ADDGROUP (AOP) SUPGROUP(SYS1) OWNER(SYS1)                        */

/* ADDSD 'AOP.*' GENERIC OWNER(AOP) UACC(READ)                      */

 

There is no SUPGROUP equivalent in Top Secret.
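The RACF commands in Blocks 3, 5, 7 and 8 have no Top Secret equivalents shown above. The following is an added conversion for them (example commands, not part of the original article) using the page's own placeholders (aaaaaaaa, oooooooo, cccccccc, dept); it assumes the groups, the AOPSTC ACID and the PRINTSRV RDT entry were created as in Blocks 1, 2 and 6, and that the AOPADMIN permit from Block 2 is already in place:

```clist
/* Added example (not part of the original article): Top Secret        */
/* equivalents for the RACF commands in Blocks 3, 5, 7 and 8.          */
/* Placeholders: aaaaaaaa/oooooooo/cccccccc are user ACIDs, dept is    */
/* the owning department ACID.                                         */

/* Block 3 - PERMIT ... CLASS(PRINTSRV): configuration managers.       */
/* Assumes PRINTSRV is in the RDT and AOP. is owned by dept (Block 2). */
/* ACCESS(READ) would let a user view the Printer Inventory only.      */
TSS PERMIT(AOPCONF) PRINTSRV(AOP.CONFIGURATION) ACCESS(UPDATE)

/* Block 5 - CONNECT: attach user ACIDs to the groups.                 */
TSS ADD(aaaaaaaa) GROUP(AOPADMIN)
TSS ADD(oooooooo) GROUP(AOPOPER)
TSS ADD(cccccccc) GROUP(AOPCONF)
/* A pidu user who imports the whole inventory needs both groups.      */
TSS ADD(cccccccc) GROUP(AOPADMIN)

/* Block 7 - RDEFINE STARTED: one STC record per started procedure,    */
/* all running under the AOPSTC ACID created in Block 6.               */
TSS ADD(STC) PROCNAME(AOPSTART) ACID(AOPSTC)
TSS ADD(STC) PROCNAME(AOPSTAR2) ACID(AOPSTC)
TSS ADD(STC) PROCNAME(AOPDEMON) ACID(AOPSTC)
TSS ADD(STC) PROCNAME(AOPSTOP)  ACID(AOPSTC)
TSS ADD(STC) PROCNAME(AOPSTOP2) ACID(AOPSTC)
TSS ADD(STC) PROCNAME(AOPSTAT)  ACID(AOPSTC)

/* Block 8 - ADDGROUP/ADDSD: there is no SUPGROUP; the department owns */
/* the AOP. data set prefix and the ALL record gives universal READ.   */
TSS ADD(dept) DSN(AOP.)
TSS PERMIT(ALL) DSN(AOP.) ACCESS(READ)

/* Verify who can reach the resources and what the STC ACID holds.     */
TSS WHOHAS PRINTSRV(AOP.ADMINISTRATOR)
TSS WHOHAS DSN(AOP.)
TSS LIST(STC)
TSS LIST(AOPSTC) DATA(ALL)
```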