RACF to ACF2 command for zMSC

Article ID: 250962

Products

ACF2 - z/OS

Issue/Introduction

What are the equivalent ACF2 commands for the z/OSMF SERVER default security setup for z/OS Management Services Catalog (zMSC)? The sample RACF commands are in member IZUMSSEC.

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

The sample RACF commands from IZUMSSEC are shown below as comments; the converted ACF2 commands for zMSC follow each block:

/*----------------------------------------------------------------*/
/* Setup the zMSC User role.                                      */
/*                                                                */
/* Connect users to the IZUUSER group to give them the user role. */
/*                                                                */
/* UNCOMMENT the line to CONNECT users to the IZUUSER group.      */
/*----------------------------------------------------------------*/
/*'RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.MGMT_SERVICES.USER) UACC(NONE)'*/
/* No ACF2 equivalent required                                   */

/*'PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.USER CLASS(ZMFAPLA)        */
/*ID(IZUUSER) ACCESS(READ)'                                      */
SET R(ZMF)    <-- ACF2 provides ZMF as the default type code for the ZMFAPLA class
RECKEY IZUDFLT ADD(ZOSMF.MGMT_SERVICES.USER UID(uid of IZUUSER) SERVICE(READ) ALLOW)


/*----------------------------------------------------------------*/
/* Setup the zMSC Administrator role.                             */
/*                                                                */
/* Connect users to the IZUADMIN group to give them the           */
/* administrator role.                                            */
/*                                                                */
/* UNCOMMENT the line to CONNECT administrators to the IZUADMIN   */
/* group.                                                         */
/*----------------------------------------------------------------*/
/*'RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.MGMT_SERVICES.ADMIN) UACC(NONE)'*/

/*'PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.ADMIN                       */
/*  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)'                     */
SET R(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.MGMT_SERVICES.ADMIN UID(uid of z/OSMF sec admins) SERVICE(READ) ALLOW)


/*----------------------------------------------------------------*/
/* Setup the zMSC Publish Approver role. (OPTIONAL)               */
/*                                                                */
/* This is only required when enabling publish approvals in the   */
/* zMSC Global Settings.                                          */
/*                                                                */
/* Connect users to the IZUMSPAP group to give them the publish   */
/* approver role so they can be added as a publish approver in    */
/* Global Settings.                                               */
/*                                                                */
/* UNCOMMENT the line to CONNECT users to the IZUMSPAP group when */
/* enabling publish approvals in Global Settings.                 */
/*----------------------------------------------------------------*/
/*'ADDGROUP IZUMSPAP'                                             */

/*'RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.MGMT_SERVICES.PUBLISH.APPROVER) */
/*    UACC(NONE)'                                                 */

/*'PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.PUBLISH.APPROVER            */
/*    CLASS(ZMFAPLA) ID(IZUMSPAP) ACCESS(READ)'                   */
SET R(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.MGMT_SERVICES.PUBLISH.APPROVER UID(uid of publish approvers) SERVICE(READ) ALLOW)


/*----------------------------------------------------------------*/
/* Setup the zMSC RunAsUser Approver role.                        */
/*                                                                */
/* Connect users to the IZUMSRAP group to give them the RunAsUser */
/* approver role.                                                 */
/*                                                                */
/* UNCOMMENT and edit the CONNECT statement to give user IDs the  */
/* RunAsUser approver role.                                       */
/*----------------------------------------------------------------*/
/*'ADDGROUP IZUMSRAP'                                             */

/*'RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER)*/
/*   UACC(NONE)'                                                  */

/*'PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER          */
/*    CLASS(ZMFAPLA) ID(IZUMSRAP) ACCESS(READ)'                   */
SET R(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER UID(uid of runasuser approvers) SERVICE(READ) ALLOW)


/*----------------------------------------------------------------*/
/* Setup the zMSC RunAsUser role.                                 */
/*                                                                */
/* Connect users to the IZUMSRAU group to give them the RunAsUser */
/* role.                                                          */
/*                                                                */
/* AUDIT(SUCCESS(READ)) is specified to provide a record of when  */
/* a zMSC service was created with a workflow definition that has */
/* steps that will run with a RunAsUser ID and when a submitted   */
/* service runs that step.  The auditing will not include details */
/* such as what service was used for the submission or which      */
/* workflow step was being run.                                   */
/*                                                                */
/* UNCOMMENT and edit the CONNECT statement to give user IDs the  */
/* RunAsUser role.                                                */
/*----------------------------------------------------------------*/
/*'ADDGROUP IZUMSRAU'                                             */

/*'RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER)        */
/*    UACC(NONE) AUDIT(SUCCESS(READ))'                            */

/*'PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER                   */
/*    CLASS(ZMFAPLA) ID(IZUMSRAU) ACCESS(READ)'                   */
SET R(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.MGMT_SERVICES.RUNASUSER UID(uid of runasusers) SERVICE(READ) ALLOW)


/*----------------------------------------------------------------*/
/* Setup access to z/OSMF and the zMSC desktop app for the new    */
/* groups being used for the zMSC roles.                          */
/*----------------------------------------------------------------*/
/* 'RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.MGMT_SERVICES.MGMT_SERVICES)    */
/*     UACC(NONE)'                                                 */

/*'PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.MGMT_SERVICES               */
/*    CLASS(ZMFAPLA) ID(IZUADMIN IZUUSER IZUMSPAP IZUMSRAP)       */
/*    ACCESS(READ)'                                               */

/*'PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUMSPAP IZUMSRAP IZUMSRAU)*/
/*    ACCESS(READ)'                                               */
SET R(ZMF)
RECKEY IZUDFLT ADD(ZOSMF.MGMT_SERVICES.MGMT_SERVICES UID(uid of z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.MGMT_SERVICES.MGMT_SERVICES UID(uid of IZUUSER) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.MGMT_SERVICES.MGMT_SERVICES UID(uid of publish approvers) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.MGMT_SERVICES.MGMT_SERVICES UID(uid of runasuser approvers) SERVICE(READ) ALLOW)

RECKEY IZUDFLT ADD(ZOSMF UID(uid of publish approvers) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF UID(uid of runasuser approvers) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF UID(uid of runasusers) SERVICE(READ) ALLOW)


/*----------------------------------------------------------------*/
/* The following PERMIT and SETROPTS commands must be uncommented */
/* if the APPL class profile IZUDFLT is defined.                  */
/*----------------------------------------------------------------*/
/* 'PERMIT IZUDFLT CLASS(APPL) ID(IZUMSPAP IZUMSRAP IZUMSRAU) */
/*     ACCESS(READ)' */

/* 'SETROPTS RACLIST(APPL) REFRESH' */
SET R(APL)    <-- Verify the type code for class APPL
RECKEY IZUDFLT ADD( UID(uid of publish approvers) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD( UID(uid of runasuser approvers) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD( UID(uid of runasusers) SERVICE(READ) ALLOW)


/*----------------------------------------------------------------*/
/*   This is only required if the IZUDFLT.*.izuUsers EJBROLE      */
/*   profile has not been defined as part of the z/OSMF Nucleus   */
/*   security configuration.                                      */
/*                                                                */
/*   UNCOMMENT the following block if the discrete EJBROLE        */
/*   profiles are being used.                                     */
/*                                                                */
/* Setup the EJBROLE profile required by the Liberty server.      */
/* The EJBROLE definitions are case-sensitive in RACF.  Ensure    */
/* that the case for these commands is preserved.                 */
/* Assumption: EJBROLE is defined, activated, and RACLISTed.      */
/*----------------------------------------------------------------*/
/* 'RDEFINE EJBROLE', */
/* '(IZUDFLT.IzuManagementFacilityManagementServicesCatalog.izuUsers)',*/
/* 'UACC(NONE)' */

/* 'PERMIT', */
/*  'IZUDFLT.IzuManagementFacilityManagementServicesCatalog.izuUsers', */
/*  'ID(IZUADMIN IZUUSER IZUMSRAP IZUMSRAU)', */
/*  'CLASS(EJBROLE) ACCESS(READ)' */
SET R(EJB)    <-- Verify the type code for class EJBROLE
RECKEY IZUDFLT ADD(IzuManagementFacilityManagementServicesCatalog.izuUsers UID(uid of z/OSMF sec admins) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(IzuManagementFacilityManagementServicesCatalog.izuUsers UID(uid of IZUUSER) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(IzuManagementFacilityManagementServicesCatalog.izuUsers UID(uid of runasuser approvers) SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(IzuManagementFacilityManagementServicesCatalog.izuUsers UID(uid of runasusers) SERVICE(READ) ALLOW)


/*--- When uncommenting the EJBROLE block, if publish approvers   */
/*--- will be enabled in Global Settings, then uncomment this     */
/*--- command too.                                                */
/* 'PERMIT', */
/*  'IZUDFLT.IzuManagementFacilityManagementServicesCatalog.izuUsers', */
/*  'CLASS(EJBROLE) ACCESS(READ) ID(IZUMSPAP)' */

/* 'SETROPTS RACLIST(EJBROLE) REFRESH' */

/* 'SETROPTS RACLIST(ZMFAPLA) REFRESH' */
SET R(EJB)    <-- Verify the type code for class EJBROLE
RECKEY IZUDFLT ADD(IzuManagementFacilityManagementServicesCatalog.izuUsers UID(uid of publish approvers) SERVICE(READ) ALLOW)


F ACF2,REBUILD(EJB)    <-- type code for class EJBROLE
F ACF2,REBUILD(ZMF)    <-- type code for class ZMFAPLA
F ACF2,REBUILD(APL)    <-- type code for class APPL
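The conversion rules applied throughout this article (RACF class to ACF2 type code, first profile qualifier to the RECKEY key, group IDs to UID placeholders, RDEFINE UACC(NONE) needing no equivalent, SETROPTS RACLIST REFRESH to F ACF2,REBUILD) written out as a small Python translator. This is an added example, not part of the article or of member IZUMSSEC; the APL and EJB type codes are assumptions that must be verified against the site's CLASMAP records, and the UID strings are the same site-specific placeholders the article uses.

```python
import re

# RACF class -> ACF2 resource type code. ZMF is the ACF2 default for ZMFAPLA;
# APL and EJB are assumed here and must be verified against local CLASMAP records.
CLASS_TO_TYPE = {"ZMFAPLA": "ZMF", "APPL": "APL", "EJBROLE": "EJB"}

# RACF group -> UID placeholder (UID strings are site-specific, so the
# converter emits the article's placeholders rather than inventing masks).
GROUP_TO_UID = {
    "IZUUSER": "uid of IZUUSER",
    "IZUADMIN": "uid of z/OSMF sec admins",
    "IZUMSPAP": "uid of publish approvers",
    "IZUMSRAP": "uid of runasuser approvers",
    "IZUMSRAU": "uid of runasusers",
}

def _operand(rest, name):
    """Return the value of a RACF keyword operand such as CLASS(...), or None."""
    m = re.search(rf"\b{name}\(([^)]*)\)", rest, re.IGNORECASE)
    return m.group(1).strip() if m else None

def racf_to_acf2(cmd):
    """Translate one RACF command (IZUMSSEC style, quotes/commas allowed) to ACF2 lines."""
    # Join REXX/CLIST-style continuations: drop quotes and commas, collapse blanks.
    cmd = " ".join(cmd.replace("'", " ").replace(",", " ").split())
    verb, _, rest = cmd.partition(" ")
    verb = verb.upper()
    if verb == "RDEFINE":
        # UACC(NONE) only creates a deny-by-default profile; ACF2 already denies
        # any access without a matching ALLOW rule line, so nothing is emitted.
        return []
    if verb == "SETROPTS":
        return [f"F ACF2,REBUILD({CLASS_TO_TYPE[_operand(rest, 'RACLIST').upper()]})"]
    if verb != "PERMIT":
        raise ValueError(f"no conversion for {verb}")
    profile, _, rest = rest.partition(" ")
    type_code = CLASS_TO_TYPE[_operand(rest, "CLASS").upper()]
    access = _operand(rest, "ACCESS").upper()
    if access not in ("READ", "UPDATE"):   # only these map 1:1 onto SERVICE()
        raise ValueError(f"ACCESS({access}) needs a manual SERVICE mapping")
    # First qualifier becomes the rule $KEY; the remainder is the resource name
    # on the rule line (empty when the profile is the key alone, as for APPL).
    # Case is preserved because EJBROLE profile names are case-sensitive.
    key, _, resource = profile.partition(".")
    res = f"{resource} " if resource else ""
    lines = [f"SET R({type_code})"]
    for group in _operand(rest, "ID").split():
        uid = GROUP_TO_UID.get(group.upper(), f"uid of {group}")
        lines.append(f"RECKEY {key} ADD({res}UID({uid}) SERVICE({access}) ALLOW)")
    return lines
```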