search cancel

Top Secret equivalent commands for IBM Fault Analyzer 14.1

book

Article ID: 253464

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

The installation of IBM Fault Analyzer 14.1 produced a batch job containing RACF definitions needed for the proper running of the Fault Analyzer.

This article documents the translation of the RACF commands to Top Secret commands.

 

Environment

Top Secret 16.0

IBM Fault Analyzer 14.1

Cause

IBM Generated RACF Definitions – Fault Analyzer

//*    THIS JOB CREATES RACF DATASET PROFILES 
//* 
//*    DEFAULT USERID IBMUSER MUST BE CHANGED BEFORE THE JOB IS
//*    SUBMITTED.
//*
//* IMPORTANT:
//*    THE USERID THAT RUNS THIS JOB MUST HAVE SPECIAL AUTHORITY.
//*
//*    RACF PROFILES NEEDED TO SET UP z/OSMF ARE ADDED IN COMMENTS.
//*    IF YOU PLAN TO COPY RACF DATABASE USING OPTIONAL JOB HRF77C0C,
//*    YOU MAY UNCOMMENT z/OSMF PROFILES BEFORE RUNNING THE JOB.
//*    THIS WILL ENABLE YOU TO START z/OSMF SERVER FROM FIRST IPL. ALSO
//*    REVIEW OTHER INSTRUCTIONS UNDER z/OSMF SET UP SECTION OF IYO FOR
//*    INSTRUCTIONS TO SET UP z/OSMF BEFORE FIRST IPL.
//*
//RACFDRV  EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTERM  DD  DUMMY
//SYSTSIN  DD  *,DLM='%%'
/* THE IRRDPI00 COMMAND BUILDS A 'DYNAMIC' TABLE FOR PARSING   */ 
/* SEGMENT-RELATED  KEYWORDS.    */
RDEFINE +
  FACILITY IRRDPI00 +
  UACC(NONE)
PE +
  IRRDPI00 +
  CLASS(FACILITY) +
  ID(IBMUSER) +
  ACC(READ)
SETROPTS +
  REFRESH +
  RACLIST(FACILITY)
SETROPTS  +
  GENERIC(DATASET STARTED) +
  GENCMD(DATASET STARTED) +
  CLASSACT(DIGTRING  +
           DIGTCERT  +
           DIGTCRIT  +
           FACILITY  +
           LOGSTRM   +
           UNIXPRIV  +
           STARTED)  +
  RACLIST(DIGTCERT  +
          DIGTCRIT  +
          DIGTRING  +
          FACILITY  +
          UNIXPRIV  +
          LOGSTRM   +
          STARTED)
/* THE RACDCERT COMMAND INSTALLS   AND MAINTAINS DIGITAL CERTIFICATES */
/* KEY RINGS AND DIGITAL CERTIFICATE  MAPPINGS IN RACF     */
RACDCERT +
  CERTAUTH +
  ALTER( +
  LABEL('Verisign Class 3 Primary CA')) +
  TRUST
RACDCERT +
  ADDRING(SecureFTPKeyRing) +
  ID(IBMUSER)
RACDCERT +
  CONNECT +
  (CERTAUTH +
  RING(SecureFTPKeyRing) +
  LABEL('Verisign Class 3 Primary CA') +
  USAGE(CERTAUTH)) +
  ID(IBMUSER)
SETROPTS  +
  RACLIST(DIGTCERT +
          DIGTCRIT +
          DIGTRING  +
          FACILITY  +
          LOGSTRM   +
          STARTED)  +
  REFRESH
%%
//*
//IRRDPI00 EXEC PGM=IKJEFT1B,REGION=1M,PARM='IRRDPI00 UPDATE'
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSUT1   DD DSN=SYS1.SAMPLIB(IRRDPSDS),DISP=SHR
//SYSTSIN  DD DUMMY
//*
//RACFPRF2 EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTERM  DD  DUMMY
//SYSTSIN  DD  *,DLM='%%'
  PROF MSGID WTPMSG
/************ SETROPTS COMMAND SETS SYSTEM-WIDE RACF ************/
/************ OPTIONS RELATED TO RESOURCE PROTECTION ************/
SETROPTS +
   GENERIC(DATASET STARTED) +
   GENCMD(DATASET STARTED) +
   CLASSACT(FACILITY +
            LOGSTRM) +
   RACLIST(FACILITY)
/***********  BEGIN SETUP FOR ZFS FILE SYSTEMS  **********/
/** SPECIFIES Z/OS UNIX SYSTEM  SERVICES INFORMATION FOR THE **/
/** GROUP BEING DEFINED TO RACF  **/
ADDGROUP +
  DFSGRP  +
  SUPGROUP(SYS1) +
  OMVS(GID(3))
ADDGROUP +
  ZFSGRP  +
  SUPGROUP(SYS1) +
  OMVS(GID(4))
ADDUSER +
  DFS +
  DFLTGRP(DFSGRP) +
  AUTHORITY(CREATE) +
  OMVS(HOME(/opt/dfslocal/home/dfscntl) UID(0)) +
  UACC(NONE)
ADDUSER +
  ZFS +
  DFLTGRP(ZFSGRP) +
  AUTHORITY(CREATE) +
  OMVS(UID(0)      +
  HOME('/opt/dfslocal/home/dfscntl'))
RDEFINE +
  STARTED +
  DFS.* +
  STDATA(USER(DFS))
RDEFINE +
  STARTED +
  DFSCM.* +
  STDATA(USER(DFS))
RDEFINE +
  STARTED +
  ZFS.* +
  STDATA(USER(ZFS))
CONNECT  +
   ZFS   +
   GROUP(DFSGRP) +
   AUTH(CREATE)
/************** END SETUP FOR ZFS FILE SYSTEM ***************/
/*****************  PERMIT ACCESS TO BPX FACILITY  ******************/
PE +
   BPX.DAEMON +
   CLASS(FACILITY) +
   ID(SYS1) +
   ACC(READ)
PE +
   BPX.DAEMON +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACCESS(READ)
/***************  DEFINE TTY, UUCPG AND UUCP GROUPS  ****************/
ADDGROUP +
  TTY  +
  OMVS(GID(2))
ADDGROUP +
  UUCPG +
  OMVS(GID(8765))
ADDUSER +
  UUCP +
  DFLTGRP(UUCPG) +
  OMVS(UID(396) +
  HOME('/usr/spool/uucppublic') +
  PROGRAM('/bin/sh'))
/********** SET UID(0), HOME DIRECTORY AND **********/
/********** PROGRAM DIRECTORY FOR IBMUSER  **********/
ALTUSER +
   IBMUSER +
   OMVS(UID(0) +
   HOME('/') +
   PROGRAM('/bin/sh'))
/****** BEGIN DEFINING DIFFERENT FACILITY CLASS, ******/
/************ PERMIT ACCESS TO IBMUSER  ***************/
RDEFINE +
    FACILITY BPX.FILEATTR.APF +
    UACC(NONE)
RDEFINE +
    FACILITY BPX.FILEATTR.PROGCTL +
    UACC(NONE)
RDEFINE +
    FACILITY BPX.FILEATTR.SHARELIB +
    UACC(NONE)
RDEFINE +
    UNIXPRIV +
    SUPERUSER.FILESYS.PFSCTL +
    UACC(NONE)
PE +
    BPX.FILEATTR.APF +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(READ)
PE +
    BPX.FILEATTR.PROGCTL +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(READ)
PE +
    BPX.FILEATTR.SHARELIB +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(READ)
PE +
    SUPERUSER.FILESYS.PFSCTL +
    CLASS(UNIXPRIV) +
    ID(IBMUSER) +
    ACC(READ)
/******* END DEFINING DIFFERENT FACILITY CLASS, ********/
/*******************************************************/
/*********** BEGIN NEW SMP/E FACILITY CLASS  ***********/
RDEFINE +
    FACILITY +
    GIM.CMD.* +
    UACC(NONE)
PERMIT +
    GIM.CMD.* +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(READ)
RDEFINE +
    FACILITY +
    GIM.PGM.* +
    UACC(NONE)
PERMIT +
    GIM.PGM.* +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(READ)
/*********** END NEW SMP/E FACILITY CLASS  ***********/
/****************************************************************/
/**** BEGIN DEFINE, PERMIT DIFFERENT FACILITY FOR LOGSTREAMS ****/
RDEFINE +
  FACILITY +
  MVSADMIN.LOGR +
  UACC(NONE)
RDEFINE +
  LOGSTRM +
  SYSPLEX.OPERLOG +
  UACC(NONE)
  RDEFINE +
  LOGSTRM +
  SYSPLEX.LOGREC.ALLRECS +
  UACC(NONE)
PE +
  MVSADMIN.LOGR +
  CLASS(FACILITY) +
  ID(IBMUSER) +
  ACC(UPDATE)
PE +
  SYSPLEX.OPERLOG +
  CLASS(LOGSTRM) +
  ID(IBMUSER) +
  ACC(ALTER)
PE +
  SYSPLEX.LOGREC.ALLRECS +
  CLASS(LOGSTRM) +
  ID(IBMUSER) +
  ACC(ALTER)
/****  END DEFINE, PERMIT DIFFERENT FACILITY FOR LOGSTREAMS  ****/
/****************************************************************/
/*****  BEGIN DIGITAL CERTIFICATE DEFINITIONS AND PERMITS  *****/
/* FOR SAF GENCERT AND EXPORT REQUESTS WHERE THE APPLICATION HAS READ AND  */
/* UPDATE ACCESS, SUBSEQUENT ACCESS  CHECKS ARE PERFORMED AGAINST THE    */
/* IRR.DIGTCERT.FUNCTION FACILITY      */
/* RESOURCES.                          */
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.ADD +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.ADDRING +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.ALTER +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.ALTMAP +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.CONNECT +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.DELETE +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.DELMAP +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.DELRING +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.EXPORT +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.EXPORTKEY +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.GENCERT +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.GENREQ +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.LIST +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.LISTMAP +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.LISTRING +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.MAP +
    UACC(NONE)
RDEFINE +
    FACILITY +
    IRR.DIGTCERT.REMOVE +
    UACC(NONE)
PE +
    IRR.DIGTCERT.ADD +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.ADD +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
PE +
    IRR.DIGTCERT.ADDRING +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.ADDRING +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(UPDATE)
PE +
    IRR.DIGTCERT.ALTER +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.ALTER +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
PE +
    IRR.DIGTCERT.ALTMAP +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.ALTMAP +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(UPDATE)
PE +
    IRR.DIGTCERT.CONNECT +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.CONNECT +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
PE +
    IRR.DIGTCERT.DELETE +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.DELETE +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
PE +
    IRR.DIGTCERT.DELMAP +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.DELMAP +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(UPDATE)
PE +
    IRR.DIGTCERT.DELRING +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.DELRING +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(UPDATE)
PE +
    IRR.DIGTCERT.EXPORT +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.EXPORT +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
PE +
    IRR.DIGTCERT.EXPORTKEY  +
    CLASS(FACILITY) +
    ID(*)  +
    ACC(READ)
PE +
    IRR.DIGTCERT.EXPORTKEY +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
PE +
    IRR.DIGTCERT.GENCERT +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.GENCERT +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
PE +
    IRR.DIGTCERT.GENREQ +
    CLASS(FACILITY)+
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.GENREQ +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
PE +
    IRR.DIGTCERT.LIST +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.LIST +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
PE +
    IRR.DIGTCERT.LISTMAP +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.LISTMAP +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(UPDATE)
PE +
    IRR.DIGTCERT.LISTRING +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.LISTRING +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(UPDATE)
PE +
    IRR.DIGTCERT.MAP +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.MAP +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(UPDATE)
PE +
    IRR.DIGTCERT.REMOVE +
    CLASS(FACILITY) +
    ID(*) +
    ACC(READ)
PE +
    IRR.DIGTCERT.REMOVE +
    CLASS(FACILITY) +
    ID(IBMUSER) +
    ACC(CONTROL)
/********  END DIGITAL CERTIFICATE DEFINITIONS AND PERMITS  *******/
/******************************************************************/
/**************  REFRESH THE AFFECTED RACF CLASSES  ***************/
SETROPTS RACLIST(FACILITY  +
           DIGTCERT  +
           DIGTCRIT  +
           DIGTRING  +
           LOGSTRM   +
           STARTED   +
           UNIXPRIV) +
     REFRESH
/**DEFINE STARTED TASK PROFILES AND ACTIVATING CIMS CLASS FOR IMS IVP**/
/********* REFRESH ALL THE IMPACTED PROFILES  ********/
SETROPTS +
   RACLIST(STARTED FACILITY LOGSTRM) +
   REFRESH
SETROPTS +
   GENERIC(DATASET STARTED) +
   REFRESH
%%

 

Resolution

Translation of RACF commands

 IBM Generated RACF Definitions – Fault Analyzer
//*    THIS JOB CREATES RACF DATASET PROFILES
//*
//*    DEFAULT USERID IBMUSER MUST BE CHANGED BEFORE THE JOB IS
//*    SUBMITTED.
//*
//* IMPORTANT:
//*    THE USERID THAT RUNS THIS JOB MUST HAVE SPECIAL AUTHORITY.
//*
//*    RACF PROFILES NEEDED TO SET UP z/OSMF ARE ADDED IN COMMENTS.
//*    IF YOU PLAN TO COPY RACF DATABASE USING OPTIONAL JOB HRF77C0C,
//*    YOU MAY UNCOMMENT z/OSMF PROFILES BEFORE RUNNING THE JOB.
//*    THIS WILL ENABLE YOU TO START z/OSMF SERVER FROM FIRST IPL. ALSO
//*    REVIEW OTHER INSTRUCTIONS UNDER z/OSMF SET UP SECTION OF IYO FOR
//*    INSTRUCTIONS TO SET UP z/OSMF BEFORE FIRST IPL.
//*
//RACFDRV  EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTERM  DD  DUMMY
//SYSTSIN  DD  *,DLM='%%'
/* THE IRRDPI00 COMMAND BUILDS A 'DYNAMIC' TABLE FOR PARSING   */
/* SEGMENT-RELATED  KEYWORDS.    */
RDEFINE +
 FACILITY IRRDPI00 +
 UACC(NONE)


TSS Equivalent:


TSS ADD(dept) IBMFAC(IRRDPI00) 


PE +
 IRRDPI00 +
 CLASS(FACILITY) +
 ID(IBMUSER) +
 ACC(READ)


TSS Equivalent::

TSS PERMIT(IBMUSER) IBMFAC(IRRDPI00) ACCESS(READ)



SETROPTS +
 REFRESH +
 RACLIST(FACILITY)
SETROPTS  +
 GENERIC(DATASET STARTED) +
 GENCMD(DATASET STARTED) +
 CLASSACT(DIGTRING  +
          DIGTCERT  +
          DIGTCRIT  +
          FACILITY  +
          LOGSTRM   +
          UNIXPRIV  +
          STARTED)  +
 RACLIST(DIGTCERT  +
         DIGTCRIT  +
         DIGTRING  +
         FACILITY  +
         UNIXPRIV  +
         LOGSTRM   +
         STARTED)


TSS Equivalent:

No TSS equivalent.





/* THE RACDCERT COMMAND INSTALLS   AND MAINTAINS DIGITAL CERTIFICATES */
/* KEY RINGS AND DIGITAL CERTIFICATE  MAPPINGS IN RACF     */
RACDCERT +
 CERTAUTH +
 ALTER( +
 LABEL('Verisign Class 3 Primary CA')) +
 TRUST


TSS Equivalent:


Note: The above RACF command is for the Verisign certificate to have TRUST so it is assumed that the certificate was already added to CERTAUTH without TRUST and needs to be changed to TRUST.

The TSS command is:

TSS REPLACE(CERTAUTH) LABLCERT('Verisign Class 3 Primary CA') TRUST


If the Verisign certificate was not already added to CERTAUTH then use the following TSS Command to ADD the certificate once it is downloaded from Verisign website:

You should have the certificate in a DCDSN.


TSS ADD(CERTAUTH) DIGICERT(Digicert_name),LABLCERT('Verisign Class 3 Primary CA') DCDSN(dataset.of.cert) TRUST 





RACDCERT +
 ADDRING(SecureFTPKeyRing) +
 ID(IBMUSER)



TSS Equivalent:

TSS ADD(IBMUSER) KEYRING(8-bite ring name) LABLRING(SecureFTPKeyRing)





RACDCERT +
 CONNECT +
 (CERTAUTH +
 RING(SecureFTPKeyRing) +
 LABEL('Verisign Class 3 Primary CA') +
 USAGE(CERTAUTH)) +
 ID(IBMUSER)


TSS Equivalent:


TSS ADD(IBMUSER) KEYRING(8-bite ring name) RINGDATA(CERTAUTH,Digicert_name) USAGE(CERTAUTH)


Where Digicert_name is the Digicert name used in the DIGICERT keyword when the certificate was added to CERTAUTH





SETROPTS  +
 RACLIST(DIGTCERT +
         DIGTCRIT +
         DIGTRING  +
         FACILITY  +
         LOGSTRM   +
         STARTED)  +
 REFRESH
%%



TSS Equivalent:

No TSS equivalent.


//*
//IRRDPI00 EXEC PGM=IKJEFT1B,REGION=1M,PARM='IRRDPI00 UPDATE'
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSUT1   DD DSN=SYS1.SAMPLIB(IRRDPSDS),DISP=SHR
//SYSTSIN  DD DUMMY
//*
//RACFPRF2 EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTERM  DD  DUMMY
//SYSTSIN  DD  *,DLM='%%'
 PROF MSGID WTPMSG
/************ SETROPTS COMMAND SETS SYSTEM-WIDE RACF ************/
/************ OPTIONS RELATED TO RESOURCE PROTECTION ************/
SETROPTS +
  GENERIC(DATASET STARTED) +
  GENCMD(DATASET STARTED) +
  CLASSACT(FACILITY +
           LOGSTRM) +
  RACLIST(FACILITY)


TSS Equivalent:

No TSS equivalent.




/***********  BEGIN SETUP FOR ZFS FILE SYSTEMS  **********/
/** SPECIFIES Z/OS UNIX SYSTEM  SERVICES INFORMATION FOR THE **/
/** GROUP BEING DEFINED TO RACF  **/
ADDGROUP +
 DFSGRP  +
 SUPGROUP(SYS1) +
 OMVS(GID(3))
ADDGROUP +
 ZFSGRP  +
 SUPGROUP(SYS1) +
 OMVS(GID(4))
ADDUSER +
 DFS +
 DFLTGRP(DFSGRP) +
 AUTHORITY(CREATE) +
 OMVS(HOME(/opt/dfslocal/home/dfscntl) UID(0)) +
 UACC(NONE)
ADDUSER +
 ZFS +
 DFLTGRP(ZFSGRP) +
 AUTHORITY(CREATE) +
 OMVS(UID(0)      +
 HOME('/opt/dfslocal/home/dfscntl'))
RDEFINE +
 STARTED +
 DFS.* +
 STDATA(USER(DFS))
RDEFINE +
 STARTED +
 DFSCM.* +
 STDATA(USER(DFS))
RDEFINE +
 STARTED +
 ZFS.* +
 STDATA(USER(ZFS))
CONNECT  +
  ZFS   +
  GROUP(DFSGRP) +
  AUTH(CREATE)



TSS Equivalent:

TSS CRE(DFSGRP) TYPE(GROUP) DEPT(dept) NAME('DFSGRP group')                      
TSS ADD(DFSGRP) GID(3) 
TSS CRE(ZFSGRP) TYPE(GROUP) DEPT(dept) NAME('ZFSGRP group')                      
TSS ADD(ZFSGRP) GID(4)
TSS CRE(DFS) TYPE(USER) NAME(?DFS user?) DEPT(dept) PASS(xxxx,0)
TSS ADD(DFS) GROUP(DFSGRP) DFLTGRP(DFSGRP) UID(0) HOME(/opt/dfslocal/home/dfscntl)
TSS CRE(ZFS) TYPE(USER) NAME(?ZFS user?) DEPT(dept) PASS(xxxx,0)
TSS ADD(ZFS) GROUP(ZFSGRP) DFLTGRP(ZFSGRP) UID(0) HOME(/opt/dfslocal/home/dfscntl)
TSS ADD(STC) PROCNAME(DFS) ACID(DFS)
TSS ADD(STC) PROCNAME(DFSCM) ACID(DFS)
TSS ADD(STC) PROCNAME(ZFS) ACID(DFS)
TSS ADD(ZFS) GROUP(DFSGRP)
TSS MODI OMVSTABS




/************** END SETUP FOR ZFS FILE SYSTEM ***************/
/*****************  PERMIT ACCESS TO BPX FACILITY  ******************/
PE +
  BPX.DAEMON +
  CLASS(FACILITY) +
  ID(SYS1) +
  ACC(READ)
PE +
  BPX.DAEMON +
  CLASS(FACILITY) +
  ID(IBMUSER) +
  ACCESS(READ)



TSS Equivalent:

TSS ADD(dept) IBMFAC(BPX.)
TSS PERMIT(SYS1) IBMFAC(BPX.DAEMON) ACCESS(READ)
TSS PERMIT(IBMUSER) IBMFAC(BPX.DAEMON) ACCESS(READ)





/***************  DEFINE TTY, UUCPG AND UUCP GROUPS  ****************/
ADDGROUP +
 TTY  +
 OMVS(GID(2))
ADDGROUP +
 UUCPG +
 OMVS(GID(8765))
ADDUSER +
 UUCP +
 DFLTGRP(UUCPG) +
 OMVS(UID(396) +
 HOME('/usr/spool/uucppublic') +
 PROGRAM('/bin/sh'))


TSS Equivalent:

TSS CRE(TTY) TYPE(GROUP) DEPT(dept) NAME(?TTY group?)                      
TSS ADD(TTY) GID(2) 
TSS CRE(UUCPG) TYPE(GROUP) DEPT(dept) NAME(?UUCPG group?)                     
TSS ADD(UUCPG) GID(8765) 
TSS CRE(UUCP) TYPE(USER) DEPT(dept) NAME(?UUCP user?) PASS(xxxx,0)                 
TSS ADD(UUCP) UID(396) GROUP(UUCPG) DFLTGRP(UUCPG) HOME(/usr/spool/uucppublic) OMVSPGM(/bin/sh)
TSS MODI OMVSTABS




/********** SET UID(0), HOME DIRECTORY AND **********/
/********** PROGRAM DIRECTORY FOR IBMUSER  **********/
ALTUSER +
  IBMUSER +
  OMVS(UID(0) +
  HOME('/') +
  PROGRAM('/bin/sh'))



TSS Equivalent:

TSS ADD(IBMUSER) UID(0) HOME(/) OMVSPGM(/bin/sh)
TSS MODI OMVSTABS




/****** BEGIN DEFINING DIFFERENT FACILITY CLASS, ******/
/************ PERMIT ACCESS TO IBMUSER  ***************/

RDEFINE +
   FACILITY BPX.FILEATTR.APF +
   UACC(NONE)
RDEFINE +
   FACILITY BPX.FILEATTR.PROGCTL +
   UACC(NONE)
RDEFINE +
   FACILITY BPX.FILEATTR.SHARELIB +
   UACC(NONE)
RDEFINE +
   UNIXPRIV +
   SUPERUSER.FILESYS.PFSCTL +
   UACC(NONE)
PE +
   BPX.FILEATTR.APF +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(READ)
PE +
   BPX.FILEATTR.PROGCTL +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(READ)
PE +
   BPX.FILEATTR.SHARELIB +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(READ)
PE +
   SUPERUSER.FILESYS.PFSCTL +
   CLASS(UNIXPRIV) +
   ID(IBMUSER) +
   ACC(READ)


TSS Equivalent:

The TSS ADD(dept) IBMFAC(BPX.) command earlier defined BPX.FILEATTR.APF, BPX.FILEATTR.PROGCTL, and 

BPX.FILEATTR.SHARELIB.



TSS ADD(dept) UNIXPRIV(SUPERUSE)
TSS PER(IBMUSER) IBMFAC(BPX.FILEATTR.APF) ACC(READ)
TSS PER(IBMUSER) IBMFAC(BPX.FILEATTR.PROGCTL) ACC(READ)
TSS PER(IBMUSER) IBMFAC(BPX.FILEATTR.SHARELIB) ACC(READ)
TSS PER(IBMUSER) UNIXPRIV(SUPERUSER.FILESYS.PFSCTL) ACC(READ)




/******* END DEFINING DIFFERENT FACILITY CLASS, ********/
/*******************************************************/
/*********** BEGIN NEW SMP/E FACILITY CLASS  ***********/

RDEFINE +
   FACILITY +
   GIM.CMD.* +
   UACC(NONE)
PERMIT +
   GIM.CMD.* +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(READ)
RDEFINE +
   FACILITY +
   GIM.PGM.* +
   UACC(NONE)
PERMIT +
   GIM.PGM.* +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(READ)



TSS Equivalent:


TSS ADD(dept) IBMFAC(GIM.)
TSS PERMIT(IBMUSER) IBMFAC(GIM.CMD.) ACCESS(READ)
TSS PERMIT(IBMUSER) IBMFAC(GIM.PGM.) ACCESS(READ)



/*********** END NEW SMP/E FACILITY CLASS  ***********/
/****************************************************************/
/**** BEGIN DEFINE, PERMIT DIFFERENT FACILITY FOR LOGSTREAMS ****/
RDEFINE +
 FACILITY +
 MVSADMIN.LOGR +
 UACC(NONE)
RDEFINE +
 LOGSTRM +
 SYSPLEX.OPERLOG +
 UACC(NONE)
 RDEFINE +
 LOGSTRM +
 SYSPLEX.LOGREC.ALLRECS +
 UACC(NONE)
PE +
 MVSADMIN.LOGR +
 CLASS(FACILITY) +
 ID(IBMUSER) +
 ACC(UPDATE)
PE +
 SYSPLEX.OPERLOG +
 CLASS(LOGSTRM) +
 ID(IBMUSER) +
 ACC(ALTER)
PE +
 SYSPLEX.LOGREC.ALLRECS +
 CLASS(LOGSTRM) +
 ID(IBMUSER) +
 ACC(ALTER)



TSS Equivalent:

TSS ADD(dept) IBMFAC(MVSADMIN)
TSS ADD(dept) LOGSTRM(SYSPLEX.)

TSS PER(IBMUSER) IBMFAC(MVSADMIN.LOGR) ACC(UPDATE)
TSS PER(IBMUSER) LOGSTRM(SYSPLEX.OPERLOG) ACC(ALL)
TSS PER(IBMUSER) LOGSTRM(SYSPLEX.LOGREC.ALLRECS) ACC(ALL)




/****  END DEFINE, PERMIT DIFFERENT FACILITY FOR LOGSTREAMS  ****/
/****************************************************************/
/*****  BEGIN DIGITAL CERTIFICATE DEFINITIONS AND PERMITS  *****/
/* FOR SAF GENCERT AND EXPORT REQUESTS WHERE THE APPLICATION HAS READ AND  */
/* UPDATE ACCESS, SUBSEQUENT ACCESS  CHECKS ARE PERFORMED AGAINST THE    */
/* IRR.DIGTCERT.FUNCTION FACILITY      */
/* RESOURCES.                          */

RDEFINE +
   FACILITY +
   IRR.DIGTCERT.ADD +
   UACC(NONE)
RDEFINE +
  FACILITY +
   IRR.DIGTCERT.ADDRING +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.ALTER +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.ALTMAP +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.CONNECT +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.DELETE +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.DELMAP +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.DELRING +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.EXPORT +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.EXPORTKEY +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.GENCERT +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.GENREQ +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.LIST +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.LISTMAP +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.LISTRING +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.MAP +
   UACC(NONE)
RDEFINE +
   FACILITY +
   IRR.DIGTCERT.REMOVE +
   UACC(NONE)
PE +
   IRR.DIGTCERT.ADD +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.ADD +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(CONTROL)
PE +
   IRR.DIGTCERT.ADDRING +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.ADDRING +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(UPDATE)
PE +
   IRR.DIGTCERT.ALTER +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.ALTER +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(CONTROL)
PE +
   IRR.DIGTCERT.ALTMAP +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.ALTMAP +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(UPDATE)
PE +
   IRR.DIGTCERT.CONNECT +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.CONNECT +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(CONTROL)
PE +
   IRR.DIGTCERT.DELETE +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.DELETE +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(CONTROL)
PE +
   IRR.DIGTCERT.DELMAP +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.DELMAP +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(UPDATE)
PE +
   IRR.DIGTCERT.DELRING +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.DELRING +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(UPDATE)
PE +
   IRR.DIGTCERT.EXPORT +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.EXPORT +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(CONTROL)
PE +
   IRR.DIGTCERT.EXPORTKEY  +
   CLASS(FACILITY) +
   ID(*)  +
   ACC(READ)
PE +
   IRR.DIGTCERT.EXPORTKEY +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(CONTROL)
PE +
   IRR.DIGTCERT.GENCERT +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.GENCERT +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(CONTROL)
PE +
   IRR.DIGTCERT.GENREQ +
   CLASS(FACILITY)+
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.GENREQ +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(CONTROL)
PE +
   IRR.DIGTCERT.LIST +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.LIST +
   CLASS(FACILITY) +
   ID(IBMUSER) +
  ACC(CONTROL)
PE +
   IRR.DIGTCERT.LISTMAP +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.LISTMAP +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(UPDATE)
PE +
   IRR.DIGTCERT.LISTRING +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.LISTRING +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(UPDATE)
PE +
   IRR.DIGTCERT.MAP +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.MAP +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(UPDATE)
PE +
   IRR.DIGTCERT.REMOVE +
   CLASS(FACILITY) +
   ID(*) +
   ACC(READ)
PE +
   IRR.DIGTCERT.REMOVE +
   CLASS(FACILITY) +
   ID(IBMUSER) +
   ACC(CONTROL)


TSS Equivalent:

TSS ADD(dept) IBMFAC(IRR.DIGT)

TSS PER(ALL) IBMFAC(IRR.DIGTCERT.ADD) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.ADD) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.ADDRING) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.ADDRING) ACC(UPDATE)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.ALTER) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.ALTER) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.ALTMAP) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.ALTMAP) ACC(UPDATE)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.CONNECT) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.CONNECT) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.DELETE) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.DELETE) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.DELMAP) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.DELMAP) ACC(UPDATE)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.DELRING) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.DELRING) ACC(UPDATE)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.EXPORT) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.EXPORT) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.EXPORTKEY) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.EXPORTKEY) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.GENREQ) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.GENREQ) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.LIST) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.LIST) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.LISTMAP) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.LISTMAP) ACC(UPDATE)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.MAP) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.MAP) ACC(CONTROL)
TSS PER(ALL) IBMFAC(IRR.DIGTCERT.REMOVE) ACC(READ)
TSS PER(IBMUSER) IBMFAC(IRR.DIGTCERT.REMOVE) ACC(CONTROL)


/********  END DIGITAL CERTIFICATE DEFINITIONS AND PERMITS  *******/
/******************************************************************/
/**************  REFRESH THE AFFECTED RACF CLASSES  ***************/
SETROPTS RACLIST(FACILITY  +
          DIGTCERT  +
          DIGTCRIT  +
          DIGTRING  +
          LOGSTRM   +
          STARTED   +
          UNIXPRIV) +
    REFRESH
/**DEFINE STARTED TASK PROFILES AND ACTIVATING CIMS CLASS FOR IMS IVP**/
/********* REFRESH ALL THE IMPACTED PROFILES  ********/
SETROPTS +
  RACLIST(STARTED FACILITY LOGSTRM) +
  REFRESH
SETROPTS +
  GENERIC(DATASET STARTED) +
  REFRESH
%%



TSS Equivalent:

No TSS equivalent.