Installing z/OSMF in z/OS v 2.3.
The job IZUSEC contains the RACF commands to create a security setup for the z/OSMF Server.
The following link contains the translation of the RACF commands to Top Secret commands but it was created for z/OS 2.4 systems.
https://knowledge.broadcom.com/external/article/95769/convert-zos-24-member-izusec-from-racf-t.html
This article translates the RACF commands provided by the job IZUSEC for z/OS 2.3 environments.
Release : 16.0
This is the IZUSEC version containing both the RACF commands and their TSS equivalents for z/OS 2.3. Each RACF command is followed by the corresponding TSS command; where a RACF command (for example a SETROPTS CLASSACT or RACLIST) has no TSS counterpart, a comment says so. The placeholders owningacid, dept, GID(?) and UID(?) must be replaced with values for your installation.
//IZUCORE JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX
//********************************************************************
//* PROPRIETARY STATEMENT: *
//* Licensed Materials - Property of IBM *
//* 5650-ZOS Copyright IBM Corp. 2015, 2018 *
//* *
//* STATUS=HSMA230 *
//* *
//* DESCRIPTIVE NAME: *
//* z/OSMF SERVER default security setup *
//* *
//* The JCL contains the security setup for z/OSMF server. *
//* You can customize this JCL to create a security setup *
//* for the z/OSMF Server as you wish. *
//* *
//* NOTE: Step V2R3 is added to job IZUSEC in this release. *
//* This step contains the profiles which are new in z/OS *
//* V2R3. If you have previously installed and configured *
//* z/OSMF, step V2R3 is the only step you need to run. *
//* *
//********************************************************************
//* *
//* This job must be run using a user ID that has the RACF SPECIAL *
//* attribute. *
//* *
//* This job assumes that the BPX.NEXT.USER profile has been *
//* defined in the FACILITY class to enable the use of AUTOUID *
//* and AUTOGID. See the topic "Automatically assigning unique *
//* IDs through UNIX services" in z/OS Security Server RACF *
//* Security Administrator's Guide for additional information *
//* about automatic UID and GID assignment. If this function has *
//* not been enabled, you must assign unique UIDs to the IZUSVR *
//* and IZUGUEST user IDs, and unique GIDs to the groups *
//* IZUADMIN, IZUSECAD, IZUUSER, and IZUUNGRP. *
//* *
//********************************************************************
//*
//* This step sets up z/OSMF core security settings.
//*
//STEP1 EXEC PGM=IKJEFT01
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
/* Begin "Core" Setup */
/* */
/* This commented section contains the CLASS activation commands. */
/* Ensure the following classes are active before executing this */
/* script or creating profiles in these classes. */
/* */
/* Activate and RACLIST the APPL class */
/*SETROPTS CLASSACT(APPL) */
/* Not needed. No equivalent in TSS */
/*SETROPTS RACLIST(APPL) GENERIC(APPL) */
/* Not needed. No equivalent in TSS */
/* */
/* Activate and RACLIST the EJBROLE class */
/*SETROPTS CLASSACT(EJBROLE) */
/* Not needed. No equivalent in TSS */
/*SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE) */
/* Not needed. No equivalent in TSS */
/* */
/* Activate and RACLIST the FACILITY class */
/*SETROPTS CLASSACT(FACILITY) */
/* Not needed. No equivalent in TSS */
/*SETROPTS RACLIST(FACILITY) */
/* Not needed. No equivalent in TSS */
/* */
/* Activate and RACLIST the SERVER class */
/*SETROPTS CLASSACT(SERVER) */
/* Not needed. No equivalent in TSS */
/*SETROPTS RACLIST(SERVER) */
/* Not needed. No equivalent in TSS */
/* */
/* Activate and RACLIST the SERVAUTH class */
/*SETROPTS CLASSACT(SERVAUTH) */
/* Not needed. No equivalent in TSS */
/*SETROPTS RACLIST(SERVAUTH) GENERIC(SERVAUTH) */
/* Not needed. No equivalent in TSS */
/* */
/* Activate and RACLIST the STARTED class */
/*SETROPTS CLASSACT(STARTED) */
/* Not needed. No equivalent in TSS */
/*SETROPTS RACLIST(STARTED) GENERIC(STARTED) */
/* Not needed. No equivalent in TSS */
/* */
/* Activate and RACLIST the ZMFAPLA class */
/*SETROPTS CLASSACT(ZMFAPLA) */
/* Not needed. No equivalent in TSS */
/*SETROPTS RACLIST(ZMFAPLA) GENERIC(ZMFAPLA) */
/* Not needed. No equivalent in TSS */
/* */
/* Activate the ACCTNUM class */
/*SETROPTS CLASSACT(ACCTNUM) */
/* Not needed. No equivalent in TSS */
/* Activate the TSOPROC class */
/*SETROPTS CLASSACT(TSOPROC) */
/* Not needed. No equivalent in TSS */
/* Refresh the ACCTNUM class */
/* SETROPTS RACLIST(ACCTNUM) REFRESH */
/* Not needed. No equivalent in TSS */
/* Refresh the TSOPROC class */
/* SETROPTS RACLIST(TSOPROC) REFRESH */
/* Not needed. No equivalent in TSS */
/* */
/* Activate the TSOAUTH class */
SETROPTS CLASSACT(TSOAUTH)
/* Not needed. No equivalent in TSS */
/* Refresh the TSOAUTH class */
SETROPTS RACLIST(TSOAUTH)
/* Not needed. No equivalent in TSS */
/* */
/* Activate the OPERCMDS class */
SETROPTS CLASSACT(OPERCMDS)
/* Not needed. No equivalent in TSS */
/* Refresh the OPERCMDS class */
SETROPTS RACLIST(OPERCMDS)
/* Not needed. No equivalent in TSS */
/* Create the z/OSMF Administrators group */
ADDGROUP IZUADMIN OMVS(AUTOGID)
TSS CRE(IZUADMGP) NAME('IZUADMIN GROUP') TYPE(GROUP) DEPT(dept)
TSS ADD(IZUADMGP) GID(?)
TSS CRE(IZUADMIN) NAME('IZUADMIN PROFILE') TYPE(PROFILE) DEPT(dept)
/* The following command adds IZUADMIN as a profile and IZUADMGP as a */
/* group to a user acid. See the following article: */
/* https://knowledge.broadcom.com/external/article?articleId=103502 */
/* Example: TSS ADD(acid) PROFILE(IZUADMIN,IZUADMGP) */
/* Create the z/OSMF Users group */
ADDGROUP IZUUSER OMVS(AUTOGID)
TSS CRE(IZUUSRGP) NAME('IZUUSER GROUP') TYPE(GROUP) DEPT(dept)
TSS ADD(IZUUSRGP) GID(?)
TSS CRE(IZUUSER) NAME('IZUUSER PROFILE') TYPE(PROFILE) DEPT(dept)
/* The following command adds IZUUSER as a profile and IZUUSRGP as a */
/* group to a user acid. See the following article: */
/* https://knowledge.broadcom.com/external/article?articleId=103502 */
/* Example: TSS ADD(acid) PROFILE(IZUUSER,IZUUSRGP) */
/* Create the z/OSMF Unauthenticated group */
ADDGROUP IZUUNGRP OMVS(AUTOGID)
TSS CRE(IZUUNAGP) NAME('zOSMF Unauthenticated USERID Group') TYPE(GROUP) DEPT(dept)
TSS ADD(IZUUNAGP) GID(?)
TSS CRE(IZUUNGRP) NAME('IZUUNGRP PROFILE') TYPE(PROFILE) DEPT(dept)
/* The following command adds IZUUNGRP as a profile and IZUUNAGP as a */
/* group to a user acid. See the following article: */
/* https://knowledge.broadcom.com/external/article?articleId=103502 */
/* Example: TSS ADD(acid) PROFILE(IZUUNGRP,IZUUNAGP) */
/* Create the started task USERID for the z/OSMF Server */
/* Note: The HOME directory will be created by the IZUMKFS */
/* sample job. */
ADDUSER IZUSVR DFLTGRP(IZUADMIN) OMVS(AUTOUID +
HOME(/global/zosmf/data/home/izusvr) +
PROGRAM(/bin/sh)) NAME('zOSMF Started Task USERID') +
NOPASSWORD
TSS CRE(IZUSVR) NAME('zOSMF Started Task USERID') TYPE(USER) -
DEPT(dept) PASS(NOPW,0) FAC(STC)
TSS ADD(IZUSVR) GROUP(IZUADMGP) DFLTGRP(IZUADMGP) UID(?) -
HOME(/var/zosmf/data/home/izusvr) OMVSPGM(/bin/sh) FAC(ZOSMF)
/* Change concurrent open file number for started task USERID */
ALTUSER IZUSVR OMVS(FILEPROC(10000))
TSS ADD(IZUSVR) OEFILEP(10000)
/* Create the z/OSMF unauthenticated USERID */
ADDUSER IZUGUEST RESTRICTED DFLTGRP(IZUUNGRP) OMVS(AUTOUID) +
NAME('zOSMF Unauthenticated USERID') NOPASSWORD
TSS CRE(IZUGUEST) NAME(IZUGUEST) TYPE(USER) DEPT(dept) PASS(NOPW,0)
TSS ADD(IZUGUEST) UID(?) OMVSPGM('/bin/sh') -
HOME('/u/izuguest') DFLTGRP(IZUUNAGP) GROUP(IZUUNAGP) FAC(ZOSMF)
/* Define the STARTED profiles for the z/OSMF server */
RDEFINE STARTED IZUSVR1.* UACC(NONE) STDATA(USER(IZUSVR) +
GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
TSS ADD(STC) PROCNAME(IZUSVR1) ACID(IZUSVR)
RDEFINE STARTED IZUANG1.* UACC(NONE) STDATA(USER(IZUSVR) +
GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
TSS ADD(STC) PROCNAME(IZUANG1) ACID(IZUSVR)
/* Define the APPL profile for the z/OSMF server */
RDEFINE APPL IZUDFLT UACC(NONE)
TSS ADD(owningacid) APPL(IZUDFLT)
/* Define the SERVER profiles for the z/OSMF server */
RDEFINE SERVER BBG.SECPFX.IZUDFLT UACC(NONE)
RDEFINE SERVER BBG.ANGEL UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
TSS ADD(owningacid) SERVER(BBG)
/* Permit the z/OSMF unauthenticated USERID access */
PERMIT IZUDFLT CLASS(APPL) ID(IZUGUEST) ACCESS(READ)
TSS PER(IZUGUEST) APPL(IZUDFLT) ACC(READ)
/* Permit the started task USERID access */
PERMIT BBG.SECPFX.IZUDFLT CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) SERVER(BBG.SECPFX.IZUDFLT) ACC(READ)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) SERVER(BBG.ANGEL) ACC(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM) ACC(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) +
ID(IZUSVR)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACC(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) +
ID(IZUSVR)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSWLM) ACC(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) +
ID(IZUSVR)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.TXRRS) ACC(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) +
ID(IZUSVR)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSDUMP) ACC(READ)
/* Define the BPX.CONSOLE profile to suppress the BPXM023I message */
/* prefix for console messages */
RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
TSS ADD(owningacid) IBMFAC(BPX.)
/* Permit the started task USERID access */
PERMIT BPX.CONSOLE CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) IBMFAC(BPX.CONSOLE) ACC(READ)
/* Define the Sync-to-OS-thread FACILITY profile */
RDEFINE FACILITY BBG.SYNC.IZUDFLT UACC(NONE)
TSS ADD(owningacid) IBMFAC(BBG.)
/* Permit the started task USERID access */
PERMIT BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)
TSS PER(IZUSVR) IBMFAC(BBG.SYNC.IZUDFLT) ACC(CONTROL)
/* Define the FACILITY class profiles for working with digital */
/* certificates */
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
TSS ADD(owningacid) IBMFAC(IRR.)
/* Allow users of the z/OSMF Configuration Workflow to extract */
/* profile information */
RDEFINE FACILITY IRR.RADMIN.LISTUSER
RDEFINE FACILITY IRR.RADMIN.LISTGRP
RDEFINE FACILITY IRR.RADMIN.RLIST
RDEFINE FACILITY IRR.RADMIN.SETROPTS.LIST
/* Not needed. Done in the previous step. */
/* Permit the started task USERID access */
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) +
ACCESS(READ)
TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LIST) ACC(READ)
TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(READ)
/* Create the CA certificate for the z/OSMF server */
RACDCERT CERTAUTH GENCERT +
SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') +
OU('IZUDFLT')) WITHLABEL('zOSMFCA') +
TRUST NOTAFTER(DATE(2023/05/17))
TSS GENCERT(CERTAUTH) DIGICERT(ZOSMFCA) -
SUBJECTN('CN="z/OSMF CertAuth for Security Domain" OU="IZUDFLT"') -
LABLCERT('zOSMFCA') NADATE(05/17/23)
RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
TSS ADD(IZUSVR) KEYRING(IZUSVRKR) LABLRING('IZUKeyring.IZUDFLT')
/* Create the server certificate for the z/OSMF server */
/* Change HOST NAME in CN field into real local host name */
/* Usually the format of the host name is 'XXXX.XXX.XXX.XXX' */
RACDCERT ID( IZUSVR ) GENCERT SUBJECTSDN(CN('HOST NAME') +
O('IBM') OU('IZUDFLT')) WITHLABEL('DefaultzOSMFCert.IZUDFLT') +
SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2023/05/17))
TSS GENCERT(IZUSVR) DIGICERT(DEFOSMFC) -
SUBJECTN('CN="HOST NAME" OU="IZUDFLT" O="IBM"') -
LABLCERT('DefaultzOSMFCert.IZUDFLT') -
SIGNWITH(CERTAUTH,ZOSMFCA) -
NADATE(05/17/23)
RACDCERT ALTER(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR) TRUST
TSS ADD(IZUSVR) DIGICERT(DEFOSMFC) TRUST
RACDCERT ID( IZUSVR ) CONNECT (LABEL('DefaultzOSMFCert.IZUDFLT') +
RING(IZUKeyring.IZUDFLT) DEFAULT)
TSS ADD(IZUSVR) KEYRING(IZUSVRKR) LABLRING('IZUKeyring.IZUDFLT')
TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(IZUSVR,DEFOSMFC) -
USAGE(PERSONAL) DEFAULT
RACDCERT ID( IZUSVR ) CONNECT (LABEL('zOSMFCA') +
RING(IZUKeyring.IZUDFLT) CERTAUTH)
TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(CERTAUTH,ZOSMFCA) -
USAGE(CERTAUTH)
/* Assumption: SERVAUTH class is active */
/* SETROPTS GENERIC(SERVAUTH) */
/* Not needed. No equivalent in TSS */
/* Define the CEA resource profile required for z/OSMF server */
RDEFINE SERVAUTH CEA.CEATSO.* UACC(NONE)
TSS ADD(owningacid) SERVAUTH(CEA)
/* Define the Account Number resource profile for REST File API */
RDEFINE ACCTNUM IZUACCT UACC(NONE)
TSS ADD(owningacid) TSOACCT(IZUACCT)
/* Define the TSO Procedure resource profile for REST File API */
RDEFINE TSOPROC IZUFPROC UACC(NONE)
TSS ADD(owningacid) TSOPROC(IZUFPROC)
/* List-of-groups authority checking supplements the normal RACF */
/* access authority checking by allowing all groups of which a */
/* user ID is a member to enter into the access list checking */
/* process. Uncomment the following line to activate this. */
/* SETROPTS GRPLIST */
/* Not needed. No equivalent in TSS */
/* Create the z/OS Security Administrators group */
ADDGROUP IZUSECAD OMVS(AUTOGID)
TSS CRE(IZUSECGP) NAME('z/OS Security Administrators group') -
TYPE(GROUP) DEPT(dept)
TSS ADD(IZUSECGP) GID(?)
TSS CRE(IZUSECAD) NAME('z/OS Security Administrators PROFILE') -
TYPE(PROFILE) DEPT(dept)
/* The following command adds IZUSECAD as a profile and IZUSECGP as a */
/* group to a user acid. See the following article: */
/* https://knowledge.broadcom.com/external/article?articleId=103502 */
/* Example: TSS ADD(acid) PROFILE(IZUSECAD,IZUSECGP) */
/* Define the ZMFAPLA profile for the z/OSMF server */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF UACC(NONE)
TSS ADD(owningacid) ZMFAPLA(IZUDFLT)
/* The EJBROLE definitions are case-sensitive in RACF. Ensure you */
/* preserve case for these commands */
/* Assumption: EJBROLE is defined, activated, and raclisted. */
RDEFINE EJBROLE IZUDFLT.*.izuUsers UACC(NONE)
TSS ADD(owningacid) EJBROLE(IZUDFLT)
/* Define the z/OSMF Server profile */
RDEFINE SERVER BBG.SECCLASS.ZMFAPLA UACC(NONE)
TSS ADD(owningacid) SERVER(BBG)
/* Permit the started task USERID access */
PERMIT BBG.SECCLASS.ZMFAPLA CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFAPLA) ACC(READ)
/* Roles processing will permit the z/OSMF Server groups to the */
/* Application Server resources */
/* Assumption: APPL class has been defined, activated, raclisted. */
/* Permit the Administrators group to this profile */
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEATSO) ACC(READ)
/* Permit the Users group to this profile */
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) SERVAUTH(CEA.CEATSO) ACC(READ)
/* Permit the started task USERID to this profile */
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) SERVAUTH(CEA.CEATSO) ACC(READ)
/* Make changes effective */
SETROPTS RACLIST(SERVAUTH) REFRESH
/* Not needed. No equivalent in TSS */
/* Permit the Administrators group to these profiles */
PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) TSOACCT(IZUACCT) ACC(READ)
PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) TSOPROC(IZUFPROC) ACC(READ)
/* Permit the Users group to these profiles */
PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) TSOACCT(IZUACCT) ACC(READ)
PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) TSOPROC(IZUFPROC) ACC(READ)
/* Define console profile in class TSOAUTH to issue MVS commands */
/* via EMCS consoles */
RDEFINE TSOAUTH CONSOLE UACC(NONE)
TSS ADD(owningacid) TSOAUTH(CONSOLE)
/* Permit the Administrators group to these profiles */
PERMIT CONSOLE CLASS(TSOAUTH) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) TSOAUTH(CONSOLE) ACC(READ)
/* Permit the Users group to these profiles */
PERMIT CONSOLE CLASS(TSOAUTH) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) TSOAUTH(CONSOLE) ACC(READ)
/* Make changes effective */
SETROPTS RACLIST(TSOAUTH) REFRESH
/* Not needed. No equivalent in TSS */
/* Define MCS operator profile starting with prefix IZU@ */
RDEFINE OPERCMDS MVS.MCSOPER.IZU@* UACC(NONE)
TSS ADD(owningacid) OPERCMDS(MVS.)
/* Permit the Administrators group to these profiles */
PERMIT MVS.MCSOPER.IZU@* CLASS(OPERCMDS) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) OPERCMDS(MVS.MCSOPER.IZU) ACC(READ)
/* Permit the Users group to these profiles */
PERMIT MVS.MCSOPER.IZU@* CLASS(OPERCMDS) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) OPERCMDS(MVS.MCSOPER.IZU) ACC(READ)
/* Make changes effective */
SETROPTS RACLIST(OPERCMDS) REFRESH
/* Not needed. No equivalent in TSS */
/*If your installation uses hardware crypto in combination with */
/*ICSF, the use of various ICSF services might be restricted by */
/*your security policy. Some z/OSMF functions use these services. */
/*To use those functions if their use has been restricted by */
/*profiles in the CSFSERV class, the user ID assigned to the */
/*z/OSMF started task will need to be granted access to those */
/*profiles. The commands below will permit the started task user */
/*ID to use the necessary ICSF services. */
/*PERMIT CSFIQF CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFIQF) ACC(READ) */
/*encipher callable service */
/*PERMIT CSFENC CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFENC) ACC(READ) */
/*cryptographic variable encipher callable */
/*PERMIT CSFCVE CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFCVE) ACC(READ) */
/*decipher callable service */
/*PERMIT CSFDEC CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFDEC) ACC(READ) */
/*symmetric algorithm encipher callable service */
/*PERMIT CSFSAE CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFSAE) ACC(READ) */
/*symmetric algorithm decipher callable service */
/*PERMIT CSFSAD CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFSAD) ACC(READ) */
/*one-way hash generate callable service */
/*PERMIT CSFOWH CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFOWH) ACC(READ) */
/*random number generate callable service */
/*PERMIT CSFRNG CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFRNG) ACC(READ) */
/*random number generate long callable service */
/*PERMIT CSFRNGL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFRNGL) ACC(READ) */
/*PKA key generate callable service */
/*PERMIT CSFPKG CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFPKG) ACC(READ) */
/*digital signature generate service */
/*PERMIT CSFDSG CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFDSG) ACC(READ) */
/*digital signature verify callable service */
/*PERMIT CSFDSV CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFDSV) ACC(READ) */
/*PKA key token change callable service */
/*PERMIT CSFPKT CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFPKT) ACC(READ) */
/*retained key list callable service */
/*PERMIT CSFRKL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFRKL) ACC(READ) */
/*PKA Public Key Extract callable service */
/*PERMIT CSFPKX CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFPKX) ACC(READ) */
/*PKA encrypt callable service */
/*PERMIT CSFPKE CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFPKE) ACC(READ) */
/*PKA decrypt callable service */
/*PERMIT CSFPKD CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFPKD) ACC(READ) */
/*PKA key import callable service */
/*PERMIT CSFPKI CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFPKI) ACC(READ) */
/*multiple clear key import callable service */
/*PERMIT CSFCKM CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFCKM) ACC(READ) */
/*key generate callable service */
/*PERMIT CSFKGN CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFKGN) ACC(READ) */
/*ECC Diffie-Hellman callable service */
/*PERMIT CSFEDH CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*TSS PER(IZUSVR) CSFSERV(CSFEDH) ACC(READ) */
/*SETROPTS RACLIST(CSFSERV) REFRESH */
/* Not needed. No equivalent in TSS */
/* */
/* Profile Definitions for Core */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LOGGER UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT +
UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS +
UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.** UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY +
UACC(NONE)
TSS ADD(owningacid) ZMFAPLA(IZUDFLT)
/* Profile Definitions for "Workflow" */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS UACC(NONE)
/* Done in previous step */
/* Profile Definitions for "Workflow administrator role" */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.ADMIN UACC(NONE)
/* Done in previous step */
/* Profile Definitions for "z/OSMF notification" */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS UACC(NONE)
/* Done in previous step */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN UACC(NONE)
/* Done in previous step */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.MODIFY UACC(NONE)
/* Done in previous step */
/* End Core Setup */
/* */
/* Begin zOSMF User Role Setup */
/* */
PERMIT IZUDFLT CLASS(APPL) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) APPL(IZUDFLT) ACC(READ)
TSS PER(IZUUSER) EJBROLE(IZUDFLT.*.izuUsers) ACC(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
/* Permit definitions for Core */
PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUUSER) +
ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.LINK) ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUUSER) +
ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) -
ACC(READ)
/* Permit definitions for Workflow */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) -
ACC(READ)
/* Permit definitions for notification */
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.MODIFY CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.MODIFY) -
ACC(READ)
/* */
/* End zOSMF User Role Setup */
/* */
/* */
/* Begin zOSMF Administrator Role Setup */
/* */
PERMIT IZUDFLT CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) APPL(IZUDFLT) ACC(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) EJBROLE(IZUDFLT.*.izuUsers) ACC(READ)
PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
/* Permit definitions for Core */
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) -
ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LOGGER CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LOGGER) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) -
ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS +
CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) -
ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN) +
ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.LINK) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUADMIN) +
ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) -
ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) -
ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY) -
ACC(READ)
/* Permit definitions for Workflow */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) -
ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
/* Permit definitions for "Workflow administrator role" */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.ADMIN CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.ADMIN) -
ACC(READ)
/* Permit definitions for "z/OSMF notification" */
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) -
ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN) -
ACC(READ)
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.MODIFY CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.MODIFY) -
ACC(READ)
/* Permit the z/OSMF administrator access */
PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(IZUADMIN) +
ACCESS(READ)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTUSER) ACC(READ)
PERMIT IRR.RADMIN.LISTGRP CLASS(FACILITY) ID(IZUADMIN) +
ACCESS(READ)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTGRP) ACC(READ)
PERMIT IRR.RADMIN.RLIST CLASS(FACILITY) ID(IZUADMIN) +
ACCESS(READ)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.RLIST) ACC(READ)
PERMIT IRR.RADMIN.SETROPTS.LIST CLASS(FACILITY) ID(IZUADMIN) +
ACCESS(READ)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.SETROPTS.LIST) ACC(READ)
/* */
/* End zOSMF Administrator Role Setup */
/* */
/* */
/* Begin zOS Security Administrator Role Setup */
/* */
PERMIT IZUDFLT CLASS(APPL) ID(IZUSECAD) ACCESS(READ)
TSS PER(IZUSECAD) APPL(IZUDFLT) ACC(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUSECAD) ACCESS(READ)
TSS PER(IZUSECAD) EJBROLE(IZUDFLT.*.izuUsers) ACC(READ)
PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)
TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
/* Permit definitions for Workflow */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
ID(IZUSECAD) ACCESS(READ)
TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) -
ACC(READ)
/* */
/* End zOS Security Administrator Role Setup */
/* */
/*----------------------------------------------------------------*/
/* Begin Setup for API Discovery Swagger User Interface */
/*----------------------------------------------------------------*/
/* The API Discovery feature lets you view z/OSMF REST APIs in */
/* a Swagger User Interface. That feature uses the Liberty REST */
/* handler framework, which requires the following RACF resource */
/* permissions to allow all z/OSMF users to access the Swagger */
/* User Interface. */
RDEFINE EJBROLE +
IZUDFLT.com.ibm.ws.management.security.resource.+
allAuthenticatedUsers UACC(NONE)
PERMIT IZUDFLT.com.ibm.ws.management.security.resource.+
allAuthenticatedUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) -
EJBROLE(IZUDFLT.com.ibm.ws.management.security.resource.+
allAuthenticatedUsers) ACC(READ)
PERMIT IZUDFLT.com.ibm.ws.management.security.resource.+
allAuthenticatedUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) -
EJBROLE(IZUDFLT.com.ibm.ws.management.security.resource.+
allAuthenticatedUsers) ACC(READ)
/*----------------------------------------------------------------*/
/* End Setup for API Discovery Swagger User Interface */
/*----------------------------------------------------------------*/
/* Need to REFRESH these classes for Roles */
SETROPTS RACLIST(APPL) REFRESH
/* Not needed. No equivalent in TSS */
SETROPTS RACLIST(EJBROLE) REFRESH
/* Not needed. No equivalent in TSS */
SETROPTS RACLIST(ZMFAPLA) REFRESH
/* Not needed. No equivalent in TSS */
SETROPTS RACLIST(SERVER) REFRESH
/* Not needed. No equivalent in TSS */
SETROPTS RACLIST(STARTED) REFRESH
/* Not needed. No equivalent in TSS */
SETROPTS RACLIST(FACILITY) REFRESH
/* Not needed. No equivalent in TSS */
/* Connect the started task USERID to the CIM USER group */
CONNECT (IZUSVR) GROUP(CFZUSRGP)
TSS ADD(IZUSVR) PROFILE(CFZUSRGP)
/*
//V2R3 EXEC PGM=IKJEFT01
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
/* */
/* The V2R3 step contains the profiles which are added in V2R3 */
/* release */
/* Define the STARTED profiles for auto start function */
RDEFINE STARTED IZUINSTP.* UACC(NONE) STDATA(USER(IZUSVR) +
GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
TSS ADD(STC) PROCNAME(IZUINSTP) ACID(IZUSVR)
/* Define the CEA resource profile required for auto start */
/* function */
RDEFINE SERVAUTH CEA.SIGNAL.* UACC(NONE)
TSS ADD(owningacid) SERVAUTH(CEA)
/* Permit the started task USERID to this profile */
PERMIT CEA.SIGNAL.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) SERVAUTH(CEA.SIGNAL) ACC(READ)
/* Profile for general setting */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.GENERAL.SETTINGS UACC(NONE)
/* Done in previous step */
/* Permit the Administrators group to this profile */
PERMIT IZUDFLT.ZOSMF.GENERAL.SETTINGS CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.GENERAL.SETTINGS) -
ACC(READ)
/* Profile Definitions for "z/OSMF email function" */
RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
/* Done in previous step */
/* Permit the started task USERID to this profile */
PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(IZUSVR) ACC(READ)
TSS PER(IZUSVR) IBMFAC(IRR.RUSERMAP) ACC(READ)
/*----------------------------------------------------------------*/
/* Begin Setup for Discovery CPC function in Systems task */
/*----------------------------------------------------------------*/
/* Replace the <netid.nau> with the 3-17 character SNA name of */
/* the particular CPC. */
/* Replace the <uppercasecommunityname> with the SNMP community */
/* name that is associated with the CPC. */
/* Replace the <imagename> with the 1-8 character which */
/* represents LPAR name. */
/* */
/* RDEFINE FACILITY HWI.APPLNAME.HWISERV UACC(NONE) */
/* TSS ADD(owningacid) IBMFAC(HWI) */
/* PERMIT HWI.APPLNAME.HWISERV CLASS(FACILITY) ID(IZUADMIN) + */
/* ACCESS(READ) */
/* TSS PER(IZUADMIN) IBMFAC(HWI.APPLNAME.HWISERV) ACC(READ) */
/* RDEFINE FACILITY HWI.TARGET.<netid.nau> UACC(NONE) + */
/* APPLDATA('<uppercasecommunityname>') */
/* Done in previous step */
/* RDEFINE FACILITY HWI.TARGET.<netid.nau>.<imagename> UACC(NONE) */
/* Done in previous step */
/* PERMIT HWI.TARGET.<netid.nau> CLASS(FACILITY) ID(IZUADMIN) + */
/* ACCESS(READ) */
/* TSS PER(IZUADMIN) IBMFAC(HWI.TARGET.<netid.nau>) - */
/* APPLDATA('<uppercasecommunityname>') ACC(READ) */
/* PERMIT HWI.TARGET.<netid.nau>.<imagename> CLASS(FACILITY) + */
/* ID(IZUADMIN) ACCESS(READ) */
/* TSS PER(IZUADMIN) IBMFAC(HWI.TARGET.<netid.nau>.<imagename>) - */
/* ACC(READ) */
/*----------------------------------------------------------------*/
/* End Setup for Discovery CPC function in Systems task */
/*----------------------------------------------------------------*/
/* If AT_TLS is enabled, the z/OSMF started task userid needs to */
/* be permitted on resource EZB.INITSTACK.sysname.tcpname */
/* */
/* PERMIT EZB.INITSTACK.sysname.tcpname CLASS(SERVAUTH) + */
/* ID(IZUSVR) ACCESS(READ) */
/* TSS PER(IZUSVR) SERVAUTH(EZB.INITSTACK.sysname.tcpname) - */
/* ACC(READ) */
/* Profile Definitions for "zOS Operator Consoles" task */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.CONSOLES.ZOSOPER UACC(NONE)
/* Done in a previous step. */
/* Permit definitions for "zOS Operator Consoles" task */
PERMIT IZUDFLT.ZOSMF.CONSOLES.ZOSOPER CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.CONSOLES.ZOSOPER) -
ACC(READ)
/* Permit definitions for "zOS Operator Consoles" task */
PERMIT IZUDFLT.ZOSMF.CONSOLES.ZOSOPER CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.CONSOLES.ZOSOPER) -
ACC(READ)
/* Profile definitions for Named Angel Support */
RDEFINE SERVER BBG.ANGEL.IZUANG1 UACC(NONE)
/* Done in a previous step. */
PERMIT BBG.ANGEL.IZUANG1 CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.ANGEL.IZUANG1) ACC(READ)
/* Define security setup to permit Authorized WLM Service(ZOSWLM )*/
RDEFINE FACILITY BPX.WLMSERVER UACC(NONE)
/* Done in a previous step. */
PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) IBMFAC(BPX.WLMSERVER) ACC(READ)
/* Profile for TSO RESTful API remote support */
RDEFINE SERVAUTH CEA.CEATSO.FLOW.* UACC(NONE)
/* Done in a previous step. */
PERMIT CEA.CEATSO.FLOW.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) SERVAUTH(CEA.CEATSO.FLOW) ACC(READ)
PERMIT CEA.CEATSO.FLOW.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEATSO.FLOW) ACC(READ)
PERMIT CEA.CEATSO.FLOW.* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) SERVAUTH(CEA.CEATSO.FLOW) ACC(READ)
/* Make changes effective */
SETROPTS RACLIST(SERVER) REFRESH
/* Not needed. No equivalent in TSS */
SETROPTS RACLIST(SERVAUTH) REFRESH
/* Not needed. No equivalent in TSS */
SETROPTS RACLIST(ZMFAPLA) REFRESH
/* Not needed. No equivalent in TSS */
SETROPTS RACLIST(FACILITY) REFRESH
/* Not needed. No equivalent in TSS */
/* */
/* End V2R3 step Setup */
/* */
/*
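The listing above pairs every RACF PERMIT with a hand-written TSS PER line, and that transcription is where slips creep in (a mistyped acid, a wrong resource suffix, a case change in a case-sensitive EJBROLE name). As an added example, not part of the Broadcom article or IBM's IZUSEC job, the Python below applies the listing's own mapping (FACILITY to IBMFAC, ACCTNUM to TSOACCT, other classes unchanged, trailing RACF generic characters dropped, ACCESS to ACC) to RACF PERMIT commands and cross-checks a hand-written TSS block against the result; the RACF and TSS sample lines are constructed, and the slips in the TSS sample are deliberate.

```python
# Added example, not from the Broadcom article or IBM's IZUSEC: derive TSS
# PER lines from RACF PERMITs with the listing's mapping and cross-check a
# hand-written TSS block against them. The sample commands are constructed.
import re

# RACF class -> TSS class as the listing maps them; other classes (APPL,
# SERVER, SERVAUTH, EJBROLE, ZMFAPLA, TSOPROC, ...) keep their RACF name.
CLASS_MAP = {"FACILITY": "IBMFAC", "ACCTNUM": "TSOACCT"}
KW_RE = re.compile(r"(\w+)\(([^)]*)\)")  # keyword(value) pairs on a command

def join_continuations(text, cont):
    """Join physical lines into commands: RACF/TSO continues with a trailing
    '+', TSS with '-'. Comment (/* ...) and blank lines are dropped."""
    commands, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith(cont):
            buf += line[:-1]
            continue
        commands.append((buf + line).strip())
        buf = ""
    return commands

def tss_resource(name):
    """TSS matches by prefix, so the listing drops trailing RACF generics:
    CEA.CEATSO.* -> CEA.CEATSO, IZUDFLT.ZOSMF.LINK.** -> IZUDFLT.ZOSMF.LINK,
    MVS.MCSOPER.IZU@* -> MVS.MCSOPER.IZU. An inner '*' is kept."""
    return re.sub(r"[.@]?\*+$", "", name)

def parse_permit(cmd):
    """RACF PERMIT -> (resource, class, acid, access). Keywords may appear
    in any order; RACF defaults ACCESS to READ."""
    parts = cmd.split(None, 2)
    if len(parts) < 3 or parts[0].upper() != "PERMIT":
        return None
    kw = {k.upper(): v.strip() for k, v in KW_RE.findall(parts[2])}
    return (parts[1], kw["CLASS"].upper(), kw["ID"].upper(),
            kw.get("ACCESS", "READ").upper())

def parse_tss_permit(cmd):
    """TSS PER(acid) class(resource) ACC(level) -> the same tuple shape,
    carrying the TSS class name. TSS accepts both ACC and ACCESS."""
    if not cmd.upper().startswith("TSS "):
        return None
    acid, access, res = None, "READ", None
    for k, v in KW_RE.findall(cmd):
        k, v = k.upper(), v.strip()
        if k == "PER":
            acid = v.upper()
        elif k in ("ACC", "ACCESS"):
            access = v.upper()
        else:
            res = (v, k)
    return None if acid is None or res is None else (*res, acid, access)

def to_tss(parsed):
    """Apply the listing's mapping to a parsed RACF PERMIT tuple."""
    resource, racf_class, acid, access = parsed
    return (tss_resource(resource), CLASS_MAP.get(racf_class, racf_class),
            acid, access)

def format_tss(t):
    return f"TSS PER({t[2]}) {t[1]}({t[0]}) ACC({t[3]})"

def translate(racf_text):
    """The TSS PER command for every RACF PERMIT in racf_text, in order."""
    parsed = map(parse_permit, join_continuations(racf_text, "+"))
    return [format_tss(to_tss(p)) for p in parsed if p]

def check_translation(racf_text, tss_text):
    """Pairwise diff of hand-written TSS PER lines against the derived ones,
    as (index, expected, actual). Resource names are compared exactly
    because EJBROLE names are case-sensitive."""
    exp = [to_tss(p) for p in map(parse_permit, join_continuations(racf_text, "+")) if p]
    act = [p for p in map(parse_tss_permit, join_continuations(tss_text, "-")) if p]
    bad = [(i, format_tss(e), format_tss(a))
           for i, (e, a) in enumerate(zip(exp, act)) if e != a]
    if len(exp) != len(act):
        bad.append((min(len(exp), len(act)), f"{len(exp)} RACF PERMITs",
                    f"{len(act)} TSS PER lines"))
    return bad

# Constructed RACF sample in the listing's style, with '+' continuations.
RACF_SAMPLE = """\
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) +
ID(IZUSVR)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
PERMIT MVS.MCSOPER.IZU@* CLASS(OPERCMDS) ID(IZUUSER) +
ACCESS(READ)
"""
# Constructed hand translation with three deliberate slips: a resource
# suffix (ZOSDUMPM), a mistyped acid (ISUSVR) and a case change (izUsers).
TSS_SAMPLE = """\
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSDUMPM) ACC(READ)
TSS PER(ISUSVR) IBMFAC(IRR.DIGTCERT.LIST) ACC(READ)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEATSO) ACC(READ)
TSS PER(IZUUSER) EJBROLE(IZUDFLT.*.izUsers) ACC(READ)
TSS PER(IZUUSER) OPERCMDS(MVS.MCSOPER.IZU) -
ACC(READ)
"""
```

Running `check_translation(RACF_SAMPLE, TSS_SAMPLE)` reports the first, second and fourth pairs; RDEFINE ownership (TSS ADD) and STARTED entries follow different rules in the listing and are outside this helper.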