Endevor web services security configuration using RACF


Article ID: 431926


Products

Endevor

Issue/Introduction

Tried to follow the "Configure IBM RACF" documentation to set up Endevor Web Services security.

When configuring security using TSS, the first step is to define a new facility named ENDEVOR:
FAC(USERnn=NAME=ENDEVOR)

Then, in step 5, each Web Services user is granted access to the facility:
TSS ADD(USERID) FAC(ENDEVOR)

However, there is no corresponding "step 5" in the "Configure IBM RACF" documentation. How can access to Endevor Web Services be limited for valid Endevor users?

Environment

All supported Endevor versions

Web Services

RACF

Cause

While RACF includes a FACILITY class, it is not related to the Top Secret (TSS) FACILITY definition. Since RACF does not have an equivalent FACILITY definition, there is no need to define a FACILITY profile for RACF. Therefore, step 5 is unnecessary for RACF. 

Resolution

Under RACF, if a user has access to classic Endevor, they also have access to Endevor Web Services by default. However, program pathing can be used to limit Web Services access for specific Endevor users.

For DevOps tools based on web services, such as the Web Interface, a PassTicket is required. Consequently, only Endevor users with access to the APPL class are able to use the Web Interface. Please check "Configure PassTickets in RACF" for more details.
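The APPL restriction described above can be expressed with standard RACF commands. This is an added sketch, not taken from the Endevor documentation: `<applname>` stands for the application name used in your PassTicket setup and `<ws-group>` for a RACF group of permitted Web Interface users; both are placeholders, and READ is assumed as the access level checked.

```text
/* Weak: a profile with UACC(READ) lets every RACF user pass the      */
/* APPL check, so holding a valid PassTicket is the only barrier.     */
/*   RDEFINE APPL <applname> UACC(READ)                               */

/* Restrictive: default access NONE, then permit only the group of    */
/* users who are meant to reach the Web Interface.                    */
RDEFINE APPL <applname> UACC(NONE)
PERMIT <applname> CLASS(APPL) ID(<ws-group>) ACCESS(READ)

/* Activate the class (if not already active) and refresh the         */
/* in-storage profiles so the change takes effect.                    */
SETROPTS CLASSACT(APPL) RACLIST(APPL)
SETROPTS RACLIST(APPL) REFRESH

/* Verify: list the profile with its access list and confirm that     */
/* UACC is NONE and only the intended group or users appear.          */
RLIST APPL <applname> AUTHUSER
```

Review the access list from `RLIST` whenever group membership changes, since anyone connected to `<ws-group>` inherits the access.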