Question:
I am implementing the Capacity Provisioning Manager component of z/OSMF. Is there an ACF2 equivalent to the RACF CPOSEC1 job for security setup?
Answer:
//CPOSEC1 JOB <job parameters>
//*
//*------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands from:
//*
//* CPOSEC1 "z/OS MVS Capacity Provisioning User's Guide"
//*
//* NOTE: the RACF statements are left in as comments for reference, and
//* a comment notes where there is no ACF2 equivalent command.
//*
//* This job contains statements with the following fields that MUST be
//* updated with installation-specific data.
//*
//* GID(nn)
//* UID(nn)
//* PASSWORD(pppppppp)
//* SSKEY(KEY16......)
//* UID(UID string for CPOSRV)
//* UID(UID string for CPOCIM)
//* UID(UID string for CPCCUSR) ** Note CPCCUSR pertains to all Capacity
//* Provisioning Control Center (CPCC) users
//*
//*-------------------------------------------------------------------
//STEP01 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* ADDUSER (CPOSRV)
* ALTUSER (CPOSRV) +
* NORESTRICTED +
* NOOIDCARD +
* DFLTGRP(........) +
* OMVS(HOME('/u/cposrv') UID(......) ) +
* NOPASSWORD
SET LID
INSERT CPOSRV NAME(CPM Logonid) RESTRICT UID(nn) -
HOME(/u/cposrv)
* ADDUSER (CPOCIM)
* ALTUSER (CPOCIM) +
* NORESTRICTED +
* DFLTGRP(........) +
* OMVS(HOME('/u/cpocim') UID(......) ) +
* PASSWORD(......)
SET LID
INSERT CPOCIM NAME(CPM Configured) PASSWORD(pppppppp) UID(nn) -
HOME(/u/cpocim)
* Started task/job definitions.
* Required.
* RDEFINE STARTED CPOSERV.* STDATA(USER(CPOSRV))
* SETROPTS RACLIST (STARTED) REFRESH
SET CONTROL(GSO)
INSERT STC.CPOSRV LOGONID(CPOSRV) STCID(CPOSERV-)
* Definitions related to Automatic Restart Management (ARM)
* Optional. Only required when using ARM.
* RDEFINE FACILITY IXCARM.SYSCPM.SYSCPO UACC(NONE)
* PERMIT IXCARM.SYSCPM.SYSCPO CLASS(FACILITY) ID(CPOSRV) +
* ACCESS(UPDATE)
* SETROPTS RACLIST(FACILITY) REFRESH
SET RESOURCE(FAC)
RECKEY IXCARM ADD(SYSCPM.SYSCPO uid(UID string for CPOSRV) -
SERVICE(UPDATE) ALLOW)
* Definitions related to the Capacity Provisioning user.
* Required.
* Group IDs should be unique.
* ADDGROUP CPOQUERY OMVS(GID(......))
* ADDGROUP CPOCTRL OMVS(GID(......))
* CONNECT CPOSRV GROUP(CPOQUERY) AUTH(USE)
* CONNECT CPOSRV GROUP(CPOCTRL) AUTH(USE)
SET PROFILE(GROUP) DIV(OMVS)
INSERT CPOQUERY GID(nn)
INSERT CPOCTRL GID(nn)
INSERT CFZUSRGP GID(nn)
SET RESOURCE(TGR)
RECKEY CPOQUERY ADD( uid(UID string for CPOSRV) ALLOW)
RECKEY CPOCTRL ADD( uid(UID string for CPOSRV) ALLOW)
* Authorize system observation user to logon to CIM
* CONNECT CPOCIM GROUP(CFZUSRGP) AUTH(USE)
* Definitions related to the setup of the domain.
* Required.
* ADDSD 'CPO.DOMAIN1.*' GENERIC UACC(NONE)
* PERMIT 'CPO.DOMAIN1.*' GENERIC ID(CPOSRV) ACCESS(UPDATE)
SET RULE
RECKEY CPO ADD(DOMAIN1.- uid(UID string for CPOSRV) WRITE(A))
* CPOSRV.** needs to be changed if RACF Enhanced Generic Naming
* is not in effect
* ADDSD 'CPOSRV.**' GENERIC UACC(NONE)
* PERMIT 'CPOSRV.**' GENERIC ID(CPOSRV) ACCESS(CONTROL)
* SETROPTS GENERIC(DATASET) REFRESH
* ACF2 logonids by default have access to data sets whose HLQ matches
* the logonid, so no ACF2 equivalent statements are needed.
* Permit CPM to use authorized console interfaces.
* Optional.
* CPM messages will be prefixed with BPXM023I if not granted.
* RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
* PERMIT BPX.CONSOLE CLASS(FACILITY) ID(CPOSRV) ACCESS(READ)
* SETROPTS RACLIST(FACILITY) REFRESH
SET RESOURCE(FAC)
RECKEY BPX ADD(CONSOLE uid(UID string for CPOSRV) -
SERVICE(READ) ALLOW)
* Definitions related to the use of passtickets/secure signon.
* Required. The KEYMASKED() value must be identical across all
* runtime and observed systems.
* SETROPTS CLASSACT(PTKTDATA)
* SETROPTS RACLIST(PTKTDATA)
* RDEFINE PTKTDATA CFZAPPL SSIGNON(KEYMASKED(................)) +
* APPLDATA('NO REPLAY PROTECTION')
* PERMIT CFZAPPL CLASS(PTKTDATA) ID(CPOCIM) ACCESS(READ)
* SETROPTS RACLIST(PTKTDATA) REFRESH
* RDEFINE PTKTDATA IRRPTAUTH.CFZAPPL.CPOCIM
* PERMIT IRRPTAUTH.CFZAPPL.CPOCIM CLASS(PTKTDATA) ID(CPOSRV) +
* ACCESS(UPDATE)
* SETROPTS RACLIST(PTKTDATA) REFRESH
*
SET PROFILE(PTKTDATA) DIV(SSIGNON)
INSERT CFZAPPL MULT-USE SSKEY(KEY16......)
SET RESOURCE(PTK)
RECKEY CFZAPPL ADD( uid(UID string for CPOCIM) -
SERVICE(READ) ALLOW)
RECKEY IRRPTAUTH ADD(CFZAPPL.- uid(UID string for CPOSRV) -
SERVICE(UPDATE) ALLOW)
* Definitions required to allow Capacity Provisioning Control
* Center (CPCC) users to connect to the CPM and query and/or
* modify CPM controls.
* Required for all users connecting from the CPCC. Replace
* 'CPCCUSR' with the appropriate user ID(s).
* CONNECT (CPCCUSR) GROUP(CPOQUERY) AUTH(USE)
* CONNECT (CPCCUSR) GROUP(CPOCTRL ) AUTH(USE)
* CONNECT (CPCCUSR) GROUP(CFZUSRGP) AUTH(USE)
SET RESOURCE(TGR)
RECKEY CPOQUERY ADD( uid(UID string for CPCCUSR) ALLOW)
RECKEY CPOCTRL ADD( uid(UID string for CPCCUSR) ALLOW)
RECKEY CFZUSRGP ADD( uid(UID string for CPCCUSR) ALLOW)
* BCPii-related definitions for the Provisioning
* Manager. They contain templates for physical capacity
* (On/Off CoD) management and defined capacity management.
* In the HWI profiles below 'netname.cpc1' refers to the SNA
* (System Network Architecture) name of the CPC as defined at
* the Support Element (SE).
* Definitions related to the use of z/OS BCPii.
* Repeat definitions for additional CPCs.
* SETROPTS CLASSACT(SERVAUTH)
* RDEFINE SERVAUTH CEA.CONNECT UACC(NONE)
* RDEFINE SERVAUTH CEA.SUBSCRIBE.ENF_0068* UACC(NONE)
* If more generic CEA profiles have already been defined,
* such as CEA.*, you may want to reuse those.
* PERMIT CEA.CONNECT CLASS(SERVAUTH) ID(CPOSRV) ACCESS(READ)
* PERMIT CEA.SUBSCRIBE.ENF_0068* CLASS(SERVAUTH) ID(CPOSRV) +
* ACCESS(READ)
SET RESOURCE(SER)
RECKEY CEA ADD(CONNECT uid(UID string for CPOSRV) -
SERVICE(READ) ALLOW)
RECKEY CEA ADD(SUBSCRIBE.ENF_0068.- uid(UID string for CPOSRV) -
SERVICE(READ) ALLOW)
* SETROPTS RACLIST(SERVAUTH) REFRESH
* RDEFINE FACILITY HWI.APPLNAME.HWISERV UACC(NONE)
* The community name in APPLDATA() should be uppercase
* RDEFINE FACILITY HWI.TARGET.netname.cpc1 +
* APPLDATA('.........') UACC(NONE)
* Needed for physical capacity management
* RDEFINE FACILITY HWI.CAPREC.netname.cpc1.* UACC(NONE)
* Needed for defined capacity management
* RDEFINE FACILITY HWI.TARGET.netname.cpc1.* UACC(NONE)
* PERMIT HWI.APPLNAME.HWISERV CLASS(FACILITY) ID(CPOSRV) +
* ACCESS(READ)
* PERMIT HWI.TARGET.netname.cpc1 CLASS(FACILITY) ID(CPOSRV) +
* ACCESS(CONTROL)
* PERMIT HWI.CAPREC.netname.cpc1.* CLASS(FACILITY) +
* ID(CPOSRV) ACCESS(READ)
* PERMIT HWI.TARGET.netname.cpc1.* CLASS(FACILITY) +
* ID(CPOSRV) ACCESS(UPDATE)
SET RESOURCE(FAC)
RECKEY HWI ADD(APPLNAME.HWISERV uid(UID string for CPOSRV) -
SERVICE(READ) ALLOW)
RECKEY HWI ADD(TARGET.netname.cpc1 uid(UID string for CPOSRV) -
SERVICE(DELETE) ALLOW)
RECKEY HWI ADD(CAPREC.netname.cpc1.- uid(UID string for CPOSRV) -
SERVICE(READ) ALLOW)
RECKEY HWI ADD(TARGET.netname.cpc1.- uid(UID string for CPOSRV) -
SERVICE(UPDATE) ALLOW)
* Operator (MODIFY) commands to rebuild the in-storage resource
* directories and profile records and to refresh the GSO STC record.
F ACF2,REBUILD(PTK)
F ACF2,REBUILD(SER)
F ACF2,REBUILD(TGR)
F ACF2,REBUILD(FAC)
F ACF2,REBUILD(GRP),CLASS(P)
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,REBUILD(PTK),CLASS(P)
F ACF2,REFRESH(STC)
//*
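The job above only works once every installation-specific placeholder (UID(nn), GID(nn), PASSWORD(pppppppp), SSKEY(KEY16......), the "UID string for ..." masks and netname.cpc1) has been replaced, and a RECKEY statement with unbalanced parentheses is rejected by ACF2. The following pre-submission check is an added example, not part of the knowledge-base answer or any CA/Broadcom tool: it reads the SYSIN stream of a job, joins ACF2 "-" continuation lines, ignores the "*" comment lines, and reports leftover placeholders, unbalanced parentheses and an SSKEY value that is not 16 hexadecimal digits (the 16-hex-digit length is an assumption drawn from the KEY16...... placeholder). The sample job text is constructed for the example.

```python
import re
from dataclasses import dataclass

# Placeholder tokens the job header says MUST be replaced before submission.
PLACEHOLDER_PATTERNS = [
    r"\(nn\)",          # GID(nn) / UID(nn)
    r"pppppppp",        # PASSWORD(pppppppp)
    r"KEY16\.{6}",      # SSKEY(KEY16......)
    r"UID string for",  # uid(UID string for CPOSRV) and friends
    r"netname\.cpc1",   # HWI.TARGET.netname.cpc1
    r"\.{8}",           # DFLTGRP(........) style fill-ins
]


@dataclass
class Finding:
    line: int   # first line of the logical statement
    kind: str   # placeholder | unbalanced-parens | sskey-format
    text: str   # the joined statement


def sysin_statements(job_text):
    """Yield (line_no, statement) for each logical ACF2 statement in the
    SYSIN DD * stream.  A trailing '-' continues the statement on the next
    line (ACF2 reads it the same way); lines starting with '*' are comments."""
    in_sysin = False
    buf, start = [], None
    for no, raw in enumerate(job_text.splitlines(), 1):
        if raw.startswith("//SYSIN"):
            in_sysin = True
            continue
        if not in_sysin:
            continue
        if raw.startswith("//") or raw.startswith("/*"):
            break  # end of instream data
        if raw.startswith("*"):
            continue  # ACF2 comment line (the RACF reference statements)
        stripped = raw.rstrip()
        if start is None:
            start = no
        if stripped.endswith("-"):
            buf.append(stripped[:-1].rstrip())
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # continuation with no final line
        yield start, " ".join(buf)


def check_job(job_text):
    """Return the list of Findings that would make ACFBATCH fail or leave
    a placeholder value in the security database."""
    findings = []
    for line_no, stmt in sysin_statements(job_text):
        if any(re.search(p, stmt) for p in PLACEHOLDER_PATTERNS):
            findings.append(Finding(line_no, "placeholder", stmt))
        if stmt.count("(") != stmt.count(")"):
            findings.append(Finding(line_no, "unbalanced-parens", stmt))
        m = re.search(r"SSKEY\(([^)]*)\)", stmt)
        # Assumption: the session key is 16 hexadecimal digits (8 bytes).
        if m and not re.fullmatch(r"[0-9A-Fa-f]{16}", m.group(1)):
            findings.append(Finding(line_no, "sskey-format", stmt))
    return findings


# Constructed sample: some values filled in, some still placeholders, one
# RECKEY statement missing its closing parenthesis.
SAMPLE_JOB = """\
//CPOSEC1 JOB (ACCT),'CPM SECURITY',CLASS=A
//STEP01 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* ADDUSER (CPOSRV)   RACF reference, ignored by the check
SET LID
INSERT CPOSRV NAME(CPM Logonid) RESTRICT UID(1201) -
HOME(/u/cposrv)
SET PROFILE(PTKTDATA) DIV(SSIGNON)
INSERT CFZAPPL MULT-USE SSKEY(KEY16......)
SET RULE
RECKEY CPO ADD(DOMAIN1.- uid(UID string for CPOSRV) WRITE(A)
SET RESOURCE(FAC)
RECKEY HWI ADD(TARGET.SYSA.CPC01 uid(CPMSRV) -
SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(FAC)
//*
"""

if __name__ == "__main__":
    for f in check_job(SAMPLE_JOB):
        print(f"line {f.line}: {f.kind}: {f.text}")
```

Run it against the edited job before submitting; an empty result means every placeholder has been replaced and each statement is syntactically balanced, which is cheaper than reading ACFBATCH's SYSPRINT after a half-applied run has already inserted some records.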