Convert member IZUSEC from RACF to TSS commands.

Article ID: 95769

Products: Top Secret, Top Secret - LDAP

Issue/Introduction

Convert z/OS 2.4 member IZUSEC from RACF to TSS commands.

Environment

Component: TSSMVS

Resolution

This is the IZUSEC version containing both RACF and TSS commands for comparison:

//IZUCORE JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX
//********************************************************************
//* PROPRIETARY STATEMENT:                                           *
//* Licensed Materials - Property of IBM                             *
//* 5650-ZOS                                                         *
//* Copyright IBM Corp. 2014, 2019                                   *
//*                                                                  *
//* Status = HSMA240                                                 *
//*------------------------------------------------------------------*
//*                                                                  *
//* DESCRIPTIVE NAME:                                                *
//*    z/OSMF SERVER default security setup                          *
//*                                                                  *
//*    The JCL contains the security setup for z/OSMF server.        *
//*    You can customize this JCL to create a security setup         *
//*    for the z/OSMF Server as you wish.                            *
//*                                                                  *
//*    NOTE: The V2R4 step is added to the IZUSEC job in this        *
//*    release. The V2R4 step contains the profiles that are new in  *
//*    z/OS V2R4. If you have previously installed and configured    *
//*    z/OSMF, step V2R4 is the only step you need to run.           *
//*                                                                  *
//********************************************************************
//*
//* This job must be run using a user ID that has the RACF SPECIAL   *
//* attribute.                                                       *
//*                                                                  *
//* This job assumes that the BPX.NEXT.USER profile has been         *
//* defined in the FACILITY class to enable the use of AUTOUID       *
//* and AUTOGID.  See the topic "Automatically assigning unique      *
//* IDs through UNIX services" in z/OS Security Server RACF          *
//* Security Administrator's Guide for additional information        *
//* about automatic UID and GID assignment.  If this function has    *
//* not been enabled, you must assign unique UIDs to the IZUSVR      *
//* and IZUGUEST user IDs, and unique GIDs to the groups             *
//* IZUADMIN, IZUSECAD, IZUUSER, and IZUUNGRP.                       *
//*                                                                  *
//********************************************************************
//*
//* This step sets up z/OSMF core security settings.
//*
//STEP1  EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *

 /* Begin "Core" Setup                                             */
 /*                                                                */
 /* This commented section contains the CLASS activation commands. */
 /* Ensure the following classes are active before executing this  */
 /* script or creating profiles in these classes.                  */
 /*                                                                */
 /* Activate the APPL class                                        */
 /*SETROPTS CLASSACT(APPL)                                         */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(APPL) GENERIC(APPL)                            */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the EJBROLE class                                     */
 /*SETROPTS CLASSACT(EJBROLE)                                      */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)                      */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the FACILITY class                                    */
 /*SETROPTS CLASSACT(FACILITY)                                     */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(FACILITY)                                      */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the SERVER class                                      */
 /*SETROPTS CLASSACT(SERVER)                                       */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(SERVER)                                        */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the SERVAUTH class                                    */
 /*SETROPTS CLASSACT(SERVAUTH)                                     */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(SERVAUTH) GENERIC(SERVAUTH)                    */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the STARTED class                                     */
 /*SETROPTS CLASSACT(STARTED)                                      */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(STARTED) GENERIC(STARTED)                      */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the ZMFAPLA class                                     */
 /*SETROPTS CLASSACT(ZMFAPLA)                                      */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(ZMFAPLA) GENERIC(ZMFAPLA)                      */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the ACCTNUM class                                     */
 /*SETROPTS CLASSACT(ACCTNUM)                                      */
 /* Not needed. No equivalent in TSS                               */
 /* Activate the TSOPROC class                                     */
 /*SETROPTS CLASSACT(TSOPROC)                                      */
 /* Not needed. No equivalent in TSS                               */
 /* Refresh the ACCTNUM class                                      */
 /* SETROPTS RACLIST(ACCTNUM) REFRESH                              */
 /* Not needed. No equivalent in TSS                               */
 /* Refresh the TSOPROC class                                      */
 /* SETROPTS RACLIST(TSOPROC) REFRESH                              */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the TSOAUTH class                                     */
 SETROPTS CLASSACT(TSOAUTH)
 /* Not needed. No equivalent in TSS                               */
 /* Refresh the TSOAUTH class                                      */
 SETROPTS RACLIST(TSOAUTH)
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the OPERCMDS class                                    */
 SETROPTS CLASSACT(OPERCMDS)
 /* Not needed. No equivalent in TSS                               */
 /* Refresh the OPERCMDS class                                     */
 SETROPTS RACLIST(OPERCMDS)
 /* Not needed. No equivalent in TSS                               */
 /* Create the z/OSMF Administrators group                         */
 ADDGROUP IZUADMIN OMVS(GID(9003))
 TSS CRE(IZUADMGP) NAME('IZUADMIN GROUP') TYPE(GROUP) DEPT(dept)
 TSS ADD(IZUADMGP) GID(9003)
 TSS CRE(IZUADMIN) NAME('IZUADMIN PROFILE') TYPE(PROFILE) DEPT(dept)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUADMIN to an acid, you also need to attach IZUADMGP.         */
 /* Example: TSS ADD(acid) PROFILE(IZUADMIN) GROUP(IZUADMGP)       */

 /* Create the z/OSMF Users group                                  */
 ADDGROUP IZUUSER OMVS(GID(9004))
 TSS CRE(IZUUSRGP) NAME('IZUUSER GROUP') TYPE(GROUP) DEPT(dept)
 TSS ADD(IZUUSRGP) GID(9004)
 TSS CRE(IZUUSER) NAME('IZUUSER PROFILE') TYPE(PROFILE) DEPT(dept)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUUSER to an acid, you also need to attach IZUUSRGP.          */
 /* Example: TSS ADD(acid) PROFILE(IZUUSER) GROUP(IZUUSRGP)        */

 /* Create the z/OSMF Unauthenticated group                        */
 ADDGROUP IZUUNGRP OMVS(GID(9012))
 TSS CRE(IZUUNAGP) NAME('zOSMF Unauthenticated USERID Group') -
 TYPE(GROUP) DEPT(dept)
 TSS ADD(IZUUNAGP) GID(9012)
 TSS CRE(IZUUNGRP) NAME('IZUUNGRP PROFILE') TYPE(PROFILE) DEPT(dept)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUUNGRP to an acid, you also need to attach IZUUNAGP.         */
 /* Example: TSS ADD(acid) PROFILE(IZUUNGRP) GROUP(IZUUNAGP)       */

 /* Create the started task USERID for the z/OSMF Server           */
 /* Please note, the HOME directory should be created with         */
 /* utility IZUMKFS.                                               */
 ADDUSER IZUSVR DFLTGRP(IZUADMIN) OMVS(UID(9010) +
   HOME(/var/zosmf/data/home/izusvr) +
   PROGRAM(/bin/sh)) NAME('zOSMF Started Task USERID')  +
   NOPASSWORD NOOIDCARD
 TSS CRE(IZUSVR) NAME('zOSMF Started Task USERID') TYPE(USER) -
 DEPT(dept) PASS(NOPW,0) FAC(STC)
 TSS ADD(IZUSVR) GROUP(IZUADMGP) DFLTGRP(IZUADMGP) UID(9010) -
 HOME(/var/zosmf/data/home/izusvr) OMVSPGM(/bin/sh) FAC(ZOSMF)

 /* Change concurrent open file number for started task USERID     */
 ALTUSER IZUSVR OMVS(FILEPROC(10000))
 TSS ADD(IZUSVR) OEFILEP(10000)

 /* Create the z/OSMF unauthenticated USERID                       */
 ADDUSER IZUGUEST RESTRICTED DFLTGRP(IZUUNGRP) OMVS(UID(9011)) +
   NAME('zOSMF Unauthenticated USERID') NOPASSWORD NOOIDCARD
 TSS CRE(IZUGUEST) NAME(IZUGUEST) TYPE(USER) DEPT(dept) PASS(NOPW,0)
 TSS ADD(IZUGUEST) UID(9011) OMVSPGM('/bin/sh') -
 HOME('/u/izuguest') DFLTGRP(IZUUNAGP) GROUP(IZUUNAGP) FAC(ZOSMF)

 /* Define the STARTED profiles for the z/OSMF server              */
 RDEFINE STARTED IZUSVR1.* UACC(NONE) STDATA(USER(IZUSVR) +
   GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
 TSS ADD(STC) PROCNAME(IZUSVR1) ACID(IZUSVR)
 RDEFINE STARTED IZUANG1.* UACC(NONE) STDATA(USER(IZUSVR) +
   GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
 TSS ADD(STC) PROCNAME(IZUANG1) ACID(IZUSVR)

 /* Define the APPL profile for the z/OSMF server                  */
 RDEFINE APPL IZUDFLT UACC(NONE)
 TSS ADD(owningacid) APPL(IZUDFLT)

 /* Define the SERVER profiles for the z/OSMF server               */
 RDEFINE SERVER BBG.SECPFX.IZUDFLT UACC(NONE)
 RDEFINE SERVER BBG.ANGEL UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
 TSS ADD(owningacid) SERVER(BBG)

 /* Permit the z/OSMF unauthenticated USERID access                */
 PERMIT IZUDFLT CLASS(APPL)    ID(IZUGUEST) ACCESS(READ)
 TSS PER(IZUGUEST) APPL(IZUDFLT) ACC(READ)

 /* Permit the started task USERID access                          */
 PERMIT BBG.SECPFX.IZUDFLT CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.SECPFX.IZUDFLT) ACC(READ)

 PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.ANGEL) ACC(READ)

 PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM) ACC(READ)

 PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) +
   ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACC(READ)

 PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) +
   ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSWLM) ACC(READ)

 PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) +
   ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.TXRRS) ACC(READ)

 PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) +
   ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSDUMP) ACC(READ)

 /* Define the BPX.CONSOLE profile to suppress the BPXM023I message*/
 /* prefix for console messages                                    */
 RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
 TSS ADD(owningacid) IBMFAC(BPX.)
 /* Permit the started task USERID access                          */
 PERMIT  BPX.CONSOLE CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) IBMFAC(BPX.CONSOLE) ACC(READ)

 /* Define the Sync-to-OS-thread FACILITY profile                  */
 RDEFINE FACILITY BBG.SYNC.IZUDFLT UACC(NONE)
 TSS ADD(owningacid) IBMFAC(BBG.)

 /* Permit the started task USERID access                          */
 PERMIT  BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)
 TSS PER(IZUSVR) IBMFAC(BBG.SYNC.IZUDFLT) ACC(CONTROL)

 /* Define the FACILITY profile for working with digital           */
 /* certificates                                                   */
 RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
 TSS ADD(owningacid) IBMFAC(IRR.)

 /* Allow users of the z/OSMF Configuration Workflow to extract    */
 /* profile information                                            */
 RDEFINE FACILITY IRR.RADMIN.LISTUSER
 RDEFINE FACILITY IRR.RADMIN.LISTGRP
 RDEFINE FACILITY IRR.RADMIN.RLIST
 RDEFINE FACILITY IRR.RADMIN.SETROPTS.LIST
 /* Not needed. Covered by the IBMFAC(IRR.) add in the previous    */
 /* step.                                                          */

 /* Permit the started task USERID access                          */
 PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) +
   ACCESS(READ)
 TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LIST) ACC(READ)
 TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(READ)

 /* Create the CA certificate for the z/OSMF server                */
 RACDCERT CERTAUTH GENCERT +
   SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') +
   OU('IZUDFLT')) WITHLABEL('zOSMFCA')  +
   TRUST NOTAFTER(DATE(2023/05/17))

 TSS GENCERT(CERTAUTH) DIGICERT(ZOSMFCA) -
 SUBJECTN('CN="z/OSMF CertAuth for Security Domain" OU="IZUDFLT"') -
 LABLCERT('zOSMFCA') NADATE(05/17/23)

 RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
 TSS ADD(IZUSVR) KEYRING(IZUSVRKR) LABLRING('IZUKeyring.IZUDFLT')

 /* Create the server certificate for the z/OSMF server            */
 /* Change HOST NAME in CN field into real local host name         */
 /* Usually the format of the host name is 'XXXX.XXX.XXX.XXX'      */
 RACDCERT ID( IZUSVR ) GENCERT SUBJECTSDN(CN('HOST NAME') +
   O('IBM') OU('IZUDFLT')) WITHLABEL('DefaultzOSMFCert.IZUDFLT') +
   SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2023/05/17))

 TSS GENCERT(IZUSVR) DIGICERT(DEFOSMFC) -
 SUBJECTN('CN="HOST NAME" OU="IZUDFLT" O="IBM"') -
 LABLCERT('DefaultzOSMFCert.IZUDFLT') -
 SIGNWITH(CERTAUTH,ZOSMFCA) -
 NADATE(05/17/23)

 RACDCERT ALTER(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR) TRUST
 TSS ADD(IZUSVR) DIGICERT(DEFOSMFC) TRUST

 RACDCERT ID( IZUSVR ) CONNECT (LABEL('DefaultzOSMFCert.IZUDFLT') +
   RING(IZUKeyring.IZUDFLT) DEFAULT)
 /* The keyring was already created above; only connect the cert   */
 TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(IZUSVR,DEFOSMFC) -
 USAGE(PERSONAL) DEFAULT

 RACDCERT ID( IZUSVR ) CONNECT (LABEL('zOSMFCA') +
   RING(IZUKeyring.IZUDFLT) CERTAUTH)
 TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(CERTAUTH,ZOSMFCA) -
 USAGE(CERTAUTH)

 /* Assumption: SERVAUTH class is active                           */
 /* SETROPTS GENERIC(SERVAUTH)                                     */
 /* Not needed. No equivalent in TSS                               */
 /* Define the CEA resource profile required for z/OSMF server     */
 RDEFINE SERVAUTH CEA.CEATSO.* UACC(NONE)
 TSS ADD(owningacid) SERVAUTH(CEA)

 /* Define the Account Number resource profile for REST File API   */
 RDEFINE ACCTNUM IZUACCT UACC(NONE)
 TSS ADD(owningacid) TSOACCT(IZUACCT)

 /* Define the TSO Procedure resource profile for REST File API    */
 RDEFINE TSOPROC IZUFPROC UACC(NONE)
 TSS ADD(owningacid) TSOPROC(IZUFPROC)

 /* List-of-groups authority checking supplements the normal RACF  */
 /* access authority checking by allowing all groups of which a    */
 /* user ID is a member to enter into the access list checking     */
 /* process. Un-comment the following line to activate this.       */
 /* SETROPTS GRPLIST                                               */
 /* Not needed. No equivalent in TSS                               */
 /* Create the z/OS Security Administrators group                  */
 ADDGROUP IZUSECAD OMVS(GID(9006))
 TSS CRE(IZUSECGP) NAME('z/OS Security Administrators group') -
 TYPE(GROUP) DEPT(dept)
 TSS ADD(IZUSECGP) GID(9006)
 TSS CRE(IZUSECAD) NAME('z/OS Security Administrators PROFILE') -
 TYPE(PROFILE) DEPT(dept)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUSECAD to an acid, you also need to attach IZUSECGP.         */
 /* Example: TSS ADD(acid) PROFILE(IZUSECAD) GROUP(IZUSECGP)       */

 /* Define the ZMFAPLA profile for the z/OSMF server               */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF UACC(NONE)
 TSS ADD(owningacid) ZMFAPLA(IZUDFLT)

 /* The EJBROLE definitions are case-sensitive in RACF.  Ensure you*/
 /* preserve case for these commands                               */
 /* Assumption: EJBROLE is defined, activated, and raclisted.      */
 RDEFINE EJBROLE IZUDFLT.*.izuUsers UACC(NONE)
 TSS ADD(owningacid) EJBROLE(IZUDFLT)

 /* Define the z/OSMF Server profile                               */
 RDEFINE SERVER BBG.SECCLASS.ZMFAPLA UACC(NONE)
 RDEFINE SERVER BBG.SECCLASS.ZMFCLOUD UACC(NONE)
 /* Not needed. SERVER(BBG) is already owned from a previous step  */

 /* Permit the started task USERID access                          */
 PERMIT BBG.SECCLASS.ZMFAPLA CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFAPLA) ACC(READ)
 PERMIT BBG.SECCLASS.ZMFCLOUD CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFCLOUD) ACC(READ)

 /* Roles processing will permit the z/OSMF Server groups to the   */
 /* Application Server resources                                   */
 /* Assumption: APPL class has been defined, activated, raclisted. */

 /* Permit the Administrators group to this profile                */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) SERVAUTH(CEA.CEATSO) ACC(READ)
 /* Permit the Users group to this profile                         */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) SERVAUTH(CEA.CEATSO) ACC(READ)
 /* Permit the started task USERID to this profile                 */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) SERVAUTH(CEA.CEATSO) ACC(READ)
 /* Make changes effective                                         */
 SETROPTS RACLIST(SERVAUTH) REFRESH
 /* Not needed. No equivalent in TSS                               */
 /* Permit the Administrators group to these profiles              */
 PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) TSOACCT(IZUACCT) ACC(READ)
 PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) TSOPROC(IZUFPROC) ACC(READ)
 /* Permit the Users group to these profiles                       */
 PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) TSOACCT(IZUACCT) ACC(READ)
 PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) TSOPROC(IZUFPROC) ACC(READ)
 /* Define console profile in class TSOAUTH to issue MVS commands  */
 /* via EMCS consoles                                              */
 RDEFINE TSOAUTH CONSOLE UACC(NONE)
 TSS ADD(owningacid) TSOAUTH(CONSOLE)

 /* Permit the Administrators group to these profiles              */
 PERMIT CONSOLE CLASS(TSOAUTH) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) TSOAUTH(CONSOLE) ACC(READ)

 /* Permit the Users group to these profiles                       */
 PERMIT CONSOLE CLASS(TSOAUTH) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) TSOAUTH(CONSOLE) ACC(READ)
 /* Make changes effective                                         */
 SETROPTS RACLIST(TSOAUTH) REFRESH
 /* Not needed. No equivalent in TSS                               */
 /* Define MCS operator profile starting with prefix IZU@          */
 RDEFINE OPERCMDS MVS.MCSOPER.IZU@* UACC(NONE)
 TSS ADD(owningacid) OPERCMDS(MVS.)

 /* Permit the Administrators group to these profiles              */
 PERMIT MVS.MCSOPER.IZU@* CLASS(OPERCMDS) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) OPERCMDS(MVS.MCSOPER.IZU) ACC(READ)

 /* Permit the Users group to these profiles                       */
 PERMIT MVS.MCSOPER.IZU@* CLASS(OPERCMDS) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) OPERCMDS(MVS.MCSOPER.IZU) ACC(READ)
 /* Make changes effective                                         */
 SETROPTS RACLIST(OPERCMDS) REFRESH
 /* Not needed. No equivalent in TSS                               */
 /* If your installation utilizes hardware crypto in combination   */
 /* with ICSF, various services like CSFRNGL, CSFDSV, CSFOWH,      */
 /* CSFIQF, etc. may be protected by profiles established in your  */
 /* security product. In certain cases, z/OSMF will utilize these  */
 /* services, and the z/OSMF started task USERID will need to be   */
 /* permitted to these profiles. If concrete profiles in the       */
 /* CSFSERV class have been defined to protect these resources,    */
 /* then the following commented commands would permit the started */
 /* task userid to the profile used by the associated ICSF service.*/
 /*PERMIT CSFIQF  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFIQF) ACCESS(READ)                    */
 /*encipher callable service                                       */
 /*PERMIT CSFENC  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFENC) ACCESS(READ)                    */
 /*cryptographic variable encipher callable                        */
 /*PERMIT CSFCVE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFCVE) ACCESS(READ)                    */
 /*decipher callable service                                       */
 /*PERMIT CSFDEC  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFDEC) ACCESS(READ)                    */
 /*symmetric algorithm encipher callable service                   */
 /*PERMIT CSFSAE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFSAE) ACCESS(READ)                    */
 /*symmetric algorithm decipher callable service                   */
 /*PERMIT CSFSAD  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFSAD) ACCESS(READ)                    */
 /*one-way hash generate callable service                          */
 /*PERMIT CSFOWH  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFOWH) ACCESS(READ)                    */
 /*random number generate callable service                         */
 /*PERMIT CSFRNG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFRNG) ACCESS(READ)                    */
 /*random number generate long callable service                    */
 /*PERMIT CSFRNGL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFRNGL) ACCESS(READ)                   */
 /*PKA key generate callable service                               */
 /*PERMIT CSFPKG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKG) ACCESS(READ)                    */
 /*digital signature generate service                              */
 /*PERMIT CSFDSG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFDSG) ACCESS(READ)                    */
 /*digital signature verify callable service                       */
 /*PERMIT CSFDSV  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFDSV) ACCESS(READ)                    */
 /*PKA key token change callable service                           */
 /*PERMIT CSFPKT  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKT) ACCESS(READ)                    */
 /*retained key list callable service                              */
 /*PERMIT CSFRKL  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFRKL) ACCESS(READ)                    */
 /*PKA Public Key Extract callable service                         */
 /*PERMIT CSFPKX  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKX) ACCESS(READ)                    */
 /*PKA encrypt callable service                                    */
 /*PERMIT CSFPKE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKE) ACCESS(READ)                    */
 /*PKA decrypt callable service                                    */
 /*PERMIT CSFPKD  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKD) ACCESS(READ)                    */
 /*PKA key import callable service                                 */
 /*PERMIT CSFPKI  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKI) ACCESS(READ)                    */
 /*multiple clear key import callable service                      */
 /*PERMIT CSFCKM  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFCKM) ACCESS(READ)                    */
 /*key generate callable service                                   */
 /*PERMIT CSFKGN  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFKGN) ACCESS(READ)                    */
 /*ECC Diffie-Hellman callable service                             */
 /*PERMIT CSFEDH  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFEDH) ACCESS(READ)                    */
 /*SETROPTS RACLIST(CSFSERV) REFRESH                               */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */

 /*   Profile Definitions for Core                                 */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LOGGER UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT +
   UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS +
   UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.** UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY +
   UACC(NONE)
 /* Not needed. ZMFAPLA(IZUDFLT) is already owned from a previous  */
 /* step.                                                          */

 /*   Profile Definitions for "Workflow"                           */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS UACC(NONE)
 /* Done in previous step                                          */
 /*   Profile Definitions for "Workflow administrator role"        */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.ADMIN UACC(NONE)
 /* Done in previous step                                          */
 /*   Profile Definitions for "z/OSMF notification"                */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS UACC(NONE)
 /* Done in previous step                                          */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN UACC(NONE)
 /* Done in previous step                                          */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.MODIFY UACC(NONE)
 /* Done in previous step                                          */

 /*  End Core Setup                                                */
 /*                                                                */
 /*   Begin zOSMF User Role Setup                                  */
 /*                                                                */
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) APPL(IZUDFLT) ACC(READ)
 TSS PER(IZUUSER) EJBROLE(IZUDFLT.*.izuUsers) ACC(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
 /*   Permit definitions for Core                                  */
 PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUUSER) +
   ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.LINK) ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUUSER) +
   ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) -
 ACC(READ)

 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) -
 ACC(READ)
 /*   Permit definitions for notification                          */
 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.MODIFY CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.MODIFY) -
 ACC(READ)

 /*                                                                */
 /*  End zOSMF User Role Setup                                     */
 /*                                                                */

 /*                                                                */
 /*   Begin zOSMF Administrator Role Setup                         */
 /*                                                                */
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) APPL(IZUDFLT) ACC(READ)
 TSS PER(IZUADMIN) EJBROLE(IZUDFLT.*.izuUsers) ACC(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
 /*   Permit definitions for Core                                  */
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER   CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) -
 ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK  CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LOGGER   CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LOGGER) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT  CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) -
 ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS   +
   CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) -
 ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN) +
   ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.LINK) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY) -
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUADMIN) +

   ACCESS(READ)

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) -

 ACC(READ)

 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) -

 ACC(READ)

 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) -

 ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) -

 ACC(READ)

 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) -

 ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY) -

 ACC(READ)

 /*   Permit definitions for Workflow                              */

 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) -

 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)

 /* Permit definitions for "Workflow administrator role"  */

 PERMIT IZUDFLT.ZOSMF.WORKFLOW.ADMIN CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.ADMIN) -

 ACC(READ)

 /* Permit definitions for "z/OSMF notification"  */

 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS) -

 ACC(READ)

 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) -

 ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN) -

 ACC(READ)

 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.MODIFY CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.MODIFY) -

 ACC(READ)

 /* Permit the z/OSMF administrator access                         */

 PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(IZUADMIN) +

   ACCESS(READ)

 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTUSER) ACC(READ)

 PERMIT IRR.RADMIN.LISTGRP CLASS(FACILITY) ID(IZUADMIN) +

   ACCESS(READ)

 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTGRP) ACC(READ)

 PERMIT IRR.RADMIN.RLIST CLASS(FACILITY) ID(IZUADMIN) +

   ACCESS(READ)

 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.RLIST) ACC(READ)

 PERMIT IRR.RADMIN.SETROPTS.LIST CLASS(FACILITY) ID(IZUADMIN) +

   ACCESS(READ)

 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.SETROPTS.LIST) ACC(READ)

 

 /*                                                                */

 /*  End zOSMF Administrator Role Setup                            */

 /*                                                                */

 /*                                                                */

 /*   Begin zOS Security Administrator Role Setup                  */

 /*                                                                */

 

 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUSECAD) ACCESS(READ)

 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUSECAD) ACCESS(READ)

 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)

 TSS PER(IZUSECAD) APPL(IZUDFLT) ACC(READ)

 TSS PER(IZUSECAD) EJBROLE(IZUDFLT.*.izuUsers) ACC(READ)

 TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)

 /*   Permit definitions for Workflow                              */

 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +

   ID(IZUSECAD) ACCESS(READ)

 TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) -

 ACC(READ)

 /*                                                                */

 /*  End zOS Security Administrator Role Setup                     */

 /*                                                                */

 

 

 /*----------------------------------------------------------------*/

 /* Begin Cloud Provisioning Setup                                 */

 /*                                                                */

 /* Generally, all resource profiles related to Cloud Provisioning */

 /* are in the ZMFCLOUD class.  The exceptions are the navigation  */

 /* task resource profiles, which are in the ZMFAPLA class.        */

 /*                                                                */

 /* The basic authorization approach used in Cloud Provisioning is */

 /* straight forward.                                              */

 /* - Authority to perform an action associated with a specific    */

 /*   user role is controlled by having READ access to the         */

 /*   RESOURCE PROFILE for that role.                              */

 /* - Access to the resource profile for a given role is given to  */

 /*   a GROUP defined for that role.  That group is granted READ   */

 /*   access to the RESOURCE PROFILE for that role.                */

 /* - Specific users are assigned roles by connecting their IDs to */

 /*   the GROUP associated with that role.                         */

 /*                                                                */

 /*   For example:                                                 */

 /*   Cloud Provisioning specifies that only domain administrators */

 /*   or landlords can perform certain actions, such as assigning  */

 /*   Network/WLM Administrators and domain template approvers for */

 /*   the domain they administer.                                  */

 /*                                                                */

 /*   - Domain administrators for the default domain are users     */

 /*     with READ access to the ZMFCLOUD class profile:            */

 /*        IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0     */

 /*     This profile is defined with the IYU0 group having READ    */

 /*     access.                                                    */

 /*   - The IYU0 group is used as a convenience.  All domain       */

 /*     administrators for the default domain will be connected    */

 /*     to the IYU0 group.                                         */

 /*   - Every Cloud Provisioning Resource Management operation     */

 /*     performed against the default domain and requiring a       */

 /*     domain administrator checks if the requesting  user has    */

 /*     READ access to the ZMFCLOUD class profile:                 */

 /*        IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0     */

 /*   - When a landlord assigns domain administrators to the       */

 /*     default domain, the IDs are connected to the IYU0 group.   */

 /*                                                                */

 /* By default, Cloud Provisioning will automatically manage the   */

 /* security environment when performing operations requiring      */

 /* security changes.                                              */

 /*                                                                */

 /* Part of the security setup that follows is for the purpose     */

 /* of establishing the security environment for the default       */

 /* domain and tenant that will be created when z/OSMF starts for  */

 /* the first time.  Existing default domain and tenant settings   */

 /* will remain unchanged during subsequent restarts.              */

 /*----------------------------------------------------------------*/

 

 /* Activate the ZMFCLOUD class                                    */

 SETROPTS CLASSACT(ZMFCLOUD)

 /* Not needed. No equivalent in TSS                               */

 SETROPTS RACLIST(ZMFCLOUD) GENERIC(ZMFCLOUD)

 /* Not needed. No equivalent in TSS                               */

 

 /* Setup the Cloud Provisioning landlord role.                    */

 /* Connect users with landlord authority to the IYU group.        */

 /* This is a manual operation to be performed outside of z/OSMF.  */

 ADDGROUP IYU

 TSS CRE(IYU) TYPE(PROFILE) NAME('IYU PROFILE') DEPT(dept)

 RDEFINE ZMFCLOUD +

   (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU) +

   UACC(NONE)

 TSS ADD(owningacid) ZMFCLOUD(IZUDFLT)

 PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU +

   CLASS(ZMFCLOUD) ID(IYU) ACCESS(READ)

 TSS PER(IYU) -

 ZMFCLOUD(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU) -

 ACC(READ)

 /* Setup the domain administrator role for the default domain.    */

 /* Subsequent Resource Management operations through the user     */

 /* interface will automatically update the default domain         */

 /* security environment when administrators are added/removed.    */

 /*                                                                */

 /* The IYU group should generally not be included in the access   */

 /* list for the default domain's domain administrator role        */

 /* profile.  It is here for compatibility purposes.               */

 ADDGROUP IYU0 SUPGROUP(IYU)

 TSS CRE(IYU0) TYPE(PROFILE) NAME('IYU0 PROFILE') DEPT(dept)

 /* TSS doesn't allow PROFILE nesting, so when you add IYU to a    */

 /* user, you also need to add IYU0 to that user.                  */

 

 RDEFINE ZMFCLOUD +

   (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0) +

   UACC(NONE)

 /* Done in a previous step.                                       */

 PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0 +

   CLASS(ZMFCLOUD) ID(IYU IYU0) ACCESS(READ)

 TSS PER(IYU) -

 ZMFCLOUD(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0) -

 ACC(READ)

 TSS PER(IYU0) -

 ZMFCLOUD(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0) -

 ACC(READ)

 /* Setup the network and WLM administrator roles for the default  */

 /* domain.                                                        */

 ADDGROUP IYU0RPAW SUPGROUP(IYU)

 TSS CRE(IYU0RPAW) TYPE(PROFILE) NAME('IYU0RPAW PROFILE') DEPT(dept)

 /* TSS doesn't allow PROFILE nesting, so when you add IYU to a    */

 /* user, you also need to add IYU0RPAW to that user.              */

 RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0) UACC(NONE)

 /* Done in a previous step.                                       */

 PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0 CLASS(ZMFCLOUD) +

   ID(IYU0RPAW) ACCESS(READ)

 TSS PER(IYU0RPAW) -

 ZMFCLOUD(IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0) -

 ACC(READ)

 

 ADDGROUP IYU0RPAN SUPGROUP(IYU)

 TSS CRE(IYU0RPAN) TYPE(PROFILE) NAME('IYU0RPAN PROFILE') DEPT(dept)

 /* TSS doesn't allow PROFILE nesting, so when you add IYU to a    */

 /* user, you also need to add IYU0RPAN to that user.              */

 RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0) +

   UACC(NONE)

 /* Done in a previous step.                                       */

 PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0 CLASS(ZMFCLOUD) +

   ID(IYU0RPAN) ACCESS(READ)

 TSS PER(IYU0RPAN) -

 ZMFCLOUD(IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0) -

 ACC(READ)

 /* Setup the domain template approver role for the default domain */

 RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.TEMPLATE.APPROVERS.IYU0) UACC(NONE)

 /* Done in a previous step.                                       */

 /* Setup the consumer role for the default tenant.                */

 ADDGROUP IYU000 SUPGROUP(IYU0)

 TSS CRE(IYU000) TYPE(PROFILE) NAME('IYU000 PROFILE') DEPT(dept)

 /* TSS doesn't allow PROFILE nesting, so when you add IYU to a    */

 /* user, you also need to add IYU000 to that user.                */

 RDEFINE ZMFCLOUD +

   (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000) +

   UACC(NONE)

 /* Done in a previous step.                                       */

 PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000 +

   CLASS(ZMFCLOUD) ID(IYU000) ACCESS(READ)

 TSS PER(IYU000) -

 ZMFCLOUD(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000) -

 ACC(READ)

 /* Define the ZMFAPLA profiles for the following resources:       */

 /*   - Cloud Provisioning's Software Services task                */

 /*   - Cloud Provisioning's Resource Management task              */

 /*   - The Workflow Editor task                                   */

 /*   - System Variables administrator resource                    */

 RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) +

   UACC(NONE)

 TSS ADD(owningacid) ZMFAPLA(IZUDFLT)

 RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT) +

   UACC(NONE)

 /* Done in a previous step.                                       */

 RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.WORKFLOW.EDITOR) UACC(NONE)

 /* Done in a previous step.                                       */

 RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN) UACC(NONE)

 /* Done in a previous step.                                       */

 /* Grant access to z/OSMF to the landlord, default domain         */

 /* administrator and the default tenant consumer groups.  The     */

 /* IYU0RPAN and IYU0RPAW groups do not need explicit access       */

 /* because users connected to them are required to be Networking  */

 /* and Workload Manager administrators, who will already be in    */

 /* the IZUUSER group.                                             */

 PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) +

   ACCESS(READ)

 TSS PER(IYU) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)

 TSS PER(IYU0) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)

 TSS PER(IYU000) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)

 

 

 /* Setup access so Cloud Provisioning users (landlords, default   */

 /* domain's domain administrators and default tenant's consumers) */

 /* can access the Software Services, Workflows and Workflow Editor*/

 /* tasks.                                                         */

 PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES CLASS(ZMFAPLA) +

   ID(IYU IYU0 IYU000) ACCESS(READ)

 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +

   ID(IYU IYU0 IYU000) ACCESS(READ)

 PERMIT IZUDFLT.ZOSMF.WORKFLOW.EDITOR CLASS(ZMFAPLA) +

   ID(IYU IYU0) ACCESS(READ)

 TSS PER(IYU) -

 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) ACC(READ)

 TSS PER(IYU0) -

 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) ACC(READ)

 TSS PER(IYU000) -

 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) ACC(READ)

 TSS PER(IYU) -

 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)

 TSS PER(IYU0) -

 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)

 TSS PER(IYU000) -

 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)

 TSS PER(IYU) -

 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.EDITOR) ACC(READ)

 TSS PER(IYU0) -

 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.EDITOR) ACC(READ)

 TSS PER(IYU000) -

 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.EDITOR) ACC(READ)

 

 /* Setup access so Cloud Provisioning administrative users        */

 /* (landlords, default domain's administrators) can access the    */

 /* Resource Management task.                                      */

 PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT +

   CLASS(ZMFAPLA) ID(IYU IYU0) ACCESS(READ)

 TSS PER(IYU) -

 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT) ACC(READ)

 TSS PER(IYU0) -

 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT) ACC(READ)

 

 /* Setup access so Cloud Provisioning resource administrators can */

 /* login and access the Workflows and Software Services tasks.    */

 PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) +

   ACCESS(READ)

 PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES +

   CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)

 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +

   ID(IYU0RPAN IYU0RPAW) ACCESS(READ)

 TSS PER(IYU0RPAN) -

 ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)

 TSS PER(IYU0RPAN) -

 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) -

 ACC(READ)

 TSS PER(IYU0RPAN) -

 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)

 TSS PER(IYU0RPAW) -

 ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)

 TSS PER(IYU0RPAW) -

 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) -

 ACC(READ)

 TSS PER(IYU0RPAW) -

 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)

 

 /* Grant authority to the z/OSMF Administrator group to modify and*/

 /* delete System Variables via the Systems task or the REST API.  */

 PERMIT IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) -

 ZMFAPLA(IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN) ACC(READ)

 

 /* Setup the security administrator profile used to determine if  */

 /* an ID being specified as the security administrator of a domain*/

 /* is permitted to be assigned as such.                           */

 /*                                                                */

 /* Define the ZMFCLOUD class IZUDFLT.ZOSMF.SECURITY.ADMIN profile */

 /* and grant read access to the IZUSECAD z/OSMF security          */

 /* administrator group.                                           */

 /*                                                                */

 /* Landlords can only specify the IDs of security administrators  */

 /* that have read access to the IZUDFLT.ZOSMF.SECURITY.ADMIN      */

 /* ZMFCLOUD class profile.                                        */

 /*                                                                */

 /* --- Only security administrator IDs that are approved          */

 /* --- beforehand should be added to the IZUSECAD group.  IDs     */

 /* --- assigned as security administrator in a domain will have   */

 /* --- that ID used to perform Resource Management dynamic        */

 /* --- security updates.                                          */

 RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.SECURITY.ADMIN) UACC(NONE)

 /* Done in a previous step.                                       */

 PERMIT IZUDFLT.ZOSMF.SECURITY.ADMIN CLASS(ZMFCLOUD) +

   ID(IZUSECAD) ACCESS(READ)

 TSS PER(IZUSECAD) ZMFCLOUD(IZUDFLT.ZOSMF.SECURITY.ADMIN) -

 ACC(READ)

 

 /* Connect the server ID IZUSVR to the IZUSECAD group.  This is   */

 /* necessary so the server can change the group ownership of the  */

 /* dynamic security REXX exec to IZUSECAD in order to secure it   */

 /* from updates by anyone other than authorized security admins.  */

 /* This izu.provisioning.security.config.rexx exec resides in the */

 /* configuration/workflow of the USERDIR specified in the server  */

 /* PROC.  The permissions are set to 570 and ownership set to     */

 /* IZUSVR:IZUSECAD.                                               */

 /*                                                                */

 /* This operation only occurs during server startup when the      */

 /* the REXX exec is not yet present.  If the exec already exists, */

 /* then the server will not make any changes to it.               */

 CONNECT (IZUSVR) GROUP(IZUSECAD)

 

 /*----------------------------------------------------------------*/

 /* End "Cloud" Setup                                              */

 /*----------------------------------------------------------------*/

 

 /* Need to REFRESH these classes for Roles                        */

 SETROPTS RACLIST(APPL) REFRESH

 /* Not needed. No equivalent in TSS                               */

 SETROPTS RACLIST(EJBROLE) REFRESH

 /* Not needed. No equivalent in TSS                               */

 SETROPTS RACLIST(ZMFAPLA) REFRESH

 /* Not needed. No equivalent in TSS                               */

 SETROPTS RACLIST(SERVER) REFRESH

 /* Not needed. No equivalent in TSS                               */

 SETROPTS RACLIST(STARTED) REFRESH

 /* Not needed. No equivalent in TSS                                */

 SETROPTS RACLIST(FACILITY) REFRESH

 /* Not needed. No equivalent in TSS                               */

 SETROPTS RACLIST(ZMFCLOUD) REFRESH

 /* Not needed. No equivalent in TSS                               */

 

 /* Connect the started task USERID to the CIM USER group          */

 CONNECT (IZUSVR) GROUP(CFZUSRGP)

 TSS ADD(IZUSVR) PROFILE(CFZUSRGP)

/*
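The STEP1 conversion above applies a small set of mappings by hand (PERMIT to TSS PER with one command per ACID and FACILITY renamed IBMFAC, RDEFINE to a one-time TSS ADD of the owning prefix, ADDGROUP to TSS CRE TYPE(PROFILE), CONNECT to TSS ADD PROFILE, SETROPTS to nothing). The Python script below is an added example, not part of the IZUSEC member or this article: it mechanises those mappings on constructed sample statements and checks a hand-converted TSS list for RACF permits it fails to cover; 'owningacid' and 'dept' are the listing's own placeholders.

```python
"""RACF -> Top Secret (TSS) conversion of IZUSEC-style command lists.
Added example, not the IBM member or this article's code: it applies the
mapping the listing does by hand and checks a hand-written TSS list against
the RACF PERMITs it must cover. 'owningacid' and 'dept' are placeholders."""
import re

CLASS_MAP = {"FACILITY": "IBMFAC"}      # other RACF class names carry over
KW = re.compile(r"(\w+)\(([^()]*)\)")   # KEYWORD(value) pairs, no nesting


def statements(text, cont):
    """Join continued lines ('+' in RACF, '-' in TSS); drop /* comment lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith(cont):
            buf += line[:-1].rstrip() + " "
        else:
            out.append(buf + line)
            buf = ""
    return out


def tss_resource(racf_name):
    """TSS permits match on a prefix, so a trailing .* or .** is dropped."""
    return re.sub(r"\.\*+$", "", racf_name)


def convert(racf_text):
    """Return TSS command lines for the RACF statements in racf_text."""
    owned, out = set(), []
    for stmt in statements(racf_text, "+"):
        verb, *rest = stmt.split(None, 1)
        verb, args = verb.upper(), dict(KW.findall(stmt))
        if verb == "PERMIT":
            res = tss_resource(rest[0].split()[0])
            cls = CLASS_MAP.get(args["CLASS"], args["CLASS"])
            acc = args.get("ACCESS") or args.get("ACC") or "READ"
            for acid in args["ID"].split():             # one TSS PER per ACID
                out.append(f"TSS PER({acid}) {cls}({res}) ACC({acc})")
        elif verb == "RDEFINE" and "STDATA" not in stmt.upper():
            cls, res = rest[0].replace("(", " ").replace(")", " ").split()[:2]
            key = (CLASS_MAP.get(cls, cls), res.split(".")[0])  # owned prefix
            if key in owned:
                out.append("/* Done in a previous step */")
            else:
                owned.add(key)
                out.append(f"TSS ADD(owningacid) {key[0]}({key[1]})")
        elif verb == "ADDGROUP":
            grp = rest[0].split()[0]
            out.append(f"TSS CRE({grp}) TYPE(PROFILE) NAME('{grp} PROFILE') DEPT(dept)")
            if "SUPGROUP" in args:                      # TSS has no profile nesting
                out.append(f"/* Add {grp} to every user that gets {args['SUPGROUP']} */")
        elif verb == "CONNECT":
            user = rest[0].split()[0].strip("()")
            out.append(f"TSS ADD({user}) PROFILE({args['GROUP']})")
        elif verb == "SETROPTS":
            out.append("/* Not needed. No equivalent in TSS */")
        else:                                   # e.g. RDEFINE STARTED ... STDATA(...)
            out.append(f"/* MANUAL: {stmt} */")
    return out


def uncovered_permits(racf_text, tss_text):
    """TSS PER lines convert() expects that the hand-written tss_text lacks."""
    have = {re.sub(r"\s+", " ", s).replace("ACCESS(", "ACC(")
            for s in statements(tss_text, "-")}
    return [line for line in convert(racf_text)
            if line.startswith("TSS PER") and line not in have]


# Constructed sample in the style of the listing (not the member itself).
SAMPLE_RACF = """\
/* Permit the z/OSMF administrator access                         */
PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(IZUADMIN) +
  ACCESS(READ)
RDEFINE ZMFCLOUD +
  (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU) +
  UACC(NONE)
RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.SECURITY.ADMIN) UACC(NONE)
ADDGROUP IYU0 SUPGROUP(IYU)
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
  ID(IYU IYU0 IYU000) ACCESS(READ)
PERMIT CEA.SIGNAL.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
CONNECT (IZUSVR) GROUP(IZUSECAD)
SETROPTS RACLIST(ZMFCLOUD) REFRESH
"""

# Constructed hand-converted TSS list; the IYU0 resource name is mistyped.
SAMPLE_TSS = """\
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTUSER) ACC(READ)
TSS PER(IYU) -
ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
TSS PER(IYU0) -
ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWSF) ACC(READ)
TSS PER(IYU000) -
ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
TSS PER(IZUSVR) SERVAUTH(CEA.SIGNAL) ACC(READ)
"""

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_RACF)))
    print("Uncovered:", uncovered_permits(SAMPLE_RACF, SAMPLE_TSS))
```

Run it against the real member only after saving a copy; the uncovered list is the review checklist, since a single mistyped qualifier leaves a permit silently missing in TSS.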

//V2R3   EXEC PGM=IKJEFT01,DYNAMNBR=99

//SYSPRINT DD SYSOUT=*

//SYSTSPRT DD SYSOUT=*

//SYSTSIN  DD *

 /*                                                                */

 /*  The V2R3 step contains the profiles which are added in V2R3   */

 /*  release                                                       */

 

 /* Define the STARTED profiles for auto start function            */

 RDEFINE STARTED IZUINSTP.* UACC(NONE) STDATA(USER(IZUSVR) +

   GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))

 TSS ADD(STC) PROCN(IZUINSTP) ACID(IZUSVR)

 

 /* Define the CEA resource profile required for auto start        */

 /* function                                                       */

 RDEFINE SERVAUTH CEA.SIGNAL.* UACC(NONE)

 TSS ADD(owningacid) SERVAUTH(CEA)

 

 /* Permit the started task USERID to this profile                 */

 PERMIT CEA.SIGNAL.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)

 TSS PER(IZUSVR) SERVAUTH(CEA.SIGNAL) ACC(READ)

 

 /* Profile for general setting                                    */

 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.GENERAL.SETTINGS UACC(NONE)

 /* Done in a previous step.                                       */

 

 /* Permit the Administrators group to this profile                */

 PERMIT IZUDFLT.ZOSMF.GENERAL.SETTINGS CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.GENERAL.SETTINGS) -

 ACCESS(READ)

 

 /* Profile Definitions for "z/OSMF email function" */

 RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)

 /* Done in a previous step.                                       */

 

 /* Permit the started task USERID to this profile                 */

 PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(IZUSVR) ACC(READ)

 TSS PER(IZUSVR) IBMFAC(IRR.RUSERMAP) ACC(READ)

 /*----------------------------------------------------------------*/

 /* Begin Setup for Discovery CPC function in Systems task         */

 /*----------------------------------------------------------------*/

 /* Replace the <netid.nau> with the 3-17 character SNA name of    */

 /* the particular CPC.                                            */

 /* Replace the <uppercasecommunityname> with the SNMP community   */

 /* name that is associated with the CPC.                          */

 /* Replace the <imagename> with the 1-8 character which           */

 /* represents LPAR name.                                          */

 /*                                                                */

 /* RDEFINE FACILITY HWI.APPLNAME.HWISERV UACC(NONE)               */

 /* TSS ADD(owningacid) IBMFAC(HWI)                                */

 /* PERMIT HWI.APPLNAME.HWISERV CLASS(FACILITY) ID(IZUADMIN) +     */

 /*   ACCESS(READ)                                                 */

 /* TSS PER(IZUADMIN) IBMFAC(HWI.APPLNAME.HWISERV) ACC(READ)       */

 /* RDEFINE FACILITY HWI.APPLNAME.HWISERV UACC(NONE)               */

 /*   APPLDATA('<uppercasecommunityname>')                         */

 /* Done in previous step                                          */

 /* RDEFINE FACILITY HWI.TARGET.<netid.nau>.<imagename> UACC(NONE) */

 /* Done in previous step                                          */

 /* PERMIT HWI.TARGET.<netid.nau> CLASS(FACILITY) ID(IZUADMIN) +   */

 /*   ACCESS(READ)                                                 */

 /* TSS PER(IZUADMIN) IBMFAC(HWI.APPLNAME.HWISERV) -               */

 /* APPLDATA('<uppercasecommunityname>') ACC(READ)                 */

 /* PERMIT HWI.TARGET.<netid.nau>.<imagename> CLASS(FACILITY) +    */

 /*   ID(IZUADMIN) ACCESS(READ)                                    */

 /* TSS PER(IZUADMIN) IBMFAC(HWI.TARGET.<netid.nau>.<imagename>) - */

 /* ACC(READ)                                                      */

 /*----------------------------------------------------------------*/

 /* End Setup for Discovery CPC function in Systems task           */

 /*----------------------------------------------------------------*/

 

 /* If AT_TLS is enable, z/OSMF started task userid needs to be    */

 /* permitted on resource EZB.INITSTACK.sysname.tcpname            */

 /*                                                                */

 /* PERMIT EZB.INITSTACK.sysname.tcpname CLASS(SERVAUTH)  +        */

 /*   ID(IZUSVR) ACCESS(READ)                                      */

 /* TSS PER(IZUSVR) SERVAUTH(EZB.INITSTACK.sysname.tcpname) -      */

 /* ACC(READ)                                                      */

 

 /* Profile Definitions for "zOS Operator Consoles" task */

 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.CONSOLES.ZOSOPER UACC(NONE)

 /* Done in a previous step.                             */

 /* Permit definitions for "zOS Operator Consoles" task */

 PERMIT IZUDFLT.ZOSMF.CONSOLES.ZOSOPER CLASS(ZMFAPLA) +

   ID(IZUUSER) ACCESS(READ)

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.CONSOLES.ZOSOPER) -

 ACC(READ)

 /* Permit definitions for "zOS Operator Consoles" task */

 PERMIT IZUDFLT.ZOSMF.CONSOLES.ZOSOPER CLASS(ZMFAPLA) +

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.CONSOLES.ZOSOPER) -

 ACC(READ)

 

 /* Profile definitions for Named Angel Support                    */

 RDEFINE SERVER BBG.ANGEL.IZUANG1 UACC(NONE)

 /* Done in a previous step.                                       */

 PERMIT BBG.ANGEL.IZUANG1 CLASS(SERVER) ID(IZUSVR) ACCESS(READ)

 TSS PER(IZUSVR) SERVER(BBG.ANGEL.IZUANG1) ACC(READ)

 /* Define security setup to permit Authorized WLM Service(ZOSWLM )*/

 RDEFINE FACILITY BPX.WLMSERVER UACC(NONE)

 /* Done in a previous step.                                       */

 PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)

 TSS PER(IZUSVR) IBMFAC(BPX.WLMSERVER) ACC(READ)

 

 /* Make changes effective                                         */

 SETROPTS RACLIST(SERVER) REFRESH

 /* Not needed. No equivalent in TSS                               */

 SETROPTS RACLIST(SERVAUTH) REFRESH

 /* Not needed. No equivalent in TSS                               */

 SETROPTS RACLIST(ZMFAPLA) REFRESH

 /* Not needed. No equivalent in TSS                               */

 SETROPTS RACLIST(FACILITY) REFRESH

 /* Not needed. No equivalent in TSS                               */

 /*                                                                */

 /*  End V2R3 step Setup                                           */

 /*                                                                */

 

 /*                                                                */          

 /* The CLOUD step performs setup that is only required if you     */          

 /* plan to use the Cloud Provisioning and Management support AND  */          

 /* you configure Cloud Provisioning and Management for REXX       */          

 /* workflow support for automatic security processing.            */          

 /*                                                                */          

 /* IBM recommends using the IRRSMO00 (R_SecMgtOper) support when  */          

 /* using automatic security processing for Cloud Provisioning and */          

 /* Management.  Then this step is not necessary.                  */          

 /*                                                                */          

 /* Connect the started task user ID to the IZUSECAD group.        */           

 /* This is needed so z/OSMF initialization processing can create  */          

 /* a CLOUD properties file and assign its group ownership to      */          

 /* IZUSECAD.                                                      */          

 /*                                                                */          

 /* This is necessary when using automatic security processing     */          

 /* with REXX workflows because the properties file identifies the */          

 /* location of the REXX exec that performs the automatic security */          

 /* operations, AS THE CLOUD_SEC_ADMIN SECURITY ADMINISTRATOR ID   */          

 /* SPECIFIED IN IZUPRMxx.  This properties file MUST BE properly  */          

 /* secured to prevent unauthorized changes to it.                 */          

 /*                                                                */          

 /* If the CLOUD step is not done, when Cloud Provisioning and     */          

 /* Management is configured to the REXX implementation for        */          

 /* automatic security processing, Cloud Provisioning and          */          

 /* Management will issue IYURM0041E messages to the operator      */          

 /* console when performing operations that require security       */          

 /* processing and the requested operation will fail.  On startup, */          

 /* IZUG202E error messages will be issued to the server's job log.*/          

 /*                                                                */          

 /* The rest of z/OSMF is not affected and will operate normally.  */          

                                                                                

 CONNECT (IZUSVR) GROUP(IZUSECAD)   

 TSS ADD(IZUSVR) PROFILE(IZUSECAD)                                          

                                                                               

 /*                                                                */          

 /* End CLOUD step Setup                                           */          

 /*                                                                */          

                                                                                

/*                                                                             

//V2R4   EXEC PGM=IKJEFT01,DYNAMNBR=99                                         

//SYSPRINT DD SYSOUT=*                                                          

//SYSTSPRT DD SYSOUT=*                                                         

//SYSTSIN  DD *                                                                

 /*                                                                */          

 /*  The V2R4 setup contains the profiles which are added in V2R4  */          

 /*  release                                                       */          

                                                                                

                                                                               

 /*                                                                */          

 /*  Begin "z/OSMF Security Configuration Assistant" Setup         */

 /*                                                                */          

                                                                               

 /*   Profile Definitions for z/OSMF Security Configuration Assistant */       

 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT +              

        UACC(NONE)  

 /* No action, as the ZMFAPLA(IZUDFLT) is already owned in STEP1   */                                                            

                                                                               

 RDEFINE SERVER BBG.SECCLASS.SERVER UACC(NONE)                                 

 RDEFINE SERVER BBG.SECCLASS.APPL UACC(NONE)                                   

 RDEFINE SERVER BBG.SECCLASS.FACILITY UACC(NONE)                               

 RDEFINE SERVER BBG.SECCLASS.EJBROLE UACC(NONE)                                

 RDEFINE SERVER BBG.SECCLASS.SERVAUTH UACC(NONE)                                

 RDEFINE SERVER BBG.SECCLASS.STARTED UACC(NONE)                                

 RDEFINE SERVER BBG.SECCLASS.ACCTNUM UACC(NONE)                                

 RDEFINE SERVER BBG.SECCLASS.TSOPROC UACC(NONE)                                 

 RDEFINE SERVER BBG.SECCLASS.TSOAUTH UACC(NONE)                                

 RDEFINE SERVER BBG.SECCLASS.OPERCMDS UACC(NONE)                               

 RDEFINE SERVER BBG.SECCLASS.CSFSERV UACC(NONE)                                 

 RDEFINE SERVER BBG.SECCLASS.JESSPOOL UACC(NONE)                               

 RDEFINE SERVER BBG.SECCLASS.LOGSTRM UACC(NONE)                                

 RDEFINE SERVER BBG.SECCLASS.UNIXPRIV UACC(NONE)                               

 RDEFINE SERVER BBG.SECCLASS.RDATALIB UACC(NONE) 

 /* No action, as the BBG is already owned in STEP1                */                            

                                                                               

 /******************************************************************/          

 /* Permit definitions for  z/OSMF Security Configuration Assistant*/          

 /******************************************************************/          

 /* Begin zOSMF Administrator Role Setup                           */          

 /******************************************************************/          

 PERMIT IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT +                       

        CLASS(ZMFAPLA) ACCESS(READ) ID(IZUADMIN) 

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.CONFIGURATION.) ACC(READ)                             

                                                                               

 /******************************************************************/           

 /*   End zOSMF Administrator Role Setup                           */          

 /******************************************************************/          

                                                                               

 /******************************************************************/          

 /*  Permit the started task USERID access                         */          

 /******************************************************************/          

 PERMIT BBG.SECCLASS.SERVER CLASS(SERVER) ACCESS(READ) ID(IZUSVR)              

 PERMIT BBG.SECCLASS.APPL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)                

 PERMIT BBG.SECCLASS.FACILITY CLASS(SERVER) ACCESS(READ) ID(IZUSVR)            

 PERMIT BBG.SECCLASS.EJBROLE CLASS(SERVER) ACCESS(READ) ID(IZUSVR)             

 PERMIT BBG.SECCLASS.SERVAUTH CLASS(SERVER) ACCESS(READ) ID(IZUSVR)            

 PERMIT BBG.SECCLASS.STARTED CLASS(SERVER) ACCESS(READ) ID(IZUSVR)             

 PERMIT BBG.SECCLASS.ACCTNUM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)             

 PERMIT BBG.SECCLASS.TSOPROC CLASS(SERVER) ACCESS(READ) ID(IZUSVR)             

 PERMIT BBG.SECCLASS.TSOAUTH CLASS(SERVER) ACCESS(READ) ID(IZUSVR)             

 PERMIT BBG.SECCLASS.OPERCMDS CLASS(SERVER) ACCESS(READ) ID(IZUSVR)            

 PERMIT BBG.SECCLASS.CSFSERV CLASS(SERVER) ACCESS(READ) ID(IZUSVR)             

 PERMIT BBG.SECCLASS.JESSPOOL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)            

 PERMIT BBG.SECCLASS.LOGSTRM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)              

 PERMIT BBG.SECCLASS.UNIXPRIV CLASS(SERVER) ACCESS(READ) ID(IZUSVR)            

 PERMIT BBG.SECCLASS.RDATALIB CLASS(SERVER) ACCESS(READ) ID(IZUSVR)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.SERVER) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.APPL) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.FACILITY) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.EJBROLE) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.SERVAUTH) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.STARTED) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ACCTNUM) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.TSOPROC) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.TSOAUTH) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.OPERCMDS) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.CSFSERV) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.JESSPOOL) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.LOGSTRM) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.UNIXPRIV) ACC(READ)

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.RDATALIB) ACC(READ)           

                                                                               

 /******************************************************************/          

 /*  End Permit the started task USERID access                     */          

 /******************************************************************/          

                                                                               

 /* Need to REFRESH these classes for Roles                        */          

 SETROPTS RACLIST(ZMFAPLA) REFRESH                                             

 SETROPTS RACLIST(SERVER) REFRESH 

 /* Not needed. No equivalent in TSS                               */                                             

                                                                               

 /*                                                                */          

 /*  End " z/OSMF Security Configuration Assistant" Setup          */          

 /*                                                                */          

                                                                               

 /*                                                                */          

 /*  Begin "z/OSMF Diagnostic Assistant" Setup                     */          

 /*                                                                */          

                                                                               

 /*  Profile Definition for z/OSMF Diagnostic Assistant            */          

 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.DIAGNOSTIC_ASSISTANT +               

   UACC(NONE)   

 /* No action, as the ZMFAPLA(IZUDFLT) is already owned in STEP1   */                                                             

                                                                               

 /*  Permit definition for z/OSMF Diagnostic Assistant             */          

 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.DIAGNOSTIC_ASSISTANT +                        

   CLASS(ZMFAPLA) ACCESS(READ) ID(IZUADMIN)  

 TSS PER(IZUADMIN) -

    ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.DIAGNOSTIC_ASSISTANT) ACC(READ)                                  

                                                                               

 /*  Profile Definition for z/OSMF Cloud Provisioning            */            

 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES +                

   UACC(NONE)                                                                  

 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT +              

   UACC(NONE)                                                                   

 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.EDITOR UACC(NONE)                      

 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN UACC(NONE)

 /* No action, as the ZMFAPLA(IZUDFLT) is already owned in STEP1   */               

                                                                                

 /*  Need to REFRESH these classes for Roles                       */          

 SETROPTS RACLIST(ZMFAPLA) REFRESH 

 /* Not needed. No equivalent in TSS                               */                                             

                                                                               

 /*                                                                */          

 /*  End "z/OSMF Diagnostic Assistant" Setup                       */          

 /*                                                                */          

                                                                               

 /*                                                                */          

 /*  End V2R4 step Setup                                           */          

 /*                                                                */          

/*                                                                                                                                                           

//PH40017   EXEC PGM=IKJEFT01,DYNAMNBR=99                                      

//SYSPRINT DD SYSOUT=*                                                         

//SYSTSPRT DD SYSOUT=*                                                         

//SYSTSIN  DD *                                                                 

 /*                                                                */          

 /*  The PH40017 setup contains the profiles which are added for   */          

 /*  Feedback Collection                                           */          

                                                                               

 /* Profile Definitions for "z/OSMF Feedback Collection" */                    

 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SEND.IBM.FEEDBACK UACC(NONE)  

 /* No action, as the ZMFAPLA(IZUDFLT) is already owned in STEP1   */                  

                                                                               

 /*                                                                */           

 /*  Begin zOSMF User Role Setup                                   */          

 /*                                                                */          

                                                                               

 /*  Permit definitions for z/OSMF Feedback Collection             */          

 PERMIT IZUDFLT.ZOSMF.SEND.IBM.FEEDBACK CLASS(ZMFAPLA) +                       

   ID(IZUUSER) ACCESS(READ) 

 TSS PER(IZUUSER) -

    ZMFAPLA(IZUDFLT.ZOSMF.SEND.IBM.FEEDBACK) ACC(READ)                                                   

                                                                               

 /*                                                                */          

 /*  End zOSMF User Role Setup                                     */          

 /*                                                                */          

                                                                               

 /*                                                                */          

 /*  Begin zOSMF Administrator Role Setup                          */          

 /*                                                                */          

                                                                                

 /*  Permit definitions for z/OSMF Feedback Collection             */          

 PERMIT IZUDFLT.ZOSMF.SEND.IBM.FEEDBACK CLASS(ZMFAPLA) +                       

   ID(IZUADMIN) ACCESS(READ)

 TSS PER(IZUADMIN) -

    ZMFAPLA(IZUDFLT.ZOSMF.SEND.IBM.FEEDBACK) ACC(READ)                                                    

                                                                               

 /*                                                                */          

 /*  End zOSMF Administrator Role Setup                            */          

 /*                                                                */          

                                                                                

 /*  Need to REFRESH these classes for Roles                       */          

 SETROPTS RACLIST(ZMFAPLA) REFRESH  

 /* Not needed. No equivalent in TSS                               */                                            

                                                                               

 /*                                                                */          

 /*  End PH40017 step Setup                                        */          

 /*                                                                */          

/*                                                                             

 

This is the IZUSEC version containing only the TSS commands:

//IZUCORE JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX
//* ------------------------------------------------------------ *
//*   CA TOP SECRET (16.00) SECURITY FOR Z/OS                    *
//*   Copyright (c) 2018 CA, Inc. All rights reserved.           *
//* ------------------------------------------------------------ *
//********************************************************************
//*                                                                  *
//* DESCRIPTIVE NAME:                                                *
//*    z/OSMF SERVER default security setup                          *
//*                                                                  *
//*    The JCL contains the security setup for z/OSMF server.        *
//*    You can customize this JCL to create a security setup         *
//*    for the z/OSMF Server as you wish.                            *
//*                                                                  *
//*    NOTE: The V2R4 step is added to the IZUSEC job in this        *
//*    release. The V2R4 step contains the profiles that are new in  *
//*    z/OS V2R4. If you have previously installed and configured    *
//*    z/OSMF, step V2R4 is the only step you need to run.           *
//*                                                                  *
//********************************************************************
//*                                                                  *
//* This job must be run using a user ID that has the RACF SPECIAL   *
//* attribute.                                                       *
//*                                                                  *
//* This job assumes that the UID and GID Auto-Assignment has been   *
//* set up. See the topic "Set Up UID and GID Auto-Assignment"       *
//* in the CA Top Secret for z/OS manual. If this function has not   *
//* been enabled, you must assign unique UIDs to the IZUSVR and      *
//* IZUGUEST user IDs and unique GIDs to the groups IZUADMIN,        *
//* IZUSECAD, IZUUSER, and IZUUNGRP.                                 *
//*                                                                  *
//********************************************************************
//*                                                                  *
//********************************************************************
//*
//* JOB CORE sets up z/OSMF core security settings.                */
//* Replace with your job card                                     */
//* The following updates need to be made before submitting this   */
//* JCL                                                            */
//*                                                                */
//* 1. Update <owningacid> with the resource owner.                */
//*                                                                */
//*                                                                */
//*                                                                */
//********************************************************************
//STEP1  EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *

 /* Begin "Core" Setup                                             */
 /*                                                                */
 /* This commented section contains the CLASS activation commands. */
 /* Ensure the following classes are active before executing this  */
 /* script or creating profiles in these classes.                  */
 /*                                                                */
 TSS CRE(IZUADMGP) NAME('IZUADMIN GROUP') TYPE(GROUP) -
  DEPT(<owningacid>)
 TSS ADD(IZUADMGP) GID(?)
 TSS CRE(IZUADMIN) NAME('IZUADMIN PROFILE') TYPE(PROFILE) -
  DEPT(<owningacid>)

 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUADMIN to an acid, you will also need to attach IZUADMGP.    */
 /* Example: TSS ADD(acid) PROFILE(IZUADMIN) GROUP(IZUADMGP)       */

 /* Create the z/OSMF Users group                                  */
 TSS CRE(IZUUSRGP) NAME('IZUUSER GROUP') TYPE(GROUP) -
 DEPT(<owningacid>)
 TSS ADD(IZUUSRGP) GID(?)
 TSS CRE(IZUUSER) NAME('IZUUSER PROFILE') TYPE(PROFILE) -
 FAC(zosmf) -
 DEPT(<owningacid>)

 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUUSER to an acid, you will also need to attach IZUUSRGP.     */
 /* Example: TSS ADD(acid) PROFILE(IZUUSER) GROUP(IZUUSRGP)        */

 /* Create the z/OSMF Unauthenticated group                        */
 TSS CRE(IZUUNAGP) NAME('zOSMF Unauthenticated Group') -
 TYPE(GROUP) -
 DEPT(<owningacid>)

 TSS ADD(IZUUNAGP) GID(?)
 TSS CRE(IZUUNGRP) NAME('IZUUNGRP PROFILE') TYPE(PROFILE) -
 DEPT(<owningacid>)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUUNGRP to an acid, you will also need to attach IZUUNAGP.    */
 /* Example: TSS ADD(acid) PROFILE(IZUUNGRP) GROUP(IZUUNAGP)       */

 /* Create the started task USERID for the z/OSMF Server           */
 /* Please note, the HOME directory should be created with         */
 /* utility IZUMKFS.                                               */
 TSS CRE(IZUSVR) NAME('zOSMF Started Task USERID') TYPE(USER) -
 PASS(NOPW,0) FAC(STC) -
 DEPT(<owningacid>)

 TSS ADD(IZUSVR) PROFILE(IZUADMIN)
 TSS ADD(IZUSVR) GROUP(IZUADMGP)

 TSS ADD(IZUSVR) DFLTGRP(IZUADMGP)
 TSS ADD(IZUSVR) UID(?)
 TSS ADD(IZUSVR) HOME(/var/zosmf/data/home/izusvr)
 TSS ADD(IZUSVR) OMVSPGM(/bin/sh)
 TSS ADD(IZUSVR) MASTFAC(ZOSMF)

 TSS ADD(<owningacid>) PROGRAM(BPX)
 TSS PER(IZUSVR) PROGRAM(BPXBATCH)
 TSS PER(IZUSVR) PROGRAM(BPXBATSL)
 TSS PER(IZUSVR) PROGRAM(BPXBATA2)

 /* Change concurrent open file number for started task USERID     */
 TSS ADD(IZUSVR) OEFILEP(10000)

 /* Create the z/OSMF unauthenticated USERID                       */

 TSS CRE(IZUGUEST) NAME('zOSMF Unauthenticated USERID') -
  TYPE(USER) PASS(NOPW,0) -
  DEPT(<owningacid>)

 TSS ADD(IZUGUEST) RSTDACC

 TSS ADD(IZUGUEST) UID(?) OMVSPGM('/bin/sh') -
 HOME('/u/izuguest') DFLTGRP(IZUUNAGP) GROUP(IZUUNAGP) FAC(ZOSMF)

 /* Define the STARTED profiles for the z/OSMF server              */
 TSS ADD(STC) PROCNAME(IZUSVR1) ACID(IZUSVR)
 TSS ADD(STC) PROCNAME(IZUANG1) ACID(IZUSVR)

 TSS ADD(<owningacid>) APPL(IZUDFLT)

 /* Define the SERVER profiles for the z/OSMF server               */
 TSS ADD(<owningacid>) SERVER(BBG)

 /* Permit the z/OSMF unauthenticated USERID access                */
 TSS PER(IZUGUEST) APPL(IZUDFLT)

 /* Permit the started task USERID access                          */
 TSS PER(IZUSVR) SERVER(BBG.SECPFX.IZUDFLT) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.ANGEL) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSWLM) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.TXRRS) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSDUMP) ACCESS(READ)

 /* Define the BPX.CONSOLE profile to suppress the BPXM023I message*/
 /* prefix for console messages                                    */
 TSS ADD(<owningacid>) IBMFAC(BPX.)
 /* This will fail with the following error                       */
 TSS PER(IZUSVR) IBMFAC(BPX.CONSOLE) ACCESS(READ)

 /* Define the Sync-to-OS-thread FACILITY profile                  */
 TSS ADD(<owningacid>) IBMFAC(BBG.)

 /* Permit the started task USERID access                          */
 TSS PER(IZUSVR) IBMFAC(BBG.SYNC.IZUDFLT) ACCESS(CONTROL)

 /* Define the FACILITY profile for working with digital           */
 /* certificates                                                   */
 TSS ADD(<owningacid>) IBMFAC(IRR.)

 /* Allow users of the z/OSMF Configuration Workflow to extract    */
 /* profile information                                            */

 /* Permit the started task USERID access                          */
 TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(READ)

 /* Create the CA certificate for the z/OSMF server                */

 TSS GENCERT(CERTAUTH) DIGICERT(ZOSMFCA) -
 SUBJECTN('CN="z/OSMF CertAuth for Security Domain" OU="IZUDFLT"') -
 LABLCERT('zOSMFCA') NADATE(05/17/23)

 TSS ADD(IZUSVR) KEYRING(IZUSVRKR) LABLRING('IZUKeyring.IZUDFLT')

 /* Create the server certificate for the z/OSMF server            */
 /* Change HOST NAME in CN field into real local host name         */
 /* Usually the format of the host name is 'XXXX.XXX.XXX.XXX'      */

 TSS GENCERT(IZUSVR) DIGICERT(DEFOSMFC) -
 SUBJECTN('CN="HOST NAME" OU="IZUDFLT" O="IBM"') -
 LABLCERT('DefaultzOSMFCert.IZUDFLT') -
 SIGNWITH(CERTAUTH,ZOSMFCA) -
 NADATE(05/17/23)

 TSS REPL(IZUSVR) DIGICERT(DEFOSMFC) TRUST

 TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(IZUSVR,DEFOSMFC) -
 USAGE(PERSONAL) DEFAULT

 /*RACDCERT ID( IZUSVR ) CONNECT (LABEL('zOSMFCA') +  */
 /*  RING('IZUKeyring.IZUDFLT') CERTAUTH)               */
 TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(CERTAUTH,ZOSMFCA) -
 USAGE(CERTAUTH)

 /* Define the CEA resource profile required for z/OSMF server     */
 TSS ADD(<owningacid>) SERVAUTH(CEA)

 /* Define the Account Number resource profile for REST File API   */
 TSS ADD(<owningacid>) TSOACCT(IZUACCT)

 /* Define the TSO Procedure resource profile for REST File API    */
 TSS ADD(<owningacid>) TSOPROC(IZUFPROC)

 /* List-of-groups authority checking supplements the normal       */
 /* access authority checking by allowing all groups of which a    */
 /* user ID is a member to enter into the access list checking     */
 /* process. Un-comment the following line to activate this.       */
 TSS CRE(IZUSECGP) NAME('z/OS Security Admin Group') -
  TYPE(GROUP) -
  DEPT(<owningacid>)
 TSS ADD(IZUSECGP) GID(?)
 TSS ADD(IZUSVR) GROUP(IZUSECGP)
 TSS CRE(IZUSECAD) NAME('z/OS Security Admin PROFILE') -
  TYPE(PROFILE) -
  DEPT(<owningacid>)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUSECAD to an acid, you will also need to attach IZUSECGP.    */
 /* Example: TSS ADD(acid) PROFILE(IZUSECAD) GROUP(IZUSECGP)       */

 /* Define the ZMFAPLA profile for the z/OSMF server               */
 TSS ADD(<owningacid>) ZMFAPLA(IZUDFLT)

 /* The EJBROLE definitions are case-sensitive.  Ensure you        */
 /* preserve case for these commands                               */
 /* Assumption: EJBROLE is defined, activated, and raclisted.      */
 TSS ADD(<owningacid>) EJBROLE(IZUDFLT)

 /* Permit the started task USERID access                          */
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFAPLA) ACCESS(READ)
 /* Roles processing will permit the z/OSMF Server groups to the   */          

 /* Application Server resources                                   */          

 /* Assumption: APPL class has been defined, activated, raclisted. */          

                                                                               

 /* Permit the Administrators group to this profile                */          

 TSS PER(IZUADMIN) SERVAUTH(CEA.CEATSO) ACCESS(READ)                           

                                                                               

 /* Permit the Users group to this profile                         */          

 TSS PER(IZUUSER) SERVAUTH(CEA.CEATSO) ACCESS(READ)                            

                                                                               

 /* Permit the started task USERID to this profile                 */          

 TSS PER(IZUSVR) SERVAUTH(CEA.CEATSO) ACCESS(READ)                             

                                                                               

                                                                                

 /* Not needed. No equivalent in TSS                               */          

 /* Permit the Administrators group to these profiles              */          

 TSS PER(IZUADMIN) TSOACCT(IZUACCT)                                             

 TSS PER(IZUADMIN) TSOPROC(IZUFPROC)                                           

 /* Permit the Users group to these profiles                       */          

 TSS PER(IZUUSER) TSOACCT(IZUACCT)                                              

 TSS PER(IZUUSER) TSOPROC(IZUFPROC)                                            

 /* Define console profile in class TSOAUTH to issue MVS commands  */          

 /* via EMCS consoles                                              */          

 TSS ADD(<owningacid>) TSOAUTH(CONSOLE)                                        

                                                                               

 /* Permit the Administrators group to these profiles              */          

 TSS PER(IZUADMIN) TSOAUTH(CONSOLE)                                            

                                                                               

 /* Permit the Users group to these profiles                       */          

 TSS PER(IZUUSER) TSOAUTH(CONSOLE)                                             

 /* Not needed. No equivalent in TSS                               */          

 /* Define MCS operator profile starting with prefix IZU@          */          

 TSS ADD(<owningacid>) OPERCMDS(MVS.)                                          

                                                                               

 /* Permit the Administrators group to these profiles              */          

 TSS PER(IZUADMIN) OPERCMDS(MVS.MCSOPER.IZU)                                   

                                                                               

 /* Permit the Users group to these profiles                       */          

 TSS PER(IZUUSER) OPERCMDS(MVS.MCSOPER.IZU)                                    

                                                                               

 /* If your installation utilizes hardware crypto in combination   */          

 /* with ICSF, various services like CSFRNGL, CSFDSV, CSFOWH,       */          

 /* CSFIQF, etc. may be protected by profiles established in your   */          

 /* security product. In certain cases, z/OSMF will utilize these   */          

 /* services, and the z/OSMF started task USERID will need to be    */          

 /* permitted to these profiles. If concrete profiles in the        */          

 /* CSFSERV class have been defined to protect these resources, the */          

 /* following commented commands would permit the started task      */          

 /* userid to the profile used by the associated ICSF service.      */          

 /*                                                               .*/          

 /*TSS PER(IZUSVR) CSFSERV(CSFIQF)                                 */          

 /*                                                               .*/          

 /*encipher callable service                                       */          

 /*TSS PER(IZUSVR) CSFSERV(CSFENC)                                 */          

 /*                                                               .*/          

 /*cryptographic variable encipher callable                        */          

 /*TSS PER(IZUSVR) CSFSERV(CSFCVE)                                 */          

 /*                                                               .*/          

 /*decipher callable service                                       */          

 /*TSS PER(IZUSVR) CSFSERV(CSFDEC)                                 */          

 /*                                                               .*/          

 /*symmetric algorithm encipher callable service                   */          

 /*TSS PER(IZUSVR) CSFSERV(CSFSAE)                                 */          

 /*                                                               .*/          

 /*symmetric algorithm decipher callable service                   */          

 /*TSS PER(IZUSVR) CSFSERV(CSFSAD)                                 */          

 /*                                                               .*/          

 /*one-way hash generate callable service                          */          

 /*TSS PER(IZUSVR) CSFSERV(CSFOWH)                                 */          

 /*                                                               .*/          

 /*random number generate callable service                         */          

 /*TSS PER(IZUSVR) CSFSERV(CSFRNG)                                 */          

 /*                                                               .*/          

 /*random number generate long callable service                    */          

 /*TSS PER(IZUSVR) CSFSERV(CSFRNGL)                                */          

 /*                                                               .*/          

 /*PKA key generate callable service                               */           

 /*TSS PER(IZUSVR) CSFSERV(CSFPKG)                                 */          

 /*                                                               .*/          

 /*digital signature generate service                              */          

 /*TSS PER(IZUSVR) CSFSERV(CSFDSG)                                 */          

 /*                                                               .*/          

 /*digital signature verify callable service                       */          

 /*TSS PER(IZUSVR) CSFSERV(CSFDSV)                                 */          

 /*                                                               .*/          

 /*PKA key token change callable service                           */          

 /*TSS PER(IZUSVR) CSFSERV(CSFPKT)                                 */          

 /*                                                               .*/          

 /*retained key list callable service                              */          

 /*TSS PER(IZUSVR) CSFSERV(CSFRKL)                                 */          

 /*                                                               .*/          

 /*PKA Public Key Extract callable service                         */          

 /*TSS PER(IZUSVR) CSFSERV(CSFPKX)                                 */          

 /*                                                               .*/          

 /*PKA encrypt callable service                                    */          

 /*                                                               .*/          

 /*TSS PER(IZUSVR) CSFSERV(CSFPKE) ACCESS(READ)                    */          

 /*                                                               .*/          

 /*PKA decrypt callable service                                    */          

 /*TSS PER(IZUSVR) CSFSERV(CSFPKD)                                 */          

 /*                                                               .*/          

 /*PKA key import callable service                                 */          

 /*TSS PER(IZUSVR) CSFSERV(CSFPKI)                                 */          

 /*                                                               .*/          

 /*multiple clear key import callable service                      */           

 /*TSS PER(IZUSVR) CSFSERV(CSFCKM)                                 */          

 /*                                                               .*/          

 /*key generate callable service                                   */          

 /*TSS PER(IZUSVR) CSFSERV(CSFKGN)                                 */          

 /*                                                               .*/          

 /*ECC Diffie-Hellman callable service                             */          

 /*TSS PER(IZUSVR) CSFSERV(CSFEDH)                                 */          

 /*                                                               .*/          

                                                                               

 /*   Profile Definitions for "Workflow"                           */          

 /*                                                                */          

 /*   Begin zOSMF User Role Setup                                  */          

 /*                                                                */          

 TSS PER(IZUUSER) APPL(IZUDFLT)                                                

 TSS PER(IZUUSER) EJBROLE(IZUDFLT.-.izuUsers)                                  

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF)                                       

                                                                               

 /*   Permit definitions for Core                                  */          

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.LINK) ACCESS(READ)                     

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) -               

    ACCESS(READ)                                                                

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) -                    

    ACCESS(READ)                                                               

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) -                

    ACCESS(READ)                                                               

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) -           

    ACCESS(READ)                                                                

                                                                               

 /*   Permit definitions for Workflow                              */          

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) -                   

    ACCESS(READ)                                                               

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS) -               

    ACCESS(READ)                                                               

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.MODIFY) -                 

    ACCESS(READ)                                                               

                                                                               

 /*                                                                */          

 /*  End zOSMF User Role Setup                                     */          

 /*                                                                */          

                                                                               

 /*                                                                */          

 /*   Begin zOSMF Administrator Role Setup                         */          

 /*                                                                */          

 TSS PER(IZUADMIN) APPL(IZUDFLT)                                               

 TSS PER(IZUADMIN) EJBROLE(IZUDFLT.-.izuUsers)                                 

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF)                                      

 /*   Permit definitions for Core                                  */          

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING) -              

    ACCESS(READ)                                                                

 TSS PER(IZUADMIN) -                                                           

  ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER) -                            

  ACCESS(READ)                                                                  

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK) -               

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LOGGER) -                   

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) -                                                           

  ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT) -                         

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) -                                                           

  ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS) -                          

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.LINK) -                               

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) -              

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY) -            

  ACCESS(READ)                                                                  

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) -                   

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) -               

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) -                                                           

  ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) -                           

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) -                                                            

  ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY) -                         

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) -                                                            

  ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)                       

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.ADMIN) -                     

  ACCESS(READ)                                                                  

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS) -              

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) -                                                            

  ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN) -                         

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.MODIFY) -                 

  ACCESS(READ)                                                                 

 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTUSER) ACCESS(READ)                    

 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTGRP) ACCESS(READ)                     

 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.RLIST) ACCESS(READ)                       

 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.SETROPTS.LIST) ACCESS(READ)               

                                                                               

 /*                                                                */          

 /*  End zOSMF Administrator Role Setup                            */          

 /*                                                                */          

 /*                                                                */          

 /*   Begin zOS Security Administrator Role Setup                  */          

 /*                                                                */          

                                                                                

 TSS PER(IZUSECAD) APPL(IZUDFLT)                                               

 TSS PER(IZUSECAD) EJBROLE(IZUDFLT.-.izuUsers)                                 

 TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF)                                      

 /*   Permit definitions for Workflow                              */          

 TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) -                 

 ACCESS(READ)                                                                   

 /*                                                                */          

 /*  End zOS Security Administrator Role Setup                     */          

 /*                                                                */          

                                                                               

                                                                               

 /*----------------------------------------------------------------*/          

 /* Begin Setup for API Discovery Swagger User Interface           */          

 /*----------------------------------------------------------------*/          

 /* The API Discovery feature lets you view z/OSMF REST APIs in    */           

 /* a Swagger User Interface. That feature uses the Liberty REST   */          

 /* handler framework, which requires the following resource       */          

 /* permissions to allow all z/OSMF users to access the Swagger    */          

 /* User Interface.                                                */          

 /* RDEFINE EJBROLE +                                              */          

 /* IZUDFLT.com.ibm.ws.management.security.resource.+              */          

 /* allAuthenticatedUsers UACCESS(NONE)                            */          

 TSS PER(IZUUSER) -                                                            

  EJBROLE(IZUDFLT.com.ibm.ws.management.security.resource.+                    

  allAuthenticatedUsers)                                                        

 TSS PER(IZUADMIN) -                                                           

  EJBROLE(IZUDFLT.com.ibm.ws.management.security.resource.+                    

  allAuthenticatedUsers)                                                       

 /*----------------------------------------------------------------*/          

 /* End Setup for API Discovery Swagger User Interface             */          

 /*----------------------------------------------------------------*/          

/*                                                                             

//V2R3   EXEC PGM=IKJEFT01,DYNAMNBR=99                                         

//SYSPRINT DD SYSOUT=*                                                         

//SYSTSPRT DD SYSOUT=*                                                         

//SYSTSIN  DD *                                                                 

 /*                                                                */          

 /*  The V2R3 step contains the profiles that are added in the     */          

 /*  V2R3 release                                                  */          

                                                                               

 /* Define the STARTED profiles for auto start function            */          

 TSS ADD(STC) PROCN(IZUINSTP) ACID(IZUSVR)                                      

                                                                               

 /* Define the CEA resource profile required for auto start        */          

 /* function                                                       */           

 TSS ADD(<owningacid>) SERVAUTH(CEA)                                           

                                                                               

 /* Permit the started task USERID to this profile                 */          

 TSS PER(IZUSVR) SERVAUTH(CEA.SIGNAL) ACCESS(READ)                             

                                                                               

 /* Profile for general setting                                    */          

 /* Done in the previous step.                                     */          

                                                                               

 /* Permit the Administrators group to this profile                */          

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.GENERAL.SETTINGS) -                   

 ACCESS(READ)                                                                  

                                                                               

 /* Profile Definitions for "z/OSMF email function" */                         

                                                                               

 /* Permit the started task USERID to this profile                 */          

 TSS PER(IZUSVR) IBMFAC(IRR.RUSERMAP) ACCESS(READ)                             

 /*----------------------------------------------------------------*/          

 /* Begin Setup for Discovery CPC function in Systems task         */          

 /*----------------------------------------------------------------*/          

 /* Replace <netid.nau> with the 3-17 character SNA name of the    */          

 /* particular CPC.                                                */          

 /* Replace <uppercasecommunityname> with the SNMP community name  */          

 /* that is associated with the CPC.                               */          

 /* Replace <imagename> with the 1-8 character LPAR name.          */          

 /*                                                                */          

 /* TSS ADD(<owningacid>) IBMFAC(HWI)                              */          

 /* TSS PER(IZUADMIN) IBMFAC(HWI.APPLNAME.HWISERV) ACCESS(READ)    */           

 /* TSS PER(IZUADMIN) IBMFAC(HWI.APPLNAME.HWISERV) -               */          

 /* TSS PER(IZUADMIN) IBMFAC(HWI.TARGET.<netid.nau>.<imagename>) - */          

 /* ACCESS(READ)                                                   */          

 /*----------------------------------------------------------------*/          

 /* End Setup for Discovery CPC function in Systems task           */          

 /*----------------------------------------------------------------*/          

                                                                                

 /* If AT_TLS is enabled, z/OSMF started task userid needs to be   */          

 /* permitted on resource EZB.INITSTACK.sysname.tcpname            */          

 /*                                                                */          

 /* TSS PER(IZUSVR) SERVAUTH(EZB.INITSTACK.sysname.tcpname) -      */          

 /* ACCESS(READ)                                                   */          

                                                                               

 /* Profile Definitions for "zOS Operator Consoles" task           */          

 /* Permit definitions for "zOS Operator Consoles" task            */          

 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.CONSOLES.ZOSOPER) -                    

 ACCESS(READ)                                                                  

                                                                                

 /* Permit definitions for "zOS Operator Consoles" task */                     

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.CONSOLES.ZOSOPER) -                   

 ACCESS(READ)                                                                   

                                                                               

 /* Profile definitions for Named Angel Support                    */          

 TSS PER(IZUSVR) SERVER(BBG.ANGEL.IZUANG1) ACCESS(READ)                        

                                                                               

 /* Define security setup to permit Authorized WLM Service (ZOSWLM)*/          

 TSS PER(IZUSVR) IBMFAC(BPX.WLMSERVER) ACCESS(READ)                             

                                                                               

 /*                                                                */          

 /*  End V2R3 step Setup                                           */           

 /*                                                                */          

 /*                                                                */          

 /* The CLOUD step performs setup that is only required if you     */          

 /* plan to use the Cloud Provisioning and Management support AND  */          

 /* you configure Cloud Provisioning and Management for REXX       */          

 /* workflow support for automatic security processing.            */          

 /*                                                                */          

 /* IBM recommends using the IRRSMO00 (R_SecMgtOper) support when  */          

 /* using automatic security processing for Cloud Provisioning and */          

 /* Management.  Then this step is not necessary.                  */          

 /*                                                                */          

 /* Connect the started task user ID to the IZUSECAD group.        */          

 /* This is needed so z/OSMF initialization processing can create  */          

 /* a CLOUD properties file and assign its group ownership to      */          

 /* IZUSECAD.                                                      */          

 /*                                                                */          

 /* This is necessary when using automatic security processing     */          

 /* with REXX workflows because the properties file identifies the */          

 /* location of the REXX exec that performs the automatic security */          

 /* operations, AS THE CLOUD_SEC_ADMIN SECURITY ADMINISTRATOR ID   */          

 /* SPECIFIED IN IZUPRMxx.  This properties file MUST BE properly  */          

 /* secured to prevent unauthorized changes to it.                 */          

 /*                                                                */          

 /* If the CLOUD step is not done, when Cloud Provisioning and     */          

 /* Management is configured to the REXX implementation for        */          

 /* automatic security processing, Cloud Provisioning and          */          

 /* Management will issue IYURM0041E messages to the operator      */          

 /* console when performing operations that require security       */           

 /* processing and the requested operation will fail.  On startup, */          

 /* IZUG202E error messages will be issued to the server's job log.*/          

 /*                                                                */          

 /* The rest of z/OSMF is not affected and will operate normally.  */          

                                                                               

  TSS ADD(IZUSVR) PROFILE(IZUSECAD)                                            

                                                                                

 /*                                                                */          

 /* End CLOUD step Setup                                           */          

 /*                                                                */          

                                                                               

/*                                                                             

//********************************************************************         

//*                                                                  *         

//*  Security Setup for z/OSMF Security Configuration Assistant.     *         

//*                                                                  *         

//********************************************************************         

//V2R4   EXEC PGM=IKJEFT01,DYNAMNBR=99                                         

//SYSPRINT DD SYSOUT=*                                                         

//SYSTSPRT DD SYSOUT=*                                                         

//SYSTSIN  DD *                                                                 

                                                                               

                                                                               

 /******************************************************************/          

 /* Permit definitions for  z/OSMF Security Configuration Assistant*/          

 /******************************************************************/          

 /* Begin zOSMF Administrator Role Setup                           */          

 /******************************************************************/          

                                                                               

 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.CONFIGURATION.SEC+                     

 URITY_ASSISTANT) ACCESS(READ)                                                 

 /******************************************************************/          

 /*   End zOSMF Administrator Role Setup                           */          

 /******************************************************************/          

                                                                               

 /******************************************************************/          

 /*  Permit the started task USERID access                         */          

 /******************************************************************/          

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.SERVER) ACCESS(READ)                      

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.APPL) ACCESS(READ)                        

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.FACILITY) ACCESS(READ)                    

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.EJBROLE) ACCESS(READ)                     

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.SERVAUTH) ACCESS(READ)                    

 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.STARTED) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFCLOUD) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ACCTNUM) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.TSOPROC) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.TSOAUTH) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.OPERCMDS) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.CSFSERV) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.JESSPOOL) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.LOGSTRM) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.UNIXPRIV) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.RDATALIB) ACCESS(READ)

 /******************************************************************/
 /*  End Permit the started task USERID access                     */
 /******************************************************************/

 /*  End " z/OSMF Security Configuration Assistant" Setup          */
 /*                                                                */

/*
//PH40017   EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /*                                                                */
 /*  The PH40017 setup contains the profiles which are added for   */
 /*  Feedback Collection                                           */
 /*                                                                */
 /*  Begin zOSMF User Role Setup                                   */
 /*                                                                */

 /*  Permit definitions for z/OSMF Feedback Collection             */
 TSS PER(IZUUSER) -
    ZMFAPLA(IZUDFLT.ZOSMF.SEND.IBM.FEEDBACK) ACC(READ)
 /*                                                                */
 /*  End zOSMF User Role Setup                                     */
 /*                                                                */

 /*                                                                */
 /*  Begin zOSMF Administrator Role Setup                          */
 /*                                                                */

 /*  Permit definitions for z/OSMF Feedback Collection             */
 TSS PER(IZUADMIN) -
    ZMFAPLA(IZUDFLT.ZOSMF.SEND.IBM.FEEDBACK) ACC(READ)

 /*                                                                */
 /*  End zOSMF Administrator Role Setup                            */
 /*                                                                */
 /*  End PH40017 step Setup                                        */
 /*                                                                */
/*
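After the converted job has run, verify that the permits actually took effect rather than trusting the job's return code. The following verification job is an added example, not part of IBM's IZUSEC member or of the converted job above. It assumes the job above completed, that IZUSVR is the z/OSMF started task ACID, and that IZUUSER and IZUADMIN are profile ACIDs, as the PERMIT commands above imply. Top Secret requires a resource to be owned before it can be permitted, so the WHOOWNS queries come first: if they report no owner, the corresponding PERMIT did not protect anything. The WHOHAS and LIST output is then read by hand to confirm that only the intended ACIDs hold the feedback permit and that every BBG.SECCLASS.* permit for the started task is READ, nothing higher.

```jcl
//IZUCHK   JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX
//********************************************************************
//* Added verification job: not part of IBM's IZUSEC or of the       *
//* converted job above. Assumes that job ran, that IZUSVR is the    *
//* z/OSMF started task ACID, and that IZUUSER and IZUADMIN are      *
//* profile ACIDs. Review the command output in SYSTSPRT.            *
//********************************************************************
//VERIFY   EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /*  A resource must be owned by some ACID before a PERMIT against  */
 /*  it is honored. Each WHOOWNS below should report an owner.      */
 TSS WHOOWNS ZMFAPLA(IZUDFLT.ZOSMF.SEND.IBM.FEEDBACK)
 TSS WHOOWNS SERVER(BBG.SECCLASS.STARTED)
 /*  WHOHAS lists every ACID permitted to the resource. Expect only */
 /*  IZUUSER and IZUADMIN, each with READ.                          */
 TSS WHOHAS ZMFAPLA(IZUDFLT.ZOSMF.SEND.IBM.FEEDBACK)
 /*  Full listing of the started task ACID. Check that every        */
 /*  SERVER(BBG.SECCLASS.*) permit is READ and that no UPDATE or    */
 /*  higher access slipped in during the RACF-to-TSS conversion.    */
 TSS LIST(IZUSVR) DATA(ALL)
 /*  Listing of the two role profiles, to confirm the feedback      */
 /*  permit is attached to the profile and not to individual users. */
 TSS LIST(IZUUSER) DATA(ALL)
 TSS LIST(IZUADMIN) DATA(ALL)
 /*  Which user ACIDs carry each role profile.                      */
 TSS WHOHAS PROFILE(IZUUSER)
 TSS WHOHAS PROFILE(IZUADMIN)
/*
```

Run this as the user that performed the conversion, or any ACID with list authority over the IZU* ACIDs. Keep the SYSTSPRT output with the change record: it is the evidence that the z/OSMF server and role profiles hold exactly the access the IBM member intended, which is what an auditor will ask for after an RACF-to-TSS migration.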