Convert CFZSEC from RACF to CA Top Secret

Document ID : KB000013819
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

Need CFZSEC member converted from RACF commands to TSS commands.

Answer:
//* Replace with your job card
//CFZSEC JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX
//********************************************************************
//* PROPRIETARY STATEMENT:                                           *
//*    Licensed Materials - Property of IBM                          *
//*    5694-A01 Copyright IBM Corp. 2010                             *
//*                                                                  *
//*    STATUS=HPG7770                                                *
//*                                                                  *
//* DESCRIPTIVE NAME:                                                *
//*    CIM SERVER default security setup                             *
//*                                                                  *
//*                                                                  *
//*    You can use this job to quickly create a security setup       *
//*    for the CIM Server.                                           *
//*    Some of the RACF commands in the following job steps will     *
//*    intentionally fail, which does not have a negative effect on  *
//*    the successful execution of this job.                         *
//*    There are permits to specific resource profiles in the job.   *
//*    If you haven't defined these profiles you can either omit     *
//*    those job steps, or ignore the resulting ICH60004I messages   *
//*                                                                  *
//*                                                                  *
//*    Before you run the job, read the                              *
//*    "REQUIRED updates" section of the comment header and          *
//*    modify the placeholder for the keymask according to your      *
//*    needs.                                                        *
//*                                                                  *
//*                                                                  *
//*    This job is intended for a quick CIM Server security setup    *
//*    Before using this as a permanent setup in production          *
//*    you might want to perform site dependent customization        *
//*    on this job before you run it. The respective job steps       *
//*    are explained in section "CUSTOMIZATION updates".             *
//*                                                                  *
//*    You might also want to make a few optional changes which are  *
//*    described in the section "OPTIONAL updates".                  *
//*                                                                  *
//********************************************************************
//*                                                                  *
//*    Once this job was executed, to permit a user to CIM, connect  *
//*    the user with group CFZUSRGP.                                 *
//*                                                                  *
//*    CONNECT (<user name>) GROUP(CFZUSRGP) AUTHORITY(USE)          *
//*                                                                  *
//********************************************************************
//* Make sure that you run this job from a user with full access     *
//* to your RACF database.                                           *
//*                                                                  *
//* REQUIRED updates to the job                                      *
//*                                                                  *
//* a) If you do not have RMF installed, remove the last step        *
//*    (ENRMF).                                                      *
//*    Else replace #rkeymask with a 16-digit (0-9,A-F) keymask.     *
//*                                                                  *
//*    ATTENTION:  The keymask is a pass key. For full security      *
//*    ==========  it is recommended to execute step ENRMF           *
//*                separately to avoid storing the passkey in the    *
//*                job log in readable format.                       *
//*                                                                  *
//* b) If profile BPX.SERVER CL(FACILITY) is active on your system   *
//*    you should change the UID for CFZSRV to a value other than 0  *
//*    in step CRUSR. The default for the UID usually is 9500.       *
//*                                                                  *
//*                                                                  *
//* CUSTOMIZATION updates to the job                                 *
//*                                                                  *
//* a) Step ENCLCDS does not define the profile MVSADMIN.XCF.CFRM    *
//*    If this specific profile is not defined yet on your system    *
//*    either define it or change the job to permit the users access *
//*    to the generic profiles (MVSADMIN.** or MVSADMIN.XCF.*)       *
//*    if they are defined.                                          *
//*                                                                  *
//* b) Step ENWLM does not define the profile MVSADMIN.WLM.POLICY    *
//*    If this specific profile is not defined yet on your system    *
//*    either define it or change the job to permit the users access *
//*    to the generic profiles (MVSADMIN.** or MVSADMIN.WLM.*)       *
//*    if they are defined.                                          *
//*                                                                  *
//* c) Step PECEA defines the generic resource profile CEA.* and     *
//*    permits the CIM Server default groups access to it, as well   *
//*    as to the specific resource profiles. If only the             *
//*    generic profile or only the specific profiles are             *
//*    defined, you can omit the job steps permitting the            *
//*    CIM Server default groups access to the non-existent profile. *
//*                                                                  *
//*                                                                  *
//* OPTIONAL updates to the job                                      *
//*                                                                  *
//* a) Check that the GIDs (9501-9503) used in step CRUSR are not    *
//*    already in use on your system, otherwise change them.         *
//*                                                                  *
//********************************************************************
//*
//* Step CRUSR creates default groups and users required for CIM
//* CFZSRVGP    -   CIM Server ID's default group
//* CFZADMGP    -   CIM Admin ID's default group
//* CFZUSRGP    -   CIM End-Users ID's default group
//*
//* CFZSRV      -   CIM Server UserId used by Started Task
//*
//CRUSR EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *

ADDGROUP CFZSRVGP OMVS(GID(9501))
TSS ADDTO(CFZSRVGP) GID(9501)

ADDGROUP CFZADMGP OMVS(GID(9502))
TSS ADDTO(CFZADMGP) GID(9502)

ADDGROUP CFZUSRGP OMVS(GID(9503))
TSS ADDTO(CFZUSRGP) GID(9503)


ADDUSER CFZSRV DFLTGRP(CFZSRVGP) OMVS(UID(0) PROGRAM('/bin/sh') +
HOME('/u/cfzsrv')) NOPASSWORD NOOIDCARD

TSS CRE(CFZSRV) NAME(CFZSRV) DEPT(dept) PASS(NOPW,0)
TSS ADD(CFZSRV) UID(0) OMVSPGM('/bin/sh') HOME('/u/cfzsrv')


//* ALTUSER CFZSRV DFLTGRP(CFZSRVGP) OMVS(UID(0) PROGRAM('/bin/sh') +
//*   HOME('/u/cfzsrv')) NOPASSWORD NOOIDCARD NOPHRASE
TSS ADD(CFZSRV) DFLTGRP(CFZSRVGP) UID(0) OMVSPGM('/bin/sh') -
HOME('/u/cfzsrv')

/*
//* Step CRWBEM creates class WBEM and profile CIMSERV
//CRWBEM EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *

SETROPTS CLASSACT(CDT) RACLIST(CDT)
* RACF SETROPTS command has no Top Secret equivalent


RDEFINE +
CDT WBEM +
UACC(NONE) +
CDTINFO( CASE(UPPER) +
MAXLENGTH(246) +
FIRST(ALPHA) +
OTHER(ALPHA,NUMERIC) +
MAXLENX(246) +
KEYQUALIFIERS(0) +
PROFILESALLOWED(YES) +
POSIT(200) +
DEFAULTRC(8) +
DEFAULTUACC(NONE) +
RACLIST(REQUIRED))

TSS ADDTO(RDT) RESCLASS(WBEM) RESCODE(xx)                  
  ACLST(ALTER(FFFF),CONTROL(C400),UPDATE(C000),READ(4000)) 

SETROPTS RACLIST(CDT) REFRESH
* RACF SETROPTS command has no Top Secret equivalent


SETROPTS CLASSACT(WBEM) RACLIST(WBEM)
* RACF SETROPTS command has no Top Secret equivalent


RDEFINE WBEM CIMSERV UACC(NONE)
TSS ADDTO(owning-acid) WBEM(CIMSERV)


SETROPTS CLASSACT(WBEM) RACLIST(WBEM)
* RACF SETROPTS command has no Top Secret equivalent

/*
//* Step PEUSR
//*      - permits default UserID's to required resources
//*      - sets up required surrogate
//*      - permits CFZSRV to BPX.SERVER (no effect if BPX.SERVER is not
//*                                     enabled on the system)
//*      - authorizes CIM Server to write SMF records
//*      - authorizes CIM Server to write to console
//PEUSR EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *

PERMIT CIMSERV CL(WBEM) ACCESS(CONTROL) ID(CFZSRV)
TSS PERMIT(CFZSRV) WBEM(CIMSERV) ACCESS(CONTROL)

PERMIT CIMSERV CL(WBEM) ACCESS(CONTROL) ID(CFZADMGP)
TSS PERMIT(CFZADMGP) WBEM(CIMSERV) ACCESS(CONTROL)

PERMIT CIMSERV CL(WBEM) ACCESS(UPDATE) ID(CFZUSRGP)
TSS PERMIT(CFZUSRGP) WBEM(CIMSERV) ACCESS(UPDATE)

SETROPTS RACLIST(WBEM) REFRESH
* RACF SETROPTS command has no Top Secret equivalent


SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT) GENERIC(SURROGAT)
* RACF SETROPTS command has no Top Secret equivalent

RDEFINE SURROGAT BPX.SRV.** UACC(NONE)
TSS ADDTO(owning-acid) SURROGAT(BPX.)

PERMIT BPX.SRV.** CL(SURROGAT) ACCESS(READ) ID(CFZSRV)
TSS PERMIT(CFZSRV) SURROGAT(BPX.SRV) ACCESS(READ)

SETROPTS RACLIST(SURROGAT) REFRESH
* RACF SETROPTS command has no Top Secret equivalent


PERMIT BPX.SERVER CL(FACILITY) ACCESS(UPDATE) ID(CFZSRV)
TSS PERMIT(CFZSRV) IBMFAC(BPX.SERVER) ACCESS(UPDATE)

SETROPTS RACLIST(FACILITY) REFRESH
* RACF SETROPTS command has no Top Secret equivalent


RDEFINE FACILITY BPX.SMF UACC(NONE)
TSS ADDTO(owning-acid) IBMFAC(BPX.)

PERMIT BPX.SMF CL(FACILITY) ACCESS(READ) ID(CFZSRV)
TSS PERMIT(CFZSRV) IBMFAC(BPX.SMF) ACCESS(READ)

PERMIT BPX.CONSOLE CL(FACILITY) ACCESS(READ) ID(CFZSRV)
TSS PERMIT(CFZSRV) IBMFAC(BPX.CONSOLE) ACCESS(READ)

SETROPTS RACLIST(FACILITY) REFRESH
* RACF SETROPTS command has no Top Secret equivalent


/*
//* Step PEAPPL Permit CIM groups and users to net application CFZAPPL
//*             This has no effect if class APPL is not active.
//PEAPPL EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RDEFINE APPL CFZAPPL UACC(NONE)
TSS ADDTO(owning-acid) APPL(CFZAPPL)

PERMIT CFZAPPL CL(APPL) ACCESS(READ) ID(CFZSRV)
TSS PERMIT(CFZSRV) APPL(CFZAPPL) ACCESS(READ)

PERMIT CFZAPPL CL(APPL) ACCESS(READ) ID(CFZADMGP)
TSS PERMIT(CFZADMGP) APPL(CFZAPPL) ACCESS(READ)

PERMIT CFZAPPL CL(APPL) ACCESS(READ) ID(CFZUSRGP)
TSS PERMIT(CFZUSRGP) APPL(CFZAPPL) ACCESS(READ)

SETROPTS RACLIST(APPL) REFRESH
* RACF SETROPTS command has no Top Secret equivalent

/*
//* Step SETARM establishes security setup required for ARM
//*             A sample ARM policy (CFZARMP) resides in the installed
//*             SYS1.SAMPLIB
//SETARM EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
* RACF SETROPTS command has no Top Secret equivalent

RDEFINE FACILITY IXCARM.DEFAULT.CFZ_SRV_* UACC(NONE)
TSS ADDTO(owning-acid) IBMFAC(IXCARM.)

PERMIT IXCARM.DEFAULT.CFZ_SRV_* CLASS(FACILITY) +
ID(CFZSRV) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) IBMFAC(IXCARM.DEFAULT.CFZ_SRV_*) ACCESS(READ)


SETROPTS RACLIST(FACILITY) REFRESH
* RACF SETROPTS command has no Top Secret equivalent

/*
//* Step ENSTC establishes CFZSRV as the Started Task User for CIM
//ENSTC EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
* RACF SETROPTS command has no Top Secret equivalent

RDEFINE STARTED CFZCIM.* STDATA(USER(CFZSRV) GROUP(CFZSRVGP))
TSS ADDTO(STC) PROCN(CFZCIM) ACID(CFZSRV)

SETROPTS RACLIST(STARTED) REFRESH
* RACF SETROPTS command has no Top Secret equivalent

/*
//* Step PECEA permits CIM Cluster and JES jobs provider to access CEA
//*
//PECEA EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ADDSD CEA.* UACC(NONE)
PERMIT CEA.* CLASS(DATASET) ID(CFZUSRGP) ACCESS(ALTER)
TSS PERMIT(CFZUSRGP) DATASET(CEA) ACCESS(ALTER)

PERMIT CEA.* CLASS(DATASET) ID(CFZADMGP) ACCESS(ALTER)
TSS PERMIT(CFZADMGP) DATASET(CEA) ACCESS(ALTER)

SETROPTS GENERIC(DATASET) REFRESH
* RACF SETROPTS command has no Top Secret equivalent


SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH) GENERIC(SERVAUTH)
* RACF SETROPTS command has no Top Secret equivalent

RDEFINE SERVAUTH CEA.* UACC(NONE)
TSS ADDTO(owning-acid) SERVAUTH(CEA.)


PERMIT CEA.* CLASS(SERVAUTH) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) SERVAUTH(CEA) ACCESS(UPDATE)

PERMIT CEA.* CLASS(SERVAUTH) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) SERVAUTH(CEA) ACCESS(UPDATE)


PERMIT CEA.CONNECT CLASS(SERVAUTH) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) SERVAUTH(CEA.CONNECT) ACCESS(UPDATE)

PERMIT CEA.SUBSCRIBE.* CLASS(SERVAUTH) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) SERVAUTH(CEA.SUBSCRIBE) ACCESS(UPDATE)

PERMIT CEA.SUBSCRIBE.ENF_0068* CLASS(SERVAUTH) ID(CFZADMGP) +
ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) SERVAUTH(CEA.SUBSCRIBE.ENF_0068*) ACCESS(UPDATE)

PERMIT CEA.CEAGETPS CLASS(SERVAUTH) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) SERVAUTH(CEA.CEAGETPS) ACCESS(UPDATE)

PERMIT CEA.CEADOCMD CLASS(SERVAUTH) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) SERVAUTH(CEA.CEADOCMD) ACCESS(UPDATE)

PERMIT CEA.CEAPDWB CLASS(SERVAUTH) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) SERVAUTH(CEA.CEAPDWB) ACCESS(UPDATE)

PERMIT CEA.CEADOCONSOLECMD CLASS(SERVAUTH) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) SERVAUTH(CEA.CEADOCONSOLECMD) ACCESS(UPDATE)


PERMIT CEA.CONNECT CLASS(SERVAUTH) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) SERVAUTH(CEA.CONNECT) ACCESS(UPDATE)

PERMIT CEA.SUBSCRIBE.* CLASS(SERVAUTH) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) SERVAUTH(CEA.SUBSCRIBE) ACCESS(UPDATE)

PERMIT CEA.SUBSCRIBE.ENF_0068* CLASS(SERVAUTH) ID(CFZUSRGP) +
ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) SERVAUTH(CEA.SUBSCRIBE.ENF_0068*) ACCESS(UPDATE)

PERMIT CEA.CEAGETPS CLASS(SERVAUTH) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) SERVAUTH(CEA.CEAGETPS) ACCESS(UPDATE)

PERMIT CEA.CEADOCMD CLASS(SERVAUTH) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) SERVAUTH(CEA.CEADOCMD) ACCESS(UPDATE)

PERMIT CEA.CEAPDWB* CLASS(SERVAUTH) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) SERVAUTH(CEA.CEAPDWB*) ACCESS(UPDATE)

PERMIT CEA.CEADOCONSOLECMD CLASS(SERVAUTH) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) SERVAUTH(CEA.CEADOCONSOLECMD) ACCESS(UPDATE)


SETROPTS RACLIST(SERVAUTH) REFRESH
* RACF SETROPTS command has no Top Secret equivalent

/*
//* Step ENCLCDS Setup for Cluster/Couple Dataset Providers
//*
//ENCLCDS EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *

SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) GENERIC(FACILITY)
* RACF SETROPTS command has no Top Secret equivalent


RDEFINE FACILITY MRCLASS.CLUSTER UACC(NONE)
TSS ADDTO(owning-acid) IBMFAC(MRCLASS.)

PERMIT MRCLASS.CLUSTER CLASS(FACILITY) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) IBMFAC(MRCLASS.CLUSTER) ACCESS(UPDATE)

PERMIT MRCLASS.CLUSTER CLASS(FACILITY) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) IBMFAC(MRCLASS.CLUSTER) ACCESS(UPDATE)


RDEFINE FACILITY MVSADMIN.* UACC(NONE)
TSS ADDTO(owning-acid) IBMFAC(MVSADMIN.)

PERMIT MVSADMIN.* CLASS(FACILITY) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) IBMFAC(MVSADMIN) ACCESS(UPDATE)

PERMIT MVSADMIN.* CLASS(FACILITY) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) IBMFAC(MVSADMIN) ACCESS(UPDATE)

PERMIT MVSADMIN.XCF.* CLASS(FACILITY) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) IBMFAC(MVSADMIN.XCF) ACCESS(UPDATE)

PERMIT MVSADMIN.XCF.* CLASS(FACILITY) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) IBMFAC(MVSADMIN.XCF) ACCESS(UPDATE)

PERMIT MVSADMIN.XCF.CFRM CLASS(FACILITY) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) IBMFAC(MVSADMIN.XCF.CFRM) ACCESS(UPDATE)

PERMIT MVSADMIN.XCF.CFRM CLASS(FACILITY) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) IBMFAC(MVSADMIN.XCF.CFRM) ACCESS(UPDATE)


SETROPTS RACLIST(FACILITY) REFRESH
* RACF SETROPTS command has no Top Secret equivalent

/*
//* Step ENSMIS enables the SMI-S CIM providers
//ENTCPIP EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) GENERIC(FACILITY)
* RACF SETROPTS command has no Top Secret equivalent

RDEFINE FACILITY IOSCDR UACC(NONE)
TSS ADDTO(owning-acid) IBMFAC(IOSCDR)


PERMIT IOSCDR CL(FACILITY) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) IBMFAC(IOSCDR) ACCESS(UPDATE)

PERMIT IOSCDR CL(FACILITY) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) IBMFAC(IOSCDR) ACCESS(UPDATE)


SETROPTS RACLIST(FACILITY) REFRESH
* RACF SETROPTS command has no Top Secret equivalent

/*
//* Step ENTCPIP enables the Network CIM providers
//ENTCPIP EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *

SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH) GENERIC(SERVAUTH)
* RACF SETROPTS command has no Top Secret equivalent

RDEFINE SERVAUTH EZB.CIMPROV.* UACC(NONE)
TSS ADDTO(owning-acid) SERVAUTH(EZB.)


PERMIT EZB.CIMPROV.* CL(SERVAUTH) ID(CFZADMGP) ACCESS(READ)
TSS PERMIT(CFZADMGP) SERVAUTH(EZB.CIMPROV) ACCESS(READ)

PERMIT EZB.CIMPROV.* CL(SERVAUTH) ID(CFZUSRGP) ACCESS(READ)
TSS PERMIT(CFZUSRGP) SERVAUTH(EZB.CIMPROV) ACCESS(READ)


SETROPTS RACLIST(SERVAUTH) REFRESH
* RACF SETROPTS command has no Top Secret equivalent

/*
//* Step ENWLM Setup for WLM Providers
//*
//ENWLM EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *

SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
* RACF SETROPTS command has no Top Secret equivalent


RDEFINE FACILITY MVSADMIN.* UACC(NONE)
TSS ADDTO(owning-acid) IBMFAC(MVSADMIN.)

PERMIT MVSADMIN.* CLASS(FACILITY) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) IBMFAC(MVSADMIN) ACCESS(UPDATE)

PERMIT MVSADMIN.* CLASS(FACILITY) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) IBMFAC(MVSADMIN) ACCESS(UPDATE)

PERMIT MVSADMIN.WLM.* CLASS(FACILITY) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) IBMFAC(MVSADMIN.WLM) ACCESS(UPDATE)

PERMIT MVSADMIN.WLM.* CLASS(FACILITY) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) IBMFAC(MVSADMIN.WLM) ACCESS(UPDATE)

PERMIT MVSADMIN.WLM.POLICY CLASS(FACILITY) ID(CFZUSRGP) ACCESS(UPDATE)
TSS PERMIT(CFZUSRGP) IBMFAC(MVSADMIN.WLM.POLICY) ACCESS(UPDATE)

PERMIT MVSADMIN.WLM.POLICY CLASS(FACILITY) ID(CFZADMGP) ACCESS(UPDATE)
TSS PERMIT(CFZADMGP) IBMFAC(MVSADMIN.WLM.POLICY) ACCESS(UPDATE)


SETROPTS RACLIST(FACILITY) REFRESH
* RACF SETROPTS command has no Top Secret equivalent

/*
//* Step ENRMF creates profiles necessary to allow passtickets being
//*             generated for authentication with the DDS
//ENRMF EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) GENERIC(PTKTDATA)
* RACF SETROPTS command has no Top Secret equivalent

RDEFINE PTKTDATA GPMSERVE SSIGNON(KEYMASKED(#rkeymask))
TSS ADDTO(NDT) PSTKAPPL(GPMSERVE) SESSKEY(#rkeymask)

RDEFINE PTKTDATA IRRPTAUTH.GPMSERVE.* UACC(NONE)
TSS ADDTO(owning-acid) PTKTDATA(IRRPTAUTH.)

PERMIT IRRPTAUTH.GPMSERVE.* CL(PTKTDATA) ID(CFZSRV) ACCESS(UPDATE)
TSS PERMIT(CFZSRV) PTKTDATA(IRRPTAUTH.GPMSERVE) ACCESS(UPDATE)

SETROPTS RACLIST(PTKTDATA) REFRESH
* RACF SETROPTS command has no Top Secret equivalent
/*