Convert z/OS 2.3 member IZUSEC from RACF to TSS commands.

Document ID : KB000095769
Last Modified Date : 13/11/2018
Introduction:
Convert z/OS 2.3 member IZUSEC from RACF to TSS commands.
Question:
Convert z/OS 2.3 member IZUSEC from RACF to TSS commands.
Answer:
//IZUCORE JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX
//********************************************************************
//* PROPRIETARY STATEMENT:                                           *
//*    Licensed Materials - Property of IBM                          *
//*    5650-ZOS Copyright IBM Corp. 2015, 2017                       *
//*                                                                  *
//*    STATUS=HSMA230                                                *
//*                                                                  *
//* DESCRIPTIVE NAME:                                                *
//*    z/OSMF SERVER default security setup                          *
//*                                                                  *
//*    The JCL contains the security setup for z/OSMF server.        *
//*    You can customize this JCL to create a security setup         *
//*    for the z/OSMF Server as you wish.                            *
//*                                                                  *
//*    NOTE: there is a new step V2R3 in the job IZUSEC followed     *
//*    by step STEP1. The new step V2R3 contains the profiles        *
//*    which are added in release V2R3.                              *
//*                                                                  *
//*                                                                  *
//********************************************************************
//* Make sure that you run this job from a user with full access     *
//* to your RACF database.                                           *
//********************************************************************
//*
//* JOB CORE sets up z/OSMF core security settings.
//* Replace with your job card
//STEP1  EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *

 /* Begin "Core" Setup                                             */
 /*                                                                */
 /* This commented section contains the CLASS activation commands. */
 /* Ensure the following classes are active before executing this  */
 /* script or creating profiles in these classes.                  */
 /*                                                                */
 /* Activate the APPL class                                        */
 /*SETROPTS CLASSACT(APPL)                                         */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(APPL) GENERIC(APPL)                            */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the EJBROLE class                                     */
 /*SETROPTS CLASSACT(EJBROLE)                                      */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)                      */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the FACILITY class                                    */
 /*SETROPTS CLASSACT(FACILITY)                                     */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(FACILITY)                                      */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the SERVER class                                      */
 /*SETROPTS CLASSACT(SERVER)                                       */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(SERVER)                                        */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the SERVAUTH class                                    */
 /*SETROPTS CLASSACT(SERVAUTH)                                     */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(SERVAUTH) GENERIC(SERVAUTH)                    */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the STARTED class                                     */
 /*SETROPTS CLASSACT(STARTED)                                      */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(STARTED) GENERIC(STARTED)                      */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the ZMFAPLA class                                     */
 /*SETROPTS CLASSACT(ZMFAPLA)                                      */
 /* Not needed. No equivalent in TSS                               */
 /*SETROPTS RACLIST(ZMFAPLA) GENERIC(ZMFAPLA)                      */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the ACCTNUM class                                     */
 /*SETROPTS CLASSACT(ACCTNUM)                                      */
 /* Not needed. No equivalent in TSS                               */
 /* Activate the TSOPROC class                                     */
 /*SETROPTS CLASSACT(TSOPROC)                                      */
 /* Not needed. No equivalent in TSS                               */
 /* Refresh the ACCTNUM class                                      */
 /* SETROPTS RACLIST(ACCTNUM) REFRESH                              */
 /* Not needed. No equivalent in TSS                               */
 /* Refresh the TSOPROC class                                      */
 /* SETROPTS RACLIST(TSOPROC) REFRESH                              */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the TSOAUTH class                                     */
 SETROPTS CLASSACT(TSOAUTH)
 /* Not needed. No equivalent in TSS                               */
 /* Refresh the TSOAUTH class                                      */
 SETROPTS RACLIST(TSOAUTH)
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /* Activate the OPERCMDS class                                    */
 SETROPTS CLASSACT(OPERCMDS)
 /* Not needed. No equivalent in TSS                               */
 /* Refresh the OPERCMDS class                                     */
 SETROPTS RACLIST(OPERCMDS)
 /* Not needed. No equivalent in TSS                               */
 /* Create the z/OSMF Administrators group                         */
 ADDGROUP IZUADMIN OMVS(GID(9003))
 TSS CRE(IZUADMGP) NAME('IZUADMIN GROUP') TYPE(GROUP) DEPT(dept)
 TSS ADD(IZUADMGP) GID(9003)
 TSS CRE(IZUADMIN) NAME('IZUADMIN PROFILE') TYPE(PROFILE) DEPT(dept)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUADMIN to an acid, you also need to attach IZUADMGP.         */
 /* Example: TSS ADD(acid) PROFILE(IZUADMIN) GROUP(IZUADMGP)       */

 /* Create the z/OSMF Users group                                  */
 ADDGROUP IZUUSER OMVS(GID(9004))
 TSS CRE(IZUUSRGP) NAME('IZUUSER GROUP') TYPE(GROUP) DEPT(dept)
 TSS ADD(IZUUSRGP) GID(9004)
 TSS CRE(IZUUSER) NAME('IZUUSER PROFILE') TYPE(PROFILE) DEPT(dept)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUUSER to an acid, you also need to attach IZUUSRGP.          */
 /* Example: TSS ADD(acid) PROFILE(IZUUSER) GROUP(IZUUSRGP)        */

 /* Create the z/OSMF Unauthenticated group                        */
 ADDGROUP IZUUNGRP OMVS(GID(9012))
 TSS CRE(IZUUNAGP) NAME('zOSMF Unauthenticated USERID Group') TYPE(GROUP) DEPT(dept)
 TSS ADD(IZUUNAGP) GID(9012)
 TSS CRE(IZUUNGRP) NAME('IZUUNGRP PROFILE') TYPE(PROFILE) DEPT(dept)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUUNGRP to an acid, you also need to attach IZUUNAGP.         */
 /* Example: TSS ADD(acid) PROFILE(IZUUNGRP) GROUP(IZUUNAGP)       */

 /* Create the started task USERID for the z/OSMF Server           */
 /* Please note, the HOME directory should be created with         */
 /* utility IZUMKFS.                                               */
 ADDUSER IZUSVR DFLTGRP(IZUADMIN) OMVS(UID(9010) +
   HOME(/var/zosmf/data/home/izusvr) +
   PROGRAM(/bin/sh)) NAME('zOSMF Started Task USERID')  +
   NOPASSWORD NOOIDCARD
 TSS CRE(IZUSVR) NAME('zOSMF Started Task USERID') TYPE(USER) - 
 DEPT(dept) PASS(NOPW,0) FAC(STC)
 TSS ADD(IZUSVR) GROUP(IZUADMGP) DFLTGRP(IZUADMGP) UID(9010) -  
 HOME(/var/zosmf/data/home/izusvr) OMVSPGM(/bin/sh) FAC(ZOSMF)

 /* Change concurrent open file number for started task USERID     */
 ALTUSER IZUSVR OMVS(FILEPROC(10000))
 TSS ADD(IZUSVR) OEFILEP(10000)
 
 /* Create the z/OSMF unauthenticated USERID                       */
 ADDUSER IZUGUEST RESTRICTED DFLTGRP(IZUUNGRP) OMVS(UID(9011)) +
   NAME('zOSMF Unauthenticated USERID') NOPASSWORD NOOIDCARD
 TSS CRE(IZUGUEST) NAME(IZUGUEST) TYPE(USER) DEPT(dept) PASS(NOPW,0)
 TSS ADD(IZUGUEST) UID(9011) OMVSPGM('/bin/sh') - 
 HOME('/u/izuguest') DFLTGRP(IZUUNAGP) GROUP(IZUUNAGP) FAC(ZOSMF)

 /* Define the STARTED profiles for the z/OSMF server              */
 RDEFINE STARTED IZUSVR1.* UACC(NONE) STDATA(USER(IZUSVR) +
   GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
 TSS ADD(STC) PROCNAME(IZUSVR1) ACID(IZUSVR)
 RDEFINE STARTED IZUANG1.* UACC(NONE) STDATA(USER(IZUSVR) +
   GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
 TSS ADD(STC) PROCNAME(IZUANG1) ACID(IZUSVR)

 /* Define the APPL profile for the z/OSMF server                  */
 RDEFINE APPL IZUDFLT UACC(NONE)
 TSS ADD(owningacid) APPL(IZUDFLT)

 /* Define the SERVER profiles for the z/OSMF server               */
 RDEFINE SERVER BBG.SECPFX.IZUDFLT UACC(NONE)
 RDEFINE SERVER BBG.ANGEL UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
 TSS ADD(owningacid) SERVER(BBG)

 /* Permit the z/OSMF unauthenticated USERID access                */
 PERMIT IZUDFLT CLASS(APPL)    ID(IZUGUEST) ACCESS(READ)
 TSS PER(IZUGUEST) APPL(IZUDFLT) ACC(READ)

 /* Permit the started task USERID access                          */
 PERMIT BBG.SECPFX.IZUDFLT CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.SECPFX.IZUDFLT) ACC(READ) 
 
 PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.ANGEL) ACC(READ) 
 
 PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM) ACC(READ) 
 
 PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) +
   ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACC(READ) 
 
 PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) +
   ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSWLM) ACC(READ) 

 PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) +
   ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.TXRRS) ACC(READ) 
 
 PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) +
   ID(IZUSVR)
 TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSDUMP) ACC(READ)

 /* Define the BPX.CONSOLE profile to supress the BPXM023I message */
 /* prefix for console messages                                    */
 RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
 TSS ADD(owningacid) IBMFAC(BPX.)
 /* Permit the started task USERID access                          */
 PERMIT  BPX.CONSOLE CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) IBMFAC(BPX.CONSOLE) ACC(READ)

 /* Define the Sync-to-OS-thread FACILITY profile                  */
 RDEFINE FACILITY BBG.SYNC.IZUDFLT UACC(NONE)
 TSS ADD(owningacid) IBMFAC(BBG.)

 /* Permit the started task USERID access                          */
 PERMIT  BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)
 TSS PER(IZUSVR) IBMFAC(BBG.SYNC.IZUDFLT) ACC(CONTROL)

 /* Define the FACILITY profile for working with digital           */
 /* certificates                                                   */
 RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
 TSS ADD(owningacid) IBMFAC(IRR.)

 /* Allow users of the z/OSMF Configuration Workflow to extract    */
 /* profile information                                            */
 RDEFINE FACILITY IRR.RADMIN.LISTUSER
 RDEFINE FACILITY IRR.RADMIN.LISTGRP
 RDEFINE FACILITY IRR.RADMIN.RLIST
 RDEFINE FACILITY IRR.RADMIN.SETROPTS.LIST
 /* Not needed. Done in the previous step (IBMFAC(IRR.) is owned) */

 /* Permit the started task USERID access                          */
 PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) +
   ACCESS(READ)
 TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LIST) ACC(READ)
 TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(READ)

 /* Create the CA certificate for the z/OSMF server                */
 RACDCERT CERTAUTH GENCERT +
   SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') +
   OU('IZUDFLT')) WITHLABEL('zOSMFCA')  +
   TRUST NOTAFTER(DATE(2023/05/17))

 TSS GENCERT(CERTAUTH) DIGICERT(ZOSMFCA) -
 SUBJECTN('CN="z/OSMF CertAuth for Security Domain" OU="IZUDFLT"') -
 LABLCERT('zOSMFCA') NADATE(05/17/23)

 RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
 TSS ADD(IZUSVR) KEYRING(IZUSVRKR) LABLRING('IZUKeyring.IZUDFLT')

 /* Create the server certificate for the z/OSMF server            */
 /* Change HOST NAME in CN field into real local host name         */
 /* Usually the format of the host name is 'XXXX.XXX.XXX.XXX'      */
 RACDCERT ID( IZUSVR ) GENCERT SUBJECTSDN(CN('HOST NAME') +
   O('IBM') OU('IZUDFLT')) WITHLABEL('DefaultzOSMFCert.IZUDFLT'), +
   SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2023/05/17))
 
 TSS GENCERT(IZUSVR) DIGICERT(DEFOSMFC) -
 SUBJECTN('CN="HOST NAME" OU="IZUDFLT" O="IBM"') -
 LABLCERT('DefaultzOSMFCert.IZUDFLT') -
 SIGNWITH(CERTAUTH,ZOSMFCA) -
 NADATE(05/17/23)

 RACDCERT ALTER(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR) TRUST
 TSS ADD(IZUSVR) DIGICERT(DEFOSMFC) TRUST
 
 RACDCERT ID( IZUSVR ) CONNECT (LABEL('DefaultzOSMFCert.IZUDFLT') +
   RING(IZUKeyring.IZUDFLT) DEFAULT)
 /* The IZUSVRKR keyring was already created above; only connect   */
 /* the server certificate to it here.                             */
 TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(IZUSVR,DEFOSMFC) -
 USAGE(PERSONAL) DEFAULT

 RACDCERT ID( IZUSVR ) CONNECT (LABEL('zOSMFCA') +
   RING(IZUKeyring.IZUDFLT) CERTAUTH)
 TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(CERTAUTH,ZOSMFCA) - 
 USAGE(CERTAUTH)

 /* Assumption: SERVAUTH class is active                           */
 /* SETROPTS GENERIC(SERVAUTH)                                     */
 /* Not needed. No equivalent in TSS                               */ 
 /* Define the CEA resource profile required for z/OSMF server     */
 RDEFINE SERVAUTH CEA.CEATSO.* UACC(NONE)
 TSS ADD(owningacid) SERVAUTH(CEA)

 /* Define the Account Number resource profile for REST File API   */
 RDEFINE ACCTNUM IZUACCT UACC(NONE)
 TSS ADD(owningacid) TSOACCT(IZUACCT)

 /* Define the TSO Procedure resource profile for REST File API    */
 RDEFINE TSOPROC IZUFPROC UACC(NONE)
 TSS ADD(owningacid) TSOPROC(IZUFPROC)

 /* List-of-groups authority checking supplements the normal RACF  */
 /* access authority checking by allowing all groups of which a    */
 /* user ID is a member to enter into the access list checking     */
 /* process. Un-comment the following line to activate this.       */
 /* SETROPTS GRPLIST                                               */
 /* Not needed. No equivalent in TSS                               */
 /* Create the z/OS Security Administrators group                  */
 ADDGROUP IZUSECAD OMVS(GID(9006))
 TSS CRE(IZUSECGP) NAME('z/OS Security Administrators group') - 
 TYPE(GROUP) DEPT(dept)
 TSS ADD(IZUSECGP) GID(9006)
 TSS CRE(IZUSECAD) NAME('z/OS Security Administrators PROFILE') -
 TYPE(PROFILE) DEPT(dept)
 /* You cannot add a GROUP to a PROFILE acid in TSS. When you add  */
 /* IZUSECAD to an acid, you also need to attach IZUSECGP.         */
 /* Example: TSS ADD(acid) PROFILE(IZUSECAD) GROUP(IZUSECGP)       */

 /* Define the ZMFAPLA profile for the z/OSMF server               */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF UACC(NONE)
 TSS ADD(owningacid) ZMFAPLA(IZUDFLT)

 /* The EJBROLE definitions are case-sensitive in RACF. Ensure you */
 /* preserve case for these commands                               */
 /* Assumption: EJBROLE is defined, activated, and raclisted.      */
 RDEFINE EJBROLE IZUDFLT.*.izuUsers UACC(NONE)
 TSS ADD(owningacid) EJBROLE(IZUDFLT)

 /* Define the z/OSMF Server profile                               */
 RDEFINE SERVER BBG.SECCLASS.ZMFAPLA UACC(NONE)
 RDEFINE SERVER BBG.SECCLASS.ZMFCLOUD UACC(NONE)
 TSS ADD(owningacid) SERVER(BBG)

 /* Permit the started task USERID access                          */
 PERMIT BBG.SECCLASS.ZMFAPLA CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFAPLA) ACC(READ)
 PERMIT BBG.SECCLASS.ZMFCLOUD CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFCLOUD) ACC(READ)

 /* Roles processing will permit the z/OSMF Server groups to the   */
 /* Application Server resources                                   */
 /* Assumption: APPL class has been defined, activated, raclisted. */

 /* Permit the Administrators group to this profile                */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) SERVAUTH(CEA.CEATSO) ACC(READ)
 /* Permit the Users group to this profile                         */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) SERVAUTH(CEA.CEATSO) ACC(READ)
 /* Permit the started task USERID to this profile                 */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) SERVAUTH(CEA.CEATSO) ACC(READ)
 /* Make changes effective                                         */
 SETROPTS RACLIST(SERVAUTH) REFRESH
 /* Not needed. No equivalent in TSS                               */
 /* Permit the Administrators group to these profiles              */
 PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) TSOACCT(IZUACCT) ACC(READ)
 PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) TSOPROC(IZUFPROC) ACC(READ)
 /* Permit the Users group to these profiles                       */
 PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) TSOACCT(IZUACCT) ACC(READ)
 PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) TSOPROC(IZUFPROC) ACC(READ)
 /* Define console profile in class TSOAUTH to issue MVS commands  */
 /* via EMCS consoles                                              */
 RDEFINE TSOAUTH CONSOLE UACC(NONE)
 TSS ADD(owningacid) TSOAUTH(CONSOLE)

 /* Permit the Administrators group to these profiles              */
 PERMIT CONSOLE CLASS(TSOAUTH) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) TSOAUTH(CONSOLE) ACC(READ)

 /* Permit the Users group to these profiles                       */
 PERMIT CONSOLE CLASS(TSOAUTH) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) TSOAUTH(CONSOLE) ACC(READ)
 /* Make changes effective                                         */
 SETROPTS RACLIST(TSOAUTH) REFRESH
 /* Not needed. No equivalent in TSS                               */
 /* Define MCS operator profile starting with prefix IZU@          */
 RDEFINE OPERCMDS MVS.MCSOPER.IZU@* UACC(NONE)
 TSS ADD(owningacid) OPERCMDS(MVS.)

 /* Permit the Administrators group to these profiles              */
 PERMIT MVS.MCSOPER.IZU@* CLASS(OPERCMDS) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) OPERCMDS(MVS.MCSOPER.IZU) ACC(READ)

 /* Permit the Users group to these profiles                       */
 PERMIT MVS.MCSOPER.IZU@* CLASS(OPERCMDS) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) OPERCMDS(MVS.MCSOPER.IZU) ACC(READ)
 /* Make changes effective                                         */
 SETROPTS RACLIST(OPERCMDS) REFRESH
 /* Not needed. No equivalent in TSS                               */
 /* If your installation utilizes hardware crypto in combination   */
 /* with ICSF, various services like CSFRNGL, CSFDSV, CSFOWH,      */
 /* CSFIQF, etc. may be protected by profiles established in your  */
 /* security product. In certain cases, z/OSMF will utilize these  */
 /* services, and the z/OSMF started task USERID will need to be   */
 /* permitted to these profiles. If concrete profiles in the       */
 /* CSFSERV class have been defined to protect these resources,    */
 /* then the following commented commands would permit the started */
 /* task userid to the profile used by the associated ICSF service.*/
 /*PERMIT CSFIQF  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFIQF) ACCESS(READ)                    */
 /*encipher callable service                                       */
 /*PERMIT CSFENC  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFENC) ACCESS(READ)                    */
 /*cryptographic variable encipher callable                        */
 /*PERMIT CSFCVE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFCVE) ACCESS(READ)                    */
 /*decipher callable service                                       */
 /*PERMIT CSFDEC  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFDEC) ACCESS(READ)                    */
 /*symmetric algorithm encipher callable service                   */
 /*PERMIT CSFSAE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFSAE) ACCESS(READ)                    */
 /*symmetric algorithm decipher callable service                   */
 /*PERMIT CSFSAD  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFSAD) ACCESS(READ)                    */
 /*one-way hash generate callable service                          */
 /*PERMIT CSFOWH  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFOWH) ACCESS(READ)                    */
 /*random number generate callable service                         */
 /*PERMIT CSFRNG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFRNG) ACCESS(READ)                    */
 /*random number generate long callable service                    */
 /*PERMIT CSFRNGL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFRNGL) ACCESS(READ)                   */
 /*PKA key generate callable service                               */
 /*PERMIT CSFPKG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKG) ACCESS(READ)                    */
 /*digital signature generate service                              */
 /*PERMIT CSFDSG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFDSG) ACCESS(READ)                    */
 /*digital signature verify callable service                       */
 /*PERMIT CSFDSV  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFDSV) ACCESS(READ)                    */
 /*PKA key token change callable service                           */
 /*PERMIT CSFPKT  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKT) ACCESS(READ)                    */
 /*retained key list callable service                              */
 /*PERMIT CSFRKL  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFRKL) ACCESS(READ)                    */
 /*PKA Public Key Extract callable service                         */
 /*PERMIT CSFPKX  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKX) ACCESS(READ)                    */
 /*PKA encrypt callable service                                    */
 /*PERMIT CSFPKE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKE) ACCESS(READ)                    */
 /*PKA decrypt callable service                                    */
 /*PERMIT CSFPKD  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKD) ACCESS(READ)                    */
 /*PKA key import callable service                                 */
 /*PERMIT CSFPKI  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFPKI) ACCESS(READ)                    */
 /*multiple clear key import callable service                      */
 /*PERMIT CSFCKM  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFCKM) ACCESS(READ)                    */
 /*key generate callable service                                   */
 /*PERMIT CSFKGN  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFKGN) ACCESS(READ)                    */
 /*ECC Diffie-Hellman callable service                             */
 /*PERMIT CSFEDH  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)           */
 /*TSS PER(IZUSVR) CSFSERV(CSFEDH) ACCESS(READ)                    */
 /*SETROPTS RACLIST(CSFSERV) REFRESH                               */
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */

 /*   Profile Definitions for Core                                 */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LOGGER UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT +
   UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS +
   UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.** UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY +
   UACC(NONE)
 TSS ADD(owningacid) ZMFAPLA(IZUDFLT)

 /*   Profile Definitions for "Workflow"                           */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS UACC(NONE)
 /* Done in previous step                                          */
 /* Profile Definitions for "Workflow administrator role" */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.ADMIN UACC(NONE)
 /* Done in previous step                                          */
 /* Profile Definitions for "z/OSMF notification" */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS UACC(NONE)
 /* Done in previous step                                          */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN UACC(NONE)
 /* Done in previous step                                          */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.MODIFY UACC(NONE)
 /* Done in previous step                                          */

 /*  End Core Setup                                                */
 /*                                                                */
 /*   Begin zOSMF User Role Setup                                  */
 /*                                                                */
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) APPL(IZUDFLT) ACC(READ)
 TSS PER(IZUUSER) EJBROLE(IZUDFLT.*.izuUsers) ACC(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
 /*   Permit definitions for Core                                  */
 PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUUSER) +
   ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.LINK) ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUUSER) +
   ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) - 
 ACC(READ)

 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) - 
 ACC(READ)
 /*   Permit definitions for notification                          */
 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.MODIFY CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.MODIFY) - 
 ACC(READ)

 /*                                                                */
 /*  End zOSMF User Role Setup                                     */
 /*                                                                */

 /*                                                                */
 /*   Begin zOSMF Administrator Role Setup                         */
 /*                                                                */
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) APPL(IZUDFLT) ACC(READ)
 TSS PER(IZUADMIN) EJBROLE(IZUDFLT.*.izuUsers) ACC(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
 /*   Permit definitions for Core                                  */
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER   CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) - 
 ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK  CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LOGGER   CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LOGGER) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT  CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) - 
 ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS   +
   CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) - 
 ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN) +
   ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.LINK) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUADMIN) +
   ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) -
 ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) - 
 ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY) - 
 ACC(READ)
 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) - 
 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
 /* Permit definitions for "Workflow administrator role"  */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.ADMIN CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.ADMIN) - 
 ACC(READ)
 /* Permit definitions for "z/OSMF notification"  */
 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) -
 ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN) - 
 ACC(READ)
 PERMIT IZUDFLT.ZOSMF.NOTIFICATION.MODIFY CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.NOTIFICATION.MODIFY) - 
 ACC(READ)
 /* Permit the z/OSMF administrator access                         */
 PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(IZUADMIN) +
   ACCESS(READ)
 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTUSER) ACC(READ)
 PERMIT IRR.RADMIN.LISTGRP CLASS(FACILITY) ID(IZUADMIN) +
   ACCESS(READ)
 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTGRP) ACC(READ)
 PERMIT IRR.RADMIN.RLIST CLASS(FACILITY) ID(IZUADMIN) +
   ACCESS(READ)
 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.RLIST) ACC(READ)
 PERMIT IRR.RADMIN.SETROPTS.LIST CLASS(FACILITY) ID(IZUADMIN) +
   ACCESS(READ)
 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.SETROPTS.LIST) ACC(READ)

 /*                                                                */
 /*  End zOSMF Administrator Role Setup                            */
 /*                                                                */
 /*                                                                */
 /*   Begin zOS Security Administrator Role Setup                  */
 /*                                                                */

 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUSECAD) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUSECAD) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)
 TSS PER(IZUSECAD) APPL(IZUDFLT) ACC(READ)
 TSS PER(IZUSECAD) EJBROLE(IZUDFLT.*.izuUsers) ACC(READ)
 TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
   ID(IZUSECAD) ACCESS(READ)
 TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) - 
 ACC(READ)
 /*                                                                */
 /*  End zOS Security Administrator Role Setup                     */
 /*                                                                */


 /*----------------------------------------------------------------*/
 /* Begin Cloud Provisioning Setup                                 */
 /*                                                                */
 /* Generally, all resource profiles related to Cloud Provisioning */
 /* are in the ZMFCLOUD class.  The exceptions are the navigation  */
 /* task resource profiles, which are in the ZMFAPLA class.        */
 /*                                                                */
 /* The basic authorization approach used in Cloud Provisioning is */
 /* straight forward.                                              */
 /* - Authority to perform an action associated with a specific    */
 /*   user role is controlled by having READ access to the         */
 /*   RESOURCE PROFILE for that role.                              */
 /* - Access to the resource profile for a given role is given to  */
 /*   a GROUP defined for that role.  That group is granted READ   */
 /*   access to the RESOURCE PROFILE for that role.                */
 /* - Specific users are assigned roles by connecting their IDs to */
 /*   the GROUP associated with that role.                         */
 /*                                                                */
 /*   For example:                                                 */
 /*   Cloud Provisioning specifies that only domain administrators */
 /*   or landlords can perform certain actions, such as assigning  */
 /*   Network/WLM Administrators and domain template approvers for */
 /*   the domain they administer.                                  */
 /*                                                                */
 /*   - Domain administrators for the default domain are users     */
 /*     with READ access to the ZMFCLOUD class profile:            */
 /*        IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0     */
 /*     This profile is defined with the IYU0 group having READ    */
 /*     access.                                                    */
 /*   - The IYU0 group is used as a convenience.  All domain       */
 /*     administrators for the default domain will be connected    */
 /*     to the IYU0 group.                                         */
 /*   - Every Cloud Provisioning Resource Management operation     */
 /*     performed against the default domain and requiring a       */
 /*     domain administrator checks if the requesting  user has    */
 /*     READ access to the ZMFCLOUD class profile:                 */
 /*        IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0     */
 /*   - When a landlord assigns domain administrators to the       */
 /*     default domain, the IDs are connected to the IYU0 group.   */
 /*                                                                */
 /* By default, Cloud Provisioning will automatically manage the   */
 /* security environment when performing operations requiring      */
 /* security changes.                                              */
 /*                                                                */
 /* Part of the security setup that follows is for the purpose     */
 /* of establishing the security environment for the default       */
 /* domain and tenant that will be created when z/OSMF starts for  */
 /* the first time.  Existing default domain and tenant settings   */
 /* will remain unchanged during subsequent restarts.              */
 /*----------------------------------------------------------------*/

 /* Activate the ZMFCLOUD class                                    */
 SETROPTS CLASSACT(ZMFCLOUD)
 /* Not needed. No equivalent in TSS                               */
 SETROPTS RACLIST(ZMFCLOUD) GENERIC(ZMFCLOUD)
 /* Not needed. No equivalent in TSS                               */

 /* Setup the Cloud Provisioning landlord role.                    */
 /* Connect users with landlord authority to the IYU group.        */
 /* This is a manual operation to be performed outside of z/OSMF.  */
 ADDGROUP IYU
 TSS CRE(IYU) TYPE(PROFILE) NAME('IYU PROFILE') DEPT(dept)
 RDEFINE ZMFCLOUD +
   (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU) +
   UACC(NONE)
 TSS ADD(owningacid) ZMFCLOUD(IZUDFLT)
 PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU +
   CLASS(ZMFCLOUD) ID(IYU) ACCESS(READ)
 TSS PER(IYU) - 
 ZMFCLOUD(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU) -
 ACC(READ)
 /* Setup the domain administrator role for the default domain.    */
 /* Subsequent Resource Management operations through the user     */
 /* interface will automatically update the default domain         */
 /* security environment when administrators are added/removed.    */
 /*                                                                */
 /* The IYU group should generally not be included in the access   */
 /* list for the default domain's domain administrator role        */
 /* profile.  It is here for compatibility purposes.               */
 ADDGROUP IYU0 SUPGROUP(IYU)
 TSS CRE(IYU0) TYPE(PROFILE) NAME('IYU0 PROFILE') DEPT(dept)
 /* TSS profiles cannot be nested, so SUPGROUP(IYU) has no TSS     */
 /* equivalent. In RACF the superior group only places IYU0 in the */
 /* group tree; it does not give IYU members IYU0's access. Attach */
 /* the IYU0 profile only to user ACIDs that should hold the       */
 /* domain administrator role.                                     */

 RDEFINE ZMFCLOUD +
   (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0) +
   UACC(NONE)
 /* Done in a previous step.                                       */
 PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0 +
   CLASS(ZMFCLOUD) ID(IYU IYU0) ACCESS(READ)
 TSS PER(IYU) - 
 ZMFCLOUD(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0) -
 ACC(READ)
 TSS PER(IYU0) - 
 ZMFCLOUD(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0) -
 ACC(READ)
 /* Setup the network and WLM administrator roles for the default  */
 /* domain.                                                        */
 ADDGROUP IYU0RPAW SUPGROUP(IYU)
 TSS CRE(IYU0RPAW) TYPE(PROFILE) NAME('IYU0RPAW PROFILE') DEPT(dept)
 /* TSS profiles cannot be nested, so SUPGROUP(IYU) is not carried */
 /* over. RACF's superior group does not confer access; attach the */
 /* IYU0RPAW profile only to user ACIDs that should hold the WLM   */
 /* administrator role.                                            */
 RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0) UACC(NONE)
 /* Done in a previous step.                                       */
 PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0 CLASS(ZMFCLOUD) +
   ID(IYU0RPAW) ACCESS(READ)
 TSS PER(IYU0RPAW) - 
 ZMFCLOUD(IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0) -
 ACC(READ)

 ADDGROUP IYU0RPAN SUPGROUP(IYU)
 TSS CRE(IYU0RPAN) TYPE(PROFILE) NAME('IYU0RPAN PROFILE') DEPT(dept)
 /* TSS profiles cannot be nested, so SUPGROUP(IYU) is not carried */
 /* over. RACF's superior group does not confer access; attach the */
 /* IYU0RPAN profile only to user ACIDs that should hold the       */
 /* network administrator role.                                    */
 RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0) +
   UACC(NONE)
 /* Done in a previous step.                                       */
 PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0 CLASS(ZMFCLOUD) +
   ID(IYU0RPAN) ACCESS(READ)
 TSS PER(IYU0RPAN) - 
 ZMFCLOUD(IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0) -
 ACC(READ)
 /* Setup the domain template approver role for the default domain */
 RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.TEMPLATE.APPROVERS.IYU0) UACC(NONE)
 /* Done in a previous step.                                       */
 /* Setup the consumer role for the default tenant.                */
 ADDGROUP IYU000 SUPGROUP(IYU0)
 TSS CRE(IYU000) TYPE(PROFILE) NAME('IYU000 PROFILE') DEPT(dept) 
 /* TSS profiles cannot be nested, so SUPGROUP(IYU0) is not        */
 /* carried over. RACF's superior group does not confer access;    */
 /* attach the IYU000 profile only to user ACIDs that should hold  */
 /* the default tenant consumer role.                              */
 RDEFINE ZMFCLOUD +
   (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000) +
   UACC(NONE)
 /* Done in a previous step.                                       */
 PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000 +
   CLASS(ZMFCLOUD) ID(IYU000) ACCESS(READ)
 TSS PER(IYU000) - 
 ZMFCLOUD(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000) -
 ACC(READ)
 /* Define the ZMFAPLA profiles for the following resources:       */
 /*   - Cloud Provisioning's Software Services task                */
 /*   - Cloud Provisioning's Resource Management task              */
 /*   - The Workflow Editor task                                   */
 /*   - System Variables administrator resource                    */
 RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) +
   UACC(NONE)
 TSS ADD(owningacid) ZMFAPLA(IZUDFLT)
 RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT) +
   UACC(NONE)
 /* Done in a previous step.                                       */
 RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.WORKFLOW.EDITOR) UACC(NONE)
 /* Done in a previous step.                                       */
 RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN) UACC(NONE)
 /* Done in a previous step.                                       */
 /* Grant access to z/OSMF to the landlord, default domain         */
 /* administrator and the default tenant consumer groups.  The     */
 /* IYU0RPAN and IYU0RPAW groups do not need explicit access       */
 /* because users connected to them are required to be Networking  */
 /* and Workload Manager administrators, who will already be in    */
 /* the IZUUSER group.                                             */
  PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) +
    ACCESS(READ)
 TSS PER(IYU) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
 TSS PER(IYU0) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
 TSS PER(IYU000) ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)


 /* Setup access so Cloud Provisioning users (landlords, default   */
 /* domain's domain administrators and default tenant's consumers) */
 /* can access the Software Services, Workflows and Workflow Editor*/
 /* tasks.                                                         */
 PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES CLASS(ZMFAPLA) +
   ID(IYU IYU0 IYU000) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
   ID(IYU IYU0 IYU000) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.EDITOR CLASS(ZMFAPLA) +
   ID(IYU IYU0) ACCESS(READ)
 TSS PER(IYU) -
 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) ACC(READ)
 TSS PER(IYU0) - 
 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) ACC(READ)
 TSS PER(IYU000) -
 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) ACC(READ)
 TSS PER(IYU) - 
 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
 TSS PER(IYU0) -
 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
 TSS PER(IYU000) -
 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
 TSS PER(IYU) -
 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.EDITOR) ACC(READ)
 TSS PER(IYU0) -
 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.EDITOR) ACC(READ)
 /* IYU000 (default tenant consumers) is not in the RACF access    */
 /* list for the Workflow Editor, so no TSS PERMIT is issued for   */
 /* it.                                                            */

 /* Setup access so Cloud Provisioning administrative users        */
 /* (landlords, default domain's administrators) can access the    */
 /* Resource Management task.                                      */
 PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT +
   CLASS(ZMFAPLA) ID(IYU IYU0) ACCESS(READ)
 TSS PER(IYU) - 
 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT) ACC(READ)
 TSS PER(IYU0) - 
 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT) ACC(READ)

 /* Setup access so Cloud Provisioning resource administrators can */
 /* login and access the Workflows and Software Services tasks.    */
 PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) +
   ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES +
   CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
   ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
 TSS PER(IYU0RPAN) - 
 ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
 TSS PER(IYU0RPAN) - 
 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) -
 ACC(READ)
 TSS PER(IYU0RPAN) - 
 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
 TSS PER(IYU0RPAW) - 
 ZMFAPLA(IZUDFLT.ZOSMF) ACC(READ)
 TSS PER(IYU0RPAW) - 
 ZMFAPLA(IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) -
 ACC(READ)
 TSS PER(IYU0RPAW) - 
 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
 
 /* Grant authority to the z/OSMF Administrator group to modify and*/
 /* delete System Variables via the Systems task or the REST API.  */
 PERMIT IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) - 
 ZMFAPLA(IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN) ACC(READ)

 /* Setup the security administrator profile used to determine if  */
 /* an ID being specified as the security administrator of a domain*/
 /* is permitted to be assigned as such.                           */
 /*                                                                */
 /* Define the ZMFCLOUD class IZUDFLT.ZOSMF.SECURITY.ADMIN profile */
 /* and grant read access to the IZUSECAD z/OSMF security          */
 /* administrator group.                                           */
 /*                                                                */
 /* Landlords can only specify the IDs of security administrators  */
 /* that have read access to the IZUDFLT.ZOSMF.SECURITY.ADMIN      */
 /* ZMFCLOUD class profile.                                        */
 /*                                                                */
 /* --- Only security administrator IDs that are approved          */
 /* --- beforehand should be added to the IZUSECAD group.  IDs     */
 /* --- assigned as security administrator in a domain will have   */
 /* --- that ID used to perform Resource Management dynamic        */
 /* --- security updates.                                          */
 RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.SECURITY.ADMIN) UACC(NONE)
 /* Done in a previous step.                                       */
 PERMIT IZUDFLT.ZOSMF.SECURITY.ADMIN CLASS(ZMFCLOUD) +
   ID(IZUSECAD) ACCESS(READ)
 TSS PER(IZUSECAD) ZMFCLOUD(IZUDFLT.ZOSMF.SECURITY.ADMIN) - 
 ACC(READ)

 /* Connect the server ID IZUSVR to the IZUSECAD group.  This is   */
 /* necessary so the server can change the group ownership of the  */
 /* dynamic security REXX exec to IZUSECAD in order to secure it   */
 /* from updates by anyone other than authorized security admins.  */
 /* This izu.provisioning.security.config.rexx exec resides in the */
 /* configuration/workflow of the USERDIR specified in the server  */
 /* PROC.  The permissions are set to 570 and ownership set to     */
 /* IZUSVR:IZUSECAD.                                               */
 /*                                                                */
 /* This operation only occurs during server startup when the      */
 /* the REXX exec is not yet present.  If the exec already exists, */
 /* then the server will not make any changes to it.               */
 CONNECT (IZUSVR) GROUP(IZUSECAD)
 /* TSS: attach the IZUSECAD profile to the server ACID, in the    */
 /* same way the CFZUSRGP profile is attached below.               */
 TSS ADD(IZUSVR) PROFILE(IZUSECAD)

 /*----------------------------------------------------------------*/
 /* End "Cloud" Setup                                              */
 /*----------------------------------------------------------------*/

 /* Need to REFRESH these classes for Roles                        */
 SETROPTS RACLIST(APPL) REFRESH
 /* Not needed. No equivalent in TSS                               */
 SETROPTS RACLIST(EJBROLE) REFRESH
 /* Not needed. No equivalent in TSS                               */
 SETROPTS RACLIST(ZMFAPLA) REFRESH
 /* Not needed. No equivalent in TSS                               */
 SETROPTS RACLIST(SERVER) REFRESH
 /* Not needed. No equivalent in TSS                               */
 SETROPTS RACLIST(STARTED) REFRESH
 /* Not needed. No equivalent in TSS                                */
 SETROPTS RACLIST(FACILITY) REFRESH
 /* Not needed. No equivalent in TSS                               */
 SETROPTS RACLIST(ZMFCLOUD) REFRESH
 /* Not needed. No equivalent in TSS                               */

 /* Connect the started task USERID to the CIM USER group          */
 CONNECT (IZUSVR) GROUP(CFZUSRGP)
 TSS ADD(IZUSVR) PROFILE(CFZUSRGP)
/*
//V2R3   EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /*                                                                */
 /*  The V2R3 step contains the profiles which are added in V2R3   */
 /*  release                                                       */

 /* Define the STARTED profiles for auto start function            */
 RDEFINE STARTED IZUINSTP.* UACC(NONE) STDATA(USER(IZUSVR) +
   GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
 TSS ADD(STC) PROCN(IZUINSTP) ACID(IZUSVR)

 /* Define the CEA resource profile required for auto start        */
 /* function                                                       */
 RDEFINE SERVAUTH CEA.SIGNAL.* UACC(NONE)
 TSS ADD(owningacid) SERVAUTH(CEA)

 /* Permit the started task USERID to this profile                 */
 PERMIT CEA.SIGNAL.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) SERVAUTH(CEA.SIGNAL) ACC(READ)

 /* Profile for general setting                                    */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.GENERAL.SETTINGS UACC(NONE)
 /* Done in a previous step.                                       */

 /* Permit the Administrators group to this profile                */
 PERMIT IZUDFLT.ZOSMF.GENERAL.SETTINGS CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.GENERAL.SETTINGS) -
 ACC(READ)

 /* Profile Definitions for "z/OSMF email function" */
 RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
 /* Done in a previous step.                                       */

 /* Permit the started task USERID to this profile                 */
 PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(IZUSVR) ACC(READ)
 TSS PER(IZUSVR) IBMFAC(IRR.RUSERMAP) ACC(READ)
 /*----------------------------------------------------------------*/
 /* Begin Setup for Discovery CPC function in Systems task         */
 /*----------------------------------------------------------------*/
 /* Replace <netid.nau> with the 3-17 character SNA name of the    */
 /* particular CPC.                                                */
 /* Replace <uppercasecommunityname> with the SNMP community name  */
 /* that is associated with the CPC.                               */
 /* Replace <imagename> with the 1-8 character LPAR name.          */
 /*                                                                */
 /* RDEFINE FACILITY HWI.APPLNAME.HWISERV UACC(NONE)               */
 /* TSS ADD(owningacid) IBMFAC(HWI)                                */
 /* PERMIT HWI.APPLNAME.HWISERV CLASS(FACILITY) ID(IZUADMIN) +     */
 /*   ACCESS(READ)                                                 */
 /* TSS PER(IZUADMIN) IBMFAC(HWI.APPLNAME.HWISERV) ACC(READ)       */
 /* The community name is a property of the CPC, so the APPLDATA   */
 /* belongs on the HWI.TARGET.<netid.nau> profile, not on the      */
 /* HWISERV application profile.                                   */
 /* RDEFINE FACILITY HWI.TARGET.<netid.nau> UACC(NONE) +           */
 /*   APPLDATA('<uppercasecommunityname>')                         */
 /* Done in a previous step (the HWI prefix is owned above)        */
 /* RDEFINE FACILITY HWI.TARGET.<netid.nau>.<imagename> UACC(NONE) */
 /* Done in a previous step                                        */
 /* PERMIT HWI.TARGET.<netid.nau> CLASS(FACILITY) ID(IZUADMIN) +   */
 /*   ACCESS(READ)                                                 */
 /* TSS PER(IZUADMIN) IBMFAC(HWI.TARGET.<netid.nau>) -             */
 /* APPLDATA('<uppercasecommunityname>') ACC(READ)                 */
 /* PERMIT HWI.TARGET.<netid.nau>.<imagename> CLASS(FACILITY) +    */
 /*   ID(IZUADMIN) ACCESS(READ)                                    */
 /* TSS PER(IZUADMIN) IBMFAC(HWI.TARGET.<netid.nau>.<imagename>) - */
 /* ACC(READ)                                                      */
 /*----------------------------------------------------------------*/
 /* End Setup for Discovery CPC function in Systems task           */
 /*----------------------------------------------------------------*/

 /* If AT-TLS is enabled, the z/OSMF started task user ID must be  */
 /* permitted to the SERVAUTH resource EZB.INITSTACK.sysname.tcpname*/
 /*                                                                */
 /* PERMIT EZB.INITSTACK.sysname.tcpname CLASS(SERVAUTH)  +        */
 /*   ID(IZUSVR) ACCESS(READ)                                      */
 /* TSS PER(IZUSVR) SERVAUTH(EZB.INITSTACK.sysname.tcpname) -      */
 /* ACC(READ)                                                      */

 /* Profile Definitions for "zOS Operator Consoles" task */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.CONSOLES.ZOSOPER UACC(NONE)
 /* Done in a previous step.                             */
 /* Permit definitions for "zOS Operator Consoles" task */
 PERMIT IZUDFLT.ZOSMF.CONSOLES.ZOSOPER CLASS(ZMFAPLA) +
   ID(IZUUSER) ACCESS(READ)
 TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.CONSOLES.ZOSOPER) -
 ACC(READ)
 /* Permit definitions for "zOS Operator Consoles" task */
 PERMIT IZUDFLT.ZOSMF.CONSOLES.ZOSOPER CLASS(ZMFAPLA) +
   ID(IZUADMIN) ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.CONSOLES.ZOSOPER) -
 ACC(READ)

 /* Profile definitions for Named Angel Support                    */
 RDEFINE SERVER BBG.ANGEL.IZUANG1 UACC(NONE)
 /* Done in a previous step.                                       */
 PERMIT BBG.ANGEL.IZUANG1 CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) SERVER(BBG.ANGEL.IZUANG1) ACC(READ)
 /* Define security setup to permit Authorized WLM Service (ZOSWLM)*/
 RDEFINE FACILITY BPX.WLMSERVER UACC(NONE)
 /* Done in a previous step.                                       */
 PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
 TSS PER(IZUSVR) IBMFAC(BPX.WLMSERVER) ACC(READ)
 
 /* Make changes effective                                         */
 SETROPTS RACLIST(SERVER) REFRESH
 /* Not needed. No equivalent in TSS                               */
 SETROPTS RACLIST(SERVAUTH) REFRESH
 /* Not needed. No equivalent in TSS                               */
 SETROPTS RACLIST(ZMFAPLA) REFRESH
 /* Not needed. No equivalent in TSS                               */
 SETROPTS RACLIST(FACILITY) REFRESH
 /* Not needed. No equivalent in TSS                               */
 /*                                                                */
 /*  End V2R3 step Setup                                           */
 /*                                                                */

/*
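The listing above pairs every RACF PERMIT (which can name several IDs at once) with one TSS PERMIT per ACID, and the FACILITY class becomes IBMFAC. Checking by eye that no grant was dropped, misspelled, or added to an ACID that the RACF access list never named is error-prone. The following Python script is an added example, not part of IBM's IZUSEC member or of this KB article: it joins continued lines (RACF `+`, TSS `-`), expands each RACF PERMIT into the per-ACID form, and reports grants present on only one side. It assumes only the command shapes used in the listing (`PERMIT resource CLASS() ID() ACCESS()` and `TSS PER() class(resource) ACC()`); the FACILITY-to-IBMFAC mapping is the one the listing uses, and the embedded sample listing is constructed for the demonstration, with two deliberate defects.

```python
"""Cross-check a RACF-to-TSS conversion listing such as IZUSEC.

Added example, not part of IBM's IZUSEC member or of the KB article.
It joins continued lines (RACF '+', TSS '-'), expands every RACF PERMIT
into the one-ACID-per-PERMIT form TSS needs, and reports grants that are
present on only one side.  Only the command shapes used in the listing
are parsed (assumption): PERMIT resource CLASS() ID() ACCESS() and
TSS PER() class(resource) ACC().
"""
import re

# RACF class -> TSS resource class keyword; other classes keep their name.
CLASS_MAP = {"FACILITY": "IBMFAC"}

RACF_PERMIT = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ID\(([^)]+)\)\s+ACC(?:ESS)?\((\w+)\)$",
    re.I)
TSS_PERMIT = re.compile(
    r"^TSS\s+PER(?:MIT)?\((\w+)\)\s+(\w+)\(([^)]+)\)\s+ACC(?:ESS)?\((\w+)\)$",
    re.I)


def join_continuations(text):
    """Return complete commands. RACF continues a line with a trailing '+',
    TSS with a trailing '-'; comment lines (/* ... */) and blanks are skipped."""
    cmds, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith(("+", "-")):
            buf += line[:-1].rstrip() + " "
            continue
        cmds.append((buf + line).strip())
        buf = ""
    return cmds


def racf_grants(cmds):
    """(acid, tss_class, resource, access) for every ID of every RACF PERMIT.
    Resource names keep their case: EJBROLE names such as izuUsers are
    case-sensitive."""
    grants = set()
    for cmd in cmds:
        m = RACF_PERMIT.match(cmd)
        if not m:
            continue
        resource, cls, ids, access = m.groups()
        tss_class = CLASS_MAP.get(cls.upper(), cls.upper())
        # A trailing RACF generic (.* or .**) is dropped, as the listing
        # does: TSS protects by prefix, so IZUDFLT.ZOSMF.LINK covers it.
        resource = re.sub(r"\.\*+$", "", resource)
        for acid in ids.split():
            grants.add((acid.upper(), tss_class, resource, access.upper()))
    return grants


def tss_grants(cmds):
    """(acid, class, resource, access) for every TSS PERMIT."""
    grants = set()
    for cmd in cmds:
        m = TSS_PERMIT.match(cmd)
        if m:
            acid, cls, resource, access = m.groups()
            grants.add((acid.upper(), cls.upper(), resource, access.upper()))
    return grants


def diff_listing(text):
    """Return (missing, extra): RACF grants with no TSS PERMIT, and TSS
    PERMITs with no RACF grant (typos or over-permissioning)."""
    cmds = join_continuations(text)
    expected, actual = racf_grants(cmds), tss_grants(cmds)
    return sorted(expected - actual), sorted(actual - expected)


# Constructed sample in IZUSEC style with two deliberate defects: a
# misspelled resource (WORKFLOWSF) and a TSS PERMIT for IYU000 that the
# RACF access list for the Workflow Editor does not contain.
SAMPLE = """\
 /* constructed sample, not from the IZUSEC member                 */
 PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN) +
   ACCESS(READ)
 TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.LINK) -
 ACC(READ)
 PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(IZUADMIN) +
   ACCESS(READ)
 TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTUSER) ACC(READ)
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
   ID(IYU IYU0 IYU000) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.EDITOR CLASS(ZMFAPLA) +
   ID(IYU IYU0) ACCESS(READ)
 TSS PER(IYU) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
 TSS PER(IYU0) -
 ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWSF) ACC(READ)
 TSS PER(IYU000) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACC(READ)
 TSS PER(IYU) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.EDITOR) ACC(READ)
 TSS PER(IYU0) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.EDITOR) ACC(READ)
 TSS PER(IYU000) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.EDITOR) ACC(READ)
"""

if __name__ == "__main__":
    missing, extra = diff_listing(SAMPLE)
    for g in missing:
        print("MISSING TSS PERMIT :", *g)
    for g in extra:
        print("EXTRA TSS PERMIT   :", *g)
```

Run it against the SYSTSIN content of the converted member (commands outside comments only). A "missing" line means a RACF grant has no TSS counterpart; an "extra" line means a TSS PERMIT grants something the RACF access list never did, which is the case to treat as a least-privilege defect rather than a harmless surplus.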
File Attachments:
zOS23IZUSEC.txt