RACF z/OSMF 2.2 IZUSEC

Document ID : KB000011629
Last Modified Date : 14/02/2018
Question:

How do I convert the RACF commands in the z/OSMF 2.2 IZUSEC job to Top Secret (TSS) commands?

Environment:
z/OSMF 2.2
Answer:
//IZUCORE JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX             
//********************************************************************          
//* PROPRIETARY STATEMENT:                                           *          
//*    Licensed Materials - Property of IBM                          *          
//*    5650-ZOS Copyright IBM Corp. 2015                             *          
//*                                                                  *          
//*    STATUS=HSMA220                                                *          
//*                                                                  *          
//* DESCRIPTIVE NAME:                                                *          
//*    z/OSMF SERVER default security setup                          *          
//*                                                                  *          
//*    The JCL contains the security setup for z/OSMF server.        *          
//*    You can customize this JCL to create a security setup         *          
//*    for the z/OSMF Server as you wish.                            *          
//*                                                                  *          
//*                                                                  *          
//********************************************************************          
//* Make sure that you run this job from a user with full access     *          
//* to your RACF database.                                           *          
//********************************************************************          
//*                                                                             
//* JOB CORE sets up z/OSMF core security settings.
//* Replace with your job card                                                  
//STEP1  EXEC PGM=IKJEFT01,DYNAMNBR=99                                          
//SYSPRINT DD SYSOUT=*                                                          
//SYSTSPRT DD SYSOUT=*                                                          
//SYSTSIN  DD *  
/* Begin "Core" Setup */
/* */
/* This commented section contains the CLASS activation commands */
/* Ensure the following classes are active before executing this */
/* script or creating profiles in these classes. */
/* Create the z/OSMF Administrators group */
ADDGROUP IZUADMIN OMVS(GID(9003))
TSS CREATE(IZUADMIN) TYPE(GROUP) NAME('ZOSMF GROUP') DEPT(dept) FAC(STC)
TSS ADD(IZUADMIN) GID(9003)
TSS MODIFY(OMVSTABS)
/* Create the z/OSMF Users group */
ADDGROUP IZUUSER OMVS(GID(9004))
TSS CREATE(IZUUSER) TYPE(GROUP) NAME('ZOSMF GROUP') DEPT(dept) FAC(STC)
TSS ADD(IZUUSER) GID(9004)
TSS MODIFY(OMVSTABS)
/* Create the z/OSMF Unauthenticated group */
ADDGROUP IZUUNGRP OMVS(GID(9012))
TSS CREATE(IZUUNGRP) TYPE(GROUP) NAME('ZOSMF GROUP') DEPT(dept) FAC(STC)
TSS ADD(IZUUNGRP) GID(9012)
TSS MODIFY(OMVSTABS)
/* Create the started task USERID for the z/OSMF Server */
/* Please note, the HOME directory should be created with */
/* utility IZUMKFS. */
ADDUSER IZUSVR DFLTGRP(IZUADMIN) NOPASSWORD NOOIDCARD +
  OMVS(UID(9010) HOME(/var/zosmf/data/home/izusvr) PROGRAM(/bin/sh)) +
  NAME('zOSMF Started Task USERID')
TSS CREATE(IZUSVR) TYPE(USER) NAME('zOSMF Started Task USERID') DEPT(dept) PASS(NOPW,0)
TSS ADD(IZUSVR) DFLTGRP(IZUADMIN) GROUP(IZUADMIN) UID(9010) -
  HOME(/var/zosmf/data/home/izusvr) OMVSPGM(/bin/sh)
/* Change concurrent open file number for started task USERID */
ALTUSER IZUSVR OMVS(FILEPROC(10000))
TSS ADD(IZUSVR) OEFILEP(10000)
/* Create the z/OSMF unauthenticated USERID */
ADDUSER IZUGUEST RESTRICTED DFLTGRP(IZUUNGRP) NOPASSWORD NOOIDCARD +
  OMVS(UID(9011)) NAME('zOSMF Unauthenticated USERID')
TSS CREATE(IZUGUEST) TYPE(USER) NAME('zOSMF Unauthenticated USERID') DEPT(dept) PASS(NOPW,0)
TSS ADD(IZUGUEST) DFLTGRP(IZUUNGRP) GROUP(IZUUNGRP) UID(9011) HOME('/u/izuguest') OMVSPGM('/bin/sh')
/* Define the STARTED profiles for the z/OSMF server */
RDEFINE STARTED IZUSVR1.* UACC(NONE) +
  STDATA(USER(IZUSVR) GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEFINE STARTED IZUANG1.* UACC(NONE) +
  STDATA(USER(IZUSVR) GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
TSS ADD(STC) PROCNAME(IZUSVR1) ACID(IZUSVR)
TSS ADD(STC) PROCNAME(IZUANG1) ACID(IZUSVR)
/* Define the APPL profile for the z/OSMF server */
RDEFINE APPL IZUDFLT UACC(NONE)
TSS ADD(Owning_Dept) APPL(IZUDFLT)
/* Define the SERVER profiles for the z/OSMF server */
RDEFINE SERVER BBG.SECPFX.IZUDFLT UACC(NONE)
RDEFINE SERVER BBG.ANGEL UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
TSS ADD(Owning_Dept) SERVER(BBG.)
/* Permit the z/OSMF unauthenticated USERID access */
PERMIT IZUDFLT CLASS(APPL) ID(IZUGUEST) ACCESS(READ)
TSS PER(IZUGUEST) APPL(IZUDFLT) ACCESS(READ)
/* Permit the started task USERID access */
PERMIT BBG.SECPFX.IZUDFLT CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) SERVER(BBG.SECPFX.IZUDFLT) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.ANGEL) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSWLM) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.TXRRS) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSDUMP) ACCESS(READ)
/* Define the BPX.CONSOLE profile to suppress the BPXM023I message */
/* prefix for console messages */
RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
TSS ADD(Owning_Dept) IBMFAC(BPX.)
/* Permit the started task USERID access */
PERMIT BPX.CONSOLE CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) IBMFAC(BPX.CONSOLE) ACCESS(READ)
/* Define the Sync-to-OS-thread FACILITY profile */
RDEFINE FACILITY BBG.SYNC.IZUDFLT UACC(NONE)
TSS ADD(Owning_Dept) IBMFAC(BBG.)
/* Permit the started task USERID access */
PERMIT BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)
TSS PER(IZUSVR) IBMFAC(BBG.SYNC.IZUDFLT) ACCESS(CONTROL)
/* Define the FACILITY profile for working with digital */
/* certificates */
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
/* Allow users of the z/OSMF Configuration Workflow to extract */
/* profile information */
RDEFINE FACILITY IRR.RADMIN.LISTUSER
RDEFINE FACILITY IRR.RADMIN.LISTGRP
RDEFINE FACILITY IRR.RADMIN.RLIST
RDEFINE FACILITY IRR.RADMIN.SETROPTS.LIST
TSS ADD(Owning_Dept) IBMFAC(IRR.)
/* Permit the started task USERID access */
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(READ)
TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(READ)
/* Create the CA certificate for the z/OSMF server */
RACDCERT CERTAUTH GENCERT +
  SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') OU('IZUDFLT')) +
  WITHLABEL('zOSMFCA') TRUST NOTAFTER(DATE(2023/05/17))
RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
TSS GENCERT(CERTAUTH) DIGICERT(WEBSPRCA) -
  SUBJECTN('CN="z/OSMF CertAuth for Security Domain" OU="IZUDFLT"') -
  LABLCERT('zOSMFCA') NADATE(05/17/23)
TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(CERTAUTH,WEBSPRCA)
/* Create the server certificate for the z/OSMF server */
/* Change HOST NAME in CN field into real local host name */
/* Usually the format of the host name is 'XXXX.XXX.XXX.XXX' */
RACDCERT ID(IZUSVR) GENCERT +
  SUBJECTSDN(CN('HOST NAME') O('IBM') OU('IZUDFLT')) +
  WITHLABEL('DefaultzOSMFCert.IZUDFLT') +
  SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2023/05/17))
RACDCERT ALTER(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR) TRUST
RACDCERT ID(IZUSVR) CONNECT(LABEL('DefaultzOSMFCert.IZUDFLT') RING(IZUKeyring.IZUDFLT) DEFAULT)
RACDCERT ID(IZUSVR) CONNECT(LABEL('zOSMFCA') RING(IZUKeyring.IZUDFLT) CERTAUTH)
TSS GENCERT(IZUSVR) DIGICERT(DFWAS70C) -
  SUBJECTN('CN="HOST NAME" OU="IZUDFLT" O="IBM"') -
  LABLCERT('DefaultzOSMFCert.IZUDFLT') -
  SIGNWITH(CERTAUTH,zOSMFCA) NADATE(05/17/23)
/* Define the CEA resource profile required for z/OSMF server */
RDEFINE SERVAUTH CEA.CEATSO.* UACC(NONE)
TSS ADD(Owning_Dept) SERVAUTH(CEA.)
/* Define the Account Number resource profile for REST File API */
RDEFINE ACCTNUM IZUACCT UACC(NONE)
/* Define the TSO Procedure resource profile for REST File API */
RDEFINE TSOPROC IZUFPROC UACC(NONE)
/* Create the z/OS Security Administrators group */
ADDGROUP IZUSECAD OMVS(GID(9006))
TSS CREATE(IZUSECAD) TYPE(GROUP) NAME('ZOSMF GROUP') DEPT(dept) FAC(STC)
TSS ADD(IZUSECAD) GID(9006)
TSS MODIFY(OMVSTABS)
/* Define the ZMFAPLA profile for the z/OSMF server */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF UACC(NONE)
TSS ADD(Owning_Dept) ZMFAPLA(IZUDFLT)
/* The EJBROLE definitions are case-sensitive in RACF. Ensure you */
/* preserve case for these commands */
/* Assumption: EJBROLE is defined, activated, and raclisted. */
RDEFINE EJBROLE IZUDFLT.*.izuUsers UACC(NONE)
TSS ADD(Owning_Dept) EJBROLE(IZUDFLT)
/* Define the z/OSMF Server profile */
RDEFINE SERVER BBG.SECCLASS.ZMFAPLA UACC(NONE)
/* TSS ADD(Owning_Dept) SERVER(BBG.) is already done above */
/* Permit the started task USERID access */
PERMIT BBG.SECCLASS.ZMFAPLA CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFAPLA) ACCESS(READ)
/* Roles processing will permit the z/OSMF Server groups to the */
/* Application Server resources */
/* Assumption: APPL class has been defined, activated, raclisted. */
/* Permit the Administrators group to this profile */
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
/* Permit the Users group to this profile */
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
/* Permit the started task USERID to this profile */
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
TSS PER(IZUSVR) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
/* Permit the Administrators group to these profiles */
PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUADMIN) ACCESS(READ)
TSS ADD(IZUADMIN) TSOLACCT(acct#)
TSS ADD(IZUADMIN) TSOLPROC(IZUFPROC)
/* Permit the Users group to these profiles */
PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUUSER) ACCESS(READ)
PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUUSER) ACCESS(READ)
TSS ADD(IZUUSER) TSOLACCT(acct#)
TSS ADD(IZUUSER) TSOLPROC(IZUFPROC)
/* If your installation utilizes hardware crypto in combination */
/* with ICSF, various services like CSFRNGL, CSFDSV, CSFOWH, */
/* CSFIQF, etc. may be protected by profiles established in your */
/* security product. In certain cases, z/OSMF will utilize these */
/* services, and the z/OSMF started task USERID will need to be */
/* permitted to these profiles. If concrete profiles in the CSFSERV */
/* class have been defined to protect these resources, then the */
/* following commands would permit the started task userid to the */
/* profile which is used by the associated ICSF service. */
/* ICSF query facility callable service */
PERMIT CSFIQF CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* encipher callable service */
PERMIT CSFENC CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* cryptographic variable encipher callable service */
PERMIT CSFCVE CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* decipher callable service */
PERMIT CSFDEC CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* symmetric algorithm encipher callable service */
PERMIT CSFSAE CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* symmetric algorithm decipher callable service */
PERMIT CSFSAD CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* one-way hash generate callable service */
PERMIT CSFOWH CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* random number generate callable service */
PERMIT CSFRNG CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* random number generate long callable service */
PERMIT CSFRNGL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* PKA key generate callable service */
PERMIT CSFPKG CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* digital signature generate service */
PERMIT CSFDSG CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* digital signature verify callable service */
PERMIT CSFDSV CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* PKA key token change callable service */
PERMIT CSFPKT CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* retained key list callable service */
PERMIT CSFRKL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* PKA Public Key Extract callable service */
PERMIT CSFPKX CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* PKA encrypt callable service */
PERMIT CSFPKE CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* PKA decrypt callable service */
PERMIT CSFPKD CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* PKA key import callable service */
PERMIT CSFPKI CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* multiple clear key import callable service */
PERMIT CSFCKM CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* key generate callable service */
PERMIT CSFKGN CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* ECC Diffie-Hellman callable service */
PERMIT CSFEDH CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* key token build callable service */
PERMIT CSFKTB CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
/* Top Secret: own each CSFSERV resource, then permit the started task */
TSS ADD(Owning_Dept) CSFSERV(CSFIQF)
TSS ADD(Owning_Dept) CSFSERV(CSFENC)
TSS ADD(Owning_Dept) CSFSERV(CSFCVE)
TSS ADD(Owning_Dept) CSFSERV(CSFDEC)
TSS ADD(Owning_Dept) CSFSERV(CSFSAE)
TSS ADD(Owning_Dept) CSFSERV(CSFSAD)
TSS ADD(Owning_Dept) CSFSERV(CSFOWH)
TSS ADD(Owning_Dept) CSFSERV(CSFRNG)
TSS ADD(Owning_Dept) CSFSERV(CSFRNGL)
TSS ADD(Owning_Dept) CSFSERV(CSFPKG)
TSS ADD(Owning_Dept) CSFSERV(CSFDSG)
TSS ADD(Owning_Dept) CSFSERV(CSFDSV)
TSS ADD(Owning_Dept) CSFSERV(CSFPKT)
TSS ADD(Owning_Dept) CSFSERV(CSFRKL)
TSS ADD(Owning_Dept) CSFSERV(CSFPKX)
TSS ADD(Owning_Dept) CSFSERV(CSFPKE)
TSS ADD(Owning_Dept) CSFSERV(CSFPKD)
TSS ADD(Owning_Dept) CSFSERV(CSFPKI)
TSS ADD(Owning_Dept) CSFSERV(CSFCKM)
TSS ADD(Owning_Dept) CSFSERV(CSFKGN)
TSS ADD(Owning_Dept) CSFSERV(CSFEDH)
TSS ADD(Owning_Dept) CSFSERV(CSFKTB)
TSS PER(IZUSVR) CSFSERV(CSFIQF) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFENC) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFCVE) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFDEC) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFSAE) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFSAD) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFOWH) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFRNG) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFRNGL) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFPKG) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFDSG) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFDSV) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFPKT) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFRKL) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFPKX) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFPKE) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFPKD) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFPKI) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFCKM) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFKGN) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFEDH) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFKTB) ACCESS(READ)
/* Profile Definitions for Core */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LOGGER UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.** UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY UACC(NONE)
/* TSS ADD(Owning_Dept) ZMFAPLA(IZUDFLT) if not already defined above */
/* Profile Definitions for "Workflow" */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS UACC(NONE)
/* End Core Setup */
/* */
/* Begin zOSMF User Role Setup */
/* */
PERMIT IZUDFLT CLASS(APPL) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) APPL(IZUDFLT) ACCESS(READ)
TSS PER(IZUUSER) EJBROLE(IZUDFLT.*.izuUsers) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF) ACCESS(READ)
/* Permit definitions for Core */
PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.LINK.) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) ACCESS(READ)
/* Permit definitions for Workflow */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
/* */
/* End zOSMF User Role Setup */
/* */
/* */
/* Begin zOSMF Administrator Role Setup */
/* */
PERMIT IZUDFLT CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) APPL(IZUDFLT) ACCESS(READ)
TSS PER(IZUADMIN) EJBROLE(IZUDFLT.*.izuUsers) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF) ACCESS(READ)
/* Permit definitions for Core */
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LOGGER CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LOGGER) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.LINK.) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY) ACCESS(READ)
/* Permit definitions for Workflow */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
/* Permit the z/OSMF administrator access */
PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
PERMIT IRR.RADMIN.LISTGRP CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
PERMIT IRR.RADMIN.RLIST CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
PERMIT IRR.RADMIN.SETROPTS.LIST CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTUSER) ACCESS(READ)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTGRP) ACCESS(READ)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.RLIST) ACCESS(READ)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.SETROPTS.LIST) ACCESS(READ)
/* */
/* End zOSMF Administrator Role Setup */
/* */
/* */
/* Begin zOS Security Administrator Role Setup */
/* */
PERMIT IZUDFLT CLASS(APPL) ID(IZUSECAD) ACCESS(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUSECAD) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)
TSS PER(IZUSECAD) APPL(IZUDFLT) ACCESS(READ)
TSS PER(IZUSECAD) EJBROLE(IZUDFLT.*.izuUsers) ACCESS(READ)
TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF) ACCESS(READ)
/* Permit definitions for Workflow */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)
TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
/* */
/* End zOS Security Administrator Role Setup */
/* */
/* Connect the started task USERID to the CIM USER group */
CONNECT (IZUSVR) GROUP(CFZUSRGP)
TSS ADD(IZUSVR) GROUP(CFZUSRGP)
/*
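The conversion above is mechanical for the three command shapes that make up most of the job: RDEFINE becomes ownership of a resource prefix (TSS ADD(dept) CLASS(prefix)), PERMIT becomes TSS PER(acid) CLASS(resource) ACCESS(level), and ADDGROUP becomes a TSS CREATE/ADD pair. The following script is an added example written for this article; it is not CA, Broadcom or IBM code. It assumes the mapping shown in the answer (FACILITY is the only class whose TSS name differs, IBMFAC; a trailing RACF generic `.*` or `.**` becomes a TSS prefix ending in `.`; ownership is taken at the first qualifier, and RACF PERMIT without ACCESS defaults to READ), and the department ACIDs Owning_Dept and dept are placeholders exactly as in the answer. STARTED, ACCTNUM and TSOPROC profiles are flagged rather than converted, because the answer handles them through the STC table and TSOLACCT/TSOLPROC instead.

```python
"""Convert RDEFINE / PERMIT / ADDGROUP lines of the IZUSEC job into the
Top Secret (TSS) form used in the answer above.  Added example, not CA,
Broadcom or IBM code; the mapping rules are assumptions taken from the answer."""
from __future__ import annotations
import re

# RACF class name -> TSS resource class.  Only FACILITY differs (IBMFAC).
CLASS_MAP = {"FACILITY": "IBMFAC"}
# Classes the answer converts by other means (STC table, TSOLACCT/TSOLPROC).
MANUAL_CLASSES = {"STARTED", "ACCTNUM", "TSOPROC"}
OWNING_DEPT = "Owning_Dept"   # placeholder department ACID, as in the answer
GROUP_DEPT = "dept"           # placeholder department ACID for new groups

_RDEFINE = re.compile(r"^RDEFINE\s+(\w+)\s+(\S+)", re.I)
_PERMIT = re.compile(r"^PERMIT\s+(\S+)\s+(.*)$", re.I)
_ADDGROUP = re.compile(r"^ADDGROUP\s+(\w+)(?:\s+OMVS\(GID\((\d+)\)\))?", re.I)
_KEYWORD = re.compile(r"(\w+)\(([^()]*)\)")


def tss_resource(name: str) -> str:
    """A trailing RACF generic '.*' or '.**' becomes a TSS prefix ending in '.'."""
    return re.sub(r"\.\*{1,2}$", ".", name)


def tss_class(racf_class: str) -> str:
    return CLASS_MAP.get(racf_class.upper(), racf_class.upper())


def owning_prefix(resource: str) -> str:
    """Ownership at the first qualifier, as the answer does (BBG., IRR., CEA.)."""
    first, dot, _rest = resource.partition(".")
    return first + dot


class RacfToTss:
    def __init__(self) -> None:
        self.owned = set()   # (tss_class, prefix) pairs already added once

    def convert(self, cmd: str) -> list[str]:
        """Convert one complete RACF command; comment lines pass through."""
        cmd = cmd.strip()
        if not cmd:
            return []
        if cmd.startswith("/*"):
            return [cmd]
        if m := _RDEFINE.match(cmd):
            racf_class, resource = m.group(1).upper(), m.group(2)
            if racf_class in MANUAL_CLASSES:
                return [f"/* manual conversion required: {cmd} */"]
            key = (tss_class(racf_class), owning_prefix(resource))
            if key in self.owned:
                return []            # prefix already owned, nothing to add
            self.owned.add(key)
            return [f"TSS ADD({OWNING_DEPT}) {key[0]}({key[1]})"]
        if m := _PERMIT.match(cmd):
            resource = m.group(1)
            kw = {k.upper(): v for k, v in _KEYWORD.findall(m.group(2))}
            if "CLASS" not in kw or "ID" not in kw:
                return [f"/* manual conversion required: {cmd} */"]
            access = kw.get("ACCESS", "READ").upper()   # RACF default is READ
            return [f"TSS PER({kw['ID']}) {tss_class(kw['CLASS'])}"
                    f"({tss_resource(resource)}) ACCESS({access})"]
        if m := _ADDGROUP.match(cmd):
            group, gid = m.group(1), m.group(2)
            out = [f"TSS CREATE({group}) TYPE(GROUP) NAME('ZOSMF GROUP') DEPT({GROUP_DEPT})"]
            if gid:   # OMVS segment present: assign the GID and refresh the OMVS tables
                out += [f"TSS ADD({group}) GID({gid})", "TSS MODIFY(OMVSTABS)"]
            return out
        return [f"/* manual conversion required: {cmd} */"]

    def convert_script(self, text: str) -> list[str]:
        """Join RACF '+' / '-' continuation lines, then convert each command."""
        out, buf = [], ""
        for raw in text.splitlines():
            line = raw.strip()
            if line.endswith(("+", "-")):
                buf += line[:-1] + " "
                continue
            out += self.convert(buf + line)
            buf = ""
        if buf:
            out += self.convert(buf)
        return out


# Constructed sample: a few commands in the shape of the job above.
SAMPLE_JOB = """\
/* Define the SERVER profiles for the z/OSMF server */
RDEFINE SERVER BBG.ANGEL UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
PERMIT BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)
PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) +
  ID(IZUUSER) ACCESS(READ)
RDEFINE STARTED IZUSVR1.* UACC(NONE)
ADDGROUP IZUADMIN OMVS(GID(9003))
"""

if __name__ == "__main__":
    for tss_line in RacfToTss().convert_script(SAMPLE_JOB):
        print(tss_line)
```

Resource names the answer writes without a trailing dot (ZMFAPLA(IZUDFLT), EJBROLE(IZUDFLT)) come out as IZUDFLT. here; both are prefix matches in TSS, the dotted form being the narrower one. Anything the script cannot map with confidence is emitted as a comment so it cannot be submitted unreviewed.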