RACF z/OSMF 2.2 IZUSEC

Document ID : KB000016940
Last Modified Date : 15/10/2018
Introduction:

How to convert the RACF z/OSMF 2.2 IZUSEC job to CA Top Secret Commands.

Question:

How to convert the RACF z/OSMF 2.2 IZUSEC job to CA Top Secret Commands.

Answer:

//IZUCORE JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX            
//********************************************************************         
//* PROPRIETARY STATEMENT:                                           *         
//*    Licensed Materials - Property of IBM                          *         
//*    5650-ZOS Copyright IBM Corp. 2015                             *         
//*                                                                  *         
//*    STATUS=HSMA220                                                *         
//*                                                                  *         
//* DESCRIPTIVE NAME:                                                *         
//*    z/OSMF SERVER default security setup                          *         
//*                                                                  *         
//*    The JCL contains the security setup for z/OSMF server.        *         
//*    You can customize this JCL to create a security setup         *         
//*    for the z/OSMF Server as you wish.                            *         
//*                                                                  *         
//*                                                                  *         
//********************************************************************         
//* Make sure that you run this job from a user with full access     *         
//* to your RACF database.                                           *         
//********************************************************************         
//*                                                                            
//* JOB CORE sets up z/OSMF core security settings.
//* Replace with your job card                                                 
//STEP1  EXEC PGM=IKJEFT01,DYNAMNBR=99                                         
//SYSPRINT DD SYSOUT=*                                                         
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD * 

 /* Begin "Core" Setup                                             */
 /*                                                                */
 /* This commented section contains the CLASS activation commands  */
 /* Ensure the following classes are active before executing this  */
 /* script or creating profiles in these classes.                  */
 
 /* Create the z/OSMF Administrators group                         */
 ADDGROUP IZUADMIN OMVS(GID(9003))

TSS CREATE(IZUAGRP) TYPE(GROUP) NAME('IZUGRP GROUP') DEPT(dept)

TSS CREATE(IZUADMIN) TYPE(PROFILE) NAME('IZUADMIN PROFILE') DEPT(dept)

TSS ADD(IZUAGRP) GID(9003)

TSS ADD(IZUADMIN) GROUP(IZUAGRP)

 /* Create the z/OSMF Users group                                  */
 ADDGROUP IZUUSER OMVS(GID(9004))

TSS CREATE(IZUUSER) TYPE(PROFILE) NAME('IZUUSER') DEPT(dept)

TSS CREATE(IZUUGRP) TYPE(GROUP) NAME('IZUUSER GROUP') DEPT(dept)

TSS ADD(IZUUGRP) GID(9004)

TSS ADD(IZUUSER) GROUP(IZUUGRP)


 /* Create the z/OSMF Unauthenticated group                        */ 
 ADDGROUP IZUUNGRP OMVS(GID(9012))

TSS CREATE(IZUUNGRP) TYPE(PROFILE) NAME('IZUUNGRP PROFILE') DEPT(dept)

TSS CREATE(IZUUNGP) TYPE(GROUP) NAME('IZUUNGP GROUP') DEPT(dept)


TSS ADD(IZUUNGP) GID(9012)

 

 /* Create the started task USERID for the z/OSMF Server           */
 /* Please note, the HOME directory should be created with         */
 /* utility IZUMKFS.                                               */
 ADDUSER IZUSVR DFLTGRP(IZUADMIN)  NOPASSWORD NOOIDCARD +
  OMVS(UID(9010)HOME(/var/zosmf/data/home/izusvr) PROGRAM(/bin/sh)) +
  NAME('zOSMF Started Task USERID')
 
TSS CRE(IZUSVR) NAME('zOSMF Started Task USERID') TYPE(USER) DEPT(dept) PASS(NOPW,0) FAC(STC)

TSS ADD(IZUSVR) DFLTGRP(IZUAGRP) UID(9010) 
HOME(/var/zosmf/data/home/izusvr) OMVSPGM(/bin/sh) GROUP(IZUAGRP)

 /* Change concurrent open file number for started task USERID     */
 ALTUSER IZUSVR OMVS(FILEPROC(10000))

TSS ADD(IZUSVR) OEFILEP(10000)
 
 /* Create the z/OSMF unauthenticated USERID                       */
 ADDUSER IZUGUEST RESTRICTED DFLTGRP(IZUUNGRP) NOPASSWORD NOOIDCARD +
  OMVS(UID(9011)) NAME('zOSMF Unauthenticated USERID')

TSS CRE(IZUGUEST) NAME(IZUGUEST) TYPE(USER) DEPT(dept) PASS(NOPW,0)
TSS ADD(IZUGUEST) UID(9011) OMVSPGM('/bin/sh') HOME('/u/izuguest')
DFLTGRP(IZUUNGP) GROUP(IZUUNGP)
 
 /* Define the STARTED profiles for the z/OSMF server              */
 RDEFINE STARTED IZUSVR1.* UACC(NONE) STDATA(USER(IZUSVR) GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
 RDEFINE STARTED IZUANG1.* UACC(NONE) STDATA(USER(IZUSVR) GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))

TSS ADD(STC) PROCNAME(IZUSVR1) ACID(IZUSVR)
TSS ADD(STC) PROCNAME(IZUANG1) ACID(IZUSVR)
TSS ADD(IZUSVR) PROFILE(IZUADMIN)
TSS ADD(IZUSVR) GROUP(IZUAGRP)
 
 /* Define the APPL profile for the z/OSMF server                  */
 RDEFINE APPL IZUDFLT UACC(NONE)
Not needed in TSS. Already defined by default.
 
 /* Define the SERVER profiles for the z/OSMF server               */
 RDEFINE SERVER BBG.SECPFX.IZUDFLT UACC(NONE)
 RDEFINE SERVER BBG.ANGEL UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)

TSS ADD(Owning_Dept) SERVER(BBG.)
 
 /* Permit the z/OSMF unauthenticated USERID access                */
 PERMIT IZUDFLT CLASS(APPL)    ID(IZUGUEST) ACCESS(READ)
TSS PER(IZUGUEST) APPL(IZUDFLT)

 
 /* Permit the started task USERID access                          */
 PERMIT BBG.SECPFX.IZUDFLT CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) SERVER(BBG.SECPFX.IZUDFLT) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.ANGEL) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSWLM) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.TXRRS) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSDUMP) ACCESS(READ)
 
 /* Define the BPX.CONSOLE profile to supress the BPXM023I message */
 /* prefix for console messages                                    */
 RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
 
TSS ADD(Owning_Dept) IBMFAC(BPX.)

 /* Permit the started task USERID access                          */
 PERMIT  BPX.CONSOLE CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)

TSS PER(IZUSVR) IBMFAC(BPX.CONSOLE)
 
 /* Define the Sync-to-OS-thread FACILITY profile                  */
 RDEFINE FACILITY BBG.SYNC.IZUDFLT UACC(NONE)

TSS ADD(Owning_Dept) IBMFAC(BBG.)
 
 /* Permit the started task USERID access                          */
 PERMIT  BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)

TSS PER(IZUSVR) IBMFAC(BBG.SYNC.IZUDFLT) ACCESS(CONTROL)
 
 /* Define the FACILITY profile for working with digital           */
 /* certificates                                                   */
 RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
TSS ADD(owning_acid) IBMFAC(IRR.)

 
 /* Allow users of the z/OSMF Configuration Workflow to extract    */
 /* profile information                                            */
 RDEFINE FACILITY IRR.RADMIN.LISTUSER
 RDEFINE FACILITY IRR.RADMIN.LISTGRP
 RDEFINE FACILITY IRR.RADMIN.RLIST
 RDEFINE FACILITY IRR.RADMIN.SETROPTS.LIST
TSS ADD(owning_acid) IBMFAC(IRR.)   (already issued above, so not needed again)

 /* Permit the started task USERID access                          */
 PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)

TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LIST)
TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LISTRING)
 
 /* Create the CA certificate for the z/OSMF server                */
 RACDCERT CERTAUTH GENCERT +
  SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') OU('IZUDFLT')) +
  WITHLABEL('zOSMFCA') TRUST NOTAFTER(DATE(2023/05/17))
 RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
 
TSS GENCERT(CERTAUTH) DIGICERT(WEBSPRCA)
SUBJECTN('CN="z/OSMF CertAuth for Security Domain" OU="IZUDFLT"')
LABLCERT('zOSMFCA') NADATE(05/17/23)

TSS ADD(IZUSVR) KEYRING(IZUSVRKR) LABLRING('IZUKeyring.IZUDFLT')

TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(CERTAUTH,WEBSPRCA)

 /* Create the server certificate for the z/OSMF server            */
 /* Change HOST NAME in CN field into real local host name         */
 /* Usually the format of the host name is 'XXXX.XXX.XXX.XXX'      */
 RACDCERT ID( IZUSVR ) GENCERT SUBJECTSDN(CN('HOST NAME') O('IBM') OU('IZUDFLT')) WITHLABEL('DefaultzOSMFCert.IZUDFLT'),
             SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2023/05/17))

 RACDCERT ALTER(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR) TRUST

 RACDCERT ID( IZUSVR ) CONNECT (LABEL('DefaultzOSMFCert.IZUDFLT') RING(IZUKeyring.IZUDFLT) DEFAULT)

 RACDCERT ID( IZUSVR ) CONNECT (LABEL('zOSMFCA') RING(IZUKeyring.IZUDFLT) CERTAUTH)

TSS GENCERT(IZUSVR) DIGICERT(DFWAS70C)
SUBJECTN('CN="HOST NAME" OU="IZUDFLT" O="IBM"')
LABLCERT('DefaultzOSMFCert.IZUDFLT')
SIGNWITH(CERTAUTH,WEBSPRCA)
NADATE(05/17/23)

TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(IZUSVR,DFWAS70C) DEFAULT
 
 /* Define the CEA resource profile required for z/OSMF server     */
 RDEFINE SERVAUTH CEA.CEATSO.* UACC(NONE)

TSS ADD(Owning_dept) SERVAUTH(CEA.)
 
 /* Define the Account Number resource profile for REST File API   */
 RDEFINE ACCTNUM IZUACCT UACC(NONE)

TSS ADD(owning_acid) TSOACCT(IZUACCT)
 
 /* Define the TSO Procedure resource profile for REST File API    */
 RDEFINE TSOPROC IZUFPROC UACC(NONE)

TSS ADD(owning_acid) TSOPROC(IZUFPROC)
 
  /* Create the z/OS Security Administrators group                  */
 ADDGROUP IZUSECAD OMVS(GID(9006))

TSS CREATE(IZUCGRP) TYPE(GROUP) NAME('IZUGRP GROUP') DEPT(dept)

TSS CREATE(IZUSECAD) TYPE(PROFILE) NAME('IZUSECAD') DEPT(dept)

TSS ADD(IZUCGRP) GID(9006)

TSS ADD(IZUSECAD) GROUP(IZUCGRP)
 
 /* Define the ZMFAPLA profile for the z/OSMF server               */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF UACC(NONE)

TSS ADD(Owning_dept) ZMFAPLA(IZUDFLT)
 
 /* The EJBROLE definitions are case-sensitive in RACF.  Insure you*/
 /* preserve case for these commands                               */
 /* Assumption: EJBROLE is defined, activated, and raclisted.      */
 RDEFINE EJBROLE IZUDFLT.*.izuUsers UACC(NONE)

TSS ADD(Owning_dept) EJBROLE(IZUDFLT)
 
 /* Define the z/OSMF Server profile                               */
 RDEFINE SERVER BBG.SECCLASS.ZMFAPLA UACC(NONE)

TSS ADD(Owning_dept) SERVER(BBG)
 
 /* Permit the started task USERID access                          */
 PERMIT BBG.SECCLASS.ZMFAPLA CLASS(SERVER) ID(IZUSVR) ACCESS(READ)

TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFAPLA) ACCESS(READ)
 
 /* Roles processing will permit the z/OSMF Server groups to the   */
 /* Application Server resources                                   */
 /* Assumption: APPL class has been defined, activated, raclisted. */
 
 /* Permit the Administrators group to this profile                */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
 
 /* Permit the Users group to this profile                         */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(READ)

TSS PER(IZUUSER) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
 
 /* Permit the started task USERID to this profile                 */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)

TSS PER(IZUSVR) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
 
 /* Permit the Administrators group to these profiles              */
 PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUADMIN) ACCESS(READ)

TSS ADD(IZUADMIN) TSOLACCT(acct#)
TSS ADD(IZUADMIN) TSOLPROC(IZUFPROC)
 
 /* Permit the Users group to these profiles                       */
 PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUUSER) ACCESS(READ)
 
TSS ADD(IZUUSER) TSOLACCT(acct#)
TSS ADD(IZUUSER) TSOLPROC(IZUFPROC)

 /*If your installation utilizes hardware crypto in combination    */
 /*with ICSF, various services like  CSFRNGL, CSFDSV, CSFOWH,      */
 /*CSFIQF ,etc.may be protected by profiles established in your    */
 /*security product.In certain cases, z/OSMF will utilize these    */
 /*services, and the z/OSMF started task USERID will need to be    */
 /*permitted to these profiles.If concrete profiles in the CSFSERV */
 /*class has been defined to protect these resources, then, the    */
 /*following commented commands would permit the started task      */
 /*userid to that profile which is used by associated ICSF service.*/
 PERMIT CSFIQF  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS ADD(owning_acid) CSFSERV(CSF)

TSS PER(IZUSVR) CSFSERV(CSFIQF) ACCESS(READ)

 /*encipher callable service                                       */
 PERMIT CSFENC  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFENC) ACCESS(READ)

 /*cryptographic variable encipher callable                        */
 PERMIT CSFCVE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFCVE) ACCESS(READ)

 /*decipher callable service                                       */
 PERMIT CSFDEC  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFDEC) ACCESS(READ)

 /*symmetric algorithm encipher callable service                   */
 PERMIT CSFSAE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFSAE) ACCESS(READ)

 /*symmetric algorithm decipher callable service                   */
 PERMIT CSFSAD  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFSAD) ACCESS(READ)

 /*one-way hash generate callable service                          */
 PERMIT CSFOWH  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFOWH) ACCESS(READ)

 /*random number generate callable service                         */
 PERMIT CSFRNG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFRNG) ACCESS(READ)

 /*random number generate long callable service                    */
 PERMIT CSFRNGL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFRNGL) ACCESS(READ)

 /*PKA key generate callable service                               */
 PERMIT CSFPKG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFPKG) ACCESS(READ)

 /*digital signature generate service                              */
 PERMIT CSFDSG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFDSG) ACCESS(READ)

 /*digital signature verify callable service                       */
 PERMIT CSFDSV  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFDSV) ACCESS(READ)

 /*PKA key token change callable service                           */
 PERMIT CSFPKT  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKT) ACCESS(READ)

 /*retained key list callable service                              */
 PERMIT CSFRKL  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFRKL) ACCESS(READ)

 /*PKA Public Key Extract callable service                         */
 PERMIT CSFPKX  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKX) ACCESS(READ)

 /*PKA encrypt callable service                                    */
 PERMIT CSFPKE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKE) ACCESS(READ)

 /*PKA decrypt callable service                                    */
 PERMIT CSFPKD  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKD) ACCESS(READ)

 /*PKA key import callable service                                 */
 PERMIT CSFPKI  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKI) ACCESS(READ)

 /*multiple clear key import callable service                      */
 PERMIT CSFCKM  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFCKM) ACCESS(READ)

 /*key generate callable service                                   */
 PERMIT CSFKGN  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFKGN) ACCESS(READ)

 /*ECC Diffie-Hellman callable service                             */
 PERMIT CSFEDH  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFEDH) ACCESS(READ)

 

 /*key token build callable service                                */
 PERMIT CSFKTB  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFKTB) ACCESS(READ)

 

 
 /*   Profile Definitions for Core                                 */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LOGGER UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.** UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY UACC(NONE)
 
TSS ADD(Owning_Dept) ZMFAPLA(IZUDFLT)

 /*   Profile Definitions for "Workflow"                           */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS UACC(NONE)

TSS ADD(Owning_Dept) ZMFAPLA(IZUDFLT)   (already issued above, so not needed again)

 
 /*  End Core Setup                                                */
 /*                                                                */
 /*   Begin zOSMF User Role Setup                                  */
 /*                                                                */
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)

TSS PER(IZUUSER) APPL(IZUDFLT)
TSS PER(IZUUSER) EJBROLE(IZUDFLT.*.izuUsers)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF) ACCESS(READ)
 
 /*   Permit definitions for Core                                  */
 PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)

TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.LINK.) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) ACCESS(READ)
 
 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)

TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
 
 /*                                                                */
 /*  End zOSMF User Role Setup                                     */
 /*                                                                */
 
 /*                                                                */
 /*   Begin zOSMF Administrator Role Setup                         */
 /*                                                                */
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) APPL(IZUDFLT)
TSS PER(IZUADMIN) EJBROLE(IZUDFLT.*.izuUsers)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF) ACCESS(READ)
 
 /*   Permit definitions for Core                                  */
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER   CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LOGGER   CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LOGGER) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.LINK.) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY) ACCESS(READ)
 
 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
 
 /* Permit the z/OSMF administrator access                         */
 PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
 PERMIT IRR.RADMIN.LISTGRP CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
 PERMIT IRR.RADMIN.RLIST CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
 PERMIT IRR.RADMIN.SETROPTS.LIST CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTUSER)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTGRP)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.RLIST)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.SETROPTS.LIST)

 /*                                                                */
 /*  End zOSMF Administrator Role Setup                            */
 /*                                                                */
 /*                                                                */
 /*   Begin zOS Security Administrator Role Setup                  */
 /*                                                                */
 
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUSECAD) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUSECAD) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)

TSS PER(IZUSECAD) APPL(IZUDFLT) ACCESS(READ)
TSS PER(IZUSECAD) EJBROLE(IZUDFLT.*.izuUsers) ACCESS(READ)
TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF) ACCESS(READ)

 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)

TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
 
 /*                                                                */
 /*  End zOS Security Administrator Role Setup                     */
 /*                                                                */
 
 /* Connect the started task USERID to the CIM USER group          */
 CONNECT (IZUSVR) GROUP(CFZUSRGP)

TSS ADD(IZUSVR) GROUP(CFZUSRGP)

/*

 


You need to create a FACILITY for the IZUSVR server.

Steps to define a ZOSMF FACILITY in CA Top Secret

An example of defining a new FACILITY for the z/OSMF server address space:
TSS MODIFY FACILITY(USERn=NAME=ZOSMF) where n is an unused number in your system.
TSS MODIFY FACILITY(ZOSMF=MODE=FAIL)
TSS MODIFY FACILITY(ZOSMF=...)

where '...' stands for any other FACILITY control options with which you want to override the default settings.

The TSS MODIFY command is only valid until the next recycle of TSS. To make the changes permanent, add the statements to the TSS parameter file:
FACILITY(USERn=NAME=ZOSMF)      
FACILITY(ZOSMF=MODE=FAIL)
FACILITY(ZOSMF=...)

After you define the FACILITY in the CA Top Secret parmfile, issue a:

TSS ADD(IZUSVR) MASTFAC(ZOSMF)

to associate the FACILITY with the region.

All users of the FACILITY will need to be authorized to that FACILITY in order to sign on. Example:

TSS ADD(acid) FAC(ZOSMF)

where 'acid' is the user acid, an attached profile, or the ALL record, if all users need access.

The started task will need to be recycled after adding the MASTFAC in order for the changes to be picked up.
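As an added cross-check (not part of this KB article or of IBM's IZUSEC job), the Python below parses RACF PERMIT commands and their TSS PER conversions, as in the job above, normalises both with the class mapping the conversion uses (FACILITY to IBMFAC, a trailing .* or .** to a Top Secret prefix, ACC as an abbreviation of ACCESS, READ as the default), and lists every permit that does not line up. The four sample command pairs inside are constructed from lines of the job.

```python
"""Cross-check a hand-written RACF-to-CA Top Secret PERMIT conversion.

Added example, not part of the original KB article or of IBM's IZUSEC job.
RACF PERMIT commands and CA Top Secret TSS PER commands are parsed into one
normalised shape so that RACF permits with no matching TSS PER (and TSS PERs
that correspond to no RACF permit) can be listed. The class-name mapping and
the trailing-generic-to-prefix rule follow the conversions shown on the page;
the sample commands at the bottom are constructed from lines of that job.
"""
import re

# RACF class -> CA Top Secret resource class, as used in the page's TSS PER commands.
CLASS_MAP = {
    "FACILITY": "IBMFAC",
    "SERVER": "SERVER",
    "SERVAUTH": "SERVAUTH",
    "CSFSERV": "CSFSERV",
    "APPL": "APPL",
    "EJBROLE": "EJBROLE",
    "ZMFAPLA": "ZMFAPLA",
}
TSS_CLASSES = set(CLASS_MAP.values())

# KEYWORD(value) pairs; values may hold dots, asterisks and mixed case.
_KEYWORDS = re.compile(r"([A-Z]+)\(([^)]*)\)", re.IGNORECASE)


def racf_resource_to_tss(resource):
    """A RACF trailing generic (X.* or X.**) becomes the Top Secret prefix X.
    An embedded asterisk (IZUDFLT.*.izuUsers) is kept as-is, as the page does."""
    return re.sub(r"\.\*+$", ".", resource)


def parse_racf_permit(line):
    """Return (acid, tss_class, resource, access) for a RACF PERMIT, else None.
    RACF PERMIT defaults to ACCESS(READ) when ACCESS is omitted."""
    m = re.match(r"^\s*PERMIT\s+(\S+)\s+(.*)$", line, re.IGNORECASE)
    if not m:
        return None
    kw = {k.upper(): v.strip() for k, v in _KEYWORDS.findall(m.group(2))}
    racf_class = kw.get("CLASS", "").upper()
    if racf_class not in CLASS_MAP:
        raise ValueError(f"no Top Secret mapping for RACF class {racf_class!r}")
    return (kw["ID"].upper(), CLASS_MAP[racf_class],
            racf_resource_to_tss(m.group(1)), kw.get("ACCESS", "READ").upper())


def parse_tss_permit(line):
    """Return the same tuple for 'TSS PER(acid) CLASS(resource) [ACCESS(x)]'.
    TSS accepts ACC as an abbreviation of ACCESS and defaults to READ."""
    m = re.match(r"^\s*TSS\s+PER(?:MIT)?\((\w+)\)\s+(.*)$", line, re.IGNORECASE)
    if not m:
        return None
    acid, tss_class, resource, access = m.group(1).upper(), None, None, "READ"
    for key, value in _KEYWORDS.findall(m.group(2)):
        key = key.upper()
        if key in ("ACCESS", "ACC"):
            access = value.strip().upper()
        elif key in TSS_CLASSES:
            tss_class, resource = key, value.strip()
    if tss_class is None:
        raise ValueError(f"unrecognised resource class in: {line.strip()}")
    return (acid, tss_class, resource, access)


def tss_permit_text(parsed):
    """Render a normalised tuple as a TSS PER command in the page's style."""
    acid, tss_class, resource, access = parsed
    return f"TSS PER({acid}) {tss_class}({resource}) ACCESS({access})"


def cross_check(racf_text, tss_text):
    """Compare the RACF permits against the TSS permits.
    Returns {'missing': [TSS PER lines the RACF side needs but TSS lacks],
             'unexpected': [TSS PER lines with no RACF counterpart]}."""
    expected = {p for p in map(parse_racf_permit, racf_text.splitlines()) if p}
    actual = {p for p in map(parse_tss_permit, tss_text.splitlines()) if p}
    return {
        "missing": sorted(tss_permit_text(p) for p in expected - actual),
        "unexpected": sorted(tss_permit_text(p) for p in actual - expected),
    }


# Constructed sample: four RACF permits from the job and their hand conversions.
# The CSFSERV pair reproduces a CSFENC/CSFENF mismatch, the kind of slip this check catches.
RACF_SAMPLE = """\
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
 PERMIT CSFENC  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
 PERMIT  BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
"""
TSS_SAMPLE = """\
TSS PER(IZUSVR) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
TSS PER(IZUSVR) CSFSERV(CSFENF) ACCESS(READ)
TSS PER(IZUSVR) IBMFAC(BBG.SYNC.IZUDFLT) ACCESS(CONTROL)
TSS PER(IZUUSER) EJBROLE(IZUDFLT.*.izuUsers)
"""

if __name__ == "__main__":
    for kind, lines in cross_check(RACF_SAMPLE, TSS_SAMPLE).items():
        for text in lines:
            print(f"{kind}: {text}")
```

Run it against the full SYSTSIN input of a converted job (RACF lines in one file, TSS lines in another) before submitting the TSS commands; TSS ADD ownership commands and TSOLACCT/TSOLPROC attributes are outside its scope and still need a manual review.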
//IZUCORE JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX            
//********************************************************************         
//* PROPRIETARY STATEMENT:                                           *         
//*    Licensed Materials - Property of IBM                          *         
//*    5650-ZOS Copyright IBM Corp. 2015                             *         
//*                                                                  *         
//*    STATUS=HSMA220                                                *         
//*                                                                  *         
//* DESCRIPTIVE NAME:                                                *         
//*    z/OSMF SERVER default security setup                          *         
//*                                                                  *         
//*    The JCL contains the security setup for z/OSMF server.        *         
//*    You can customize this JCL to create a security setup         *         
//*    for the z/OSMF Server as you wish.                            *         
//*                                                                  *         
//*                                                                  *         
//********************************************************************         
//* Make sure that you run this job from a user with full access     *         
//* to your RACF database.                                           *         
//********************************************************************         
//*                                                                            
//* JOB CORE ses up z/OSMF core security settings.                             
//* Replace with your job card                                                 
//STEP1  EXEC PGM=IKJEFT01,DYNAMNBR=99                                         
//SYSPRINT DD SYSOUT=*                                                         
6
  //SYSTSPRT DD SYSOUT=*                                                         
//SYSTSIN  DD * 

 /* Begin "Core" Setup                                             */
 /*                                                                */
 /* This commented section contains the CLASS activation commands  */
 /* Insure the following classes are active before executing this  */
 /* script Or creating profiles in these classes.                  */
 
 /* Create the z/OSMF Administrators group                         */
 ADDGROUP IZUADMIN OMVS(GID(9003))

TSS CREATE(IZUAGRP) TYPE(GROUP) NAME(‘IZUGRP GROUP’) DEPT(dept)

TSS CREATE(IZUADMIN) TYPE(PROFILE) NAME(‘IZUADMIN PROFILE’) DEPT(dept)

TSS ADD(IZUAGRP) GID(9003)

TSS ADD(IZUADMIN) GROUP(IZUAGRP)

 /* Create the z/OSMF Users group                                  */
 ADDGROUP IZUUSER OMVS(GID(9004))

TSS CREATE(IZUUSER) TYPE(PROFILE) NAME(‘IZUUSER’) DEPT(dept)

TSS CREATE(IZUUGRP) TYPE(GROUP) NAME(‘IZUUSER GROUP’) DEPT(dept)

TSS ADD(IZUUGRP) GID(9004)

TSS ADD(IZUUSER) GROUP(IZUUGRP)


 /* Create the z/OSMF Unauthenticated group                        */ 
 ADDGROUP IZUUNGRP OMVS(GID(9012))

TSS CREATE(IZUUNGRP) TYPE(PROFILE) NAME(‘IZUUNGRP PROFILE’) DEPT(dept)

TSS CREATE(IZUUNGP) TYPE(GROUP) NAME(‘IZUUNGP GROUP’) DEPT(dept)


TSS ADD(IZUUNGP) GID(9012)

 

 /* Create the started task USERID for the z/OSMF Server           */
 /* Please note, the HOME directory should be created with         */
 /* utility IZUMKFS.                                               */
 ADDUSER IZUSVR DFLTGRP(IZUADMIN)  NOPASSWORD NOOIDCARD +
  OMVS(UID(9010)HOME(/var/zosmf/data/home/izusvr) PROGRAM(/bin/sh)) +
  NAME('zOSMF Started Task USERID')
 
TSS CRE(IZUSVR) NAME('zOSMF Started Task USERID') TYPE(USER) DEPT(dept) PASS(NOPW,0) FAC(STC)

TSS ADD(IZUSVR) DFLTGRP(IZUAGRP) UID(9010) 
HOME(/var/zosmf/data/home/izusvr) OMVSPGM(/bin/sh) GROUP(IZUAGRP)

 /* Change concurrent open file number for started task USERID     */
 ALTUSER IZUSVR OMVS(FILEPROC(10000))

TSS ADD(IZUSVR) OEFILEP(10000)
 
 /* Create the z/OSMF unauthenticated USERID                       */
 ADDUSER IZUGUEST RESTRICTED DFLTGRP(IZUUNGRP) NOPASSWORD NOOIDCARD +
  OMVS(UID(9011)) NAME('zOSMF Unauthenticated USERID')

TSS CRE(IZUGUEST) NAME(IZUGUEST) TYPE(USER) DEPT(dept) PASS(NOPW,0)
TSS ADD(IZUGUEST) UID(9011) OMVSPGM('/bin/sh') HOME('/u/izuguest')
DFLTGRP(IZUUNGP) GROUP(IZUUNGP)
 
 /* Define the STARTED profiles for the z/OSMF server              */
 RDEFINE STARTED IZUSVR1.* UACC(NONE) STDATA(USER(IZUSVR) GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
 RDEFINE STARTED IZUANG1.* UACC(NONE) STDATA(USER(IZUSVR) GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))

TSS ADD(STC) PROCNAME(IZUSVR1) ACID(IZUSVR)
TSS ADD(STC) PROCNAME(IZUANG1) ACID(IZUSVR)
TSS ADD(IZUSVR) PROFILE(IZUADMIN)
TSS ADD(IZUSVR) GROUP(IZUAGRP)
 
 /* Define the APPL profile for the z/OSMF server                  */
 RDEFINE APPL IZUDFLT UACC(NONE)
Not needed in TSS. Already defined by default.
 
 /* Define the SERVER profiles for the z/OSMF server               */
 RDEFINE SERVER BBG.SECPFX.IZUDFLT UACC(NONE)
 RDEFINE SERVER BBG.ANGEL UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
 RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)

TSS ADD(Owning_Dept) SERVER(BBG.)
 
 /* Permit the z/OSMF unauthenticated USERID access                */
 PERMIT IZUDFLT CLASS(APPL)    ID(IZUGUEST) ACCESS(READ)
TSS PER(IZUGUEST) APPL(IZUDFLT)

 
 /* Permit the started task USERID access                          */
 PERMIT BBG.SECPFX.IZUDFLT CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
 PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) SERVER(BBG.SECPFX.IZUDFLT) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.ANGEL) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSWLM) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.TXRRS) ACCESS(READ)
TSS PER(IZUSVR) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSDUMP) ACCESS(READ)
 
 /* Define the BPX.CONSOLE profile to supress the BPXM023I message */
 /* prefix for console messages                                    */
 RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
 
TSS ADD(Owning_Dept) IBMFAC(BPX.)

 /* Permit the started task USERID access                          */
 PERMIT  BPX.CONSOLE CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)

TSS PER(IZUSVR) IBMFAC(BPX.CONSOLE)
 
 /* Define the Sync-to-OS-thread FACILITY profile                  */
 RDEFINE FACILITY BBG.SYNC.IZUDFLT UACC(NONE)

TSS ADD(Owning_Dept) IBMFAC(BBG.)
 
 /* Permit the started task USERID access                          */
 PERMIT  BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)

TSS PER(IZUSVR) IBMFAC(BBG.SYNC.IZUDFLT) ACCESS(CONTROL)
 
 /* Define the FACILITY profile for working with digital           */
 /* certificates                                                   */
 RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
TSS ADD(owning_acid) IBMFAC(IRR.)

 
 /* Allow users of the z/OSMF Configuration Workflow to extract    */
 /* profile information                                            */
 RDEFINE FACILITY IRR.RADMIN.LISTUSER
 RDEFINE FACILITY IRR.RADMIN.LISTGRP
 RDEFINE FACILITY IRR.RADMIN.RLIST
 RDEFINE FACILITY IRR.RADMIN.SETROPTS.LIST
TSS ADD(owning_acid) IBMFAC(IRR.) <- already done above, so not needed again.

 /* Permit the started task USERID access                          */
 PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)

TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LIST)
TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LISTRING)
 
 /* Create the CA certificate for the z/OSMF server                */
 RACDCERT CERTAUTH GENCERT +
  SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') OU('IZUDFLT')) +
  WITHLABEL('zOSMFCA') TRUST NOTAFTER(DATE(2023/05/17))
 RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
 
TSS GENCERT(CERTAUTH) DIGICERT(WEBSPRCA)
SUBJECTN('CN="z/OSMF CertAuth for Security Domain" OU="IZUDFLT"')
LABLCERT('zOSMFCA') NADATE(05/17/23)

TSS ADD(IZUSVR) KEYRING(IZUSVRKR) LABLRING('IZUKeyring.IZUDFLT')

TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(CERTAUTH,WEBSPRCA)

 /* Create the server certificate for the z/OSMF server            */
 /* Change HOST NAME in CN field into real local host name         */
 /* Usually the format of the host name is 'XXXX.XXX.XXX.XXX'      */
 RACDCERT ID( IZUSVR ) GENCERT SUBJECTSDN(CN('HOST NAME') O('IBM') OU('IZUDFLT')) WITHLABEL('DefaultzOSMFCert.IZUDFLT'),
             SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2023/05/17))

 RACDCERT ALTER(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR) TRUST

 RACDCERT ID( IZUSVR ) CONNECT (LABEL('DefaultzOSMFCert.IZUDFLT') RING(IZUKeyring.IZUDFLT) DEFAULT)

 RACDCERT ID( IZUSVR ) CONNECT (LABEL('zOSMFCA') RING(IZUKeyring.IZUDFLT) CERTAUTH)

TSS GENCERT(IZUSVR) DIGICERT(DFWAS70C)
SUBJECTN('CN="HOST NAME" OU="IZUDFLT" O="IBM"')
LABLCERT('DefaultzOSMFCert.IZUDFLT')
SIGNWITH(CERTAUTH,zOSMFCA)
NADATE(05/17/23)

TSS ADD(IZUSVR) KEYRING(IZUSVRKR) RINGDATA(IZUSVR,DFWAS70C) DEFAULT
 
 /* Define the CEA resource profile required for z/OSMF server     */
 RDEFINE SERVAUTH CEA.CEATSO.* UACC(NONE)

TSS ADD(Owning_dept) SERVAUTH(CEA.)
 
 /* Define the Account Number resource profile for REST File API   */
 RDEFINE ACCTNUM IZUACCT UACC(NONE)

TSS ADD(owning_acid) TSOACCT(IZUACCT)
 
 /* Define the TSO Procedure resource profile for REST File API    */
 RDEFINE TSOPROC IZUFPROC UACC(NONE)

TSS ADD(owning_acid) TSOPROC(IZUFPROC)
 
  /* Create the z/OS Security Administrators group                  */
 ADDGROUP IZUSECAD OMVS(GID(9006))

TSS CREATE(IZUCGRP) TYPE(GROUP) NAME('IZUGRP GROUP') DEPT(dept)

TSS CREATE(IZUSECAD) TYPE(PROFILE) NAME('IZUSECAD') DEPT(dept)

TSS ADD(IZUCGRP) GID(9006)

TSS ADD(IZUSECAD) GROUP(IZUCGRP)
 
 /* Define the ZMFAPLA profile for the z/OSMF server               */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF UACC(NONE)

TSS ADD(Owning_dept) ZMFAPLA(IZUDFLT)
 
 /* The EJBROLE definitions are case-sensitive in RACF.  Ensure you*/
 /* preserve case for these commands                               */
 /* Assumption: EJBROLE is defined, activated, and raclisted.      */
 RDEFINE EJBROLE IZUDFLT.*.izuUsers UACC(NONE)

TSS ADD(Owning_dept) EJBROLE(IZUDFLT)
 
 /* Define the z/OSMF Server profile                               */
 RDEFINE SERVER BBG.SECCLASS.ZMFAPLA UACC(NONE)

TSS ADD(Owning_dept) SERVER(BBG.) <- already done above, so not needed again.
 
 /* Permit the started task USERID access                          */
 PERMIT BBG.SECCLASS.ZMFAPLA CLASS(SERVER) ID(IZUSVR) ACCESS(READ)

TSS PER(IZUSVR) SERVER(BBG.SECCLASS.ZMFAPLA) ACCESS(READ)
 
 /* Roles processing will permit the z/OSMF Server groups to the   */
 /* Application Server resources                                   */
 /* Assumption: APPL class has been defined, activated, raclisted. */
 
 /* Permit the Administrators group to this profile                */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
 
 /* Permit the Users group to this profile                         */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(READ)

TSS PER(IZUUSER) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
 
 /* Permit the started task USERID to this profile                 */
 PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)

TSS PER(IZUSVR) SERVAUTH(CEA.CEATSO.) ACCESS(READ)
 
 /* Permit the Administrators group to these profiles              */
 PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUADMIN) ACCESS(READ)

TSS ADD(IZUADMIN) TSOLACCT(acct#)
TSS ADD(IZUADMIN) TSOLPROC(IZUFPROC)
 
 /* Permit the Users group to these profiles                       */
 PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUUSER) ACCESS(READ)
 
TSS ADD(IZUUSER) TSOLACCT(acct#)
TSS ADD(IZUUSER) TSOLPROC(IZUFPROC)

 /* If your installation utilizes hardware crypto in combination   */
 /* with ICSF, various services like CSFRNGL, CSFDSV, CSFOWH,      */
 /* CSFIQF, etc. may be protected by profiles established in your  */
 /* security product. In certain cases, z/OSMF will utilize these  */
 /* services, and the z/OSMF started task USERID will need to be   */
 /* permitted to these profiles. If concrete profiles in the       */
 /* CSFSERV class have been defined to protect these resources,    */
 /* then the following commented commands would permit the         */
 /* started task USERID to the profile used by the associated      */
 /* ICSF service.                                                  */
 PERMIT CSFIQF  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS ADD(owning_acid) CSFSERV(CSF)

TSS PER(IZUSVR) CSFSERV(CSFIQF) ACCESS(READ)

 /*encipher callable service                                       */
 PERMIT CSFENC  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFENC) ACCESS(READ)

 /*cryptographic variable encipher callable                        */
 PERMIT CSFCVE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFCVE) ACCESS(READ)

 /*decipher callable service                                       */
 PERMIT CSFDEC  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFDEC) ACCESS(READ)

 /*symmetric algorithm encipher callable service                   */
 PERMIT CSFSAE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFSAE) ACCESS(READ)

 /*symmetric algorithm decipher callable service                   */
 PERMIT CSFSAD  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFSAD) ACCESS(READ)

 /*one-way hash generate callable service                          */
 PERMIT CSFOWH  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFOWH) ACCESS(READ)

 /*random number generate callable service                         */
 PERMIT CSFRNG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFRNG) ACCESS(READ)

 /*random number generate long callable service                    */
 PERMIT CSFRNGL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFRNGL) ACCESS(READ)

 /*PKA key generate callable service                               */
 PERMIT CSFPKG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFPKG) ACCESS(READ)

 /*digital signature generate service                              */
 PERMIT CSFDSG  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFDSG) ACCESS(READ)

 /*digital signature verify callable service                       */
 PERMIT CSFDSV  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFDSV) ACCESS(READ)

 /*PKA key token change callable service                           */
 PERMIT CSFPKT  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKT) ACCESS(READ)

 /*retained key list callable service                              */
 PERMIT CSFRKL  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFRKL) ACCESS(READ)

 /*PKA Public Key Extract callable service                         */
 PERMIT CSFPKX  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKX) ACCESS(READ)

 /*PKA encrypt callable service                                    */
 PERMIT CSFPKE  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKE) ACCESS(READ)

 /*PKA decrypt callable service                                    */
 PERMIT CSFPKD  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKD) ACCESS(READ)

 /*PKA key import callable service                                 */
 PERMIT CSFPKI  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFPKI) ACCESS(READ)

 /*multiple clear key import callable service                      */
 PERMIT CSFCKM  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFCKM) ACCESS(READ)

 /*key generate callable service                                   */
 PERMIT CSFKGN  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFKGN) ACCESS(READ)

 /*ECC Diffie-Hellman callable service                             */
 PERMIT CSFEDH  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)

TSS PER(IZUSVR) CSFSERV(CSFEDH) ACCESS(READ)

 /*key token build callable service                                */
 PERMIT CSFKTB  CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR)
TSS PER(IZUSVR) CSFSERV(CSFKTB) ACCESS(READ)

 /*   Profile Definitions for Core                                 */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LOGGER UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.** UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY UACC(NONE)
 
TSS ADD(Owning_Dept) ZMFAPLA(IZUDFLT)

 /*   Profile Definitions for "Workflow"                           */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS UACC(NONE)

TSS ADD(Owning_Dept) ZMFAPLA(IZUDFLT) <- already done above, so not needed again.

 
 /*  End Core Setup                                                */
 /*                                                                */
 /*   Begin zOSMF User Role Setup                                  */
 /*                                                                */
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)

TSS PER(IZUUSER) APPL(IZUDFLT)
TSS PER(IZUUSER) EJBROLE(IZUDFLT.*.izuUsers)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF) ACCESS(READ)
 
 /*   Permit definitions for Core                                  */
 PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)

TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.LINK.) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) ACCESS(READ)
 
 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)

TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
 
 /*                                                                */
 /*  End zOSMF User Role Setup                                     */
 /*                                                                */
 
 /*                                                                */
 /*   Begin zOSMF Administrator Role Setup                         */
 /*                                                                */
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) APPL(IZUDFLT)
TSS PER(IZUADMIN) EJBROLE(IZUDFLT.*.izuUsers)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF) ACCESS(READ)
 
 /*   Permit definitions for Core                                  */
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER   CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LOGGER   CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT  CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.LOGGER) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.LINK.) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.SYSTEMS) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY) ACCESS(READ)
 
 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
 
 /* Permit the z/OSMF administrator access                         */
 PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
 PERMIT IRR.RADMIN.LISTGRP CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
 PERMIT IRR.RADMIN.RLIST CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)
 PERMIT IRR.RADMIN.SETROPTS.LIST CLASS(FACILITY) ID(IZUADMIN) ACCESS(READ)

TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTUSER)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.LISTGRP)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.RLIST)
TSS PER(IZUADMIN) IBMFAC(IRR.RADMIN.SETROPTS.LIST)

 /*                                                                */
 /*  End zOSMF Administrator Role Setup                            */
 /*                                                                */
 /*                                                                */
 /*   Begin zOS Security Administrator Role Setup                  */
 /*                                                                */
 
 PERMIT IZUDFLT             CLASS(APPL)    ID(IZUSECAD) ACCESS(READ)
 PERMIT IZUDFLT.*.izuUsers  CLASS(EJBROLE) ID(IZUSECAD) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF       CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)

TSS PER(IZUSECAD) APPL(IZUDFLT) ACCESS(READ)
TSS PER(IZUSECAD) EJBROLE(IZUDFLT.*.izuUsers) ACCESS(READ)
TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF) ACCESS(READ)

 /*   Permit definitions for Workflow                              */
 PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)

TSS PER(IZUSECAD) ZMFAPLA(IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) ACCESS(READ)
 
 /*                                                                */
 /*  End zOS Security Administrator Role Setup                     */
 /*                                                                */
 
 /* Connect the started task USERID to the CIM USER group          */
 CONNECT (IZUSVR) GROUP(CFZUSRGP)

TSS ADD(IZUSVR) GROUP(CFZUSRGP)
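The RACF-to-TSS mapping applied throughout the listing above, as an added example (not IBM's job or CA's code): a Python translator for the RDEFINE/PERMIT subset that applies the class renames (FACILITY to IBMFAC), the generic-to-prefix rule (CEA.CEATSO.* to CEA.CEATSO.) and one ownership ADD per high-level qualifier, which is why repeated RDEFINEs collapse into a single TSS ADD. OWNING_ACID is a placeholder, ACCESS is always emitted explicitly, and classes the article converts differently (STARTED, ACCTNUM, TSOPROC, RACDCERT) are reported for manual conversion rather than guessed.

```python
"""Translate the RACF RDEFINE/PERMIT subset used by IZUSEC into the CA Top
Secret ADD/PER forms used in this article (added example, not IBM's or CA's)."""
import re

# RACF class -> TSS class, as mapped above. Classes the article converts
# differently (STARTED, ACCTNUM, TSOPROC, ...) are left out on purpose and
# are reported as unhandled rather than guessed.
CLASS_MAP = {"FACILITY": "IBMFAC", "SERVER": "SERVER", "SERVAUTH": "SERVAUTH",
             "ZMFAPLA": "ZMFAPLA", "EJBROLE": "EJBROLE", "APPL": "APPL",
             "CSFSERV": "CSFSERV"}
KEYWORD_RE = re.compile(r"(\w+)\(\s*([^()]*?)\s*\)")


def racf_keywords(text):
    """CLASS(SERVER) ID(IZUSVR) ACCESS(READ) -> {'CLASS': 'SERVER', ...}"""
    return {k.upper(): v for k, v in KEYWORD_RE.findall(text)}


def tss_resource(name):
    """Trailing RACF generics (CEA.CEATSO.*, IZUDFLT.ZOSMF.LINK.**) become a
    TSS prefix ending in '.'; an interior '*' (IZUDFLT.*.izuUsers) is kept."""
    return re.sub(r"\.\*+$", ".", name)


def owner_prefix(name):
    """Ownership is taken once per high-level qualifier (BBG., IRR., CEA.);
    an unqualified resource such as CSFIQF is owned by its full name."""
    return name.split(".")[0] + "." if "." in name else name


def convert(racf_lines, owner="OWNING_ACID"):
    """Return (tss_commands, unhandled_lines); owner is a placeholder ACID."""
    tss, unhandled, owned = [], [], set()
    for raw in racf_lines:
        line = raw.strip().rstrip("+").strip()        # drop RACF continuation
        if not line or line.startswith("/*"):
            continue                                   # blank or comment
        verb, _, rest = line.partition(" ")
        verb, parts, kw = verb.upper(), rest.split(), racf_keywords(rest)
        if verb == "RDEFINE" and len(parts) >= 2:
            racf_class, resource = parts[0].upper(), parts[1]
        elif verb == "PERMIT" and parts and "CLASS" in kw and "ID" in kw:
            racf_class, resource = kw["CLASS"].upper(), parts[0]
        else:
            racf_class, resource = None, None
        tss_class = CLASS_MAP.get(racf_class)
        if tss_class is None:                          # unknown verb or class
            unhandled.append(line)
            continue
        if verb == "RDEFINE":
            key = (tss_class, owner_prefix(resource))
            if key not in owned:                       # one ADD per prefix
                owned.add(key)
                tss.append(f"TSS ADD({owner}) {tss_class}({key[1]})")
        else:
            access = kw.get("ACCESS", "READ").upper()  # RACF PERMIT default
            tss.append(f"TSS PER({kw['ID']}) {tss_class}"
                       f"({tss_resource(resource)}) ACCESS({access})")
    return tss, unhandled


SAMPLE = [  # constructed sample: RACF lines copied from the IZUSEC excerpt
    " RDEFINE SERVER BBG.ANGEL UACC(NONE)",
    " RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)",
    " PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)",
    " RDEFINE ACCTNUM IZUACCT UACC(NONE)",
]

if __name__ == "__main__":
    print(convert(SAMPLE))
```

Feed it the RACF lines of the IZUSEC job and review the unhandled list by hand; the generated PER commands are a starting point to be checked against the conversion above, not a replacement for it.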

You also need to define a CA Top Secret FACILITY for the IZUSVR server.

Steps to define a ZOSMF FACILITY to CA Top Secret

An example of defining a new FACILITY for the z/OSMF (IZUSVR) address space:
TSS MODIFY FACILITY(USERn=NAME=ZOSMF)   where n is an unused USERn entry in your system.
TSS MODIFY FACILITY(ZOSMF=MODE=FAIL)
TSS MODIFY FACILITY(ZOSMF=...)

where '...' stands for any other FACILITY control options you want to set to override the default settings.

The TSS MODIFY command is only in effect until the next recycle of CA Top Secret. To make the changes permanent, add the statements to the TSS parameter file:
FACILITY(USERn=NAME=ZOSMF)      
FACILITY(ZOSMF=MODE=FAIL)
FACILITY(ZOSMF=...)

After you define the FACILITY in the CA Top Secret parmfile, issue a:

TSS ADD(IZUSVR) MASTFAC(ZOSMF)

to associate the FACILITY with the region.

All users of the FACILITY must be authorized to it in order to sign on. Example:

TSS ADD(acid) FAC(ZOSMF)

where 'acid' is the user acid, an attached profile, or the ALL record, if all users need access.

The started task must be recycled after the MASTFAC is added for the change to be picked up.