Setting up Wily z/OS without UID(0)

Document ID : KB000011666
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

Attempting to run Wily zOS without using UID(0).

The manual describes the following actions that need to take place in TopSecret in order to make this happen.

What are the actual changes (commands) in TopSecret to make this happen?


"If superuser rights are not assigned, you require the following permissions:
*You have permission to mount a USS file system.
*You have READ access to the SAF resource SUPERUSER.FILESYS.MOUNT in the UNIXPRIV class.
*You have the permission to update and create directories and files in the mount point for the installation.
*If the user ID of the WILYZOS procedure (WILYZOS user ID) cannot be in the same group ID (GID) as you (the installer), you require CONTROL access to the SAF resource SUPERUSER.FILESYS in the UNIXPRIV class.

Before you run CA Cross-Enterprise APM, verify that the WILYZOS user ID meets these security requirements:

•The user ID can run batch JCL streams.
•The user ID has READ access to the data set prefix or high-level qualifier that is used for the installation.
•The user ID has an OMVS segment and UID assigned.
•The user ID has READ access to the SAF resource BPX.CONSOLE in the FACILITY class. Otherwise, the agent issues WTO messages that are prefixed with message ID BPXM023I.
"

Answer:

If superuser rights are not assigned, you require the following permissions:

TSS ADD(acid) UID(0) or TSS PER(acid) IBMFAC(BPX.SUPERUSER) to give superuser authority.

*You have permission to mount a USS file system.

TSS PERMIT(acid) UNIXPRIV(SUPERUSER.FILESYS.MOUNT) ACC(ALL)


*You have READ access to the SAF resource SUPERUSER.FILESYS.MOUNT in the UNIXPRIV class.

TSS PERMIT(acid) UNIXPRIV(SUPERUSER.FILESYS.MOUNT) ACC(READ)

*You have the permission to update and create directories and files in the mount point for the installation.

If you are security directories using CA Top Secret to authorize them to the directory:
TSS PER(acid) HFSSEC(directory) ACC(ALL)

If you are using native USS security to protect your directory, please contact your USS security administrator.

*If the user ID of the WILYZOS procedure (WILYZOS user ID) cannot be in the same group ID (GID) as you (the installer), you require CONTROL access to the SAF resource SUPERUSER.FILESYS in the UNIXPRIV class.

TSS PERMIT(acid) UNIXPRIV(SUPERUSER.FILESYS) ACC(CONTROL)

Before you run CA Cross-Enterprise APM, verify that the WILYZOS user ID meets these security requirements:

*The user ID can run batch JCL streams.

TSS ADD(acid) FACILITY(BATCH)

*The user ID has READ access to the data set prefix or high-level qualifier that is used for the installation.

TSS PERMIT(acid) DSN(dataset) ACC(READ)

*The user ID has an OMVS segment and UID assigned.

TSS ADD(acid) UID(nn)
TSS ADD(acid) GROUP(groupacid) DFLTGRP(groupacid)
TSS ADD(acid) HOME(xxxxxx)


*The user ID has READ access to the SAF resource BPX.CONSOLE in the FACILITY class. Otherwise, the agent issues WTO messages that are prefixed with message ID BPXM023I.

TSS PERMIT(acid) IBMFAC(BPX.CONSOLE) ACC(READ)