What Are the CA Top Secret Commands to Secure z/OSMF?

Document ID : KB000048289
Last Modified Date : 14/02/2018

Description:

Appendix H of the IBM z/OSMF Configuration Guide contains figures covering different RACF/z/OSMF implementations.

Solution:

This Knowledge Document has a .txt file attached.

It contains the TSS commands translated from the RACF commands shown in Appendix H of the IBM z/OSMF Configuration Guide.

The attached .txt file has one section for each figure of this appendix.

CAUTION:

Although the attached file contains the CA Top Secret equivalents of the RACF commands, some additional work has to be done.

  1. IZUADMIN and IZUUSER are defined to CA Top Secret as GROUPs. Because of that, TSS PERMIT commands cannot be issued for these ACIDs. Either change IZUADMIN/IZUUSER in the commands to ZOSMFAD (which is a user), so that the permits are issued directly to the ZOSMFAD user and to any other users that require those permits,

    or create specific profile(s), e.g. PIZUADM/PIZUUSER, and issue the permits to them.
    You will then have to ADD those profiles to ZOSMFAD and to any other users requiring those permits.

  2. Some resources may already be owned/defined to CA Top Secret at your site. In those instances, the TSS ADD command(s) in the attached files will receive the following error message:

    TSS0351E SPECIFY "UNDERCUT" TO TRANSFER OWNERSHIP
    TSS0301I ADD FUNCTION FAILED, RETURN CODE = 8

  3. When you define a resource to CA Top Secret, in most cases you give ownership to a department ACID. In the translated commands, the department ACID is generic (i.e. #dept), so you must replace it with a valid department ACID.

  4. You may see the same TSS command generated several times from different RDEFINE RACF commands. This is because CA Top Secret limits the length of the resource name that can be owned.

  5. To download the file, use LRECL=80 BLKSIZE=3200 RECFM=FB.
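
A way to apply cautions 1, 3, 4 and 5 to the translated commands before uploading them, as an added example that is not part of the original document or of the attached file. The sample command lines, the ZMFAPLA resource names, the SYSDEPT department ACID and the `prepare` function are assumptions made for illustration, and the PIZUADM/PIZUUSER profiles are assumed to have been created already.

```python
import re

# Constructed sample lines in the style of translated commands; NOT taken from
# the attached file. The ZMFAPLA resource names are illustrative only.
SAMPLE = """\
TSS ADD(#dept) ZMFAPLA(IZUDFLT.)
TSS ADD(#dept) ZMFAPLA(IZUDFLT.)
TSS PERMIT(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.) ACCESS(READ)
TSS PERMIT(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.) ACCESS(READ)
"""

# Caution 1: GROUP ACIDs cannot receive permits; redirect them to profiles.
GROUP_TO_PROFILE = {"IZUADMIN": "PIZUADM", "IZUUSER": "PIZUUSER"}
PERMIT_RE = re.compile(r"^(TSS\s+PERMIT\()(\w+)(\).*)$", re.IGNORECASE)


def prepare(text, dept, users=("ZOSMFAD",), lrecl=80):
    """Return (commands, warnings) for a file to be uploaded as FB records."""
    out, seen, profiles, warnings = [], set(), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        # Caution 3: replace the generic department ACID placeholder.
        line = line.replace("#dept", dept)
        m = PERMIT_RE.match(line)
        if m and m.group(2).upper() in GROUP_TO_PROFILE:
            profile = GROUP_TO_PROFILE[m.group(2).upper()]
            line = m.group(1) + profile + m.group(3)
            if profile not in profiles:
                profiles.append(profile)
        # Caution 4: the same command may be generated several times.
        if line in seen:
            continue
        seen.add(line)
        # Caution 5: every record must fit in LRECL bytes.
        if len(line) > lrecl:
            warnings.append(f"line {lineno}: {len(line)} chars exceeds LRECL={lrecl}")
        out.append(line)
    # Caution 1: attach each profile that received permits to the users.
    for profile in profiles:
        out.extend(f"TSS ADD({user}) PROFILE({profile})" for user in users)
    return out, warnings


if __name__ == "__main__":
    cmds, warns = prepare(SAMPLE, dept="SYSDEPT")
    print("\n".join(cmds + warns))
```

Pass any additional users that need the permits through `users`, and review the output before running it, since resources already owned at your site will still produce TSS0351E.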

File Attachments:
TEC614247.zip