What is required for ACF2 for setup of DFHSM(DFSMShsm)?

Document ID : KB000016485
Last Modified Date : 14/02/2018
Question:

What is required for ACF2 for setup of DFHSM(DFSMShsm)?     

Answer:

This sample consists of the DFSMShsm security configuration commands, as documented for RACF, converted to their ACF2 equivalents.

Before running this sample ACFBATCH job, you must identify your site-specific values for the userids, the ACF2 resource type codes, and the UID string values of the logonids that are to be allowed access, and update the members accordingly.

Sample JOB

//*** your standard job card information
//*
//*-------------------------------------------------------------------
//* DESCRIPTION:
//* ACF command equivalents for RACF commands for DFHSM setup.
//*
//* NOTE: the RACF statements are commented for reference, and
//*       are noted if there is no ACF2 equivalent command.
//*       RDEFINE and CONNECT statements have no ACF2 equivalents.
//*       The original IBM PERMIT statements reference group names.
//*       The converted commands for ACF2 specify UID strings, so
//*       there may be instances where a site needs to add multiple
//*       rule lines to account for the allowed users/administrators.
//*-------------------------------------------------------------------
//*
//* 1.) Create a group for the storage administration / STC users'
//*    ownership:
//*    NOTE: This is already established on HESC. Shown for your
//*          information.
//*
//*    ADDGROUP (OFTSTADM)  SUPGROUP(** your racf admin group **)
//*      OWNER (** your racf admin group or admin ID **)
//*
//* 2.) Create HSM (production LPAR) userid:
//*
//*    ADDUSER HSM NAME('HSM STC USERID') OWNER(OFTSTADM)
//*     DFLTGRP(OFTSTADM) OPERATIONS PROTECTED NOPASSWORD
//*-------------------------------------------------------------------
//STEP01  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *

SET LID                                          
INSERT HSM NAME(HSM STC USERID) STC NON-CNCL

* 3.) Create HSMTT (test LPAR) userid:
*     ADDUSER  HSMTT NAME('HSMTT STC TEST USERID') OWNER(OFTSTADM)
*       DFLTGRP(OFTSTADM) OPERATIONS PROTECTED  NOPASSWORD

 
SET LID                                                  
INSERT HSMTT NAME(HSMTT STC TEST USERID) STC NON-CNCL   
 
* 4.) Create HSMTP (test LPAR with prod) userid:
*     ADDUSER  HSMTP NAME('HSMTP')  OWNER(OFTSTADM) DFLTGRP(OFTSTADM)
*     OPERATIONS PROTECTED NOPASSWORD

SET LID                              
INSERT HSMTP NAME(HSMTP) STC NON-CNCL 
 
* 5.) Connect STC userids to the OFTSTADM group:
*     *** Your RACF admin group should be used for the superior
*         group and owner. ***
*     CONNECT  HSM  GROUP(OFTSTADM) UACC(NONE)  AUTHORITY(USE)
*     CONNECT  HSMTT GROUP(OFTSTADM) UACC(NONE) AUTHORITY(USE)
*     CONNECT HSMTP GROUP(OFTSTADM) UACC(NONE) AUTHORITY(USE)
*      5A.)    Connect ITS STG Administrators to OFTSTADM group.
*         NOTE: This is already established within the existing
*         OFTSTADM group on HESC. Shown for your information.
*     CONNECT  CSYPJB   GROUP(OFTSTADM) UACC(NONE)  AUTHORITY(USE)
*     CONNECT  CSYMFR   GROUP(OFTSTADM) UACC(NONE)  AUTHORITY(USE)
*     CONNECT  CSYSMC   GROUP(OFTSTADM) UACC(NONE)  AUTHORITY(USE)
*
* ** ACF2 NOTE **
* This assumes that LOGONIDs CSYPJB, CSYSMC and CSYMFR exist in the
* ACF2 LOGONID database. ACF2 does not have GROUPs like RACF: access
* in data set and resource rules is granted by UID string, so each
* logonid that RACF would connect to a GROUP needs its own rule entry.
* The following UID strings correspond to the members of RACF GROUP
* OFTSTADM, so every ACF2 rule that replaces a PERMIT to OFTSTADM
* must include a rule entry for each of them:
* UID(uid string for HSM)
* UID(uid string for HSMTT)
* UID(uid string for HSMTP)
* UID(uid string for CSYPJB)
* UID(uid string for CSYMFR)
* UID(uid string for CSYSMC)
* ** End ACF2 NOTE **
*
* 6.) Define started tasks:
*    RDEFINE STARTED (HSM.*)  UACC(NONE) STDATA(USER(HSM)
*       GROUP(STC) TRUSTED(YES))
*    RDEFINE STARTED (HSMTT.*)  UACC(NONE) STDATA(USER(HSMTT)
*       GROUP(STC) TRUSTED(YES))
*    RDEFINE STARTED (HSMTP.*)  UACC(NONE) STDATA(USER(HSMTP)
*       GROUP(STC) TRUSTED(YES))
 
SET CONTROL(GSO)                                         
INSERT STC.HSM LOGONID(HSM) STCID(HSM-)   
INSERT STC.HSMTT LOGONID(HSMTT) STCID(HSMTT-) 
INSERT STC.HSMTP LOGONID(HSMTP) STCID(HSMTP-)   
F ACF2,REFRESH(STC)   
 
* 7.) Define Group ARCCATGP to allow only authorized users to Uncatalog,
*     Recatalog, or Delete NOSCRATCH against migrated data sets without
*     recalling them:
*    ADDGROUP  (ARCCATGP)     SUPGROUP(OFTSTADM)  OWNER(OFTSTADM)
*    CONNECT  CSYPJB   GROUP(ARCCATGP) UACC(NONE)  AUTHORITY(USE)
*    CONNECT  CSYSMC   GROUP(ARCCATGP) UACC(NONE)  AUTHORITY(USE)
*    CONNECT  CSYMFR GROUP(ARCCATGP) UACC(NONE)  AUTHORITY(USE)
 
SET RESOURCE(TGR) 
RECKEY ARCCATGP ADD( UID(uid string for CSYPJB) SERVICE(READ) ALLOW)
RECKEY ARCCATGP ADD( UID(uid string for CSYMFR) SERVICE(READ) ALLOW)
RECKEY ARCCATGP ADD( UID(uid string for CSYSMC) SERVICE(READ) ALLOW)
F ACF2,REBUILD(TGR)
 
* ** ACF2 NOTE **
* LOGONIDs CSYPJB, CSYSMC and CSYMFR would need to signon to TSO
* specifying GROUP(ARCCATGP) or put GROUP=ARCCATGP in BATCH JCL
* or change the three logonids default GROUP to ARCCATGP
* for example:
*   SET LID
*   CHANGE CSYPJB GROUP(ARCCATGP)
* ** End ACF2 NOTE **
*   
* 8.) Create data set profiles to protect access to CDSs, journals,
*     logs, and backed up version data sets:
*     PROD:
*       ADDSD 'ESYS.HESC.DFHSM.**'  UACC(NONE)
*       Permit storage administrators:
*       PERMIT 'ESYS.HESC.DFHSM.**' ID(OFTSTADM)  ACC(ALTER)
 
SET RULE
RECKEY ESYS ADD( HESC.DFHSM.- UID(uid string for HSM) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESC.DFHSM.- UID(uid string for HSMTT) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESC.DFHSM.- UID(uid string for HSMTP) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESC.DFHSM.- UID(uid string for CSYPJB) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESC.DFHSM.- UID(uid string for CSYMFR) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESC.DFHSM.- UID(uid string for CSYSMC) READ(A) -
 WRITE(A) ALLOC(A))

*      TEST:
*        ADDSD 'ESYS.HESCTEST.DFHSM.**'  UACC(NONE)
*        Permit storage administrators:
*        PERMIT 'ESYS.HESCTEST.DFHSM.**' ID(OFTSTADM)  ACC(ALTER)
 
SET RULE
RECKEY ESYS ADD( HESCTEST.DFHSM.- UID(uid string for HSM) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESCTEST.DFHSM.- UID(uid string for HSMTT) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESCTEST.DFHSM.- UID(uid string for HSMTP) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESCTEST.DFHSM.- UID(uid string for CSYPJB) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESCTEST.DFHSM.- UID(uid string for CSYMFR) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESCTEST.DFHSM.- UID(uid string for CSYSMC) READ(A) -
 WRITE(A) ALLOC(A))

* 9.) Create HSMACT group for HSMACT data set profile
*     ADDGROUP (HSMACT)  SUPGROUP(SY01) OWNER(SY01)
*     9A.)   Create data set profiles to protect access to HSM
*            activity logs:
*        ADDSD  'HSMACT.**'  UACC(READ)
*        Permit storage administrators:
*        PERMIT   'HSMACT.**'  ID(OFTSTADM) ACC(ALTER)
 
SET RULE
RECKEY HSMACT ADD( - UID(uid string for HSM) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMACT ADD( - UID(uid string for HSMTT) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMACT ADD( - UID(uid string for HSMTP) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMACT ADD( - UID(uid string for CSYPJB) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMACT ADD( - UID(uid string for CSYMFR) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMACT ADD( - UID(uid string for CSYSMC) READ(A) -
 WRITE(A) ALLOC(A))

* 10.) Define end user command permission:
*      RDEFINE FACILITY STGADMIN.ARC.ENDUSER.*  UACC(READ)
*
* ** ACF2 NOTE **
*    There is no ACF2 equivalent to RACF RDEFINE
* ** End ACF2 NOTE **
*
* 11.) Define authorized commands for storage administrators:
*      RDEFINE FACILITY STGADMIN.ARC.* UACC(NONE)
*    PERMIT STGADMIN.ARC.* CLASS(FACILITY) ID(OFTSTADM) ACCESS(READ)
 
SET RESOURCE(FAC)
RECKEY STGADMIN ADD( ARC.- UID(uid string for HSM) -
 SERVICE(READ) ALLOW)
RECKEY STGADMIN ADD( ARC.- UID(uid string for HSMTT) -
 SERVICE(READ) ALLOW)
RECKEY STGADMIN ADD( ARC.- UID(uid string for HSMTP) -
 SERVICE(READ) ALLOW)
RECKEY STGADMIN ADD( ARC.- UID(uid string for CSYPJB) -
 SERVICE(READ) ALLOW)
RECKEY STGADMIN ADD( ARC.- UID(uid string for CSYMFR) -
 SERVICE(READ) ALLOW)
RECKEY STGADMIN ADD( ARC.- UID(uid string for CSYSMC) -
 SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
 
* 12.) Create data set profile for HSM migration data sets and
*      backup data sets, prod:
*      ADDSD 'HSM.**'  UACC(NONE)
*      PERMIT  'HSM.**' ID(OFTSTADM)  ACC(ALTER)
 
SET RULE
RECKEY HSM ADD( - UID(uid string for HSM) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSM ADD( - UID(uid string for HSMTT) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSM ADD( - UID(uid string for HSMTP) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSM ADD( - UID(uid string for CSYPJB) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSM ADD( - UID(uid string for CSYMFR) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSM ADD( - UID(uid string for CSYSMC) READ(A) -
 WRITE(A) ALLOC(A))
 
* 13.) Create Group HSMT for data set HSMT.** profile.
*      ADDGROUP (HSMT)  SUPGROUP(SY01) OWNER(SY01)
*   13A.) Create data set profile for HSM migration data sets and
*         backup data sets, test:
*           ADDSD 'HSMT.**'  UACC(NONE)
*           PERMIT  'HSMT.**' ID(OFTSTADM)  ACC(ALTER)
 
SET RULE
RECKEY HSMT ADD( - UID(uid string for HSM) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMT ADD( - UID(uid string for HSMTT) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMT ADD( - UID(uid string for HSMTP) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMT ADD( - UID(uid string for CSYPJB) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMT ADD( - UID(uid string for CSYMFR) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY HSMT ADD( - UID(uid string for CSYSMC) READ(A) -
 WRITE(A) ALLOC(A))
//*
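Because ACF2 has no groups, every rule key in the job above needs one UID entry per former OFTSTADM member, and a single mistyped logonid or dropped parenthesis silently leaves an administrator or started task without access. The following Python checker is an added example, not part of the original article or of ACF2: it joins ACFBATCH continuation lines, groups RECKEY entries by SET context and rule key, and reports which expected logonids have no UID entry plus any command whose parentheses do not balance. It assumes (as the placeholders in the job do) that each logonid's UID string ends with the logonid, and its sample input is constructed.

```python
import re
# Constructed ACFBATCH SYSIN fragment with placeholder UID strings; it
# deliberately carries one missing ")" and one mistyped logonid.
SAMPLE_SYSIN = """\
SET RULE
RECKEY ESYS ADD( HESC.DFHSM.- UID(uid string for HSM) READ(A) -
 WRITE(A) ALLOC(A))
RECKEY ESYS ADD( HESC.DFHSM.- UID(uid string for CSYPJB) READ(A) -
 WRITE(A) ALLOC(A)
SET RESOURCE(FAC)
RECKEY STGADMIN ADD( ARC.- UID(uid string for CSYPJBM) -
 SERVICE(READ) ALLOW)
"""
# Logonids that RACF GROUP OFTSTADM stood for (see the job's ACF2 note).
GROUP_MEMBERS = ["HSM", "HSMTT", "HSMTP", "CSYPJB", "CSYMFR", "CSYSMC"]

def join_continuations(text):
    """Return complete ACF2 commands; a line ending in ' -' continues."""
    cmds, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # blank or comment line
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.endswith(" -"):                 # continuation marker
            buf = buf[:-1].rstrip()
            continue
        cmds.append(buf)
        buf = ""
    return cmds + ([buf] if buf else [])

def check_rules(text, members):
    """Per SET context and rule key, list members lacking a UID entry,
    and flag RECKEY commands whose parentheses do not balance."""
    uids_by_key, unbalanced, context = {}, [], ""
    for cmd in join_continuations(text):
        if cmd.upper().startswith("SET "):
            context = cmd[4:].strip()
            continue
        m = re.match(r"RECKEY\s+(\S+)\s+ADD\(", cmd, re.I)
        if not m:
            continue
        if cmd.count("(") != cmd.count(")"):
            unbalanced.append(cmd)
        for uid in re.findall(r"UID\(([^)]*)\)", cmd, re.I):
            uids_by_key.setdefault((context, m.group(1)), set()).add(uid)
    # Assumption: each logonid's UID string ends with the logonid itself.
    missing = {k: [lid for lid in members if not any(u.endswith(lid) for u in uids)]
               for k, uids in uids_by_key.items()}
    return missing, unbalanced
```

Run `check_rules(SAMPLE_SYSIN, GROUP_MEMBERS)` against the real SYSIN member before submitting the job; an empty `missing` list for every key and an empty `unbalanced` list is the expected clean result.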