What is required for ACF2 for setup of zOSEM(Operating System Environment Manager)?

Document ID : KB000044057
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:  

What is required for ACF2 for setup of zOSEM(Operating System Environment Manager)? 

Answer:  

This sample job consists of the zOSEM security definitions converted for ACF2 environments. 

The original external security commands used for the conversion come from the Trident Services

zOSEM Operating System Environment Manager For z/OS Appendix B. zOSEM External Security 

Profiles(SC31-6908-02).

 

Requirements:

Before running any of these sample ACFBATCH jobs, you must identify your site specific values for the
userids, ACF2 resource type codes, and the UID string values for the logonids that are to be allowed 
access, and update the members accordingly.

//ACFZOSEM JOB your standard job card information

//* 

//* ACFZOSEM   Sample zOSEM ACF2 External Security Setup

//*

//* This sample job consists of the zOSEM security definitions 

//* converted for ACF2 environments. The original external security 

//* commands used for the conversion come from the Trident Services

//* zOSEM Operating System Environment Manager For z/OS Appendix B. 

//* zOSEM External Security Profiles(SC31-6908-02).

//*

//STEP1  EXEC PGM=ACFBATCH

//SYSPRINT DD  SYSOUT=*

//SYSIN    DD  *

* Sample zOSEM ACF2 External Security Setup

*

* ISPF Admin Dialog Security

* Resource class: FACILITY

* Resource name: OSEM.sysid.ADMIN.function

* Access: ALLOW

* For Valid 'function' values see Appendix B. zOSEM External Security Profiles 

* Summary section 'ISPF Admin Dialog Security'.

* Example:

SET RESOURCE(FAC)

RECKEY OSEM ADD( sysid.ADMIN.function uid(UID string) ALLOW)

* zOSEM JES2 Command Security Resources 

* Resource class: OPERCMD      

* ** Note This Resource class defaults to SAF. If your site uses a CLASMAP

* **      to map Resource class OPERCMDS to a unique TYPE code be sure to

* **      change the TYPE specified in the SET RESOURCE(SAF) command below.

* Resource name: jesx.commandresource

* Access: See “zOSEM JES2 Command Checking” on page B-2 for required access

* SERVICE(xxxx) for the zOSEM JES2 jesx.commandresource resources

* jesx is the JES2 subsystem name.

* See “zOSEM JES2 Command Checking” on page B-2 for a list of zOSEM JES2 

* jesx.commandresource resources.

* Example:

SET RESOURCE(SAF)

RECKEY jesx ADD( commandresource uid(UID string) SERVICE(xxxx) ALLOW)

* Operating System and JES2 Command Checking

* Resource class: FACILITY

* Resource name: COMMAND.*

* Resource name: COMMAND.cmd

* Resource name: JES2.*

* Resource name: JES2.$cmd

* Access: ALLOW

* Example:

SET RESOURCE(FAC)

RECKEY COMMAND ADD( * uid(UID string) ALLOW)

RECKEY COMMAND ADD( cmd uid(UID string) ALLOW)

RECKEY JES2 ADD( * uid(UID string) ALLOW)

RECKEY JES2 ADD( $cmd uid(UID string) ALLOW)

*

* JCL & SYSOUT Parameter Checking

* Resource class: FACILITY

* Resource name: JCL.parm.value

* Access: ALLOW

* For valid 'command' values see Appendix B. zOSEM External Security Profiles 

* Summary section 'JCL & SYSOUT Parameter Checking'.

* Example:

SET RESOURCE(FAC)

RECKEY JCL ADD( parm.value uid(UID string) ALLOW)

* FEMCNTL Command Security

* Resource class: FACILITY

* Resource name: FEMCNTL.sysid.command

* Access: ALLOW

* For valid 'parm' values Appendix B. zOSEM External Security Profiles 

* Summary section 'FEMCNTL Command Security'.

* Example:

SET RESOURCE(FAC)

RECKEY FEMCNTL ADD( sysid.command uid(UID string) ALLOW)

* Job Class Checking

* Resource class: FACILITY

* Resource name: JOBCLASS.class

* Acess: READ

* where class is the job class for which checking is to be performed.

* Users must have at least READ access to the resource.

SET RESOURCE(FAC)

RECKEY JOBCLASS ADD( class uid(UID string) ALLOW)

* User Defined Resources

* Resource class: FACILITY

* Resource name: BYPASS.JOB.LIMITS

* Resource name: EXTEND.SYSOUT

* Resource name: EXTEND.JOBCPU

* Resource name: EXTEND.STEPCPU

* Resource name: EXTEND.WAIT

* Resource name: USERID.BYPASS

* Access: READ

SET RESOURCE(FAC)

RECKEY BYPASS ADD( JOB.LIMITS uid(UID string) ALLOW)

RECKEY EXTEND ADD( SYSOUT uid(UID string) ALLOW)

RECKEY EXTEND ADD( JOBCPU uid(UID string) ALLOW)

RECKEY EXTEND ADD( STEPCPU uid(UID string) ALLOW)

RECKEY EXTEND ADD( WAIT uid(UID string) ALLOW)

RECKEY USERID ADD( BYPASS uid(UID string) ALLOW)

//*