z/OSMF 2.2 IZUILSEC

Document ID : KB000011590
Last Modified Date : 14/02/2018
Question:

How do I convert the RACF commands in the z/OSMF 2.2 IZUILSEC job to Top Secret commands?

Environment:
z/OSMF 2.2
Answer:
//IZUILSEC JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX            
//STEP1  EXEC PGM=IKJEFT01,DYNAMNBR=99                                          
//SYSPRINT DD SYSOUT=*                                                          
//SYSTSPRT DD SYSOUT=*                                                          
//SYSTSIN  DD *    
/* */
/* Begin "Incident Log" Setup */
/* */
/* Define the CEA resource profiles required to perform/retrieve */
/* properties for JES. */
RDEFINE SERVAUTH CEA.CEAGETPS UACC(NONE)
RDEFINE SERVAUTH CEA.CEADOCMD UACC(NONE)
TSS ADD(Owning-Dept) SERVAUTH(CEA.)
/* Grant the z/OSMF groups, authority to the following and to */
/* grant access to perform JES operations and obtain job */
/* properties. */
PERMIT CEA.CEAGETPS CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
PERMIT CEA.CEAGETPS CLASS(SERVAUTH) ID(IZUUSER) ACCESS(UPDATE)
PERMIT CEA.CEADOCMD CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
PERMIT CEA.CEADOCMD CLASS(SERVAUTH) ID(IZUUSER) ACCESS(UPDATE)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEAGETPS) ACCESS(UPDATE)
TSS PER(IZUUSER) SERVAUTH(CEA.CEAGETPS) ACCESS(UPDATE)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEADOCMD) ACCESS(UPDATE)
TSS PER(IZUUSER) SERVAUTH(CEA.CEADOCMD) ACCESS(UPDATE)
/* Permit z/OSMF groups to Incident Log */
RDEFINE SERVAUTH CEA.CEAPDWB* UACC(NONE)
PERMIT CEA.CEAPDWB* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
PERMIT CEA.CEAPDWB* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(UPDATE)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEAPDWB) ACCESS(UPDATE)
TSS PER(IZUUSER) SERVAUTH(CEA.CEAPDWB) ACCESS(UPDATE)
RDEFINE SERVAUTH CEA.CEADOCONSOLECMD UACC(NONE)
PERMIT CEA.CEADOCONSOLECMD CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
PERMIT CEA.CEADOCONSOLECMD CLASS(SERVAUTH) ID(IZUUSER) ACCESS(UPDATE)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEADOCONSOLECMD) ACCESS(UPDATE)
TSS PER(IZUUSER) SERVAUTH(CEA.CEADOCONSOLECMD) ACCESS(UPDATE)
/* If your installation sets up PROTECT-ALL (RACF exit to protect */
/* all datasets) you will need to setup a CEA.* RACF profile and */
/* permit user identity. The HLQ CEA is the CEA HLQ provided */
/* during the configuration prompts. */
/* Please ensure the commands are appropriate for your */
/* environment. You may want to consider assigning an owner or */
/* group to the data set profile. */
/* The command is: */
/* ADDSD 'CEA.*' OWNER(userid or group-name) UACC(NONE) */
ADDSD 'CEA.*' UACC(NONE)
PERMIT 'CEA.*' ID(IZUADMIN) ACCESS(ALTER)
PERMIT 'CEA.*' ID(IZUUSER) ACCESS(ALTER)
SETROPTS GENERIC(DATASET) REFRESH
TSS PER(IZUADMIN) SERVAUTH(CEA.) ACCESS(ALTER)
TSS PER(IZUUSER) SERVAUTH(CEA.) ACCESS(ALTER)
/* Additional considerations */
/* If your installation has user catalog setup instead of using */
/* the master catalog, you may need to define CEA alias to the */
/* user catalog. */
/* DEFINE ALIAS(NAME(CEA) RELATE('your_catalog_name')) */
/* If your installation has master catalog setup you may need to */
/* permit the user to the master catalog dataset class. */
/* PERMIT 'your_master_catalog' CLASS(DATASET) ID(your_cim_admin_name) ACCESS(UPDATE) */
/* If your installation is using SYSLOG for the Operations Log, */
/* you may need to define and permit the CEA user id to JESSPOOL */
/* class below. */
/* REDEFINE JESSPOOL 'your_system_name'.+MASTER+.SYSLOG.*.* UACC(NONE) */
/* PERMIT 'your_system_name'.+MASTER+.SYSLOG.*.* CLASS(JESSPOOL) ID('your_cea_user_id') ACC(READ) */
/* If your installation protects MVS commands with RACF class */
/* OPERCMDS. you need to give the CIM Admin identity permission. */
/* This is required for the incident log verify step. */
/* This template does not have RDEFINES for these resources. */
/* If your installation doesn't define these, you will need to */
/* either define them first */
/* or change the PERMIT to a higher level qualifier. */
/* PERMIT MVS.DISPLAY.** CLASS(OPERCMDS) ID(your_cim_admin_name) ACCESS(READ) */
/* PERMIT MVS.DUMP CLASS(OPERCMDS) ID(your_cim_admin_name) ACCESS(CONTROL) */
/* PERMIT MVS.MODIFY.JOB.CEA CLASS(OPERCMDS) ID(your_cim_admin_name) ACCESS(UPDATE) */
TSS PER(acid) OPERCMDS(MVS.DISPLAY.) ACCESS(READ)
TSS PER(acid) OPERCMDS(MVS.DUMP.) ACCESS(CONTROL)
TSS PER(acid) OPERCMDS(MVS.MODIFY.JOB.CEA) ACCESS(UPDATE)
/* Profile Definitions for Incident Log */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.INCIDENT_LOG.INCIDENT_LOG UACC(NONE)
/* */
/* Begin zOSMF User Role Setup */
/* */
/* Permit definitions for Incident Log */
PERMIT IZUDFLT.ZOSMF.INCIDENT_LOG.INCIDENT_LOG CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.INCIDENT_LOG.INCIDENT_LOG) ACCESS(READ)
/* */
/* End zOSMF User Role Setup */
/* */
/* */
/* Begin zOSMF Administrator Role Setup */
/* */
/* Permit definitions for Incident Log */
PERMIT IZUDFLT.ZOSMF.INCIDENT_LOG.INCIDENT_LOG CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
TSS PER(IZUADMIN) ZMFAPLA(IZUDFLT.ZOSMF.INCIDENT_LOG.INCIDENT_LOG) ACCESS(READ)
/* */
/* End zOSMF Administrator Role Setup */
/* */
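
An added example, not part of the original article or the sample job: a Python check that every active RACF general-resource PERMIT in a converted job has a matching TSS PER line, so no grant is silently dropped during conversion. It assumes the mapping pattern visible in the job above (the RACF class name becomes the TSS resource keyword and a trailing generic `*` is dropped); the function names and the sample excerpt are constructed for illustration.

```python
import re

# Active RACF general-resource permit: PERMIT profile CLASS(c) ID(id) ACCESS(lvl)
PERMIT_RE = re.compile(
    r"^PERMIT\s+(?P<profile>\S+)\s+CLASS\((?P<cls>\w+)\)\s+"
    r"ID\((?P<acid>\w+)\)\s+ACC(?:ESS)?\((?P<level>\w+)\)$")
# Top Secret permit as written in the job: TSS PER(acid) CLASS(resource) ACCESS(lvl)
TSS_RE = re.compile(
    r"^TSS\s+PER(?:MIT)?\((?P<acid>\w+)\)\s+(?P<cls>\w+)"
    r"\(\s*(?P<res>[^)\s]+)\s*\)\s+ACCESS\((?P<level>\w+)\)$")

def _tss(acid, cls, res, level):
    """Canonical TSS PER line used for comparison."""
    return f"TSS PER({acid}) {cls}({res}) ACCESS({level})"

def to_tss(racf_line):
    """Return the TSS PER line for a RACF PERMIT, or None for comments,
    data set permits (no CLASS operand) and any other statement."""
    m = PERMIT_RE.match(racf_line.strip())
    if m is None:
        return None
    # Assumption taken from the job: CEA.CEAPDWB* becomes CEA.CEAPDWB.
    return _tss(m["acid"], m["cls"], m["profile"].rstrip("*"), m["level"])

def unconverted_permits(job_text):
    """List RACF PERMIT lines that have no equivalent TSS PER line."""
    lines = [line.strip() for line in job_text.splitlines()]
    present = set()
    for line in lines:
        m = TSS_RE.match(line)
        if m:
            present.add(_tss(m["acid"], m["cls"], m["res"], m["level"]))
    return [l for l in lines if to_tss(l) and to_tss(l) not in present]

# Constructed excerpt: commands copied from the job above, with the IZUUSER
# TSS permit for CEA.CEADOCMD deliberately left out to show a finding.
SAMPLE_JOB = """\
/* PERMIT MVS.DUMP CLASS(OPERCMDS) ID(your_cim_admin_name) ACCESS(CONTROL) */
PERMIT CEA.CEAGETPS CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
PERMIT CEA.CEADOCMD CLASS(SERVAUTH) ID(IZUUSER) ACCESS(UPDATE)
PERMIT CEA.CEAPDWB* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(UPDATE)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEAGETPS) ACCESS(UPDATE)
TSS PER(IZUADMIN) SERVAUTH(CEA.CEAPDWB) ACCESS(UPDATE)
PERMIT IZUDFLT.ZOSMF.INCIDENT_LOG.INCIDENT_LOG CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
TSS PER(IZUUSER) ZMFAPLA(IZUDFLT.ZOSMF.INCIDENT_LOG.INCIDENT_LOG) ACCESS(READ)
"""

if __name__ == "__main__":
    for line in unconverted_permits(SAMPLE_JOB):
        print("no TSS equivalent for:", line)
```

Commented-out permits and the `PERMIT 'CEA.*'` data set permits are skipped by design, so review those by hand.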