/* Begin "Core" Setup */
/* */
/* Purpose: RACF command stream (TSO batch, IKJEFT01) that sets up */
/* security for the z/OSMF server: groups, the started task and */
/* guest user IDs, STARTED/APPL/SERVER/FACILITY/SERVAUTH/ZMFAPLA/ */
/* EJBROLE profiles, the CA and server certificates and key ring, */
/* and the READ permits for the role groups IZUUSER, IZUADMIN and */
/* IZUSECAD and for the started task user ID IZUSVR. */
/* Order matters: RDEFINE before PERMIT, and a SETROPTS RACLIST */
/* REFRESH of a RACLISTed class after its PERMITs, otherwise the */
/* in-storage copy does not show the change. Every profile is */
/* defined UACC(NONE), except the four IRR.RADMIN profiles that */
/* leave UACC to the default (see the note there). */
/* NOTE(review): the lone "/*" before //V2R2S is the JCL delimiter */
/* that ends in-stream data read with DD *. A comment line whose */
/* "/*" also sits in columns 1-2 can be taken as that delimiter, */
/* so confirm the column layout of the original member (or code */
/* DD DATA with a DLM=) before submitting this as in-stream data. */
/* */
/* This commented section contains the CLASS activation commands. */
/* Ensure the following classes are active before executing this */
/* script or creating profiles in these classes. */
/* */
/* Activate the APPL class */
/*SETROPTS CLASSACT(APPL) */
/*SETROPTS RACLIST(APPL) GENERIC(APPL) */
/* */
/* Activate the EJBROLE class */
/*SETROPTS CLASSACT(EJBROLE) */
/*SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE) */
/* */
/* Activate the FACILITY class */
/*SETROPTS CLASSACT(FACILITY) */
/*SETROPTS RACLIST(FACILITY) */
/* */
/* Activate the SERVER class */
/*SETROPTS CLASSACT(SERVER) */
/*SETROPTS RACLIST(SERVER) */
/* */
/* Activate the SERVAUTH class */
/*SETROPTS CLASSACT(SERVAUTH) */
/*SETROPTS RACLIST(SERVAUTH) GENERIC(SERVAUTH) */
/* */
/* Activate the STARTED class */
/*SETROPTS CLASSACT(STARTED) */
/*SETROPTS RACLIST(STARTED) GENERIC(STARTED) */
/* */
/* Activate the ZMFAPLA class */
/*SETROPTS CLASSACT(ZMFAPLA) */
/*SETROPTS RACLIST(ZMFAPLA) GENERIC(ZMFAPLA) */
/* */
/* Activate the ACCTNUM class */
/*SETROPTS CLASSACT(ACCTNUM) */
/* Activate the TSOPROC class */
/*SETROPTS CLASSACT(TSOPROC) */
/* Refresh the ACCTNUM class */
/* SETROPTS RACLIST(ACCTNUM) REFRESH */
/* Refresh the TSOPROC class */
/* SETROPTS RACLIST(TSOPROC) REFRESH */
/* */
/* TSOAUTH and OPERCMDS are activated and RACLISTed live here; */
/* the REFRESH for each is issued later, after its profile and */
/* PERMITs have been defined. */
/* Activate the TSOAUTH class */
SETROPTS CLASSACT(TSOAUTH)
/* RACLIST the TSOAUTH class (initial in-storage copy) */
SETROPTS RACLIST(TSOAUTH)
/* */
/* Activate the OPERCMDS class */
SETROPTS CLASSACT(OPERCMDS)
/* RACLIST the OPERCMDS class (initial in-storage copy) */
SETROPTS RACLIST(OPERCMDS)
/* Create the z/OSMF Administrators group */
/* NOTE(review): the TSS lines are CA Top Secret commands, not */
/* RACF; on a RACF system they are not valid TSO commands and only */
/* produce errors. Keep one security product's commands per job. */
/* The later TSS CREATE(ISUZER) also does not match the RACF user */
/* ID IZUSVR that the ADDUSER defines - presumably a typo; confirm. */
ADDGROUP IZUADMIN OMVS(GID(9003))
TSS ADD(IZUADMIN) GID(9003)
/* Create the z/OSMF Users group */
ADDGROUP IZUUSER OMVS(GID(9004))
TSS ADD(IZUUSER) GID(9004)
/* Create the z/OSMF Unauthenticated group */
ADDGROUP IZUUNGRP OMVS(GID(9012))
TSS ADD(IZUUNGRP) GID(9012)
/* Create the started task USERID for the z/OSMF Server */
/* Please note, the HOME directory should be created with */
/* utility IZUMKFS. */
/* NOPASSWORD NOOIDCARD makes this a protected user ID: it cannot */
/* be used to log on with a password and serves only the started */
/* tasks defined in the STARTED profiles below. */
ADDUSER IZUSVR DFLTGRP(IZUADMIN) OMVS(UID(9010) +
HOME(/var/zosmf/data/home/izusvr) +
PROGRAM(/bin/sh)) NAME('zOSMF Started Task USERID') +
NOPASSWORD NOOIDCARD
TSS CREATE(ISUZER) TYPE(USER) DEPARTMENT(xxxxxx)
/* Change concurrent open file number for started task USERID */
ALTUSER IZUSVR OMVS(FILEPROC(10000))
/* Create the z/OSMF unauthenticated USERID */
/* RESTRICTED: UACC, ID(*) and global access table entries do not */
/* apply to this user ID, so it gets only what is explicitly */
/* permitted to it (READ to APPL IZUDFLT below). It is also a */
/* protected user ID (NOPASSWORD NOOIDCARD). */
ADDUSER IZUGUEST RESTRICTED DFLTGRP(IZUUNGRP) OMVS(UID(9011)) +
NAME('zOSMF Unauthenticated USERID') NOPASSWORD NOOIDCARD
/* Define the STARTED profiles for the z/OSMF server */
/* Both are generic (IZUSVR1.*, IZUANG1.*) and so rely on */
/* GENERIC(STARTED) from the commented activation block. The */
/* tasks run as IZUSVR in group IZUADMIN with PRIVILEGED(NO) and */
/* TRUSTED(NO), i.e. with normal authorization checking; */
/* TRACE(YES) makes RACF issue a message when the task starts. */
RDEFINE STARTED IZUSVR1.* UACC(NONE) STDATA(USER(IZUSVR) +
GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEFINE STARTED IZUANG1.* UACC(NONE) STDATA(USER(IZUSVR) +
GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
/* Define the APPL profile for the z/OSMF server */
RDEFINE APPL IZUDFLT UACC(NONE)
/* Define the SERVER profiles for the z/OSMF server */
RDEFINE SERVER BBG.SECPFX.IZUDFLT UACC(NONE)
RDEFINE SERVER BBG.ANGEL UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
/* Permit the z/OSMF unauthenticated USERID access */
PERMIT IZUDFLT CLASS(APPL) ID(IZUGUEST) ACCESS(READ)
/* Permit the started task USERID access */
PERMIT BBG.SECPFX.IZUDFLT CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) +
ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) +
ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) +
ID(IZUSVR)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) +
ID(IZUSVR)
/* Define the BPX.CONSOLE profile to suppress the BPXM023I message */
/* prefix for console messages */
RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
/* Permit the started task USERID access */
PERMIT BPX.CONSOLE CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
/* Define the Sync-to-OS-thread FACILITY profile */
RDEFINE FACILITY BBG.SYNC.IZUDFLT UACC(NONE)
/* Permit the started task USERID access */
/* CONTROL, not READ: this is the only CONTROL-level permit in the */
/* script; it is what the sync-to-OS-thread profile above calls */
/* for, so do not lower it without checking the server's needs. */
PERMIT BBG.SYNC.IZUDFLT CLASS(FACILITY) ID(IZUSVR) ACCESS(CONTROL)
/* Define the FACILITY profile for working with digital */
/* certificates */
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
/* Allow users of the z/OSMF Configuration Workflow to extract */
/* profile information */
/* NOTE(review): these four RDEFINEs omit UACC, so RACF presumably */
/* takes the default UACC of the issuer's current connect group */
/* rather than a fixed NONE. Code UACC(NONE) explicitly, as every */
/* other profile in this script does. The permits to IZUADMIN are */
/* in the Administrator Role section below. */
RDEFINE FACILITY IRR.RADMIN.LISTUSER
RDEFINE FACILITY IRR.RADMIN.LISTGRP
RDEFINE FACILITY IRR.RADMIN.RLIST
RDEFINE FACILITY IRR.RADMIN.SETROPTS.LIST
/* Permit the started task USERID access */
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) +
ACCESS(READ)
/* Create the CA certificate for the z/OSMF server */
/* NOTE(review): NOTAFTER is a fixed date, the same on the CA and */
/* the server certificate. Check it is still in the future and */
/* matches the installation's certificate policy before running, */
/* and plan the renewal. The CA is created TRUSTed here; the */
/* server certificate is marked TRUST by the ALTER further down. */
RACDCERT CERTAUTH GENCERT +
SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') +
OU('IZUDFLT')) WITHLABEL('zOSMFCA') +
TRUST NOTAFTER(DATE(2023/05/17))
/* Key ring owned by the started task user ID */
RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
/* Create the server certificate for the z/OSMF server */
/* Change HOST NAME in CN field into real local host name */
/* Usually the format of the host name is 'XXXX.XXX.XXX.XXX' */
/* NOTE(review): the "," after WITHLABEL(...) before the "+" is */
/* stray; TSO treats a comma as a delimiter, so it is presumably */
/* harmless, but remove it when tidying. */
RACDCERT ID( IZUSVR ) GENCERT SUBJECTSDN(CN('HOST NAME') +
O('IBM') OU('IZUDFLT')) WITHLABEL('DefaultzOSMFCert.IZUDFLT'), +
SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2023/05/17))
/* Mark the server certificate trusted, then connect it (as the */
/* ring's DEFAULT) and the CA to the key ring */
RACDCERT ALTER(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR) TRUST
RACDCERT ID( IZUSVR ) CONNECT (LABEL('DefaultzOSMFCert.IZUDFLT') +
RING(IZUKeyring.IZUDFLT) DEFAULT)
RACDCERT ID( IZUSVR ) CONNECT (LABEL('zOSMFCA') +
RING(IZUKeyring.IZUDFLT) CERTAUTH)
/* Assumption: SERVAUTH class is active */
/* SETROPTS GENERIC(SERVAUTH) */
/* Define the CEA resource profile required for z/OSMF server */
/* (generic; permits follow after the ACCTNUM/TSOPROC section) */
RDEFINE SERVAUTH CEA.CEATSO.* UACC(NONE)
/* Define the Account Number resource profile for REST File API */
RDEFINE ACCTNUM IZUACCT UACC(NONE)
/* Define the TSO Procedure resource profile for REST File API */
RDEFINE TSOPROC IZUFPROC UACC(NONE)
/* List-of-groups authority checking supplements the normal RACF */
/* access authority checking by allowing all groups of which a */
/* user ID is a member to enter into the access list checking */
/* process. Un-comment the following line to activate this. */
/* SETROPTS GRPLIST */
/* Create the z/OS Security Administrators group */
ADDGROUP IZUSECAD OMVS(GID(9006))
/* Define the ZMFAPLA profile for the z/OSMF server */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF UACC(NONE)
/* The EJBROLE definitions are case-sensitive in RACF. Ensure you */
/* preserve case for these commands */
/* Assumption: EJBROLE is defined, activated, and raclisted. */
RDEFINE EJBROLE IZUDFLT.*.izuUsers UACC(NONE)
/* Define the z/OSMF Server profile */
RDEFINE SERVER BBG.SECCLASS.ZMFAPLA UACC(NONE)
/* Permit the started task USERID access */
PERMIT BBG.SECCLASS.ZMFAPLA CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
/* Roles processing will permit the z/OSMF Server groups to the */
/* Application Server resources */
/* Assumption: APPL class has been defined, activated, raclisted. */
/* Permit the Administrators group to this profile */
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUADMIN) ACCESS(READ)
/* Permit the Users group to this profile */
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUUSER) ACCESS(READ)
/* Permit the started task USERID to this profile */
PERMIT CEA.CEATSO.* CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)
/* Make changes effective */
SETROPTS RACLIST(SERVAUTH) REFRESH
/* Permit the Administrators group to these profiles */
/* NOTE(review): no SETROPTS RACLIST(ACCTNUM) or RACLIST(TSOPROC) */
/* REFRESH follows these PERMITs; the only ones in the script are */
/* commented out at the top. If those classes are RACLISTed, the */
/* new permits are not in effect until a REFRESH is issued. */
PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUADMIN) ACCESS(READ)
/* Permit the Users group to these profiles */
PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUUSER) ACCESS(READ)
PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUUSER) ACCESS(READ)
/* Define console profile in class TSOAUTH to issue MVS commands */
/* via EMCS consoles */
RDEFINE TSOAUTH CONSOLE UACC(NONE)
/* Permit the Administrators group to these profiles */
PERMIT CONSOLE CLASS(TSOAUTH) ID(IZUADMIN) ACCESS(READ)
/* Permit the Users group to these profiles */
PERMIT CONSOLE CLASS(TSOAUTH) ID(IZUUSER) ACCESS(READ)
/* Make changes effective */
SETROPTS RACLIST(TSOAUTH) REFRESH
/* Define MCS operator profile starting with prefix IZU@ */
RDEFINE OPERCMDS MVS.MCSOPER.IZU@* UACC(NONE)
/* Permit the Administrators group to these profiles */
PERMIT MVS.MCSOPER.IZU@* CLASS(OPERCMDS) ID(IZUADMIN) ACCESS(READ)
/* Permit the Users group to these profiles */
PERMIT MVS.MCSOPER.IZU@* CLASS(OPERCMDS) ID(IZUUSER) ACCESS(READ)
/* Make changes effective */
SETROPTS RACLIST(OPERCMDS) REFRESH
/* If your installation utilizes hardware crypto in combination */
/* with ICSF, various services like CSFRNGL, CSFDSV, CSFOWH, */
/* CSFIQF, etc. may be protected by profiles established in your */
/* security product. In certain cases, z/OSMF will utilize these */
/* services, and the z/OSMF started task USERID will need to be */
/* permitted to these profiles. If concrete profiles in the CSFSERV */
/* class have been defined to protect these resources, then the */
/* following commented commands would permit the started task */
/* userid to that profile which is used by associated ICSF service. */
/* Only uncomment the services the installation actually protects */
/* and z/OSMF actually uses; each one widens what IZUSVR can call. */
/*PERMIT CSFIQF CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*encipher callable service */
/*PERMIT CSFENC CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*cryptographic variable encipher callable */
/*PERMIT CSFCVE CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*decipher callable service */
/*PERMIT CSFDEC CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*symmetric algorithm encipher callable service */
/*PERMIT CSFSAE CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*symmetric algorithm decipher callable service */
/*PERMIT CSFSAD CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*one-way hash generate callable service */
/*PERMIT CSFOWH CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*random number generate callable service */
/*PERMIT CSFRNG CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*random number generate long callable service */
/*PERMIT CSFRNGL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*PKA key generate callable service */
/*PERMIT CSFPKG CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*digital signature generate service */
/*PERMIT CSFDSG CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*digital signature verify callable service */
/*PERMIT CSFDSV CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*PKA key token change callable service */
/*PERMIT CSFPKT CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*retained key list callable service */
/*PERMIT CSFRKL CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*PKA Public Key Extract callable service */
/*PERMIT CSFPKX CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*PKA encrypt callable service */
/*PERMIT CSFPKE CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*PKA decrypt callable service */
/*PERMIT CSFPKD CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*PKA key import callable service */
/*PERMIT CSFPKI CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*multiple clear key import callable service */
/*PERMIT CSFCKM CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*key generate callable service */
/*PERMIT CSFKGN CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*ECC Diffie-Hellman callable service */
/*PERMIT CSFEDH CLASS(CSFSERV) ACCESS(READ) ID(IZUSVR) */
/*SETROPTS RACLIST(CSFSERV) REFRESH */
/* */
/* Profile Definitions for Core */
/* IZUDFLT.ZOSMF.LINK.** is generic and relies on */
/* GENERIC(ZMFAPLA) from the commented activation block. */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.LOGGER UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT +
UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS +
UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.** UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.SYSTEMS UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY +
UACC(NONE)
/* Profile Definitions for "Workflow" */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS UACC(NONE)
/* Profile Definitions for "Workflow administrator role" */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.ADMIN UACC(NONE)
/* Profile Definitions for "z/OSMF notification" */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.NOTIFICATION.MODIFY UACC(NONE)
/* End Core Setup */
/* */
/* Begin zOSMF User Role Setup */
/* */
/* Users get the VIEW-level ZMFAPLA profiles only; the MODIFY and */
/* ADMINTASKS profiles are reserved for IZUADMIN below. */
PERMIT IZUDFLT CLASS(APPL) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
/* Permit definitions for Core */
PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUUSER) +
ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUUSER) +
ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
/* Permit definitions for Workflow */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
/* Permit definitions for notification */
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.MODIFY CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
/* */
/* End zOSMF User Role Setup */
/* */
/* */
/* Begin zOSMF Administrator Role Setup */
/* */
PERMIT IZUDFLT CLASS(APPL) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
/* Permit definitions for Core */
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.APPLINKING CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.IMPORTMANAGER CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LINKSTASK CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.LOGGER CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.ADMINTASKS.USAGESTATISTICS +
CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN) +
ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.VIEW CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS.MODIFY CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.SYSTEMS CLASS(ZMFAPLA) ID(IZUADMIN) +
ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.VIEW CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
/* Permit definitions for Workflow */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
/* Permit definitions for "Workflow administrator role" */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.ADMIN CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
/* Permit definitions for "z/OSMF notification" */
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.SETTINGS.ADMIN CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF.NOTIFICATION.MODIFY CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
/* Permit the z/OSMF administrator access */
/* These let IZUADMIN read RACF user, group, resource and SETROPTS */
/* information through the RACF administration interface; they */
/* grant listing only, not update, and go to IZUADMIN alone. */
PERMIT IRR.RADMIN.LISTUSER CLASS(FACILITY) ID(IZUADMIN) +
ACCESS(READ)
PERMIT IRR.RADMIN.LISTGRP CLASS(FACILITY) ID(IZUADMIN) +
ACCESS(READ)
PERMIT IRR.RADMIN.RLIST CLASS(FACILITY) ID(IZUADMIN) +
ACCESS(READ)
PERMIT IRR.RADMIN.SETROPTS.LIST CLASS(FACILITY) ID(IZUADMIN) +
ACCESS(READ)
/* */
/* End zOSMF Administrator Role Setup */
/* */
/* */
/* Begin zOS Security Administrator Role Setup */
/* */
/* IZUSECAD gets the base APPL/EJBROLE/ZMFAPLA access plus the */
/* Workflow task only; no ADMINTASKS or SETTINGS profiles. */
PERMIT IZUDFLT CLASS(APPL) ID(IZUSECAD) ACCESS(READ)
PERMIT IZUDFLT.*.izuUsers CLASS(EJBROLE) ID(IZUSECAD) ACCESS(READ)
PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUSECAD) ACCESS(READ)
/* Permit definitions for Workflow */
PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS CLASS(ZMFAPLA) +
ID(IZUSECAD) ACCESS(READ)
/* */
/* End zOS Security Administrator Role Setup */
/* */
/*----------------------------------------------------------------*/
/* Begin Setup for API Discovery Swagger User Interface */
/*----------------------------------------------------------------*/
/* The API Discovery feature lets you view z/OSMF REST APIs in */
/* a Swagger User Interface. That feature uses the Liberty REST */
/* handler framework, which requires the following RACF resource */
/* permissions to allow all z/OSMF users to access the Swagger */
/* User Interface. */
/* The profile name is continued with "+" directly after */
/* "resource."; TSO drops the leading blanks of the next line, so */
/* the name joins as ...security.resource.allAuthenticatedUsers. */
/* Keep the case exactly as written (EJBROLE is case-sensitive). */
RDEFINE EJBROLE +
IZUDFLT.com.ibm.ws.management.security.resource.+
allAuthenticatedUsers UACC(NONE)
PERMIT IZUDFLT.com.ibm.ws.management.security.resource.+
allAuthenticatedUsers CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
PERMIT IZUDFLT.com.ibm.ws.management.security.resource.+
allAuthenticatedUsers CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
/*----------------------------------------------------------------*/
/* End Setup for API Discovery Swagger User Interface */
/*----------------------------------------------------------------*/
/* Need to REFRESH these classes for Roles */
/* (SERVAUTH, TSOAUTH and OPERCMDS were already refreshed above) */
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH
SETROPTS RACLIST(ZMFAPLA) REFRESH
SETROPTS RACLIST(SERVER) REFRESH
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
/* Connect the started task USERID to the CIM USER group */
/* CFZUSRGP must already exist (CIM setup); CONNECT fails if not. */
CONNECT (IZUSVR) GROUP(CFZUSRGP)
/*
//* Second TSO batch step; the /* above ends step one's SYSTSIN
//V2R2S EXEC PGM=IKJEFT01,DYNAMNBR=99
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
/* */
/* Second step: additional profiles (general settings, e-mail, */
/* operator consoles, named angel, WLM) with their own REFRESH */
/* at the end. Its comment lines are subject to the same */
/* column-1 delimiter caveat as the first step. */
/* Profile for general setting */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.GENERAL.SETTINGS UACC(NONE)
/* Permit the Administrators group to this profile */
PERMIT IZUDFLT.ZOSMF.GENERAL.SETTINGS CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
/* Profile Definitions for "z/OSMF email function" */
RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
/* Permit the started task USERID to this profile */
/* ACC is the abbreviated form of ACCESS; same effect as the */
/* other PERMITs. */
PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(IZUSVR) ACC(READ)
/*----------------------------------------------------------------*/
/* Begin Setup for Discovery CPC function in Systems task */
/*----------------------------------------------------------------*/
/* The <...> placeholders below stand in for values that were */
/* lost when this member was copied; substitute real values. */
/* Replace <cpc-sna-name> with the 3-17 character SNA name of */
/* the particular CPC. */
/* Replace <snmp-community-name> with the SNMP community */
/* name that is associated with the CPC. */
/* Replace <lpar-name> with the 1-8 character name which */
/* represents the LPAR. */
/* */
/* RDEFINE FACILITY HWI.APPLNAME.HWISERV UACC(NONE) */
/* PERMIT HWI.APPLNAME.HWISERV CLASS(FACILITY) ID(IZUADMIN) + */
/* ACCESS(READ) */
/* RDEFINE FACILITY HWI.TARGET.<cpc-sna-name> UACC(NONE) + */
/* APPLDATA('<snmp-community-name>') */
/* RDEFINE FACILITY HWI.TARGET.<cpc-sna-name>.<lpar-name> UACC(NONE) */
/* PERMIT HWI.TARGET.<cpc-sna-name> CLASS(FACILITY) ID(IZUADMIN) + */
/* ACCESS(READ) */
/* PERMIT HWI.TARGET.<cpc-sna-name>.<lpar-name> CLASS(FACILITY) + */
/* ID(IZUADMIN) ACCESS(READ) */
/*----------------------------------------------------------------*/
/* End Setup for Discovery CPC function in Systems task */
/*----------------------------------------------------------------*/
/* If AT-TLS is enabled, z/OSMF started task userid needs to be */
/* permitted on resource EZB.INITSTACK.sysname.tcpname */
/* (substitute the real system and TCP/IP stack names) */
/* */
/* PERMIT EZB.INITSTACK.sysname.tcpname CLASS(SERVAUTH) + */
/* ID(IZUSVR) ACCESS(READ) */
/* Profile Definitions for "zOS Operator Consoles" task */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.CONSOLES.ZOSOPER UACC(NONE)
/* Permit definitions for "zOS Operator Consoles" task */
PERMIT IZUDFLT.ZOSMF.CONSOLES.ZOSOPER CLASS(ZMFAPLA) +
ID(IZUUSER) ACCESS(READ)
/* Permit definitions for "zOS Operator Consoles" task */
PERMIT IZUDFLT.ZOSMF.CONSOLES.ZOSOPER CLASS(ZMFAPLA) +
ID(IZUADMIN) ACCESS(READ)
/* Profile definitions for Named Angel Support */
/* (IZUANG1 is the angel started task defined in STARTED above) */
RDEFINE SERVER BBG.ANGEL.IZUANG1 UACC(NONE)
PERMIT BBG.ANGEL.IZUANG1 CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
/* Define security setup to permit Authorized WLM Service(ZOSWLM )*/
RDEFINE FACILITY BPX.WLMSERVER UACC(NONE)
PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
/* Make changes effective */
SETROPTS RACLIST(SERVER) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH
SETROPTS RACLIST(ZMFAPLA) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
/* */
/* End V2R2S step Setup */
/* */
/*