Steps for setting up security

An initial IBM Cloud Provisioning and Management for z/OS environment includes a default domain and default tenant. This topic describes the steps for creating the security authorizations for the default domain and default tenant.

Before you begin

This procedure is performed by a legacy special user. For information, see Select the Legacy Special user ID.

About this task

Use this procedure to define an initial set of group and profile definitions for your IBM Cloud Provisioning and Management for z/OS environment. A summary of the authorizations is provided in Table 2.

This procedure involves the following changes to your security database:
  • Activating the necessary RACF classes
  • Creating the required SAF security groups
  • Defining the required SAF resource profiles
  • Granting the appropriate authorizations
  • Refreshing the necessary RACF classes.

The examples in the section show the commands as they would be entered for a RACF installation. If your installation uses a security management product other than RACF, your security administrator can refer to the IZUSEC job for examples when creating equivalent commands for the security management product on your system.

This procedure is intended only for your initial security set-up. Later, after you complete this procedure, you can use the Software Services task and Resource Management task to maintain your security environment. Note, however, that managing the landlord IDs is a manual operation that you perform in your security product. Managing the landlord IDs involves connecting users to, or removing users from, the landlord group.

Procedure

  1. Activate the ZMFCLOUD resource class and enable the RACLIST and GENERIC profiles.
    SETROPTS CLASSACT(ZMFCLOUD) GENERIC(ZMFCLOUD) RACLIST(ZMFCLOUD)
  2. Create the landlord identity.
    1. Define the landlord group to which landlord user IDs are to be connected.
      ADDGROUP IYU
      where IYU is the default group name prefix for the landlord group. If your installation specified a different group prefix in IZUPRMxx, substitute that value in the examples in this procedure.
    2. Define the SAF profile for the Cloud Provisioning resources.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU) UACC(NONE)
      where IZUDFLT is the z/OSMF SAF profile prefix. If your installation specified a different SAF profile prefix in IZUPRMxx, substitute that value in the examples in this procedure.
    3. Grant the landlord group read access to the landlord profile.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU +
      CLASS(ZMFCLOUD) ID(IYU) + 
      ACCESS(READ)
    After you perform this step, you are the owner of the landlord group, and are considered to be a landlord. You do not need to explicitly connect your user ID to the landlord group. To authorize more landlord users, you can connect each user ID to the landlord group, using TSO/E or ISPF.
  3. Set up security for the default domain.
    1. Define the domain administrator group for the default domain.
      ADDGROUP IYU0 SUPGROUP(IYU)
      where IYU0 is the group name for domain administrators; it is defined under the Cloud Provisioning group (IYU), which will be its RACF superior group.
    2. Define the profile for the default domain administrators.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0) UACC(NONE)   
    3. Grant the landlord group (IYU) and domain administrator group for the default domain (IYU0) read access to the domain administrator profile.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0 + 
      CLASS(ZMFCLOUD) ID(IYU IYU0) ACCESS(READ)
    4. Define the resource pool administrator group for networking for the default domain.
      ADDGROUP IYU0RPAN SUPGROUP(IYU)
      where IYU0RPAN is the group name for networking administrators; it is defined as a subgroup of the Cloud Provisioning group.
    5. Define the resource pool administrator group for WLM for the default domain.
      ADDGROUP IYU0RPAW SUPGROUP(IYU)
      where IYU0RPAW is the group name for WLM administrators; it is defined as a subgroup of the Cloud Provisioning group.
  4. Set up security for the default tenant.
    1. Define the tenant consumer group for the default tenant.
      ADDGROUP IYU000 SUPGROUP(IYU0)
      where IYU000 is the group name for tenant consumers; it is defined as a subgroup of the domain administrator group.
    2. Define the profile for the tenant consumer group for the default tenant.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000) + 
      UACC(NONE)
    3. Grant the tenant consumer group read access to the tenant consumer profile for the default tenant.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000 + 
      CLASS(ZMFCLOUD) ID(IYU000) ACCESS(READ)
  5. Define the profile for the template approvers for the default domain.
    RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.TEMPLATE.APPROVERS.IYU0) UACC(NONE)
  6. Define the profile for the WLM administrators for the default domain.
    1. Define the profile for the resource pool administrator group for WLM.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0) UACC(NONE)
    2. Grant the WLM administrator group read access to the WLM administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0 +
      CLASS(ZMFCLOUD) ID(IYU0RPAW) ACCESS(READ)
  7. Define the profile for the network administrators for the default domain.
    1. Define the profile for the resource pool administrator group for network administrators.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0) UACC(NONE)
    2. Grant the network administrator group read access to the network administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0 +
      CLASS(ZMFCLOUD) ID(IYU0RPAN) ACCESS(READ)
  8. Define the ZMFAPLA profiles for the Cloud Provisioning resources.
    1. Define the profile for the Software Services task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) UACC(NONE)
    2. Define the profile for the Resource Management task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT) UACC(NONE)
    3. If the profile for the Workflows task is not already defined, you must define the profile.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) UACC(NONE)
    4. Define the profile for the Workflow Editor task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.WORKFLOW.EDITOR) UACC(NONE)
    5. Define the profile for the System Variables administrator resource.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN) UACC(NONE)
  9. Grant z/OSMF access to the landlord, default domain administrator, and the default tenant consumer groups.
    PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) +
    ID(IYU IYU0 IYU000) ACCESS(READ)
  10. Grant z/OSMF access to the resource administrator groups.
    PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) +
    ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
  11. Grant the user groups access to the Software Services, Workflows, and Workflow Editor tasks.
    PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES +  
    CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
    
    PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS + 
    CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
    
    PERMIT IZUDFLT.ZOSMF.WORKFLOW.EDITOR + 
    CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
  12. Grant administrators access to the Resource Management task.
    PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT + 
    CLASS(ZMFAPLA) ID(IYU IYU0) ACCESS(READ)
  13. Grant the resource administrator groups access to the Workflows task and Software Services task.
    PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
    
    PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES + 
    CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
    
    PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS + 
    CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
  14. Grant the z/OSMF Administrator group authority to modify or delete system variables by using the Systems task or through a z/OSMF REST service.
    PERMIT IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN + 
    CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
  15. Create the z/OSMF security administrator role (if it does not exist already). These users can perform dynamic security updates in the Resource Management task.
    1. Define the z/OSMF security administrator group.
      ADDGROUP IZUSECAD
      where IZUSECAD is the default group name.
    2. Define the SAF profile for z/OSMF security administrators.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.SECURITY.ADMIN) UACC(NONE)
      where IZUDFLT is the z/OSMF SAF profile prefix.
    3. Grant the security administrator group read access to the security administrator profile.
      PERMIT IZUDFLT.ZOSMF.SECURITY.ADMIN CLASS(ZMFCLOUD) +
      ID(IZUSECAD) ACCESS(READ)
    Only users with read access to this profile can be selected as domain security administrators by the landlord.
  16. Enable the z/OSMF server to perform authorization checks.
    1. Create the SERVER class profile.
      RDEFINE SERVER (BBG.SECCLASS.ZMFCLOUD) UACC(NONE)
    2. Grant the z/OSMF server user ID access to the SERVER class profile.
      PERMIT BBG.SECCLASS.ZMFCLOUD CLASS(SERVER) ID(IZUSVR) +
      ACCESS(READ)
      where IZUSVR is the default user ID for the z/OSMF server, which in turn has a default name of IZUSVR1. If you assigned a different user ID to the z/OSMF server started task, specify that user ID instead.
    3. Connect the z/OSMF started task user ID to the z/OSMF security administrator group (by default, IZUSECAD).
      CONNECT IZUSVR GROUP(IZUSECAD)
  17. Refresh the RACF classes to make the preceding changes effective.
    SETROPTS RACLIST(ZMFAPLA ZMFCLOUD SERVER) REFRESH
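As a check after the refresh, the following batch job lists the groups and profiles that this procedure creates, so you can confirm that ZMFCLOUD is active, generic and RACLISTed, that each profile has UACC(NONE), and that only the intended groups appear on each access list. It is an added example, not part of the original procedure or of the IZUSEC job; the job name and accounting field are placeholders, and the default IZUDFLT, IYU and IZUSVR values are assumed.

```jcl
//RACFCHK  JOB (ACCT),'VERIFY CP&M SECURITY',CLASS=A,MSGCLASS=X
//* Added verification job (not from the original procedure or IZUSEC).
//* Assumes the default prefixes IZUDFLT and IYU and the default
//* z/OSMF server user ID IZUSVR; substitute your installation values.
//* SETROPTS LIST  : confirm ZMFCLOUD, ZMFAPLA and SERVER are active
//*                  and RACLISTed, and ZMFCLOUD is GENERIC.
//* RLIST AUTHUSER : show UACC and the access list of each profile.
//* LISTGRP        : show the superior group, subgroups and connected
//*                  users of each Cloud Provisioning group.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS LIST
  RLIST ZMFCLOUD +
    IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU AUTHUSER
  RLIST ZMFCLOUD +
    IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0 AUTHUSER
  RLIST ZMFCLOUD +
    IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000 AUTHUSER
  RLIST ZMFCLOUD IZUDFLT.ZOSMF.TEMPLATE.APPROVERS.IYU0 AUTHUSER
  RLIST ZMFCLOUD IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0 AUTHUSER
  RLIST ZMFCLOUD IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0 AUTHUSER
  RLIST ZMFCLOUD IZUDFLT.ZOSMF.SECURITY.ADMIN AUTHUSER
  RLIST ZMFAPLA IZUDFLT.ZOSMF AUTHUSER
  RLIST ZMFAPLA +
    IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES AUTHUSER
  RLIST ZMFAPLA +
    IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT AUTHUSER
  RLIST ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS AUTHUSER
  RLIST ZMFAPLA IZUDFLT.ZOSMF.WORKFLOW.EDITOR AUTHUSER
  RLIST ZMFAPLA IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN AUTHUSER
  RLIST SERVER BBG.SECCLASS.ZMFCLOUD AUTHUSER
  LISTGRP (IYU IYU0 IYU0RPAN IYU0RPAW IYU000 IZUSECAD)
/*
```

Pay particular attention to the LISTGRP output for IYU: every user ID connected to that group is a landlord, and those connections are maintained manually in your security product rather than by the Resource Management task.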

What to do next

Each of the middleware products that you can provision in z/OSMF requires additional security setup. For example, CICS requires that you define a provisioning user ID (CICSPROV, by default) with access to specific resources. For more information, see the README file that accompanies each product.

You can use the Resource Management task to manage user roles and create additional security authorizations for your environment. For example, you can use the Resource Management task to do the following:
  • Designate users as domain administrators, resource administrators, and tenant consumers.
  • Add or remove template approvers for the default domain. For any new domains that you create, you can use the Resource Management task to define the appropriate template approver profile for the domain when the domain is created.
  • Add or remove WLM administrators and network administrators for the default domain. For any new domains that you create, you can use the Resource Management task to define the appropriate administrator profile for the domain when the domain is created.

These actions are described in the online help for the Resource Management task.

During regular operations with IBM Cloud Provisioning and Management for z/OS, user authorizations are created dynamically by the Resource Management task, using an IBM-supplied REXX exec called izu.provisioning.security.config.rexx. As part of configuration, your security administrator must tailor this exec with the appropriate values for your environment. If your installation uses a security product other than RACF, your security administrator can review this exec for examples when creating equivalent security commands.

The izu.provisioning.security.config.rexx exec is intended for use by security administrators only (user IDs in group IZUSECAD). During z/OSMF configuration, this exec is stored in the z/OSMF configuration directory on your system: /var/zosmf/configuration/workflow/izu.provisioning.security.config.rexx.

The exec is owned by the z/OSMF server user ID (by default, IZUSVR). The exec can be updated only by users in the security administrator group (IZUSECAD).