Steps for setting up security
An initial IBM Cloud Provisioning and Management for z/OS environment includes a default domain and default tenant. This topic describes the steps for creating the security authorizations for the default domain and default tenant.
Before you begin
This procedure must be performed by the legacy special user, that is, a user ID with the authority to issue security commands for your installation. For information, see Select the Legacy Special user ID.
About this task
Use this procedure to define an initial set of group and profile definitions for your IBM Cloud Provisioning and Management for z/OS environment. A summary of the authorizations is provided in Table 2. The procedure consists of the following steps:
- Activating the necessary RACF classes
- Creating the required SAF security groups
- Defining the required SAF resource profiles
- Granting the appropriate authorizations
- Refreshing the necessary RACF classes so that the new definitions take effect
The examples in this section show the commands as they would be entered for a RACF installation. If your installation uses a security management product other than RACF, your security administrator can refer to the IZUSEC job for examples when creating equivalent commands for the security management product on your system.
This procedure is intended only for your initial security setup. After you complete it, you can use the Software Services task and the Resource Management task to maintain your security environment. Note, however, that managing the landlord IDs remains a manual operation in your security product: it involves connecting users to, or removing users from, the landlord group.
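As an added illustration of the five steps above (this is example code written for this page, not code from the z/OSMF documentation or from the IZUSEC job), the following POSIX shell script generates the RACF command sequence in that order for one resource profile and lets you review it before issuing it. The class ZMFCLOUD, the profile name, the groups PROVADM and PROVCON and the owner SYS1 used in the usage line are placeholders, not the profile names z/OSMF actually uses; take the real ones from IZUSEC. Issuing the commands through tsocmd on z/OS UNIX is an assumption about your environment; the default is to print them only.

```shell
#!/bin/sh
# Added example, not code from the z/OSMF documentation or the IZUSEC job.
# Generates the RACF command sequence in the order the page lists (activate
# class, add groups, define profile, permit, refresh) so that a security
# administrator can review the commands before issuing them. Class, group,
# profile and owner names in the usage at the bottom are illustrative only.

# RACF group and user IDs: 1 to 8 characters from A-Z, 0-9, #, $ and @.
# Uppercase is required here even though TSO would fold lowercase input.
racf_id_ok() {
    case $1 in
        ''|*[!A-Z0-9#'$@']*) return 1 ;;
    esac
    [ ${#1} -le 8 ]
}

# activate_class CLASS -> activate the class and RACLIST it in storage
activate_class() {
    printf 'SETROPTS CLASSACT(%s) RACLIST(%s)\n' "$1" "$1"
}

# add_group GROUP OWNER -> ADDGROUP; fails on an invalid RACF group name
add_group() {
    racf_id_ok "$1" || { echo "bad group name: $1" >&2; return 1; }
    printf "ADDGROUP %s OWNER(%s) SUPGROUP(%s) DATA('z/OSMF provisioning')\n" "$1" "$2" "$2"
}

# define_profile CLASS PROFILE OWNER GROUP:ACCESS...
# Defines the profile with UACC(NONE), so nobody has access by default, then
# permits each listed group at exactly the access level it needs.
define_profile() {
    class=$1 profile=$2 owner=$3
    shift 3
    printf 'RDEFINE %s %s UACC(NONE) OWNER(%s)\n' "$class" "$profile" "$owner"
    for pair in "$@"; do
        group=${pair%%:*}; access=${pair#*:}
        case $access in
            NONE|READ|UPDATE|CONTROL|ALTER) ;;
            *) echo "bad access level: $pair" >&2; return 1 ;;
        esac
        printf 'PERMIT %s CLASS(%s) ID(%s) ACCESS(%s)\n' "$profile" "$class" "$group" "$access"
    done
}

# refresh_class CLASS -> a RACLISTed class does not see new profiles until refreshed
refresh_class() {
    printf 'SETROPTS RACLIST(%s) REFRESH\n' "$1"
}

# connect_users GROUP USER... -> the manual landlord-group maintenance the page describes
connect_users() {
    group=$1; shift
    for user in "$@"; do
        racf_id_ok "$user" || { echo "bad user ID: $user" >&2; return 1; }
        printf 'CONNECT %s GROUP(%s)\n' "$user" "$group"
    done
}

# initial_setup CLASS PROFILE OWNER ADMIN_GROUP CONSUMER_GROUP
# Emits the complete sequence for one profile: administrators get UPDATE,
# consumers get READ. Stops at the first invalid name.
initial_setup() {
    class=$1 profile=$2 owner=$3 admins=$4 consumers=$5
    activate_class "$class" &&
    add_group "$admins" "$owner" &&
    add_group "$consumers" "$owner" &&
    define_profile "$class" "$profile" "$owner" "$admins:UPDATE" "$consumers:READ" &&
    refresh_class "$class"
}

# run_commands: read commands from stdin; print them (default) or issue each
# one through tsocmd on z/OS UNIX when RACF_APPLY=1 (tsocmd use is an assumption).
run_commands() {
    while IFS= read -r cmd; do
        if [ "${RACF_APPLY:-0}" = 1 ]; then
            tsocmd "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Illustrative usage; every name here is a placeholder, not a real z/OSMF profile.
initial_setup ZMFCLOUD 'IZUDFLT.ZOSMF.PROVISIONING.EXAMPLE' SYS1 PROVADM PROVCON | run_commands
```

The profile is defined with UACC(NONE) so that no user has access until a PERMIT grants it, each group is permitted at only the access level it needs, and the refresh is deliberately the last step because a RACLISTed class does not pick up new profiles or permits until it is refreshed.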
Procedure
What to do next
Each of the middleware products that you can provision in z/OSMF requires additional security setup. For example, CICS requires that you define a provisioning user ID (CICSPROV, by default) with access to specific resources. For more information, see the README file that accompanies each product.
During regular operations, you can use the Resource Management task to:
- Designate users as domain administrators, resource administrators, and tenant consumers.
- Add or remove template approvers for the default domain. For any new domain that you create, you can use the Resource Management task to define the appropriate template approver profile for the domain when the domain is created.
- Add or remove WLM administrators and network administrators for the default domain. For any new domain that you create, you can use the Resource Management task to define the appropriate administrator profile for the domain when the domain is created.
These actions are described in the online help for the Resource Management task.
During regular operations with IBM Cloud Provisioning and Management for z/OS, user authorizations are created dynamically by the Resource Management task, using an IBM-supplied REXX exec called izu.provisioning.security.config.rexx. As part of configuration, your security administrator must tailor this exec with the appropriate values for your environment. If your installation uses a security product other than RACF, your security administrator can review this exec for examples when creating equivalent security commands.
The izu.provisioning.security.config.rexx exec is intended for use by security administrators only (user IDs in group IZUSECAD). During z/OSMF configuration, this exec is stored in the z/OSMF configuration directory on your system: /var/zosmf/configuration/workflow/izu.provisioning.security.config.rexx.
The exec is owned by the z/OSMF server user ID (by default, IZUSVR). The exec can be updated only by users in the security administrator group (IZUSECAD).
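Because this exec generates the security commands that grant provisioning authorizations, anyone who can modify it can change what gets permitted. The following check, added here as an example and not part of the z/OSMF documentation, verifies from z/OS UNIX that the file exists, is owned by the expected server ID, belongs to the expected group, and is not writable by other users. It parses ls -l rather than calling stat because stat is not available on z/OS UNIX. The expectation that the file's group is IZUSECAD and that it carries no write permission for "other" is an assumption derived from the statement above that only that group can update it; adjust the arguments if your installation protects the file differently.

```shell
#!/bin/sh
# Added example, not from the z/OSMF documentation: verify the ownership and
# permissions of the provisioning security exec. The path and owner default
# to the values the page gives; the expected group and the "no write for
# other" rule are assumptions.
EXEC_PATH=${1:-/var/zosmf/configuration/workflow/izu.provisioning.security.config.rexx}
EXPECT_OWNER=${2:-IZUSVR}
EXPECT_GROUP=${3:-IZUSECAD}

# check_exec_protection PATH OWNER GROUP
# Prints one line per failed check. Returns 0 when every check passes,
# 1 when any check fails, and 2 when the file does not exist.
check_exec_protection() {
    path=$1; want_owner=$2; want_group=$3; rc=0
    if [ ! -f "$path" ]; then
        echo "MISSING: $path"
        return 2
    fi
    # ls -l works on z/OS UNIX, where GNU stat is absent.
    # Field 1 is the mode string, field 3 the owner, field 4 the group.
    set -- $(ls -ld "$path")
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop ACL markers such as a trailing "+"
    owner=$3
    group=$4
    [ "$owner" = "$want_owner" ] || { echo "OWNER: $owner (expected $want_owner)"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "GROUP: $group (expected $want_group)"; rc=1; }
    # Character 9 of the mode string is the write bit for "other".
    case $(printf '%s' "$mode" | cut -c9) in
        w) echo "WORLD-WRITABLE: $mode"; rc=1 ;;
    esac
    return $rc
}

if check_exec_protection "$EXEC_PATH" "$EXPECT_OWNER" "$EXPECT_GROUP"; then
    echo "OK: $EXEC_PATH is owned by $EXPECT_OWNER:$EXPECT_GROUP and is not world-writable"
fi
```

Run it as the z/OSMF administrator after configuration and again after any maintenance that touches the configuration directory; a non-zero return value means the exec could be altered by an ID outside the security administrator group, and the file's owner, group or mode should be corrected before the Resource Management task next runs it.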