Setting up user security on a z/OS system by using RACF
Additional information you need for setting up user security on a z/OS system.
Before you begin
About this task
Repository permissions and role-based permissions for users are similar for servers running on z/OS and other platforms; however, on z/OS, when the Jazz® Team Server and the IBM Engineering Lifecycle Management applications are configured to use RACF for security, the WebSphere® Liberty server determines repository permissions based on RACF EJBROLE profiles for security control.
Define the Jazz Team Server and Engineering Lifecycle Management application repository permissions using the EJBROLE class by completing the following tasks:
- Define the EJBROLE profiles:
- JazzAdmins
- Jazz repository administrators with full read/write access.
- JazzProjectAdmins
- Jazz repository administrators with specific permissions to manipulate project areas, team areas, and process templates.
- JazzGuests
- Users with read-only access to the Jazz repository.
- JazzUsers
- Users with regular read/write access to the Jazz repository.
Example RACF commands:RDEFINE EJBROLE JazzAdmins UACC(NONE) RDEFINE EJBROLE JazzProjectAdmins UACC (NONE) RDEFINE EJBROLE JazzGuests UACC(READ) RDEFINE EJBROLE JazzUsers UACC(NONE)
- Permit the appropriate access to users or groups. Example RACF commands:
Permit JazzAdmins CLASS(EJBROLE) ID(jazAdmns) ACCESS(READ) Permit JazzProjectAdmins CLASS(EJBROLE) ID(jPradmns) ACCESS (READ) Permit JazzUsers CLASS(EJBROLE) ID(jazzgrp) ACCESS(READ)
- Activate the new definitions:After the RACF RDEFINE and PERMIT commands, you must issue the following command to take them into account:
SETROPTS RACLIST(EJBROLE) REFRESH
- After you configure Jazz Team Server, you
must log on as a Jazz Team Server
administrator to verify the configuration. Before attempting to verify the configuration, provide at
least one user ID or group with read authority to the JazzAdmins profile in the EJBROLE class. Notes:
- When you add user IDs to the Jazz repository, you must also give them read authority to the appropriate RACF profile in the EJBROLE class (JazzAdmins, JazzProjectAdmins, JazzGuests, JazzUsers).
- For IBM WebSphere Liberty:
- A System Authorization Facility (SAF) profile prefix is specified in the server.xml and jvm.options files that affects the way the EJBROLE profiles are referenced. For more information about using EJBROLE profiles, search the WebSphere Liberty Server for z/OS for the version that you are running for the System Authorization Facility for role-based authorization topic.
- You must grant READ access to the APPL profile for the Engineering Workflow Management users. Search the WebSphere Liberty server for z/OS for the version that you are running for more information.
- The value for
profilePrefix
in server.xml will be used as a prefix for the EJBROLEs in RACF.
Attention: When your password expires, you cannot connect to the Jazz Team Server, but you will not receive an error message that indicates your password has expired. If you cannot connect to the Jazz Team Server because of an expired password, you must change the password using TSO or IBM Developer for z/OS® .