Setting up user security on a z/OS system by using RACF

Edit online

Additional information you need for setting up user security on a z/OS system.

Before you begin

Review the information in Permissions.

About this task

Repository permissions and role-based permissions for users are similar for servers running on z/OS and other platforms; however, on z/OS, when the Jazz® Team Server and the IBM Engineering Lifecycle Management applications are configured to use RACF for security, the WebSphere® Liberty server determines repository permissions based on RACF EJBROLE profiles for security control.

Define the Jazz Team Server and Engineering Lifecycle Management application repository permissions using the EJBROLE class by completing the following tasks:

  1. Define the EJBROLE profiles:
    JazzAdmins
    Jazz repository administrators with full read/write access.
    JazzProjectAdmins
    Jazz repository administrators with specific permissions to manipulate project areas, team areas, and process templates.
    JazzGuests
    Users with read-only access to the Jazz repository.
    JazzUsers
    Users with regular read/write access to the Jazz repository.
    Example RACF commands: 
    RDEFINE EJBROLE JazzAdmins UACC(NONE)
RDEFINE EJBROLE JazzProjectAdmins UACC (NONE)
RDEFINE EJBROLE JazzGuests UACC(READ)
RDEFINE EJBROLE JazzUsers UACC(NONE)
  2. Permit the appropriate access to users or groups.
    Example RACF commands: 
    Permit JazzAdmins CLASS(EJBROLE) ID(jazAdmns) ACCESS(READ)
Permit JazzProjectAdmins CLASS(EJBROLE) ID(jPradmns) ACCESS (READ)
Permit JazzUsers CLASS(EJBROLE) ID(jazzgrp) ACCESS(READ)
  3. Activate the new definitions:
    After the RACF RDEFINE and PERMIT commands, you must issue the following command to take them into account:
    SETROPTS RACLIST(EJBROLE) REFRESH
  4. After you configure Jazz Team Server, you must log on as a Jazz Team Server administrator to verify the configuration. Before attempting to verify the configuration, provide at least one user ID or group with read authority to the JazzAdmins profile in the EJBROLE class.
    Notes:
    • When you add user IDs to the Jazz repository, you must also give them read authority to the appropriate RACF profile in the EJBROLE class (JazzAdmins, JazzProjectAdmins, JazzGuests, JazzUsers).
    • For IBM WebSphere Liberty:
      • A System Authorization Facility (SAF) profile prefix is specified in the server.xml and jvm.options files that affects the way the EJBROLE profiles are referenced. For more information about using EJBROLE profiles, search the WebSphere Liberty Server for z/OS for the version that you are running for the System Authorization Facility for role-based authorization topic.
      • You must grant READ access to the APPL profile for the Engineering Workflow Management users. Search the WebSphere Liberty server for z/OS for the version that you are running for more information.
      • The value for profilePrefix in server.xml will be used as a prefix for the EJBROLEs in RACF.
    Attention: When your password expires, you cannot connect to the Jazz Team Server, but you will not receive an error message that indicates your password has expired. If you cannot connect to the Jazz Team Server because of an expired password, you must change the password using TSO or IBM Developer for z/OS® .