Implementing security for z/OS UNIX files

To implement access control for z/OS® UNIX files used by CICS® web support, when they are specified as static responses in URIMAP definitions that use the HFSFILE attribute, follow the steps listed in this topic.

Before you begin

The CICS region user ID must always have a minimum of read and execute permission to all z/OS UNIX files that it uses for CICS web support, and to the directories containing them. The user ID of the web client is only used when accessing z/OS UNIX files as a static response, but the CICS region user ID applies to all other attempts to access the file. If the CICS region user ID does not have permission to access the file, even an authorized web client is unable to view it. This is the case even when the file is defined as a CICS document template.

Procedure

  1. Select an appropriate method to give permissions to web clients to access the z/OS UNIX files and directories.
    You might choose to use the group permissions for the files and directories, or access control lists (ACLs).
    Even if it is possible for you to use group permissions, the use of ACLs is the preferred solution for giving permissions to web clients' user IDs. With ACLs, you can allow access to multiple user groups, and the access can be set for single files or once for all the files in a directory. Directory permissions can be arranged in the same way. You can also use ACL commands to modify permissions for the files and directories. Although you work with ACLs in the z/OS UNIX System Services shell environment, they are created and checked by RACF®, so if you are using a different security product, check its documentation to see if ACLs are supported.
    When you have chosen your preferred method, follow the relevant steps in the remainder of this procedure.
  2. Identify the authenticated user IDs used by web clients. These must be the basis of your access control. (You cannot supply an override by using an analyzer program, as you can with application-generated responses.)
    Authenticated user IDs already have a user profile defined in your security manager.
  3. For each web client user ID, choose and assign a suitable z/OS UNIX user identifier (UID). The UIDs are numbers that can be in the range 0 - 16 777 216. To assign UIDs, specify the UID value in the OMVS segment of the user profile for each user ID.
    The topic RACF user profiles tells you how to update a RACF user profile by using the ALTUSER command.
    For example, if the web client's user ID is WEBUSR1, and the UID you want to assign is 2006, use the command:
    ALTUSER WEBUSR1 OMVS(UID(2006))
    All users must have a z/OS UNIX user identifier (UID) in their user profile in order to use z/OS UNIX functions, even if you are not assigning permissions based on the UID. z/OS UNIX System Services Planning explains how to manage the UIDs and GIDs for your z/OS UNIX system.
  4. Choose, or create, RACF groups that can be used by groups of web clients with the same permissions.
    For best performance, even if you are using ACLs, you should assign permissions to groups rather than individual users.
  5. For each RACF group, choose a suitable z/OS UNIX group identifier (GID), and assign the GID to the RACF group. To assign a GID, specify the GID value in the OMVS segment of the RACF group profile.
    For example, if the RACF group is CICSWEB1, and the GID you want to assign is 9, use the command:
    ALTGROUP CICSWEB1 OMVS(GID(9))
  6. Make sure that each of your web client user IDs connects to a RACF group to which you assigned a z/OS UNIX group identifier (GID).
    If your web clients must connect to more than one RACF group, RACF list of groups checking must be active in your system.
  7. Before you modify the permissions for the z/OS UNIX files and directories, ensure that your user ID is either a superuser on z/OS UNIX, or the owner of each z/OS UNIX file and directory you want to work with. Also, if you are working with groups, the owner of the files and directories must be connected to the RACF groups that you are using.
  8. Optional: If you have chosen to use ACLs, set up ACLs that apply to all of the z/OS UNIX files and directories used by CICS web support for static responses, by using the setfacl command in the z/OS UNIX System Services shell environment.
    z/OS UNIX System Services Planning has information about using ACLs, and examples of how to use the setfacl command.
    1. For files, you can set up access ACLs, which apply to an individual file, or file default ACLs, which apply to all the files within a directory and within its subdirectories.
    2. For directories, you can set up access ACLs, which apply to an individual directory, or directory default ACLs, which apply to the subdirectories within a directory.
    3. To minimize the impact to performance, assign group permissions for the files to the RACF groups to which your web clients' user IDs connect, rather than using individual user IDs.
      (There is also a limit on the number of items that can be specified in an ACL.)
    4. If you must change the permissions granted to the groups (the base permission bits that specify read, write, and execute access), you can specify this by using the setfacl command as well.
      Web clients must have read access to the z/OS UNIX files and directories.
    5. If you are using ACLs, ensure that the FSSEC class is activated. Use the RACF command SETROPTS CLASSACT(FSSEC) to do this.
      You can define ACLs before activating the FSSEC class, but you must activate the FSSEC class before ACLs can be used in access decisions.
  9. Optional: If you have chosen to use group permissions without using ACLs, assign the group permissions for each z/OS UNIX file and directory to a group to which your web clients connect, and give the group read permissions. Use the UNIX command chmod to do this. z/OS UNIX System Services Command Reference and z/OS UNIX System Services User's Guide have information about using this command.
    (Note that, because group permissions can be assigned to only one group when you use this method, some of your web clients' user IDs might need to connect to more than one group to acquire all the correct permissions.)
  10. Specify SEC=YES as a CICS system initialization parameter. (SECPRFX is not relevant for z/OS UNIX files, as they do not have RACF profiles).
  11. Specify XHFS=YES as a CICS system initialization parameter.
    This step activates access control for all z/OS UNIX files in the CICS region.
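The following model of the access decisions this procedure sets up is an added example, not IBM code from this topic: it shows why a missing UID, an inactive FSSEC class, or a region user ID without execute permission each blocks a static response. The user IDs CICSREG and WEBUSR2, the UID 1001, the GID 8, the paths under /u/cicsweb and the ACL entries are constructed sample values.

```python
"""Model of the z/OS UNIX access decisions this topic describes (added example,
not IBM code). User IDs, UIDs, GIDs, paths and ACL entries are constructed."""
USERS = {                              # user ID -> (UID from OMVS segment, groups)
    "CICSREG": (1001, ["CICSGRP"]),    # CICS region user ID (constructed)
    "WEBUSR1": (2006, ["CICSWEB1"]),   # ALTUSER WEBUSR1 OMVS(UID(2006))
    "WEBUSR2": (None, ["CICSWEB1"]),   # no UID assigned: cannot use z/OS UNIX at all
}
GROUPS = {"CICSGRP": 8, "CICSWEB1": 9}  # group -> GID, e.g. ALTGROUP CICSWEB1 OMVS(GID(9))

# path -> owner UID, owning GID, (owner, group, other) bits, ACL entries keyed by GID
FILES = {
    "/u": dict(uid=0, gid=0, bits=("rwx", "r-x", "r-x"), acl={}),
    "/u/cicsweb": dict(uid=1001, gid=8, bits=("rwx", "r-x", "---"),
                       acl={"group:9": "r-x"}),  # setfacl -m group:CICSWEB1:r-x
    "/u/cicsweb/index.html": dict(uid=1001, gid=8, bits=("rwx", "r--", "---"),
                                  acl={"group:9": "r--"}),
    "/u/cicsweb/notes.txt": dict(uid=1001, gid=8, bits=("rw-", "r--", "---"),
                                 acl={"group:9": "r--"}),  # region user ID lacks x
}

grants = lambda bits, want: all(b in bits for b in want)

def allowed(userid, path, want, fssec=True):
    """Simplified z/OS UNIX check: owner bits, else ACL user entry, else any matching
    group entry (base or ACL) that grants, else other bits. ACLs count only with FSSEC active."""
    uid, groups = USERS[userid]
    if uid is None:                                   # step 3: a UID is mandatory
        return False
    obj = FILES[path]
    acl = obj["acl"] if fssec else {}                 # step 8.5: SETROPTS CLASSACT(FSSEC)
    if uid == obj["uid"]:
        return grants(obj["bits"][0], want)
    if f"user:{uid}" in acl:
        return grants(acl[f"user:{uid}"], want)
    gids = {GROUPS[g] for g in groups if g in GROUPS}  # steps 5-6: group needs a GID
    matches = [obj["bits"][1]] if obj["gid"] in gids else []
    matches += [p for k, p in acl.items() if k.startswith("group:") and int(k[6:]) in gids]
    if matches:                                       # a group match never falls through to "other"
        return any(grants(m, want) for m in matches)
    return grants(obj["bits"][2], want)

def static_response(client, path, region="CICSREG", fssec=True):
    """URIMAP static response (HFSFILE): the region user ID needs read and execute on
    the file and each directory above it; the web client then needs read on each."""
    chain = ["/".join(path.split("/")[:i]) for i in range(2, path.count("/") + 2)]
    if not all(allowed(region, p, "rx", fssec) for p in chain):
        return "region user ID lacks access"          # an authorized client still cannot view
    if not all(allowed(client, p, "r", fssec) for p in chain):
        return "403 Forbidden, DFHXS1116"
    return "200 OK"
```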

Results

When you have completed the setup procedure, from this point onwards:
  • All web clients who use a connection with basic authentication or client certificate authentication and attempt to access any HFS files must have a user profile in the security manager that contains a valid z/OS UNIX UID and connects to a RACF group with a valid z/OS UNIX GID.
  • To be able to view a web page derived from a z/OS UNIX file, web clients who use a connection with basic authentication or client certificate authentication must have read permissions to the file and to the directories containing it, either individually or through the RACF groups to which they are connected.
If these conditions are not in place, web clients receive a 403 (Forbidden) status code, and CICS issues message DFHXS1116.