Steps for setting up security for the Printer Inventory, common message log, and operator commands
These steps show the RACF® and z/OS® UNIX commands to use to set up security for the Printer Inventory, common message log, and Infoprint Server operator commands.
1. Define a group to RACF for Infoprint Server administrators.
   An Infoprint Server administrator can view and update the Printer Inventory and can view all messages in the common message log. The suggested group name for administrators is AOPADMIN. However, you can use any name. The group profile must have an OMVS segment and an OMVS group identifier (GID).
   Example: This ADDGROUP command defines group AOPADMIN. For group-identifier, specify an integer that is different from other GIDs in your installation:
      ADDGROUP (AOPADMIN) OMVS(GID(group-identifier))
   If you use the MVS™ system logger for the common message log, Infoprint Server administrators must also have READ access to the profile that protects the log stream. For information, see Setting up security for log streams.

2. Define a group to RACF for Infoprint Server operators.
   Infoprint Server operators can start and stop Infoprint Server daemons with the start and stop commands from the z/OS UNIX command line or the JCL startup and shutdown procedures. The suggested group name for Infoprint Server operators is AOPOPER. However, you can use any name. The group profile must have an OMVS segment and a group identifier (GID).
   Example: This ADDGROUP command creates group AOPOPER. For group-identifier, specify an integer that is different from other GIDs in your installation:
      ADDGROUP (AOPOPER) OMVS(GID(group-identifier))
   If your installation's security policy does not require a distinction between Infoprint Server administrators and operators, you can skip this step and give the group for Infoprint Server administrators (AOPADMIN) access to the AOP.ADMINISTRATOR profile in a later step.

3. (Optional) Define a group to RACF for Infoprint Server configuration managers.
   Infoprint Server configuration managers can view and update Infoprint Server configuration attributes in the system configuration definition if the dynamic configuration function is enabled. The suggested group name for Infoprint Server configuration managers is AOPCONF. However, you can use any name. The group profile does not need an OMVS segment and a group identifier (GID).
   Example: This ADDGROUP command creates group AOPCONF:
      ADDGROUP (AOPCONF)
   Consider defining the AOPCONF group if you enable dynamic configuration and you define the AOP.CONFIGURATION resource profile to restrict access to the system configuration definition.

4. Activate the PRINTSRV class.
   In addition, to improve performance, copy profiles in the PRINTSRV class into virtual storage. If you copy profiles into virtual storage, you must use the SETROPTS command to refresh the PRINTSRV class after you define new profiles or authorize new users to profiles in the class.
   Example: This SETROPTS command activates the PRINTSRV class and copies profiles into virtual storage:
      SETROPTS CLASSACT(PRINTSRV) RACLIST(PRINTSRV)

5. Define a resource profile to RACF named AOP.ADMINISTRATOR in the PRINTSRV class.
   Example: This RDEFINE command defines resource profile AOP.ADMINISTRATOR with universal READ access:
      RDEFINE PRINTSRV (AOP.ADMINISTRATOR) UACC(READ)
      SETROPTS RACLIST(PRINTSRV) REFRESH
   Guideline: If you want RACF to notify the security administrator (by a message) when a user tries to read or update the Printer Inventory and is not authorized, specify the NOTIFY parameter on the RDEFINE command. Otherwise, Infoprint Server suppresses RACF messages when it checks the AOP.ADMINISTRATOR profile.

6. (Optional) Define a resource profile to RACF named AOP.CONFIGURATION in the PRINTSRV class.
   If you want to restrict who can update the system configuration definition separately from other definitions in the Printer Inventory, define the AOP.CONFIGURATION profile. If you do not define the AOP.CONFIGURATION profile, users who have UPDATE access to the AOP.ADMINISTRATOR profile can update the system configuration definition and other objects in the Printer Inventory.
   Users who have READ access to either the AOP.CONFIGURATION profile or the AOP.ADMINISTRATOR profile can view the system configuration definition.
   Example: This RDEFINE command defines resource profile AOP.CONFIGURATION with universal access of NONE:
      RDEFINE PRINTSRV (AOP.CONFIGURATION) UACC(NONE)
      SETROPTS RACLIST(PRINTSRV) REFRESH

7. Give non-administrators READ access to the AOP.ADMINISTRATOR profile.
   If you defined resource profile AOP.ADMINISTRATOR with universal access of NONE, give users who need to view the Printer Inventory with either Infoprint Server ISPF panels or Infoprint Central READ access to the AOP.ADMINISTRATOR profile.
   Example: This PERMIT command lets a user or group read the Printer Inventory:
      PERMIT AOP.ADMINISTRATOR CLASS(PRINTSRV) ACCESS(READ) ID(userid or groupid)
      SETROPTS RACLIST(PRINTSRV) REFRESH
   Note: READ access to the AOP.ADMINISTRATOR profile also lets users use the ISPF panels to view the system configuration definition.

8. Give the Infoprint Server administrator group (AOPADMIN) UPDATE access to the AOP.ADMINISTRATOR resource profile.
   You can authorize group AOPADMIN to the AOP.ADMINISTRATOR resource profile or you can authorize each user separately. Users must have UPDATE (or higher) access to the AOP.ADMINISTRATOR resource profile to view and update the Printer Inventory.
   Example: This PERMIT command authorizes the AOPADMIN group to the AOP.ADMINISTRATOR profile in the PRINTSRV class:
      PERMIT AOP.ADMINISTRATOR CLASS(PRINTSRV) ACCESS(UPDATE) ID(AOPADMIN)
      SETROPTS RACLIST(PRINTSRV) REFRESH

9. (Optional) If you defined the AOP.CONFIGURATION resource profile in step 6, give Infoprint Server configuration managers UPDATE access to the profile.
   You can authorize group AOPCONF to the AOP.CONFIGURATION resource profile or you can authorize each user separately.
   Example: This PERMIT command authorizes the AOPCONF group to the AOP.CONFIGURATION profile in the PRINTSRV class:
      PERMIT AOP.CONFIGURATION CLASS(PRINTSRV) ACCESS(UPDATE) ID(AOPCONF)
      SETROPTS RACLIST(PRINTSRV) REFRESH

10. (Optional) If you defined resource profiles AOP.CONFIGURATION and AOP.ADMINISTRATOR with universal access of NONE, give users who need to view the system configuration definition, but not update it, READ access to either the AOP.CONFIGURATION profile or the AOP.ADMINISTRATOR profile.
   Example: This PERMIT command lets a user view the system configuration definition:
      PERMIT AOP.CONFIGURATION CLASS(PRINTSRV) ACCESS(READ) ID(userid)
      SETROPTS RACLIST(PRINTSRV) REFRESH

11. Define Infoprint Server administrators, operators, and other users whom you want to read the Printer Inventory to RACF as z/OS UNIX users. This step shows one way to define users to RACF.
   For complete information about how to define z/OS UNIX users to RACF, see z/OS UNIX System Services Planning. For each user, establish an OMVS segment and set the user's default group to a group that has an OMVS segment with a group identifier (GID). You can specify any home directory or use the default home directory. You can use either the ADDUSER command to define a new user ID or the ALTUSER command to modify an existing user ID.
   Example: This ALTUSER command modifies an existing user ID. For userid, specify an existing user ID. For user-identifier, specify an integer that is different from other UIDs in your installation. For group, specify AOPOPER, AOPADMIN, or any other group that has an OMVS GID:
      ALTUSER userid OMVS(UID(user-identifier) PROGRAM('/bin/sh')) DFLTGRP(group)
   Guidelines:
   - The user's default group must have a GID defined so that the user can use z/OS UNIX.
   - For instructions about how to define a user ID for use with the JCL startup and shutdown procedures, see Creating a user ID to assign to the JCL startup and shutdown procedures.

12. Connect Infoprint Server administrators, operators, and configuration managers to the appropriate group.
   If you use the JCL startup and shutdown procedures to start and stop Infoprint Server, connect the user ID assigned to these procedures to the AOPOPER group.
   Example: These CONNECT commands connect a user to the AOPADMIN group for administrators, connect a user to the AOPOPER group for operators, and connect a user to the AOPCONF group for configuration managers. Specify an existing user ID for userid:
      CONNECT (userid) GROUP(AOPADMIN)
      CONNECT (userid) GROUP(AOPOPER)
      CONNECT (userid) GROUP(AOPCONF)
   Tip: If you did not define a separate group for Infoprint Server operators in step 2, connect the operators to the group for Infoprint Server administrators (AOPADMIN).

13. Give the AOPOPER group (or the user ID that is associated with the JCL startup procedure) RACF authorization to these resources and profiles:
   - If you use IP PrintWay™ extended mode, UPDATE access to profiles in the JESSPOOL class. See Authorizing IP PrintWay to select data sets from the JES spool (extended mode).
   - If you use IP PrintWay extended mode, READ access to the BPX.SMF profile in the FACILITY class. See Authorizing IP PrintWay to write SMF type 6 records (extended mode).
   - If you use Infoprint Central, access to profiles in the OPERCMDS and JESSPOOL classes. For information about the type of access that is required, see Setting up security for Infoprint Central.
   - If you use IBM® transforms from AFP to PCL, PDF, or PostScript, READ access to transform resources, such as AFP resource libraries, that are on the z/OS system. For more information, see the documentation for the transform.
   - If you use the MVS system logger for the common message log, UPDATE access to the profile that protects the log stream. For information, see Setting up security for log streams.
   Tip: If you always use the JCL startup and shutdown procedures (and not the start and stop commands from the z/OS UNIX command line) to start and stop Infoprint Server, instead of giving RACF access to the AOPOPER group, you can give RACF access to the user ID that is associated with the JCL startup and shutdown procedures.

14. Give universal RACF access to the Infoprint Server ISPF data sets. This lets all users view Infoprint Server ISPF panels.
   Example: The RACF ADDGROUP command creates a group that is named AOP to own the data set resource profile. The RACF ADDSD command creates a generic data set resource profile that gives universal READ access to data sets that start with "AOP.":
      ADDGROUP (AOP) SUPGROUP(SYS1) OWNER(SYS1)
      ADDSD 'AOP.*' GENERIC OWNER(AOP) UACC(READ)
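The access rules that steps 5 through 10 establish (UACC versus PERMIT entries, READ versus UPDATE, and how defining AOP.CONFIGURATION narrows what UPDATE on AOP.ADMINISTRATOR covers) as a small Python model, added here as an illustration; it is not Infoprint Server's or RACF's own code. It assumes a simplified RACF check in which a user's effective access is the highest of the profile's UACC and any PERMIT entry for the user or for a group the user is connected to, and it assumes that once AOP.CONFIGURATION is defined, only UPDATE access to that profile allows updating the system configuration definition.

```python
from enum import IntEnum


class Access(IntEnum):
    """RACF access levels used on this page, ordered so UPDATE > READ > NONE."""
    NONE = 0
    READ = 1
    UPDATE = 2


class Profile:
    """A PRINTSRV resource profile: its UACC plus PERMIT entries (simplified model)."""

    def __init__(self, uacc=Access.NONE):
        self.uacc = uacc
        self.permits = {}  # user ID or group name -> Access, as in PERMIT ... ID(...)

    def permit(self, ident, access):
        self.permits[ident] = access
        return self


def effective_access(profile, userid, groups):
    """Highest of UACC and any PERMIT for the user or a group it is connected to.
    Assumption: list-of-groups checking; no conditional or global access entries."""
    ids = [userid, *groups]
    return max([profile.uacc] + [profile.permits.get(i, Access.NONE) for i in ids])


def can(action, userid, groups, admin, config=None):
    """Decide one of the page's actions. `admin` is AOP.ADMINISTRATOR (always
    defined, step 5); `config` is AOP.CONFIGURATION, or None if step 6 was skipped."""
    a = effective_access(admin, userid, groups)
    c = effective_access(config, userid, groups) if config is not None else None
    if action == "view_inventory":      # steps 7 and 8: READ or higher on AOP.ADMINISTRATOR
        return a >= Access.READ
    if action == "update_inventory":    # step 8: UPDATE on AOP.ADMINISTRATOR
        return a >= Access.UPDATE
    if action == "view_config":         # step 10: READ on either profile
        return a >= Access.READ or (c is not None and c >= Access.READ)
    if action == "update_config":       # step 6: without AOP.CONFIGURATION,
        if c is None:                   # UPDATE on AOP.ADMINISTRATOR covers it
            return a >= Access.UPDATE
        return c >= Access.UPDATE       # assumption: once defined, only this profile counts
    raise ValueError(f"unknown action {action!r}")
```

Running the same question with and without a `config` profile shows why step 6 is the control to add when administrators of the Printer Inventory should not also be able to change the system configuration definition.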