Enabling support for profile qualifier

Unified Management Server now supports a profileQualifier setting, which makes it possible to support more than one user set in the useSAFOnly security mode. All SAF checks are performed using this profileQualifier.

Before you begin

Notes:
  • The prefix will always be IZP.
  • Steps 1 to 5 are required for UMS users and steps 6 to 10 are required for Db2® CI/CD Expert users.

Procedure

  1. Stop all Zowe started tasks.
  2. Change {components.izp.security.profileQualifier} to a unique value with three to eight characters.
  3. Run IZPGENER in IZP JCLLIB.
  4. Create role profiles.
    RDEFINE IZP IZP.{components.izp.security.profileQualifier}.SUPER UACC(NONE)
    RDEFINE IZP IZP.{components.izp.security.profileQualifier}.ADMIN UACC(NONE)
  5. Grant a set of UMS users (individual or group) access to either SUPER or ADMIN (not both).
    PERMIT IZP.{components.izp.security.profileQualifier}.SUPER CLASS(IZP) ID(<end_user>) ACCESS(READ)
    PERMIT IZP.{components.izp.security.profileQualifier}.ADMIN CLASS(IZP) ID(<end_user>) ACCESS(READ)
  6. Create function profiles.
    RDEFINE IZP IZP.{components.izp.security.profileQualifier}.FUNCTION.ROLES.GET UACC(NONE)
    RDEFINE IZP IZP.{components.izp.security.profileQualifier}.FUNCTION.TEAMS.GET UACC(NONE)
    RDEFINE IZP IZP.{components.izp.security.profileQualifier}.FUNCTION.USERS.GET UACC(NONE)
  7. Grant access to administrators (group or individual).
    PERMIT IZP.{components.izp.security.profileQualifier}.FUNCTION.ROLES.GET CLASS(IZP) ID(<end_user>) ACCESS(READ)
    PERMIT IZP.{components.izp.security.profileQualifier}.FUNCTION.TEAMS.GET CLASS(IZP) ID(<end_user>) ACCESS(READ)
    PERMIT IZP.{components.izp.security.profileQualifier}.FUNCTION.USERS.GET CLASS(IZP) ID(<end_user>) ACCESS(READ)
  8. Optional: If you are creating a team, make a team profile in the same way.
    RDEFINE IZP IZP.{components.izp.security.profileQualifier}.TEAM.{SAF_ID}
  9. Optional: If a team is already created, grant team access to a profile (user or individual).
    Team Admin
    PERMIT IZP.{components.izp.security.profileQualifier}.TEAM.{SAF_ID} CLASS(IZP) ID(<end_user>) ACCESS(UPDATE)
    Team User
    PERMIT IZP.{components.izp.security.profileQualifier}.TEAM.{SAF_ID} CLASS(IZP) ID(<end_user>) ACCESS(READ)
  10. Start all Zowe started tasks.
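
The following Python sketch is an added example, not part of the product or its documentation. It generates the RACF commands for steps 4 to 7 from a chosen qualifier, enforcing the three-to-eight-character length and the rule that an ID receives SUPER or ADMIN but not both. The function names, the qualifier PRD1 and the IDs USR001 and DBAGRP are constructed for illustration, and the PERMIT commands name CLASS(IZP) explicitly because RACF PERMIT otherwise defaults to the DATASET class.

```python
ROLES = ("SUPER", "ADMIN")
FUNCTIONS = ("ROLES.GET", "TEAMS.GET", "USERS.GET")


def profile(qualifier, *parts):
    """Build IZP.<qualifier>.<parts> (the prefix is always IZP)."""
    if not 3 <= len(qualifier) <= 8:
        raise ValueError("profileQualifier must be three to eight characters")
    if "." in qualifier or " " in qualifier:
        # Added precaution, not a documented rule: a dot or blank would
        # change how the profile name splits into qualifiers.
        raise ValueError("profileQualifier must be a single qualifier")
    return ".".join(("IZP", qualifier) + parts)


def permit(name, saf_id, access="READ"):
    # CLASS(IZP) is explicit because PERMIT defaults to the DATASET class.
    return f"PERMIT {name} CLASS(IZP) ID({saf_id}) ACCESS({access})"


def plan(qualifier, role_grants, admins):
    """Return the RACF commands for steps 4 to 7 as a list of strings.

    role_grants: (SAF ID, role) pairs; admins: IDs for the function profiles.
    """
    seen = {}
    for saf_id, role in role_grants:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        if seen.setdefault(saf_id, role) != role:
            raise ValueError(f"{saf_id} would hold both SUPER and ADMIN")
    cmds = [f"RDEFINE IZP {profile(qualifier, r)} UACC(NONE)" for r in ROLES]
    cmds += [permit(profile(qualifier, r), i) for i, r in role_grants]
    funcs = [profile(qualifier, "FUNCTION", f) for f in FUNCTIONS]
    cmds += [f"RDEFINE IZP {name} UACC(NONE)" for name in funcs]
    cmds += [permit(name, i) for name in funcs for i in admins]
    return cmds


if __name__ == "__main__":
    # Constructed sample values: qualifier PRD1, user USR001, group DBAGRP.
    for line in plan("PRD1", [("USR001", "SUPER"), ("DBAGRP", "ADMIN")], ["DBAGRP"]):
        print(line)
```

The conflict check only sees the IDs passed to it; a user who belongs to a group that was granted the other role is not detected.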