Setting up user security on a z/OS system by using RACFSetting up user security on a z/OS system using RACF
Additional information you need for setting up user security on a z/OS® system.
Before you begin
About this task
Repository permissions and role-based permissions for users are similar for servers running on z/OS and other platforms; however, on z/OS, when the Jazz® Team Server and the IBM Engineering Lifecycle Management (ELM) applications are configured to use RACF® for security, the WebSphere® Application Server or the WebSphere Liberty profile determines repository permissions based on RACF EJBROLE profiles for security control.
Define the Jazz Team Server and ELM application repository permissions using the EJBROLE class by completing the following tasks:
- Define the EJBROLE profiles:
- JazzAdmins
- Jazz repository administrators with full read/write access.
- JazzProjectAdmins
- Jazz repository administrators with specific permissions to manipulate project areas, team areas, and process templates.
- JazzGuests
- Users with read-only access to the Jazz repository.
- JazzUsers
- Users with regular read/write access to the Jazz repository.
Example RACF commands:RDEFINE EJBROLE JazzAdmins UACC(NONE) RDEFINE EJBROLE JazzProjectAdmins UACC (NONE) RDEFINE EJBROLE JazzGuests UACC(READ) RDEFINE EJBROLE JazzUsers UACC(NONE)
- Permit the appropriate access to users or groups. Example RACF commands:
Permit JazzAdmins CLASS(EJBROLE) ID(jazAdmns) ACCESS(READ) Permit JazzProjectAdmins CLASS(EJBROLE) ID(jPradmns) ACCESS (READ) Permit JazzUsers CLASS(EJBROLE) ID(jazzgrp) ACCESS(READ)
- Activate the new definitions:After the RACF RDEFINE and PERMIT commands, you must issue the following command to take them into account:
SETROPTS RACLIST(EJBROLE) REFRESH
- After you configure Jazz Team Server, you
must log on as a Jazz Team Server
administrator to verify the configuration. Before attempting to verify the configuration, provide at
least one user ID or group with read authority to the JazzAdmins profile in the EJBROLE class. Notes:
- When you add user IDs to the Jazz repository, you must also give them read authority to the appropriate RACF profile in the EJBROLE class (JazzAdmins, JazzProjectAdmins, JazzGuests, JazzUsers).
- For WebSphere Application
Server:
- Specifying a System Authorization Facility (SAF) profile prefix during the WebSphere Application Server customization process affects the way the EJBROLE profiles are referenced. For more information about using EJBROLE profiles, search the WebSphere Application Server for z/OS product documentation for the version that you are running for the System Authorization Facility for role-based authorization topic.
- If you select the Enable SAF Authorization option as the external authorization provider and select Use the APPL profile to restrict access to the application server, you must grant READ access to the APPL profile for the IBM Engineering Workflow Management (EWM) users. Search the WebSphere Application Server for z/OS product documentation for the version that you are running for more information.
- If it is set, note the value of com.ibm.security.SAF.profilePrefix. It will be used as a prefix for the EJBROLEs in RACF.
- For WebSphere Liberty profile:
- A System Authorization Facility (SAF) profile prefix is specified in the server.xml and jvm.options files that affects the way the EJBROLE profiles are referenced. For more information about using EJBROLE profiles, search the WebSphere Application Server for z/OS product documentation for the version that you are running for the System Authorization Facility for role-based authorization topic.
- You must grant READ access to the APPL profile for the Engineering Workflow Management users. Search the WebSphere Application Server for z/OS product documentation for the version that you are running for more information.
- The value for
profilePrefix
in server.xml will be used as a prefix for the EJBROLEs in RACF.
Attention: When your password expires, you cannot connect to the Jazz Team Server, but you will not receive an error message that indicates your password has expired. If you cannot connect to the Jazz Team Server because of an expired password, you must change the password using TSO or IBM Developer for z/OS.