Setting up user security on a z/OS system by using RACF

Additional information you need for setting up user security on a z/OS® system.

Before you begin

Review the information in Permissions.

About this task

Repository permissions and role-based permissions for users are similar for servers running on z/OS and other platforms; however, on z/OS, when the Jazz® Team Server and the IBM Engineering Lifecycle Management (ELM) applications are configured to use RACF® for security, the WebSphere® Application Server or the WebSphere Liberty profile determines repository permissions based on RACF EJBROLE profiles for security control.

Define the Jazz Team Server and ELM application repository permissions using the EJBROLE class by completing the following tasks:

  1. Define the EJBROLE profiles:
    JazzAdmins
    Jazz repository administrators with full read/write access.
    JazzProjectAdmins
    Jazz repository administrators with specific permissions to manipulate project areas, team areas, and process templates.
    JazzGuests
    Users with read-only access to the Jazz repository.
    JazzUsers
    Users with regular read/write access to the Jazz repository.
    Example RACF commands:
    RDEFINE EJBROLE JazzAdmins UACC(NONE)
    RDEFINE EJBROLE JazzProjectAdmins UACC(NONE)
    RDEFINE EJBROLE JazzGuests UACC(READ)
    RDEFINE EJBROLE JazzUsers UACC(NONE)
  2. Permit the appropriate access to users or groups. JazzGuests was defined with UACC(READ), so it needs no PERMIT command.
    Example RACF commands:
    PERMIT JazzAdmins CLASS(EJBROLE) ID(jazAdmns) ACCESS(READ)
    PERMIT JazzProjectAdmins CLASS(EJBROLE) ID(jPradmns) ACCESS(READ)
    PERMIT JazzUsers CLASS(EJBROLE) ID(jazzgrp) ACCESS(READ)
  3. Activate the new definitions:
    After the RACF RDEFINE and PERMIT commands, you must issue the following command to refresh the in-storage profiles so that the new definitions take effect:
    SETROPTS RACLIST(EJBROLE) REFRESH
  4. After you configure Jazz Team Server, you must log on as a Jazz Team Server administrator to verify the configuration. Before attempting to verify the configuration, provide at least one user ID or group with read authority to the JazzAdmins profile in the EJBROLE class.
    Notes:
    • When you add user IDs to the Jazz repository, you must also give them read authority to the appropriate RACF profile in the EJBROLE class (JazzAdmins, JazzProjectAdmins, JazzGuests, JazzUsers).
    • For WebSphere Application Server:
      • Specifying a System Authorization Facility (SAF) profile prefix during the WebSphere Application Server customization process affects the way the EJBROLE profiles are referenced. For more information about using EJBROLE profiles, search the WebSphere Application Server for z/OS product documentation for the version that you are running for the topic "System Authorization Facility for role-based authorization".
      • If you select the Enable SAF Authorization option as the external authorization provider and select Use the APPL profile to restrict access to the application server, you must grant READ access to the APPL profile for the IBM Engineering Workflow Management (EWM) users. Search the WebSphere Application Server for z/OS product documentation for the version that you are running for more information.
      • If it is set, note the value of com.ibm.security.SAF.profilePrefix. It is used as a prefix for the EJBROLE profile names in RACF.
    • For WebSphere Liberty profile:
      • A System Authorization Facility (SAF) profile prefix is specified in the server.xml and jvm.options files and affects the way the EJBROLE profiles are referenced. For more information about using EJBROLE profiles, search the WebSphere Application Server for z/OS product documentation for the version that you are running for the topic "System Authorization Facility for role-based authorization".
      • You must grant READ access to the APPL profile for the Engineering Workflow Management users. Search the WebSphere Application Server for z/OS product documentation for the version that you are running for more information.
      • The value of profilePrefix in server.xml is used as a prefix for the EJBROLE profile names in RACF.
    Attention: When your password expires, you cannot connect to the Jazz Team Server, but you will not receive an error message that indicates your password has expired. If you cannot connect to the Jazz Team Server because of an expired password, you must change the password using TSO or IBM Developer for z/OS.
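The steps above show the EJBROLE commands without a SAF profile prefix. The following command sequence is an added example, not from the IBM documentation, that carries the whole procedure through for the WebSphere Liberty case where a profile prefix is set: it assumes the prefix value BBGZDFLT (replace it with the profilePrefix value from your server.xml) and reuses the page's example IDs jazAdmns, jPradmns and jazzgrp. It also adds the APPL profile grant and the RLIST verification that the notes above call for.

```tso
/* Added example (not IBM's own commands). ASSUMED prefix: BBGZDFLT.        */
/* Profile names become <profilePrefix>.<roleName>; the APPL profile is     */
/* named after the prefix itself.                                           */

/* 0. Make sure the classes are active and RACLISTed (skip if already so)  */
SETROPTS CLASSACT(APPL) RACLIST(APPL)
SETROPTS CLASSACT(EJBROLE) RACLIST(EJBROLE)

/* 1. APPL profile: users need READ on it to authenticate to the server    */
RDEFINE APPL BBGZDFLT UACC(NONE)
PERMIT BBGZDFLT CLASS(APPL) ID(jazAdmns jPradmns jazzgrp) ACCESS(READ)

/* 2. EJBROLE profiles, prefixed with the profilePrefix value              */
RDEFINE EJBROLE BBGZDFLT.JazzAdmins UACC(NONE)
RDEFINE EJBROLE BBGZDFLT.JazzProjectAdmins UACC(NONE)
RDEFINE EJBROLE BBGZDFLT.JazzGuests UACC(READ)
RDEFINE EJBROLE BBGZDFLT.JazzUsers UACC(NONE)

/* 3. Grant the roles (JazzGuests needs no PERMIT: UACC(READ) covers it)   */
PERMIT BBGZDFLT.JazzAdmins CLASS(EJBROLE) ID(jazAdmns) ACCESS(READ)
PERMIT BBGZDFLT.JazzProjectAdmins CLASS(EJBROLE) ID(jPradmns) ACCESS(READ)
PERMIT BBGZDFLT.JazzUsers CLASS(EJBROLE) ID(jazzgrp) ACCESS(READ)

/* 4. Refresh the in-storage copies so the new definitions take effect     */
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH

/* 5. Verify before the first administrator logon: the access lists must   */
/*    show the administrator ID or group with READ                          */
RLIST EJBROLE BBGZDFLT.JazzAdmins AUTHUSER
RLIST APPL BBGZDFLT AUTHUSER
```

EJBROLE profile names are case sensitive, so issue these commands from an environment that preserves mixed case; a profile created as BBGZDFLT.JAZZADMINS would never match the JazzAdmins role. For WebSphere Application Server (traditional) the same layout applies with the com.ibm.security.SAF.profilePrefix value in place of BBGZDFLT.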