RACF security on z/OS systems
When you deploy Jazz Team Server and the other IBM® Engineering Lifecycle Management (ELM) applications on z/OS systems, you can use several RACF® security settings. These settings help secure your data and provide appropriate access to different types of users.
The basic requirements for installing z/OS components are:
- SMP/E installation
  - Specific z/OS UNIX System Services (USS) directories and data sets are created based on which FMIDs are installed. The z/OS data sets are protected by the data set profiles that you already configured. The user ID of the installer owns the USS directories; other users have READ and EXECUTE access. You can set up additional security protections.
- Creation of USS configuration and working directories
  - Running the sample JCL creates the configuration and working directories. The sample jobs are called BLZCP* jobs because there is a version for each component. For example, the Jazz Team Server job is BLZCPJTS, and the Build System Toolkit job is BLZCPBTK. You can specify group permissions when you run these sample jobs. Directories are created with the sticky bit turned on.
The following sections provide additional security information for installed components:
Data set profile protection
Before you begin the SMP/E installation, create a high-level qualifier (HLQ) for the ELM target and distribution libraries so that you can protect the HLQ by using RACF. Users who work with z/OS functions such as the IBM Engineering Workflow Management (EWM) ISPF client or Enterprise Extensions deployment and promotion functions must have READ access on the target data sets. If you copy the target data set elsewhere, users also need READ access on those copy data sets.
If you are installing Jazz Team Server and the ELM applications, you can see an example of RACF statements in the instructions that are provided with the BLZRACF job in hlq.SBLZSAMP, where hlq is the high-level qualifier that was specified during the SMP/E installation. Similar statements are included in the BLZRACFL job if you plan to run the server with the WebSphere Liberty profile. Review these jobs carefully.
If you are installing the EWM Build System Toolkit, the same RACF commands are provided in the BLZRACFT job in hlq.SBLZSAMP.
For most EWM data sets, READ access for users and ALTER access for system programmers is sufficient. Ask the system programmer who installed and configured the product for the correct data set names. The default high-level qualifier is BLZ, and a BLZ GROUP is allocated before creating the data set definition. To protect a data set with RACF, the first-level qualifier of the data set name must be a RACF-defined user ID or group name.
These sample RACF commands are included in the JCL:
LISTGRP BLZ
ADDGROUP (BLZ) OWNER(IBMUSER) SUPGROUP(SYS1) -
DATA('EWM - HLQ STUB')
# general data set protection
LISTDSD PREFIX(BLZ) ALL
ADDSD 'BLZ.**' -
UACC(READ) DATA('EWM')
PERMIT 'BLZ.**' -
CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
SETROPTS GENERIC(DATASET) REFRESH
# show results
LISTGRP BLZ
LISTDSD PREFIX(BLZ) ALL
User ID OMVS segment creation
You must define a RACF OMVS segment or equivalent that specifies a valid z/OS UNIX user ID (UID), home directory, and shell command for the user who runs the BLZCP* configuration jobs for both the server and the Build System Toolkit. The user's default group also requires an OMVS segment with a group ID.
BLZRACF and BLZRACFT contain similar RACF statements that you can use to create these IDs. In the following sample RACF commands, replace the placeholders #userid, #user-identifier, #group-name, and #group-identifier with actual values.
ALTUSER #userid OMVS(UID(#user-identifier) HOME(/u/#userid) PROGRAM(/bin/sh) NOASSIZEMAX)
ALTGROUP #group-name OMVS(GID(#group-identifier))
Jazz RACF group creation for access to resources
During the server and Build System Toolkit installation and configuration, several directories are created to hold configuration and temporary files. These directories are created in the BLZCP* jobs that are shipped in the hlq.SBLZSAMP data set. The directories are identified in the various BLZCP* jobs as @confPath@ and @workPath@. By default, the directories are set to /etc/jazz702 and /u/jazz702. Running these jobs creates the directories. The owner is the user ID who submits the jobs.
These jobs require the configuration of two RACF GROUPs that provide additional permission to other users who need access to the directories. If you are installing Jazz Team Server, see the sample RACF statements to perform this task in the relevant step in the BLZRACF job in hlq.SBLZSAMP. If you are installing the Build System Toolkit, the same RACF commands are provided in the BLZRACFT job in hlq.SBLZSAMP.
ADDGROUP JAZZCONF OMVS(GID(#conf-group-id)) -
DATA('GROUP WITH OMVS SEGMENT FOR JAZZ CONFIG DIRECTORIES')
ADDGROUP JAZZWORK OMVS(GID(#work-group-id)) -
DATA('GROUP WITH OMVS SEGMENT FOR JAZZ WORK DIRECTORIES')
In general, you can control access to the USS configuration and work directories by limiting access to the directories that contain them. For example, access to /etc/jazz702 can be restricted if the user or group does not have READ access to /etc.
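The BLZCP* jobs create the configuration and work directories with the sticky bit on, and the JAZZCONF and JAZZWORK groups carry the access that other users get through the OMVS GID. The following POSIX shell script is an added example, not part of the IBM documentation or the BLZCP* jobs: it checks a directory for the three properties a system programmer would want to verify afterwards (owning GID matches the expected group, no write access for "other", sticky bit set). The function names check_jazz_dir and report_dir, the temporary directory tree, and the GID 99999 are constructed for the demo; on a real system you would pass /etc/jazz702 or /u/jazz702 together with the GID you assigned in the group's OMVS segment.

```shell
#!/bin/sh
# Added example (not from the IBM page): audit USS directories created by the
# BLZCP* jobs. The demo tree is built under mktemp so nothing under the real
# /etc or /u is touched, and the caller's own primary GID stands in for the
# GID of JAZZCONF or JAZZWORK.

# check_jazz_dir DIR GID
# Echoes one verdict word and returns 0 only for OK:
#   MISSING         the directory does not exist
#   WRONG-GROUP     the owning GID is not the expected Jazz group GID
#   WORLD-WRITABLE  any user can create or remove entries in the directory
#   NO-STICKY       sticky bit off, so group members can remove each other's files
#   OK              all checks passed
check_jazz_dir() {
    dir=$1
    want_gid=$2
    if [ ! -d "$dir" ]; then
        echo MISSING
        return 1
    fi
    # ls -ldn prints: mode links uid gid size date... name (numeric ids, so
    # the check works even where the GID has no name in the local database)
    set -- $(ls -ldn "$dir")
    mode=$1
    gid=$4
    if [ "$gid" != "$want_gid" ]; then
        echo WRONG-GROUP
        return 1
    fi
    # character 9 of the mode string (e.g. drwxrwx--T) is the "other" write bit
    if [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
        echo WORLD-WRITABLE
        return 1
    fi
    if [ ! -k "$dir" ]; then
        echo NO-STICKY
        return 1
    fi
    echo OK
    return 0
}

# report_dir DIR GID: print the verdict without aborting the caller
report_dir() {
    printf '%-48s %s\n' "$1" "$(check_jazz_dir "$1" "$2")"
}

# --- constructed demo tree standing in for the BLZCP* output -----------------
demo_root=$(mktemp -d)
mygid=$(id -g)                                # plays the role of #conf-group-id
mkdir -p "$demo_root/etc/jazz702" "$demo_root/u/jazz702" "$demo_root/u/scratch"
chmod 1770 "$demo_root/etc/jazz702"   # owner+group rwx, sticky bit, no world access
chmod 1777 "$demo_root/u/jazz702"     # sticky bit on, but world-writable: flagged
chmod 0770 "$demo_root/u/scratch"     # right group, sticky bit off: flagged

report_dir "$demo_root/etc/jazz702" "$mygid"   # OK
report_dir "$demo_root/u/jazz702"   "$mygid"   # WORLD-WRITABLE
report_dir "$demo_root/u/scratch"   "$mygid"   # NO-STICKY
report_dir "$demo_root/etc/jazz702" 99999      # WRONG-GROUP (99999 is a placeholder GID)
```

The script compares numeric GIDs rather than group names because the OMVS segment is what links the RACF group to the USS directory, and a GID with no matching name in the local database would otherwise make the comparison fail for the wrong reason.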