Jazz Team Server security on z/OS systems

If you are installing Jazz Team Server on z/OS systems, you must consider several security options. These options help secure your data and provide appropriate access to different types of users.

After you set up the Resource Access Control Facility (RACF) security options, you must complete the server installation and configuration on z/OS. Before you do so, you must have created the JAZZCONF and JAZZWORK RACF GROUPs, as outlined in RACF security on z/OS systems, and customized and submitted the BLZCP* jobs that are required for your configuration.

In addition, a few security considerations are specific to installing Jazz Team Server on z/OS. If you plan to run Jazz Team Server on z/OS, after you create the configuration and work directories by using the BLZCP* sample jobs, you must prepare the Db2® z/OS repositories by creating the databases, editing the .properties files, and running the appropriate repository tools functions. For more information, see Setting up a Db2 database on z/OS.

The basic requirements for creating the Db2 z/OS databases and running repository tools are as follows:
  • A Db2 system administrator must create the databases for Jazz Team Server.
  • A user ID and password must be created that have DBADM authority to the repositories and data warehouse. This user ID and password are used for all access to the Db2 z/OS repositories.
  • In order to read and update the configuration files and logs, the user ID that runs the repository tools sample job to create the database tables, BLZCREDB, must be one of these IDs:
    • The same user ID that ran the BLZCP* sample configuration JCL
    • A member of the JAZZCONF and JAZZWORK RACF GROUPs
  • Two additional user IDs are involved in populating and accessing the data warehouse:
    1. The first user ID is a data collection user ID, which must be a TSO ID with JazzAdmins access (READ access to the JazzAdmins EJBROLE profile). This user ID and password are specified during the setup process using the Jazz Team Server setup wizard.
    2. The second user ID is a report user who is granted SELECT access to the data warehouse tables as part of the data warehouse table creation process. By default, the user is RPTUSER. This user ID access can then be used if external products connect to the data warehouse.

IBM WebSphere Liberty security setup

If you plan to run Jazz Team Server with IBM WebSphere® Liberty, you must set up several RACF profiles. Specifically, the user ID under which the application server runs must have READ and WRITE access to the IBM Engineering Lifecycle Management server configuration and work directories. Therefore, the user ID must be added to the JAZZCONF and JAZZWORK GROUPs.

In addition, each Engineering Lifecycle Management user's repository permissions are determined by their permissions to specific RACF EJBROLE profiles. The EJBROLE profile definitions can be affected by whether an APPL profile was defined during the creation of the IBM WebSphere Liberty. At least one user ID must be granted READ access to the JazzAdmins EJBROLE profile.

Several sections of BLZRACFL address these requirements, including the definition of the EJBROLE profiles.
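
The group and EJBROLE requirements above, as an added example that is not taken from BLZRACFL or any other IBM sample job: a batch TSO job that grants the access and then lists it for review. LIBSRV, JTSADM, the PREFIX.JazzAdmins profile name, and the JOB card values are placeholders to replace with your own.

```jcl
//RACFJAZZ JOB (ACCT),'JAZZ RACF',CLASS=A,MSGCLASS=X
//* Added example, not part of BLZRACFL. Assumed names (replace all):
//*   LIBSRV   - user ID that the Liberty server runs under
//*   JTSADM   - user ID that receives JazzAdmins access
//*   PREFIX.JazzAdmins - stands in for the EJBROLE profile name
//*              that BLZRACFL defines for your configuration
//* The JOB card values are site-specific placeholders as well.
//*
//* Commands in SYSTSIN, in order:
//*  1-2  connect the server ID to both groups (directory access)
//*  3    grant READ on the JazzAdmins EJBROLE profile
//*  4    refresh in-storage profiles (when EJBROLE is RACLISTed)
//*  5-7  list the results so the access can be reviewed
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  CONNECT LIBSRV GROUP(JAZZCONF)
  CONNECT LIBSRV GROUP(JAZZWORK)
  PERMIT PREFIX.JazzAdmins CLASS(EJBROLE) ID(JTSADM) ACCESS(READ)
  SETROPTS RACLIST(EJBROLE) REFRESH
  LISTGRP JAZZCONF
  LISTGRP JAZZWORK
  RLIST EJBROLE PREFIX.JazzAdmins AUTHUSER
/*
```

Every ID that LISTGRP shows as connected to JAZZCONF or JAZZWORK can read and update the configuration files and logs, so compare the member lists and the RLIST access list against the user IDs this page names.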