Resource profile authorization reference

Ensure that the user IDs of the started tasks, and of the administrators who run the panels, are sufficiently privileged.

Table 1 summarizes the required resource profile access. The resource profiles are described in the related and factor-specific chapters, and are summarized here for your convenience.
Important: Before you implement the access described in these profiles, review the profiles that are already in place in your environment. Be mindful of any conflicts and potential security errors with other interfaces that use these profiles. Adding specific profiles over generic profiles could effectively remove access required by an existing user or application.

Do not create an access control list on the MFADEF class FACTOR.** and POLICY.** profiles (for example, FACTOR.AZFSTC).

Checking and updating access to resource profiles

One way to check the current access to a resource profile is with the RLIST command:

    RL <class-name> (profile-name ...) ALL

For example:

    RL facility (irr.rfactor.mfadef.azfyubi1) ALL
    RL csfserv (csfowh) ALL

If you need to permit access to a resource profile, use the PERMIT command:

    PERMIT IRR.RFACTOR.MFADEF.AZFYUBI1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)

If you change the access to a resource profile, you must refresh the class so that the in-storage (RACLISTed) copy of the profiles picks up the change:

    SETROPTS RACLIST(FACILITY) REFRESH
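The three steps above (RLIST to inspect, PERMIT to grant, SETROPTS RACLIST REFRESH to activate) lend themselves to a scripted least-privilege audit. The following Python is an added example and is not from the IBM documentation: it parses RLIST ... ALL reports, compares what AZFSTC and AZFWEB actually hold against a subset of Table 1, flags access that is insufficient, higher than required, or for a profile that is not defined, and generates the matching PERMIT and REFRESH commands. The reports are constructed samples laid out like the usual RLIST report (the parser assumes that layout: a LEVEL/OWNER/UNIVERSAL ACCESS row and a USER/ACCESS list), MFAADMIN is a hypothetical administrator ID, and the REQUIRED rows are a hand-picked subset of Table 1.

```python
"""Audit RACF access for IBM MFA resource profiles against a required-access table.

Added example, not part of the IBM documentation. The RLIST reports are
constructed samples in the usual 'RLIST class (profile) ALL' layout; the parser
assumes that layout. MFAADMIN is a hypothetical administrator user ID.
"""
import re

# RACF access authorities in increasing order of privilege.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def level(access):
    return LEVELS.index(access.upper())


# (class, profile, user ID, required access): a hand-picked subset of Table 1.
REQUIRED = [
    ("FACILITY", "IRR.RFACTOR.MFADEF.AZFYUBI1", "AZFWEB", "READ"),
    ("FACILITY", "IRR.RFACTOR.USER", "AZFWEB", "UPDATE"),
    ("CSFSERV", "CSFOWH", "AZFWEB", "READ"),
    ("PTKTDATA", "IRRPTAUTH.AZFAPPL.*", "AZFSTC", "UPDATE"),
]


def permit_commands(required):
    """One PERMIT per row, then one SETROPTS RACLIST REFRESH per class touched."""
    cmds, classes = [], []
    for cls, profile, user, access in required:
        if cls.upper() == "MFADEF":
            # Page rule: no access list on MFADEF FACTOR.** / POLICY.** profiles.
            raise ValueError(f"refusing to PERMIT on MFADEF profile {profile}")
        cmds.append(f"PERMIT {profile} CLASS({cls}) ID({user}) ACCESS({access})")
        if cls not in classes:
            classes.append(cls)
    cmds.extend(f"SETROPTS RACLIST({cls}) REFRESH" for cls in classes)
    return cmds


def parse_rlist(report):
    """Extract UACC and the access list from an RLIST ... ALL report."""
    lines = report.splitlines()
    uacc, acl = "NONE", {}
    for i, line in enumerate(lines):
        if "UNIVERSAL ACCESS" in line:
            # Header, dashed underline, then the LEVEL OWNER UACC ... row.
            uacc = lines[i + 2].split()[2]
        elif re.match(r"^\s*USER\s+ACCESS", line):
            for entry in lines[i + 2:]:
                parts = entry.split()
                # Stop at a blank line or at "NO ENTRIES IN ACCESS LIST".
                if len(parts) < 2 or parts[0] == "NO":
                    break
                acl[parts[0]] = parts[1]
    return {"uacc": uacc, "acl": acl}


def audit(required, reports):
    """Compare each required row with the RLIST report for that (class, profile)."""
    findings = []
    for cls, profile, user, need in required:
        report = reports.get((cls, profile))
        if report is None:
            findings.append(f"MISSING: {cls} {profile} has no RLIST report (profile not defined?)")
            continue
        parsed = parse_rlist(report)
        # An ID absent from the access list falls back to UACC.
        granted = parsed["acl"].get(user, parsed["uacc"])
        if level(granted) < level(need):
            findings.append(f"INSUFFICIENT: {user} has {granted} on {cls} {profile}, needs {need}")
        elif level(granted) > level(need):
            findings.append(f"EXCESS: {user} has {granted} on {cls} {profile}, needs only {need}")
    return findings


def rlist_sample(cls, profile, uacc, acl_lines):
    """Constructed RLIST ... ALL report (sample data, not output from a real system)."""
    body = "\n".join(acl_lines) if acl_lines else "NO ENTRIES IN ACCESS LIST"
    return (
        "CLASS      NAME\n"
        "-----      ----\n"
        f"{cls:<10} {profile}\n\n"
        "LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING\n"
        "-----  --------   ----------------  -----------  -------\n"
        f" 00    MFAADMIN          {uacc:<14}ALTER     NO\n\n"
        "USER      ACCESS\n"
        "----      ------\n"
        f"{body}\n"
    )


# Constructed reports: one correct, one over-privileged, one with no access list;
# the PTKTDATA profile from REQUIRED is deliberately absent.
REPORTS = {
    ("FACILITY", "IRR.RFACTOR.MFADEF.AZFYUBI1"): rlist_sample(
        "FACILITY", "IRR.RFACTOR.MFADEF.AZFYUBI1", "NONE", ["MFAADMIN  ALTER", "AZFWEB    READ"]),
    ("FACILITY", "IRR.RFACTOR.USER"): rlist_sample(
        "FACILITY", "IRR.RFACTOR.USER", "NONE", ["AZFWEB    ALTER"]),
    ("CSFSERV", "CSFOWH"): rlist_sample("CSFSERV", "CSFOWH", "NONE", []),
}

if __name__ == "__main__":
    for finding in audit(REQUIRED, REPORTS):
        print(finding)
    print("\n".join(permit_commands(REQUIRED)))
```

On a real system you would feed the script the output of the RL commands shown above instead of the constructed reports, and extend REQUIRED to the full set of rows in Table 1 for the user IDs in your environment. The EXCESS finding is deliberate: a started task holding ALTER where UPDATE is required is exactly the kind of over-grant the "Important" note above asks you to review.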

Required user authorization

Note: In the table, AZFSTC is the user ID for AZF#IN00 and AZFWEB is the user ID for AZF#IN01.
Table 1. Required User Authorization

| Resource Profile/Data Set | Class | IBM MFA Services Started Task User ID (AZFSTC) | IBM MFA Web Services Started Task User ID (AZFWEB) | User ID of Admin Who Executes Panel |
|---|---|---|---|---|
| SO.TOKEN_NAME | CRYPTOZ | | CONTROL | CONTROL for PKCS#11 token; CONTROL for RADIUS shared secret |
| USER.TOKEN_NAME | CRYPTOZ | UPDATE | UPDATE | CONTROL for PKCS#11 token; UPDATE for RADIUS shared secret |
| CLEARKEY.token-name | CRYPTOZ | READ | | READ |
| CSFRNG | CSFSERV | | READ | READ |
| CSF1SKD | CSFSERV | | READ | READ |
| CSF1SKE | CSFSERV | | READ | READ |
| CSF1TRC | CSFSERV | | READ | READ |
| CSF1TRL | CSFSERV | | READ | READ |
| CSFOWH | CSFSERV | | READ | READ |
| CSF1GSK | CSFSERV | | READ | READ |
| CSFIQA | CSFSERV | | READ | READ |
| CSFRNGL | CSFSERV | | READ | READ |
| CSF1HMG | CSFSERV | | READ | READ |
| IRR.DIGTCERT.LISTRING | FACILITY | | READ | |
| IRR.RFACTOR.MFADEF.AZFCERT1 | FACILITY | | READ | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFSTC | FACILITY | | READ | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFTOTP1 | FACILITY | | READ | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFSIDP1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFSIDP3 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFRADP1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFSFNP1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFSIDR1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFYUBI1 | FACILITY | | READ | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFLDAP1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFISAM1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFCKCTC | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFPASS1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.MFADEF.AZFPTKT1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
| IRR.RFACTOR.USER | FACILITY | | UPDATE | |
| IRR.RFACTOR.POLICY.POLICY-NAME | FACILITY | | READ | |
| IRRPTAUTH.RACF_APPL_NAME.* | PTKTDATA | READ | | |
| IRRPTAUTH.AZFAPPL.* | PTKTDATA | UPDATE | | |
| IRRPTAUTH.PWCHANGE.APPL.AZFAPPL | PTKTDATA | UPDATE | | |
| Node secret data set | | UPDATE | | |

Special considerations for CHECKAUTH(YES)

When ICSF runs with CHECKAUTH(YES), it also performs SAF authorization checks for supervisor-state and system-key callers, so you must allow access to the CSFSERV resource profiles shown in Table 2.
Table 2. CSFSERV Resource Profiles When CHECKAUTH is YES

| Resource Profile | IBM MFA Services Started Task User ID (AZFSTC) | Web Services STC User ID (AZFWEB) | TCPIP Started Task User ID |
|---|---|---|---|
| CSFDSG | | READ | |
| CSFDSV | | READ | |
| CSFOWH | READ | | |
| CSFRNG | READ | READ | |
| CSFRNGL | READ | READ | |
| CSF1DVK | | READ | |
| CSF1GAV | | READ | |
| CSF1GKP | | READ | |
| CSF1GSK | | READ | |
| CSF1HMG | READ | READ | |
| CSF1SKD | READ | READ | READ |
| CSF1SKE | | READ | |
| CSF1TRC | | READ | |
| CSF1TRD | READ | READ | READ |
| CSF1TRL | READ | READ | |
| CSFPKI | | READ | |

IBM HTTP Server - Powered by Apache for IBM MFA

Table 3 summarizes the required resource profile access for IBM HTTP Server - Powered by Apache.
Table 3. Resource Profiles

| Resource Profile | Class | Web Server User ID |
|---|---|---|
| BPX.DAEMON | FACILITY | UPDATE |
| BPX.SERVER | FACILITY | UPDATE |
| CLEARKEY.TOKEN_NAME | CRYPTOZ | READ |
| CSF1HMG | CSFSERV | READ |
| CSF1GSK | CSFSERV | READ |
| CSF1SKD | CSFSERV | READ |
| CSF1SKE | CSFSERV | READ |
| CSF1TRC | CSFSERV | READ |
| CSF1TRL | CSFSERV | READ |
| CSFIQA | CSFSERV | READ |
| CSFOWH | CSFSERV | READ |
| CSFRNG | CSFSERV | READ |
| CSFRNGL | CSFSERV | READ |
| IRR.DIGTCERT.LISTRING | FACILITY | READ (UPDATE is needed if TLS is configured for the web server) |
| SO.TOKEN_NAME | CRYPTOZ | CONTROL |
| USER.TOKEN_NAME | CRYPTOZ | UPDATE |
Note: If the web server is configured with SSL/TLS, the web server user ID requires access to additional profiles, such as CSFDSG, CSF1DVK, CSF1GKP, CSF1GAV, CSF1TRD, and CSFPKI. See IBM HTTP Server Powered by Apache (https://publibz.boulder.ibm.com/epubs/pdf/dpr1cg00.pdf) for information on configuring SSL/TLS for the web server.