Resource profile authorization reference
Ensure that the user IDs of the started tasks and of the administrators who execute the panels are sufficiently privileged. Table 1 summarizes the required resource profile access. The resource profiles are described in the related and factor-specific chapters and are summarized here for your convenience.
Important: Before you implement the access described in these profiles, review the profiles that are already in place in your environment. Be mindful of any conflicts and potential security errors with other interfaces that use these profiles. Adding specific profiles over generic profiles could effectively remove access required by an existing user or application.
Do not create an access control list on the MFADEF class FACTOR.** and POLICY.** profiles (for example, FACTOR.AZFSTC).
Checking and updating access to resource profiles
One way to check the current access to a resource profile is with the RLIST command:
RL <class-name> (profile-name ...) ALL
For example:
RL facility (irr.rfactor.mfadef.azfyubi1) ALL
RL csfserv (csfowh) ALL
If you need to permit access to a resource profile, use the PERMIT command:
PERMIT IRR.RFACTOR.MFADEF.AZFYUBI1 ACCESS(ALTER) CLASS(FACILITY) ID(user-id)
If you change the access to a resource profile, you must refresh the class:
SETROPTS RACLIST(FACILITY) REFRESH
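As an added example (not from the IBM documentation), the following Python script carries out the check, permit and refresh procedure above offline: it parses a constructed sample of RLIST output, compares the access list with the Table 1 requirement for one profile, and emits the PERMIT and SETROPTS commands needed to close gaps while flagging IDs that hold more access than the reference documents. MFAADM1 and TSTUSR1 are hypothetical user IDs, and the RLIST layout in the sample is an approximation of RACF's.

```python
# RACF access levels, least to most privileged.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Access Table 1 requires on IRR.RFACTOR.MFADEF.AZFYUBI1; MFAADM1 is a
# hypothetical admin user ID (the "admin who executes the panel").
REQUIRED = {"AZFSTC": "READ", "AZFWEB": "READ", "MFAADM1": "ALTER"}

# Constructed sample of RLIST ... ALL output (layout approximates RACF's).
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
FACILITY   IRR.RFACTOR.MFADEF.AZFYUBI1

USER      ACCESS   ACCESS   COUNT
----      ------   ------   -----
AZFSTC    READ     000000
AZFWEB    NONE     000000
MFAADM1   ALTER    000000
TSTUSR1   ALTER    000000
"""

def parse_rlist(text):
    """Return (class, profile, {user: access}) from RLIST output."""
    lines = text.splitlines()
    klass = profile = None
    acl = {}
    for i, ln in enumerate(lines):
        parts = ln.split()
        if parts[:1] == ["CLASS"]:             # profile name is two lines down
            klass, profile = lines[i + 2].split()[:2]
        elif len(parts) == 3 and parts[1] in LEVELS and parts[2].isdigit():
            acl[parts[0]] = parts[1]           # access-list row: ID ACCESS COUNT
    return klass, profile, acl

def check_access(klass, profile, acl, required):
    """Return fix commands for missing access and (user, has, needs) excess."""
    fixes, excess = [], []
    for user, need in required.items():
        have = acl.get(user, "NONE")
        if LEVELS.index(have) < LEVELS.index(need):
            fixes.append(f"PERMIT {profile} ACCESS({need}) CLASS({klass}) ID({user})")
        elif LEVELS.index(have) > LEVELS.index(need):
            excess.append((user, have, need))
    for user, have in acl.items():             # IDs the reference does not list
        if user not in required and have != "NONE":
            excess.append((user, have, "NONE"))
    if fixes:                                  # a changed ACL needs a refresh
        fixes.append(f"SETROPTS RACLIST({klass}) REFRESH")
    return fixes, excess
```

Entries in the excess list are least-privilege findings to review against the Important note above rather than changes to apply blindly.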
Required user authorization
Note: In the table, AZFSTC is the user ID for AZF#IN00 and AZFWEB is the user ID for AZF#IN01.
Resource Profile/Data Set | Class | IBM® MFA Services Started Task User ID AZFSTC | IBM MFA Web Services Started Task User ID AZFWEB | User ID of Admin Who Executes Panel |
---|---|---|---|---|
SO.TOKEN_NAME | CRYPTOZ | CONTROL | | CONTROL for PKCS#11 token; CONTROL for RADIUS shared secret |
USER.TOKEN_NAME | CRYPTOZ | UPDATE | UPDATE | CONTROL for PKCS#11 token; UPDATE for RADIUS shared secret |
CLEARKEY.token-name | CRYPTOZ | READ | READ | |
CSFRNG | CSFSERV | READ | READ | |
CSF1SKD | CSFSERV | READ | READ | |
CSF1SKE | CSFSERV | READ | READ | |
CSF1TRC | CSFSERV | READ | READ | |
CSF1TRL | CSFSERV | READ | READ | |
CSFOWH | CSFSERV | READ | READ | |
CSF1GSK | CSFSERV | READ | READ | |
CSFIQA | CSFSERV | READ | READ | |
CSFRNGL | CSFSERV | READ | READ | |
CSF1HMG | CSFSERV | READ | READ | |
IRR.DIGTCERT.LISTRING | FACILITY | READ | | |
IRR.RFACTOR.MFADEF.AZFCERT1 | FACILITY | READ | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFSTC | FACILITY | READ | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFTOTP1 | FACILITY | READ | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFSIDP1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFSIDP3 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFRADP1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFSFNP1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFSIDR1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFYUBI1 | FACILITY | READ | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFLDAP1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFISAM1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFCKCTC | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFPASS1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.MFADEF.AZFPTKT1 | FACILITY | | | READ, UPDATE, CONTROL, ALTER |
IRR.RFACTOR.USER | FACILITY | UPDATE | | |
IRR.RFACTOR.POLICY.POLICY-NAME | FACILITY | READ | | |
IRRPTAUTH.RACF_APPL_NAME.* | PTKTDATA | READ | | |
IRRPTAUTH.AZFAPPL.* | PTKTDATA | UPDATE | | |
IRRPTAUTH.PWCHANGE.APPL.AZFAPPL | PTKTDATA | UPDATE | | |
Node secret data set | | UPDATE | | |
Special considerations for CHECKAUTH(YES)
Allow access to the CSFSERV resource profiles shown in Table 2 when CHECKAUTH(YES) is in effect.
Resource Profile | IBM MFA Services Started Task User ID AZFSTC | Web Services STC User ID AZFWEB | TCPIP Started Task User ID |
---|---|---|---|
CSFDSG | READ | | |
CSFDSV | READ | | |
CSFOWH | READ | | |
CSFRNG | READ | READ | |
CSFRNGL | READ | READ | |
CSF1DVK | READ | | |
CSF1GAV | READ | | |
CSF1GKP | READ | | |
CSF1GSK | READ | | |
CSF1HMG | READ | READ | |
CSF1SKD | READ | READ | READ |
CSF1SKE | READ | | |
CSF1TRC | READ | | |
CSF1TRD | READ | READ | READ |
CSF1TRL | READ | READ | |
CSFPKI | READ | | |
IBM HTTP Server - Powered by Apache for IBM MFA
Table 3 summarizes the required resource profile access for IBM HTTP Server - Powered by Apache.
Resource Profile | Class | Web Server User ID |
---|---|---|
BPX.DAEMON | FACILITY | UPDATE |
BPX.SERVER | FACILITY | UPDATE |
CLEARKEY.TOKEN_NAME | CRYPTOZ | READ |
CSF1HMG | CSFSERV | READ |
CSF1GSK | CSFSERV | READ |
CSF1SKD | CSFSERV | READ |
CSF1SKE | CSFSERV | READ |
CSF1TRC | CSFSERV | READ |
CSF1TRL | CSFSERV | READ |
CSFIQA | CSFSERV | READ |
CSFOWH | CSFSERV | READ |
CSFRNG | CSFSERV | READ |
CSFRNGL | CSFSERV | READ |
IRR.DIGTCERT.LISTRING | FACILITY | READ (UPDATE is needed if TLS is configured for the web server) |
SO.TOKEN_NAME | CRYPTOZ | CONTROL |
USER.TOKEN_NAME | CRYPTOZ | UPDATE |
Note: If the web server is configured with SSL/TLS, the web server user ID requires access to additional profiles, such as CSFDSG, CSF1DVK, CSF1GKP, CSF1GAV, CSF1TRD, and CSFPKI. See IBM HTTP Server Powered by Apache (https://publibz.boulder.ibm.com/epubs/pdf/dpr1cg00.pdf) for information on configuring SSL/TLS for the web server.