Parameters in IZUPRMxx
The IZUPRMxx parmlib member specifies options for z/OSMF. SYS1.SAMPLIB contains a copy of the IZUPRMxx member that you can copy to SYS1.PARMLIB and modify. This topic describes the key parameters in parmlib member IZUPRMxx for IBM Cloud Provisioning and Management for z/OS.
For complete information about IZUPRMxx, see IBM z/OS Management Facility Configuration Guide.
Key parameters for cloud provisioning
- SAF profile prefix that is prepended to the names of any groups to be used for authorizing users
to IBM Cloud® Provisioning and Management for z/OS® task activities.Note: The IZUPRSEC sample job contains commands that include the group name for creating authorizations for IBM Cloud Provisioning and Management for z/OS. The value that is specified here must match the prefix name that you define for Cloud Provisioning authorizations in the IZUPRSEC job or by entering equivalent commands.Rules:
- Must follow the rules for RACF profile names.
- 1 – 3 characters.
- Specifies the security administrator user ID to be used for automatic security management in Cloud Provisioning. When specified, automatic security
updates are performed under this user ID. Otherwise, if this value is omitted, security updates for
Cloud Provisioning must be performed manually by your
security administrator.The user ID that is specified here must be connected to the z/OSMF security administrator group, which is named IZUSECAD by default. The IZUPRSEC job in SYS1.SAMPLIB contains a commented RACF command for creating this authorization. Minimally, this user ID requires:
- READ access to the ZMFCLOUD class resource profile IZUDFLT.ZOSMF.SECURITY.ADMIN.
- Authorization to manage resource profiles in the ZMFAPLA and ZMFCLOUD resource classes.
- Authorization to manage security groups.
During regular operations with Cloud Provisioning, your installation might periodically update Resource Management domains and tenants to add or remove users. Such changes require updates to your security setup. By specifying a user ID for the CLOUD_SEC_ADMIN keyword, you indicate that automatic security is to be used for performing user authorizations. If so, the authorizations are performed automatically by the Resource Management task, by using a security REXX exec that is provided by the external security manager. For example, IBM supplies the REXX exec izu.provisioning.security.config.rexx for use with RACF. For more information, see Automatic security management for Cloud Provisioning.
If the CLOUD_SEC_ADMIN value is changed, the new setting applies only to domains that are created after the change. Any existing domains continue to operate with manual or automated security, based on the value that was in effect when these domains were created.Note: With the installation of the PTF for APAR PH29813, the default domain now supports manual security mode for creating templates and tenants. This option is intended for provisioning environments that cannot use automatic security mode. Previously, the default domain was required to run in automatic security mode. Now, when the default domain is created at z/OSMF startup time, it is placed in manual security mode if no security administrator is specified on the CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member.
If you have incorrectly configured the security mode for Cloud Provisioning and Management, it is possible to change it. Doing so requires only that you edit the CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member and restart the z/OSMF server. You can switch a domain from automatic security to manual security, and vice versa. Your changes to the CLOUD_SEC_ADMIN statement affect the security mode of all existing domains. The suggested practice is that you run Cloud Provisioning and Management in automatic security mode.Rules:
Default: None. If you do not provide a valid z/OS user ID, the Resource Management task does not perform automatic security updates.
- Must follow the rules for z/OS user IDs.
- 1 – 8 characters.
- Specifies the optional plug-ins to be made available in your configuration.
Enter all of the plug-in identifiers that are shown in Table 1.
Table 1. z/OSMF plug-ins that are required for IBM Cloud Provisioning and Management for z/OS Plug-in ID Plug-in name COMMSERVER_CFG Network Configuration Assistant RESOURCE_MON Resource Monitoring WORKLOAD_MGMT Workload Management