In a z/OSMF base configuration, the initial IBM Cloud Provisioning and Management for z/OS environment
includes a default domain and default tenant to help you quickly get started. This topic describes
the steps for creating the security authorizations for the default domain and default
tenant.
Before you begin
This procedure assumes that your installation has already created a base z/OSMF
configuration.
This procedure is presented as an alternative for users who prefer to perform
the security updates manually. The authorizations that it creates are equivalent to the security
setup that is performed by running the IZUPRSEC job in SYS1.SAMPLIB. If you choose to run the
IZUPRSEC job instead, locate the commented sections for Cloud Provisioning and uncomment them. Be
sure to review and modify the job as necessary to ensure that its definitions work in your security
environment. A summary of the IZUPRSEC authorizations is provided in Summary of security requirements for the Cloud Provisioning tasks.
Regardless of whether you create authorizations manually or through IZUPRSEC, you
need to connect one or more z/OS system programmer user IDs to the provisioning administrator group, as described
in Step 2.d of the procedure. These
users, called provisioning administrators, are
responsible for managing the cloud environment.
Note: With the installation of the PTF for APAR PH29813, the default domain now
supports manual security mode for creating templates and tenants. This option is intended for
provisioning environments that cannot use automatic security mode. Previously, the default domain
was required to run in automatic security mode. Now, when the default domain is created at z/OSMF
startup time, it is placed in manual security mode if no security administrator is specified on the
CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member.
If you have incorrectly configured the
security mode for Cloud Provisioning and Management, it is possible to change it. Doing so requires
only that you edit the CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member and restart the
z/OSMF server. You can switch a domain from automatic security to manual security, and vice versa.
Your changes to the CLOUD_SEC_ADMIN statement affect the security mode of all existing domains. The
suggested practice is that you run Cloud Provisioning and Management in automatic security
mode.
About this task
Use this procedure to define an initial set of security groups, user IDs, and resource profiles
for your Cloud Provisioning
environment.
This procedure involves the following changes to your security database:
- Activating the necessary RACF classes
- Creating the required SAF security groups
- Defining the required SAF resource profiles
- Granting the appropriate authorizations
- Refreshing the necessary RACF classes
The examples in this section show the commands as they would be entered for a RACF installation.
If your installation uses a security manager other than RACF, your security administrator can refer
to the IZUPRSEC job for examples when creating equivalent authorizations for your system.
The instructions in this procedure assume that your installation shares its security database
across the participating systems in the sysplex. If you use more than one security database, your
security administrator must duplicate the Cloud Provisioning authorizations in each security
database.
This procedure is intended only for your initial security setup. Later, after you complete this
procedure, you use the Software Services task and Resource Management task to maintain your security
environment. However, managing the provisioning administrator IDs remains a manual operation that
you perform in your security database: connecting users to, or removing users from, the
provisioning administrator group.
Procedure
1. Activate the ZMFCLOUD resource class and enable the RACLIST and GENERIC profiles.
   SETROPTS CLASSACT(ZMFCLOUD) GENERIC(ZMFCLOUD) RACLIST(ZMFCLOUD)
2. Create the provisioning administrator identity.
   a. Define the provisioning administrator security group.
      ADDGROUP IYU OWNER(some group)
      Where IYU is the default SAF profile prefix for Cloud Provisioning. This prefix is used for
      the provisioning administrator group. User IDs with the provisioning administrator role have
      the authority to create domains, delete domains, and assign administrators within domains.
      The IYU prefix is used in the examples in this procedure. Your installation can choose a
      different prefix by specifying it on the CLOUD_SAF_PREFIX keyword in the IZUPRMxx parmlib
      member. If so, substitute that value in the examples in this procedure.
   b. Define the SAF profile to be used for granting users access to the provisioning
      administrator role.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU) UACC(NONE)
      Where IZUDFLT is the default SAF profile prefix for z/OSMF. This prefix is used for the
      z/OSMF resource profiles. The IZUDFLT prefix is used in the examples in this procedure. Your
      installation can choose a different prefix by specifying it on the SAF_PREFIX keyword in the
      IZUPRMxx parmlib member. If so, substitute that value in the examples in this procedure.
   c. Grant the provisioning administrator group read access to the provisioning administrator
      profile.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU +
             CLASS(ZMFCLOUD) ID(IYU IZUADMIN) +
             ACCESS(READ)
      If you do not want all z/OSMF administrators to have the provisioning administrator role,
      remove the IZUADMIN group from the ID list.
   d. Select a user ID to be the provisioning administrator and connect it to the provisioning
      administrator group.
      CONNECT <user-id> GROUP(IYU)
      To authorize more provisioning administrator users, connect each user ID to the provisioning
      administrator group.
3. Set up security for the default domain.
   a. Define the domain administrator group for the default domain.
      ADDGROUP IYU0 SUPGROUP(IYU)
      Where IYU0 is the group name for domain administrators; it is defined under the Cloud
      Provisioning group (IYU), which is its RACF superior group.
   b. Define the SAF profile to be used for authorizing users to be domain administrators.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0) UACC(NONE)
   c. Grant the provisioning administrator group (IYU), the domain administrator group for the
      default domain (IYU0), and the z/OSMF administrator group (IZUADMIN) read access to the domain
      administrator profile for the default domain.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0 +
             CLASS(ZMFCLOUD) ID(IYU IYU0 IZUADMIN) ACCESS(READ)
      If you do not want all z/OSMF administrators to be able to administer the default domain,
      remove the z/OSMF administrator group from the ID list. If you later choose to expand this
      authorization, you can use the Resource Management task in Cloud Provisioning to add
      individual users as domain administrators.
   d. Define the resource pool administrator group for networking for the default domain.
      ADDGROUP IYU0RPAN SUPGROUP(IYU)
      Where IYU0RPAN is the group name for networking administrators. It is defined as a subgroup
      of the Cloud Provisioning group.
   e. Define the resource pool administrator group for WLM for the default domain.
      ADDGROUP IYU0RPAW SUPGROUP(IYU)
      Where IYU0RPAW is the group name for WLM administrators. It is defined as a subgroup of the
      Cloud Provisioning group.
4. Set up security for the default tenant.
   a. Define the tenant consumer group for the default tenant.
      ADDGROUP IYU000 SUPGROUP(IYU0)
      Where IYU000 is the group name for tenant consumers. It is defined as a subgroup of the
      domain administrator group.
   b. Define the SAF profile to be used for authorizing users to be consumers in the default tenant.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000) +
              UACC(NONE)
   c. Grant the tenant consumer group read access to the tenant consumer profile for the default
      tenant.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000 +
             CLASS(ZMFCLOUD) ID(IYU000) ACCESS(READ)
   d. Define the SAF profile to be used for authorizing users to be template approvers for the
      default domain.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.TEMPLATE.APPROVERS.IYU0) UACC(NONE)
5. Authorize users to be WLM administrators for the default domain.
   a. Define the SAF profile to be used for authorizing users to be resource pool administrators
      for WLM.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0) UACC(NONE)
   b. Grant the WLM administrator group and the z/OSMF administrator group (IZUADMIN) read access
      to the WLM administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0 +
             CLASS(ZMFCLOUD) ID(IYU0RPAW IZUADMIN) ACCESS(READ)
   c. Grant the z/OSMF server user ID access to the WLM administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0 +
             CLASS(ZMFCLOUD) ID(IZUSVR) ACCESS(READ)
      Where IZUSVR is the default user ID for the z/OSMF server, which in turn has a default name
      of IZUSVR1. If you assigned a different user ID to the z/OSMF server started task, specify
      that user ID instead.
6. Authorize users to be network administrators for the default domain.
   a. Define the SAF profile to be used for authorizing users to be resource pool administrators
      for the network.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0) UACC(NONE)
   b. Grant the network administrator group and the z/OSMF administrator group (IZUADMIN) read
      access to the network administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0 +
             CLASS(ZMFCLOUD) ID(IYU0RPAN IZUADMIN) ACCESS(READ)
   c. Grant the z/OSMF server user ID access to the network administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0 +
             CLASS(ZMFCLOUD) ID(IZUSVR) ACCESS(READ)
      Where IZUSVR is the default user ID for the z/OSMF server, which in turn has a default name
      of IZUSVR1. If you assigned a different user ID to the z/OSMF server started task, specify
      that user ID instead.
7. Define the ZMFAPLA profiles for the Cloud Provisioning, Workflows, Workflow Editor, and
   System Variables resources.
   a. Define the SAF profile to be used for authorizing users to the Software Services task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) UACC(NONE)
   b. Define the SAF profile to be used for authorizing users to the Resource Management task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT) UACC(NONE)
   c. Define the SAF profile to be used for authorizing users to the Workflows task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) UACC(NONE)
   d. Define the SAF profile to be used for authorizing users to the Workflow Editor task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.WORKFLOW.EDITOR) UACC(NONE)
   e. Define the SAF profile to be used for authorizing users to the System Variables resource.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN) UACC(NONE)
   f. Grant the provisioning administrator, default domain administrator, and default tenant
      consumer groups access to z/OSMF.
      PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
   g. Grant the resource administrator groups access to z/OSMF.
      PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
   h. Grant the user groups access to the Software Services, Workflows, and Workflow Editor tasks.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES +
             CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
      PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS +
             CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
      PERMIT IZUDFLT.ZOSMF.WORKFLOW.EDITOR +
             CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
   i. Grant administrators access to the Resource Management task.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT +
             CLASS(ZMFAPLA) ID(IYU IYU0) ACCESS(READ)
   j. Grant the resource administrator groups access to the Workflows task and Software Services
      task.
      PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES +
             CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
      PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS +
             CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
   k. Grant the z/OSMF administrator group the authority to modify or delete system variables by
      using the Systems task or a z/OSMF REST service.
      PERMIT IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN +
             CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
8. Create the z/OSMF security administrator role if it does not exist already. These users can
   perform automatic security updates in the Resource Management task.
   a. Define the z/OSMF security administrator group. IZUSECAD is the default group name.
   b. Define the SAF profile to be used for authorizing users to be z/OSMF security
      administrators.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.SECURITY.ADMIN) UACC(NONE)
      Where IZUDFLT is the z/OSMF SAF profile prefix.
   c. Grant the security administrator group read access to the security administrator profile.
      PERMIT IZUDFLT.ZOSMF.SECURITY.ADMIN CLASS(ZMFCLOUD) +
             ID(IZUSECAD) ACCESS(READ)
      Only users with read access to this profile can be selected as domain security
      administrators by the provisioning administrator.
9. Enable the z/OSMF server to perform authorization checks for ZMFCLOUD class resources.
   a. Create the SERVER class profile.
      RDEFINE SERVER (BBG.SECCLASS.ZMFCLOUD) UACC(NONE)
   b. Grant the z/OSMF server user ID access to the SERVER class profile.
      PERMIT BBG.SECCLASS.ZMFCLOUD CLASS(SERVER) ID(IZUSVR) +
             ACCESS(READ)
      Where IZUSVR is the default user ID for the z/OSMF server, which in turn has a default name
      of IZUSVR1. If you assigned a different user ID to the z/OSMF server started task, specify
      that user ID instead.
10. Connect the z/OSMF started task user ID to the z/OSMF security administrator group (by
    default, IZUSECAD).
    CONNECT IZUSVR GROUP(IZUSECAD)
11. Refresh the RACF classes to make the preceding changes effective.
    SETROPTS RACLIST(ZMFAPLA ZMFCLOUD SERVER) REFRESH
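The procedure above asks you to substitute your own CLOUD_SAF_PREFIX, SAF_PREFIX and server user ID throughout, and a single mistyped group name or prefix in one of the roughly forty commands silently leaves a profile unprotected or a PERMIT pointing at a group that does not exist. The following Python script is an added example, not part of IBM's documentation or the IZUPRSEC job: it renders the same command sequence for a chosen set of prefixes and server ID, then replays the result into an access matrix and group tree and flags a PERMIT that names a profile never RDEFINEd, a PERMIT to an ID that no ADDGROUP created, or an RDEFINE whose UACC is not NONE. The SYS1 owner group (standing in for "some group"), the option of dropping IZUADMIN from the two provisioning and domain administrator profiles, and the assumption that the base z/OSMF configuration already defined the IZUDFLT.ZOSMF profile in the ZMFAPLA class are all assumptions of the example.

```python
"""Render this procedure's RACF commands for a chosen CLOUD_SAF_PREFIX, SAF_PREFIX
and server ID, then audit the resulting access matrix before anything is run.
Added example, not IBM code; SYS1 and the pre-existing IZUDFLT.ZOSMF profile are assumed."""
import re
from dataclasses import dataclass

@dataclass
class Plan:
    cloud_prefix: str = "IYU"            # CLOUD_SAF_PREFIX in IZUPRMxx
    saf_prefix: str = "IZUDFLT"          # SAF_PREFIX in IZUPRMxx
    server_id: str = "IZUSVR"            # z/OSMF server user ID
    zosmf_admins_provision: bool = True  # keep IZUADMIN on the two administrator profiles
    owner: str = "SYS1"                  # assumed stand-in for "some group"

def build_commands(p: Plan) -> list[str]:
    """Return the procedure's commands, in order, with the prefixes substituted."""
    c, z = p.cloud_prefix, p.saf_prefix
    dom, ten, net, wlm = c + "0", c + "000", c + "0RPAN", c + "0RPAW"
    rm = f"{z}.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT"
    adm = " IZUADMIN" if p.zosmf_admins_provision else ""
    users, pools = f"{c} {dom} {ten}", f"{net} {wlm}"
    cmds = [
        "SETROPTS CLASSACT(ZMFCLOUD) GENERIC(ZMFCLOUD) RACLIST(ZMFCLOUD)",
        f"ADDGROUP {c} OWNER({p.owner})",                    # provisioning administrators
        f"RDEFINE ZMFCLOUD ({rm}.{c}) UACC(NONE)",
        f"PERMIT {rm}.{c} CLASS(ZMFCLOUD) ID({c}{adm}) ACCESS(READ)",
        f"ADDGROUP {dom} SUPGROUP({c})",                     # default domain administrators
        f"RDEFINE ZMFCLOUD ({rm}.{dom}) UACC(NONE)",
        f"PERMIT {rm}.{dom} CLASS(ZMFCLOUD) ID({c} {dom}{adm}) ACCESS(READ)",
        f"ADDGROUP {net} SUPGROUP({c})",                     # network and WLM pool administrators
        f"ADDGROUP {wlm} SUPGROUP({c})",
        f"ADDGROUP {ten} SUPGROUP({dom})",                   # default tenant consumers
        f"RDEFINE ZMFCLOUD ({rm}.{ten}) UACC(NONE)",
        f"PERMIT {rm}.{ten} CLASS(ZMFCLOUD) ID({ten}) ACCESS(READ)",
        f"RDEFINE ZMFCLOUD ({z}.ZOSMF.TEMPLATE.APPROVERS.{dom}) UACC(NONE)",
    ]
    for pool, grp in (("WLM", wlm), ("NETWORK", net)):     # resource pool profiles
        prof = f"{z}.ZOSMF.RESOURCE_POOL.{pool}.{dom}"
        cmds += [f"RDEFINE ZMFCLOUD ({prof}) UACC(NONE)",
                 f"PERMIT {prof} CLASS(ZMFCLOUD) ID({grp} IZUADMIN) ACCESS(READ)",
                 f"PERMIT {prof} CLASS(ZMFCLOUD) ID({p.server_id}) ACCESS(READ)"]
    sw, wf, ed = "PROVISIONING.SOFTWARE_SERVICES", "WORKFLOW.WORKFLOWS", "WORKFLOW.EDITOR"
    var = "VARIABLES.SYSTEM.ADMIN"                           # ZMFAPLA task profiles
    cmds += [f"RDEFINE ZMFAPLA ({z}.ZOSMF.{t}) UACC(NONE)"
             for t in (sw, "PROVISIONING.RESOURCE_MANAGEMENT", wf, ed, var)]
    cmds += [f"PERMIT {z}.ZOSMF CLASS(ZMFAPLA) ID({ids}) ACCESS(READ)" for ids in (users, pools)]
    cmds += [f"PERMIT {z}.ZOSMF.{t} CLASS(ZMFAPLA) ID({users}) ACCESS(READ)" for t in (sw, wf, ed)]
    cmds.append(f"PERMIT {rm} CLASS(ZMFAPLA) ID({c} {dom}) ACCESS(READ)")
    cmds += [f"PERMIT {z}.ZOSMF.{t} CLASS(ZMFAPLA) ID({pools}) ACCESS(READ)" for t in (sw, wf)]
    cmds += [
        f"PERMIT {z}.ZOSMF.{var} CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)",
        f"RDEFINE ZMFCLOUD ({z}.ZOSMF.SECURITY.ADMIN) UACC(NONE)",  # security administrators
        f"PERMIT {z}.ZOSMF.SECURITY.ADMIN CLASS(ZMFCLOUD) ID(IZUSECAD) ACCESS(READ)",
        "RDEFINE SERVER (BBG.SECCLASS.ZMFCLOUD) UACC(NONE)",       # server-side ZMFCLOUD checks
        f"PERMIT BBG.SECCLASS.ZMFCLOUD CLASS(SERVER) ID({p.server_id}) ACCESS(READ)",
        f"CONNECT {p.server_id} GROUP(IZUSECAD)",
        "SETROPTS RACLIST(ZMFAPLA ZMFCLOUD SERVER) REFRESH",
    ]
    return cmds

RDEFINE = re.compile(r"^RDEFINE (\w+) \((\S+)\) UACC\((\w+)\)$")
PERMIT = re.compile(r"^PERMIT (\S+) CLASS\((\w+)\) ID\(([^)]+)\) ACCESS\((\w+)\)$")
ADDGROUP = re.compile(r"^ADDGROUP (\w+) (?:OWNER|SUPGROUP)\((\w+)\)$")

def audit(cmds, preexisting_profiles=(), known_ids=()):
    """Replay the commands into {(class, profile): {id: access}} plus the group
    tree, flagging a PERMIT to an undefined profile or ID and any UACC other than NONE."""
    defined, ids = set(preexisting_profiles), set(known_ids)
    matrix, supgroups, problems = {}, {}, []
    for cmd in cmds:
        if m := ADDGROUP.match(cmd):
            grp, parent = m.groups()
            ids.add(grp)
            if "SUPGROUP" in cmd:
                supgroups[grp] = parent
        elif m := RDEFINE.match(cmd):
            cls, prof, uacc = m.groups()
            defined.add((cls, prof))
            matrix.setdefault((cls, prof), {})
            if uacc != "NONE":
                problems.append(f"{cls} {prof}: UACC({uacc}) is not NONE")
        elif m := PERMIT.match(cmd):
            prof, cls, idlist, acc = m.groups()
            if (cls, prof) not in defined:
                problems.append(f"PERMIT to undefined profile {cls} {prof}")
            for i in idlist.split():
                if i not in ids:
                    problems.append(f"PERMIT {prof}: ID {i} was never defined")
                matrix.setdefault((cls, prof), {})[i] = acc
    return matrix, supgroups, problems

if __name__ == "__main__":
    plan = Plan()
    cmds = build_commands(plan)
    print("\n".join(cmds))
    _, _, problems = audit(cmds, {("ZMFAPLA", f"{plan.saf_prefix}.ZOSMF")},
                           {"IZUADMIN", "IZUSECAD", plan.server_id})
    print("problems:", problems or "none")
```

Run as-is, the script prints the same commands the procedure lists for the IYU and IZUDFLT defaults and reports no problems; run with `Plan(cloud_prefix="CLD", zosmf_admins_provision=False)` it prints the set for a custom CLOUD_SAF_PREFIX with IZUADMIN removed from the provisioning and domain administrator profiles only, which matches the two places the procedure says that removal is optional. The audit is a pre-flight check on the script's own output or on a command list pasted from your IZUPRSEC job; it reads nothing from RACF, so reviewing the resulting matrix against the groups each tenant should see is still a manual step.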
What to do next
To verify that you configured IBM Cloud Provisioning and Management for z/OS correctly, you can
use the supplied IVP template in the default domain. For the steps to follow, see Verify that security is set up for the domain administrator.