Steps for setting up security

In a z/OSMF base configuration, the initial IBM Cloud Provisioning and Management for z/OS environment includes a default domain and default tenant to help you quickly get started. This topic describes the steps for creating the security authorizations for the default domain and default tenant.

Before you begin

This procedure assumes that your installation has already created a base z/OSMF configuration.

This procedure is presented as an alternative for users who prefer to perform the security updates manually. The authorizations that it creates are equivalent to the security setup that is performed by running the IZUPRSEC job in SYS1.SAMPLIB. If you choose to run the IZUPRSEC job instead, locate the commented sections for Cloud Provisioning and uncomment them. Be sure to review and modify the job as necessary to ensure that its definitions work in your security environment. A summary of the IZUPRSEC authorizations is provided in Summary of security requirements for the Cloud Provisioning tasks.

Regardless of whether you create authorizations manually or through IZUPRSEC, you need to connect one or more z/OS system programmer user IDs to the provisioning administrator group, as described in Step 2.d of the procedure. These users, called provisioning administrators, are responsible for managing the cloud environment.

Note: With the installation of the PTF for APAR PH29813, the default domain now supports manual security mode for creating templates and tenants. This option is intended for provisioning environments that cannot use automatic security mode. Previously, the default domain was required to run in automatic security mode. Now, when the default domain is created at z/OSMF startup time, it is placed in manual security mode if no security administrator is specified on the CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member.

If you have incorrectly configured the security mode for Cloud Provisioning and Management, it is possible to change it. Doing so requires only that you edit the CLOUD_SEC_ADMIN statement in the IZUPRMxx parmlib member and restart the z/OSMF server. You can switch a domain from automatic security to manual security, and vice versa. Your changes to the CLOUD_SEC_ADMIN statement affect the security mode of all existing domains. The suggested practice is that you run Cloud Provisioning and Management in automatic security mode.

About this task

Use this procedure to define an initial set of security groups, user IDs, and resource profiles for your Cloud Provisioning environment.

This procedure involves the following changes to your security database:
  • Activating the necessary RACF classes
  • Creating the required SAF security groups
  • Defining the required SAF resource profiles
  • Granting the appropriate authorizations
  • Refreshing the necessary RACF classes

The examples in this section show the commands as they would be entered for a RACF installation. If your installation uses a security manager other than RACF, your security administrator can refer to the IZUPRSEC job for examples when creating equivalent authorizations for your system.

The instructions in this procedure assume that your installation shares its security database across the participating systems in the sysplex. If you use more than one security database, your security administrator must duplicate the Cloud Provisioning authorizations in each security database.

This procedure is intended only for your initial security setup. After you complete it, you use the Software Services task and the Resource Management task to maintain your security environment. However, managing the provisioning administrator IDs remains a manual operation that you perform in your security database: connecting users to, or removing users from, the provisioning administrator group.

Procedure

  1. Activate the ZMFCLOUD resource class, enable generic profile checking for it, and place it in RACLIST processing.
    SETROPTS CLASSACT(ZMFCLOUD) GENERIC(ZMFCLOUD) RACLIST(ZMFCLOUD)
  2. Create the provisioning administrator identity.
    1. Define the provisioning administrator security group.
      ADDGROUP IYU OWNER(<owner-group>)
      Where IYU is the default SAF profile prefix for Cloud Provisioning. This prefix is used for the provisioning administrator group. User IDs with the provisioning administrator role have the authority to create domains, delete domains, and assign administrators within domains.

      The IYU prefix is used in the examples in this procedure. Your installation can choose a different prefix by specifying it on the CLOUD_SAF_PREFIX keyword in the IZUPRMxx parmlib member. If so, substitute that value in the examples in this procedure.

    2. Define the SAF profile to be used for granting users access to the provisioning administrator role.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU) UACC(NONE)
      Where IZUDFLT is the default SAF profile prefix for z/OSMF. This prefix is used for the z/OSMF resource profiles.

      The IZUDFLT prefix is used in the examples in this procedure. Your installation can choose a different prefix by specifying it on the SAF_PREFIX keyword in the IZUPRMxx parmlib member. If so, substitute that value in the examples in this procedure.

    3. Grant the provisioning administrator group read access to the provisioning administrator profile.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU +
      CLASS(ZMFCLOUD) ID(IYU IZUADMIN) + 
      ACCESS(READ)
      If you do not want all z/OSMF administrators to have the provisioning administrator role, remove the IZUADMIN group from the ID list.
    4. Select a user ID to be the provisioning administrator and connect it to the provisioning administrator group.
      CONNECT <user-id> GROUP(IYU)
    To authorize more provisioning administrator users, connect each user ID to the provisioning administrator group.
  3. Set up security for the default domain.
    1. Define the domain administrator group for the default domain.
      ADDGROUP IYU0 SUPGROUP(IYU)
      Where IYU0 is the group name for domain administrators; it is defined under the Cloud Provisioning group (IYU), which is its RACF superior group.
    2. Define the SAF profile to be used for authorizing users to be domain administrators.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0) UACC(NONE)   
      
    3. Grant the provisioning administrator group (IYU), domain administrator group for the default domain (IYU0), and z/OSMF administrator group (IZUADMIN) read access to the domain administrator profile for the default domain.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU0 + 
      CLASS(ZMFCLOUD) ID(IYU IYU0 IZUADMIN) ACCESS(READ)
      
      If you chose not to allow all z/OSMF administrators to administer the default domain, remove the z/OSMF administrator group from the ID list. If you later choose to expand this authorization, you can use the Resource Management task in Cloud Provisioning to add individual users as domain administrators.
    4. Define the resource pool administrator group for networking for the default domain.
      ADDGROUP IYU0RPAN SUPGROUP(IYU)
      Where IYU0RPAN is the group name for networking administrators. It is defined as a subgroup of the Cloud Provisioning group.
    5. Define the resource pool administrator group for WLM for the default domain.
      ADDGROUP IYU0RPAW SUPGROUP(IYU)
      Where IYU0RPAW is the group name for WLM administrators. It is defined as a subgroup of the Cloud Provisioning group.
  4. Set up security for the default tenant.
    1. Define the tenant consumer group for the default tenant.
      ADDGROUP IYU000 SUPGROUP(IYU0)
      
      Where IYU000 is the group name for tenant consumers. It is defined as a subgroup of the domain administrator group.
    2. Define the SAF profile to be used for authorizing users to be consumers in the default tenant.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000) + 
      UACC(NONE)
    3. Grant the tenant consumer group read access to the tenant consumer profile for the default tenant.
      PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.IYU000 + 
      CLASS(ZMFCLOUD) ID(IYU000) ACCESS(READ)
      
  5. Define the SAF profile to be used for authorizing users to be template approvers for the default domain.
    RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.TEMPLATE.APPROVERS.IYU0) UACC(NONE)
  6. Authorize users to be WLM administrators for the default domain.
    1. Define the SAF profile to be used for authorizing users to be resource pool administrators for WLM.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0) UACC(NONE)
    2. Grant the WLM administrator group and the z/OSMF administrator group (IZUADMIN) read access to the WLM administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0 +
      CLASS(ZMFCLOUD) ID(IYU0RPAW IZUADMIN) ACCESS(READ)
    3. Grant the z/OSMF server user ID access to the WLM administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYU0 +
      CLASS(ZMFCLOUD) ID(IZUSVR) ACCESS(READ)
      Where IZUSVR is the default user ID under which the z/OSMF server started task runs; the started task itself is named IZUSVR1 by default. If you assigned a different user ID to the z/OSMF server started task, specify that user ID instead.
  7. Authorize users to be network administrators for the default domain.
    1. Define the SAF profile to be used for authorizing users to be resource pool administrators for the network.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0) UACC(NONE)
    2. Grant the network administrator group and the z/OSMF administrator group (IZUADMIN) read access to the network administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0 +
      CLASS(ZMFCLOUD) ID(IYU0RPAN IZUADMIN) ACCESS(READ)
      
    3. Grant the z/OSMF server user ID access to the network administrator profile.
      PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYU0 + 
      CLASS(ZMFCLOUD) ID(IZUSVR) ACCESS(READ)
      Where IZUSVR is the default user ID under which the z/OSMF server started task runs; the started task itself is named IZUSVR1 by default. If you assigned a different user ID to the z/OSMF server started task, specify that user ID instead.
  8. Define the ZMFAPLA profiles for the Cloud Provisioning, Workflows, Workflow Editor, and System Variables resources.
    1. Define the SAF profile to be used for authorizing users to the Software Services task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES) UACC(NONE)
    2. Define the SAF profile to be used for authorizing users to the Resource Management task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT) UACC(NONE)
    3. Define the SAF profile to be used for authorizing users to the Workflows task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS) UACC(NONE)
    4. Define the SAF profile to be used for authorizing users to the Workflow Editor task.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.WORKFLOW.EDITOR) UACC(NONE)
    5. Define the SAF profile to be used for authorizing users to the System Variables resource.
      RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN) UACC(NONE)
  9. Grant the provisioning administrator, default domain administrator, and default tenant consumer groups access to z/OSMF.
    PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
  10. Grant the resource administrator groups access to z/OSMF.
    PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
  11. Grant the user groups access to the Software Services, Workflows, and Workflow Editor tasks.
    PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES +  
    CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
    
    PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS + 
    CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
    
    PERMIT IZUDFLT.ZOSMF.WORKFLOW.EDITOR + 
    CLASS(ZMFAPLA) ID(IYU IYU0 IYU000) ACCESS(READ)
    
  12. Grant administrators access to the Resource Management task.
    PERMIT IZUDFLT.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT + 
    CLASS(ZMFAPLA) ID(IYU IYU0) ACCESS(READ)
    
  13. Grant the resource administrator groups access to the Workflows task and Software Services task.
    PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
    
    PERMIT IZUDFLT.ZOSMF.PROVISIONING.SOFTWARE_SERVICES + 
    CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
    
    PERMIT IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS + 
    CLASS(ZMFAPLA) ID(IYU0RPAN IYU0RPAW) ACCESS(READ)
    
  14. Grant the z/OSMF administrator group the authority to modify or delete system variables by using the Systems task or a z/OSMF REST service.
    PERMIT IZUDFLT.ZOSMF.VARIABLES.SYSTEM.ADMIN + 
    CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
    
  15. Create the z/OSMF security administrator role if it does not exist already.
    These users can perform automatic security updates in the Resource Management task.
    1. Define the z/OSMF security administrator group.
      ADDGROUP IZUSECAD
      Where IZUSECAD is the default group name.
    2. Define the SAF profile to be used for authorizing users to be z/OSMF security administrators.
      RDEFINE ZMFCLOUD (IZUDFLT.ZOSMF.SECURITY.ADMIN) UACC(NONE)
      Where IZUDFLT is the z/OSMF SAF profile prefix.
    3. Grant the security administrator group read access to the security administrator profile.
      PERMIT IZUDFLT.ZOSMF.SECURITY.ADMIN CLASS(ZMFCLOUD) +
      ID(IZUSECAD) ACCESS(READ)
      
    Only users with read access to this profile can be selected as domain security administrators by the provisioning administrator.
  16. Enable the z/OSMF server to perform authorization checks for ZMFCLOUD class resources.
    1. Create the SERVER class profile.
      RDEFINE SERVER (BBG.SECCLASS.ZMFCLOUD) UACC(NONE)
      
    2. Grant the z/OSMF server user ID access to the SERVER class profile.
      PERMIT BBG.SECCLASS.ZMFCLOUD CLASS(SERVER) ID(IZUSVR) + 
      ACCESS(READ)
      Where IZUSVR is the default user ID under which the z/OSMF server started task runs; the started task itself is named IZUSVR1 by default. If you assigned a different user ID to the z/OSMF server started task, specify that user ID instead.
    3. Connect the z/OSMF started task user ID to the z/OSMF security administrator group (by default, IZUSECAD).
      CONNECT IZUSVR GROUP(IZUSECAD)
  17. Refresh the RACF classes to make the preceding changes effective.
    SETROPTS RACLIST(ZMFAPLA ZMFCLOUD SERVER) REFRESH
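As an added example that is not part of the IBM procedure, the following Python script builds the ZMFCLOUD commands of steps 1 through 7 for an installation's chosen CLOUD_SAF_PREFIX, SAF_PREFIX and server user ID, and then cross-checks that every PERMIT names only groups and profiles defined earlier in the list, so that a typo in a hand-substituted prefix is caught before the commands reach RACF. The function and parameter names and the single-line command form are assumptions; IZUADMIN and the server user ID are treated as already existing from the base z/OSMF configuration.

```python
# Added example, not from the IBM procedure: builds the ZMFCLOUD commands of
# steps 1-7 for a chosen CLOUD_SAF_PREFIX, SAF_PREFIX and server user ID, then
# cross-checks that every PERMIT names only groups and profiles already defined.
# Function and parameter names are assumptions; commands are single-line.
import re

def build_commands(cloud="IYU", saf="IZUDFLT", server="IZUSVR", all_admins=True):
    """Return the RACF commands as strings, one command per list element."""
    dom, net, wlm, ten = cloud + "0", cloud + "0RPAN", cloud + "0RPAW", cloud + "000"
    rm = f"{saf}.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT"
    wlmp = f"{saf}.ZOSMF.RESOURCE_POOL.WLM.{dom}"
    netp = f"{saf}.ZOSMF.RESOURCE_POOL.NETWORK.{dom}"
    admin = " IZUADMIN" if all_admins else ""  # omit to keep z/OSMF admins out
    return [
        "SETROPTS CLASSACT(ZMFCLOUD) GENERIC(ZMFCLOUD) RACLIST(ZMFCLOUD)",
        f"ADDGROUP {cloud}",                  # provisioning administrators
        f"ADDGROUP {dom} SUPGROUP({cloud})",  # default domain administrators
        f"ADDGROUP {net} SUPGROUP({cloud})",  # network resource pool admins
        f"ADDGROUP {wlm} SUPGROUP({cloud})",  # WLM resource pool admins
        f"ADDGROUP {ten} SUPGROUP({dom})",    # default tenant consumers
        f"RDEFINE ZMFCLOUD ({rm}.{cloud}) UACC(NONE)",
        f"RDEFINE ZMFCLOUD ({rm}.{dom}) UACC(NONE)",
        f"RDEFINE ZMFCLOUD ({rm}.{ten}) UACC(NONE)",
        f"RDEFINE ZMFCLOUD ({saf}.ZOSMF.TEMPLATE.APPROVERS.{dom}) UACC(NONE)",
        f"RDEFINE ZMFCLOUD ({wlmp}) UACC(NONE)",
        f"RDEFINE ZMFCLOUD ({netp}) UACC(NONE)",
        f"PERMIT {rm}.{cloud} CLASS(ZMFCLOUD) ID({cloud}{admin}) ACCESS(READ)",
        f"PERMIT {rm}.{dom} CLASS(ZMFCLOUD) ID({cloud} {dom}{admin}) ACCESS(READ)",
        f"PERMIT {rm}.{ten} CLASS(ZMFCLOUD) ID({ten}) ACCESS(READ)",
        f"PERMIT {wlmp} CLASS(ZMFCLOUD) ID({wlm}{admin}) ACCESS(READ)",
        f"PERMIT {wlmp} CLASS(ZMFCLOUD) ID({server}) ACCESS(READ)",
        f"PERMIT {netp} CLASS(ZMFCLOUD) ID({net}{admin}) ACCESS(READ)",
        f"PERMIT {netp} CLASS(ZMFCLOUD) ID({server}) ACCESS(READ)",
        "SETROPTS RACLIST(ZMFCLOUD) REFRESH",
    ]

def check_commands(cmds, preexisting=frozenset({"IZUADMIN", "IZUSVR"})):
    """List PERMITs naming an undefined ID or profile; 'preexisting' = base-config IDs."""
    ids, profiles, problems = set(preexisting), set(), []
    for c in cmds:
        if m := re.match(r"ADDGROUP (\S+)", c):
            ids.add(m[1])
        elif m := re.match(r"RDEFINE (\S+) \((\S+)\)", c):
            profiles.add((m[1], m[2]))
        elif m := re.match(r"PERMIT (\S+) CLASS\((\S+)\) ID\(([^)]+)\)", c):
            if (m[2], m[1]) not in profiles:
                problems.append(f"undefined profile: {m[1]}")
            problems += [f"undefined ID: {i}" for i in m[3].split() if i not in ids]
    return problems
```

The ZMFAPLA and SERVER class commands of steps 8 through 16 reference profiles such as IZUDFLT.ZOSMF that the base configuration already defines, so they are left out of the generated list rather than being flagged as undefined.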
    

What to do next

To verify that you configured IBM Cloud Provisioning and Management for z/OS correctly, you can use the supplied IVP template in the default domain. For the steps to follow, see Verify that security is set up for the domain administrator.