Summary of security requirements for the Cloud Provisioning tasks
This topic describes the resources that must be defined, and the groups that must be permitted to the resources.
Select the Legacy Special user ID
During configuration, you select a user ID to use for authorizing groups to the domain. This user ID, which is referred to as the Legacy Special user ID, requires RACF SPECIAL authority. It must also be connected to the z/OSMF security group for z/OSMF security administrators (IZUSECAD, by default). Typically, this user is a security administrator. Because SPECIAL grants full authority over the RACF database, treat the Legacy Special user ID as a privileged credential and restrict who can log on with it.
The Legacy Special user is the first provisioning administrator to be defined for your configuration. After Cloud Provisioning is configured, remember the Legacy Special user ID and keep it active for future operations. For example, with the Legacy Special user ID, you can authorize other users to be provisioning administrators, or use the Resource Management task to create more domains and add default domain administrators.
Group name prefix for Cloud Provisioning user groups
Your installation must define a SAF group name prefix for the Cloud Provisioning groups. The prefix is prepended to the names of the groups that represent the various roles in Cloud Provisioning, such as provisioning administrators, domain administrators, and tenants, and it is used in the RACF commands that define those groups.
By default, the group name prefix is IYU. Your installation can select a different prefix by specifying it in the IZUPRMxx parmlib member; if you do, substitute that value for IYU in the examples in this topic. The prefix must be 1 to 3 characters long and can contain uppercase letters, digits, and the special characters $ and @.
Class activation for Cloud Provisioning
For a RACF® installation, the security class ZMFCLOUD must be active when you configure Cloud Provisioning. The RACF commands for activating the class (with generic profile checking activated) are included in the IZUPRSEC job. If your installation uses an external security manager other than RACF, ask your security administrator to create equivalent commands for your environment.
The ZMFCLOUD class requires the RACLIST option. Because the class is RACLISTed, the in-storage copy of its profiles is what is checked at run time: if you add or change ZMFCLOUD profiles or their access lists, you must refresh the ZMFCLOUD class for the changes to take effect.
Class | Purpose | RACF command for activating |
---|---|---|
ZMFCLOUD | Allow the user to use the z/OSMF core functions and tasks that are related to Cloud Provisioning. z/OSMF defines a resource name for each core function and task that is related to Cloud Provisioning. | Supplied in the IZUPRSEC job (SETROPTS, with generic profile checking and RACLIST for the class). |
Resource authorizations for security administrators
Users who perform security administration tasks should be members of the z/OSMF security administrator group (IZUSECAD, by default). This group requires an OMVS group ID (GID).
Resource authorizations for network administrators
Resource authorizations for WLM administrators
Resource authorizations for application developers
z/OSMF includes the Swagger interface, which allows application developers and other users to display formatted descriptions of the Cloud Provisioning REST APIs. To enable the use of Swagger at your installation, define the Swagger resources in your external security manager, and grant READ access to the appropriate users and groups.
- Define the allAuthenticatedUsers resource profile:

  ```
  RDEFINE EJBROLE IZUDFLT.com.ibm.ws.management.security.resource.allAuthenticatedUsers UACC(NONE)
  ```

  The profile includes the z/OSMF SAF profile prefix, which is IZUDFLT by default. Your installation can select a different SAF profile prefix for z/OSMF in the IZUPRMxx parmlib member.
- To give users and administrators access to Swagger, grant them READ access to the allAuthenticatedUsers resource profile:

  ```
  PERMIT IZUDFLT.com.ibm.ws.management.security.resource.allAuthenticatedUsers CLASS(EJBROLE) ID(IZUUSER IZUADMIN) ACCESS(READ)
  ```

  By default, the user and administrator groups for z/OSMF are IZUUSER and IZUADMIN.
- Create an administrator role for Swagger by defining the Administrator resource profile:

  ```
  RDEFINE EJBROLE IZUDFLT.com.ibm.ws.management.security.resource.Administrator UACC(NONE)
  ```

- Assign the administrator role to the z/OSMF administrator group, which is IZUADMIN by default:

  ```
  PERMIT IZUDFLT.com.ibm.ws.management.security.resource.Administrator CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)
  ```

If the EJBROLE class is RACLISTed at your installation, refresh it after these changes so that the new profiles and access lists take effect.
For more information about the Cloud Provisioning REST services, see IBM z/OS Management Facility Programming Guide.
Resource authorizations for the Cloud Provisioning user roles
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
DATASET | your_stack_include_dataset | TCP/IP stack started task ID | READ | Allows the TCP/IP stack to read the include data set when the stack is started. This definition applies only when your installation uses discrete or generic profiles to protect data set access. |
DATASET | your_stack_dynamic_update_dataset | TCP/IP stack started task ID | READ | Allows the TCP/IP stack to read the VARY OBEY data set that IBM Cloud Provisioning and Management uses to dynamically update the TCP/IP stack. This definition applies only when your installation uses discrete or generic profiles to protect data set access. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityProvisioning.izuUsers | Users of the Software Services and Resource Management tasks | READ | Allow the user to connect to the Software Services and Resource Management tasks. |
EJBROLE | <SAF-prefix>.com.ibm.ws.management.security.resource.Administrator | Swagger administrators (the z/OSMF administrators group, IZUADMIN, by default) | READ | Allow the user to act as administrator for the Swagger function in z/OSMF. |
EJBROLE | <SAF-prefix>.com.ibm.ws.management.security.resource.allAuthenticatedUsers | z/OSMF administrators group (IZUADMIN), plus any other groups granted READ in the Swagger setup (IZUUSER by default) | READ | Allow the user to use Swagger to display information about the z/OSMF REST APIs. For information about the REST services, see IBM z/OS Management Facility Programming Guide. |
ZMFAPLA | <SAF-prefix>.ZOSMF.IBM_CLOUDPORTAL.MARKETPLACE.CONSUMER | Consumers and domain administrators | READ | Allow the user to use the marketplace to provision and manage software services. |
ZMFAPLA | <SAF-prefix>.ZOSMF.IBM_CLOUDPORTAL.MARKETPLACE.ADMIN | Domain administrators | READ | Allow the user to control which services are published to the marketplace, and manage the services to which consumers have subscribed. |
ZMFAPLA | <SAF-prefix>.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT | Users of the Resource Management task | READ | Allow the user to access the Resource Management task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.PROVISIONING.SOFTWARE_SERVICES | Users of the Software Services task | READ | Allow the user to access the Software Services task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.VARIABLES.SYSTEM.ADMIN | z/OSMF administrators group (IZUADMIN) | READ | Allow the user to access the system variable definitions. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.EDITOR | Users of the Workflow Editor task | READ | Allow the user to access the Workflow Editor task in z/OSMF. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.WORKFLOWS | Users of the Workflows task | READ | Allow the user to access the Workflows task in z/OSMF. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.ENWRP | Users of the WLM Resource Pooling functions | READ | Allow the user to access the WLM Resource Pooling (WRP) functions of z/OSMF. Using a WRP definition, the user can associate cloud information (tenant name, domain ID, template type, service levels supported) with WLM elements (report classes and classification rules). |
ZMFCLOUD | <SAF-prefix>.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.tenantGroupID | Tenant group | READ | Allow the user to act as a tenant. |
ZMFCLOUD | <SAF-prefix>.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.domainGroupID | Domain group | READ | Allow the user to act as a domain administrator. |
ZMFCLOUD | <SAF-prefix>.ZOSMF.RESOURCE_POOL.NETWORK.domainGroupID | Resource pool network administration group | READ | Allow the user to act as a network resource pool administrator. |
ZMFCLOUD | <SAF-prefix>.ZOSMF.RESOURCE_POOL.WLM.domainGroupID | Resource pool WLM administration group | READ | Allow the user to act as a WLM resource pool administrator. |
ZMFCLOUD | <SAF-prefix>.ZOSMF.SECURITY.ADMIN | z/OSMF security administrators group (IZUSECAD) | READ | Allow the user to access the security administration resource. |
ZMFCLOUD | <SAF-prefix>.ZOSMF.TEMPLATE.APPROVERS.domainGroupID | Template approvers | READ | Allow the user to act as a cloud domain level template approver. |
ZMFCLOUD | <SAF-prefix>.ZOSMF.TEMPLATE.APPROVERS.domainGroupID.templateName | Template approvers | READ | Allow the user to approve the specified template. |
ZMFCLOUD | <SAF-prefix>.ZOSMF.TEMPLATE.INSTANCE.domainGroupID.templateInstanceName | Template instance owner | READ | Allow the user to access the specified template registry instance. |
Resource authorizations for the z/OSMF server user ID
Resource class | Resource name | Type of access required | Why |
---|---|---|---|
DATASET | your_stack_include_dataset | ALTER | Allows the Network Configuration Assistant task to write to the configured include data sets when a network resource is provisioned or deprovisioned. There is one include data set for each stack that is defined for IBM Cloud Provisioning and Management for z/OS. This definition applies only when your installation uses discrete or generic profiles to protect data set access. |
DATASET | your_stack_dynamic_update_dataset | ALTER | Allows the Network Configuration Assistant task to write to the configured dynamic update data sets when a network resource is provisioned or deprovisioned. There can be one dynamic update data set for each stack that is defined for IBM Cloud Provisioning and Management for z/OS. This definition applies only when your installation uses discrete or generic profiles to protect data set access. |
OPERCMDS | MVS.VARY.TCPIP.OBEYFILE | CONTROL | Allows the Network Configuration Assistant task to issue the VARY TCPIP OBEYFILE command for IBM Cloud Provisioning and Management for z/OS. This definition applies only when your installation uses the OPERCMDS class to restrict access to the VARY TCPIP OBEYFILE command. |
OPERCMDS | MVS.MCSOPER.ZCDPLM* | READ | Allows the Network Configuration Assistant task to issue various operator commands for IBM Cloud Provisioning and Management for z/OS through an extended MCS console. The console name is the text string ZCDPLM followed by the MVS SYSCLONE value of the system on which the z/OSMF instance runs; the generic profile MVS.MCSOPER.ZCDPLM* covers every such name, so generic profile checking must be active for the OPERCMDS class. |
OPERCMDS | MVS.DISPLAY.JOB | READ | Allows the Network Configuration Assistant task to issue the DISPLAY A operator command for IBM Cloud Provisioning and Management for z/OS. This definition applies only when your installation uses the OPERCMDS class to restrict access to the DISPLAY A operator command. |
OPERCMDS | MVS.DISPLAY.TCPIP | READ | Allows the Network Configuration Assistant task to issue the DISPLAY TCPIP operator command for IBM Cloud Provisioning and Management for z/OS. This definition applies only when your installation uses the OPERCMDS class to restrict access to the DISPLAY TCPIP operator command. |
OPERCMDS | MVS.DISPLAY.XCF | READ | Allows the Network Configuration Assistant task to issue the DISPLAY XCF operator command for IBM Cloud Provisioning and Management for z/OS. This definition applies only when your installation uses the OPERCMDS class to restrict access to the DISPLAY XCF operator command. |
OPERCMDS | MVS.ROUTE.CMD.sysname | READ | Allows the Network Configuration Assistant task to issue the ROUTE operator command for IBM Cloud Provisioning and Management for z/OS. This definition applies only if the installation uses this profile to restrict the use of the ROUTE command. |
SERVAUTH | EZB.NETWORKUTILS.CLOUD.mvsname | READ | Allows the Network Configuration Assistant task to issue operator commands for IBM Cloud Provisioning and Management for z/OS. mvsname is the name of the system where z/OSMF is running. |
SERVAUTH | EZB.NETSTAT.mvsname.tcpprocname.CONFIG | READ | Allows the Network Configuration Assistant task to issue the command NETSTAT CONFIG. This definition applies only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When it applies, the z/OSMF server user ID (IZUSVR) must be authorized for each stack that is defined for IBM Cloud Provisioning and Management for z/OS. |
SERVAUTH | EZB.NETSTAT.mvsname.tcpprocname.VIPADCFG | READ | Allows the Network Configuration Assistant task to issue the command NETSTAT VIPADCFG. This definition applies only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When it applies, the z/OSMF server user ID (IZUSVR) must be authorized for each stack that is defined for IBM Cloud Provisioning and Management for z/OS. |
SERVER | BBG.SECCLASS.ZMFCLOUD | READ | Allows the z/OSMF server to perform access checks in the ZMFCLOUD class. |
ZMFCLOUD | <SAF-prefix>.ZOSMF.RESOURCE_POOL.NETWORK.domainGroupID | READ | Allows the z/OSMF server to access the network administrator profile. |
ZMFCLOUD | <SAF-prefix>.ZOSMF.RESOURCE_POOL.WLM.domainGroupID | READ | Allows the z/OSMF server to access the WLM administrator profile. |
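The batch TSO job below is an added example, not from the page or the IZUPRSEC job, that grants the z/OSMF server user ID the authorizations in the table above for one system and one TCP/IP stack. The system name SYSA (used for mvsname and sysname), the stack procedure name TCPIP (used for tcpprocname and as the stack's started task user ID), the data set names TCPIP.CLOUD.INCLUDE and TCPIP.CLOUD.OBEY, the domain group IYUDOM01 and the job card are assumptions; IZUSVR and IZUDFLT are the default server user ID and SAF prefix. The RDEFINE commands assume the profiles do not exist yet; where your installation already protects these resources with generic profiles, permit those profiles instead, and issue the refresh only for classes that are RACLISTed at your installation.

```jcl
//IZUSVRCP JOB (ACCT),'CLOUD PROV',CLASS=A,MSGCLASS=H
//* Added example (not the page's IZUPRSEC job). Assumed names:
//*   IZUSVR    z/OSMF server user ID   IZUDFLT  z/OSMF SAF prefix
//*   SYSA      mvsname and sysname     TCPIP    tcpprocname / stack ID
//*   IYUDOM01  domain group
//*   TCPIP.CLOUD.INCLUDE and TCPIP.CLOUD.OBEY: the stack's include
//*   and dynamic update data sets (READ for the stack, ALTER for IZUSVR)
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Data sets the Network Configuration Assistant writes            */
 ADDSD 'TCPIP.CLOUD.INCLUDE' UACC(NONE)
 ADDSD 'TCPIP.CLOUD.OBEY' UACC(NONE)
 PERMIT 'TCPIP.CLOUD.INCLUDE' ID(IZUSVR) ACCESS(ALTER)
 PERMIT 'TCPIP.CLOUD.OBEY' ID(IZUSVR) ACCESS(ALTER)
 PERMIT 'TCPIP.CLOUD.INCLUDE' ID(TCPIP) ACCESS(READ)
 PERMIT 'TCPIP.CLOUD.OBEY' ID(TCPIP) ACCESS(READ)
 /* Operator commands (only where OPERCMDS restricts them)          */
 /* Note CONTROL, not READ, for the OBEYFILE command                */
 RDEFINE OPERCMDS MVS.VARY.TCPIP.OBEYFILE UACC(NONE)
 PERMIT MVS.VARY.TCPIP.OBEYFILE CLASS(OPERCMDS) ID(IZUSVR) -
   ACCESS(CONTROL)
 /* Generic: console name is ZCDPLM plus the SYSCLONE value         */
 RDEFINE OPERCMDS MVS.MCSOPER.ZCDPLM* UACC(NONE)
 PERMIT MVS.MCSOPER.ZCDPLM* CLASS(OPERCMDS) ID(IZUSVR) ACCESS(READ)
 PERMIT MVS.DISPLAY.JOB CLASS(OPERCMDS) ID(IZUSVR) ACCESS(READ)
 PERMIT MVS.DISPLAY.TCPIP CLASS(OPERCMDS) ID(IZUSVR) ACCESS(READ)
 PERMIT MVS.DISPLAY.XCF CLASS(OPERCMDS) ID(IZUSVR) ACCESS(READ)
 PERMIT MVS.ROUTE.CMD.SYSA CLASS(OPERCMDS) ID(IZUSVR) ACCESS(READ)
 /* TCP/IP network utilities and NETSTAT, one pair per stack        */
 RDEFINE SERVAUTH EZB.NETWORKUTILS.CLOUD.SYSA UACC(NONE)
 PERMIT EZB.NETWORKUTILS.CLOUD.SYSA CLASS(SERVAUTH) ID(IZUSVR) -
   ACCESS(READ)
 PERMIT EZB.NETSTAT.SYSA.TCPIP.CONFIG CLASS(SERVAUTH) ID(IZUSVR) -
   ACCESS(READ)
 PERMIT EZB.NETSTAT.SYSA.TCPIP.VIPADCFG CLASS(SERVAUTH) ID(IZUSVR) -
   ACCESS(READ)
 /* Lets the server perform its own access checks in ZMFCLOUD       */
 RDEFINE SERVER BBG.SECCLASS.ZMFCLOUD UACC(NONE)
 PERMIT BBG.SECCLASS.ZMFCLOUD CLASS(SERVER) ID(IZUSVR) ACCESS(READ)
 /* Per-domain resource pool profiles (defined with the domain)     */
 PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.NETWORK.IYUDOM01 CLASS(ZMFCLOUD) -
   ID(IZUSVR) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.RESOURCE_POOL.WLM.IYUDOM01 CLASS(ZMFCLOUD) -
   ID(IZUSVR) ACCESS(READ)
 /* Refresh the RACLISTed classes so the permits take effect        */
 SETROPTS RACLIST(OPERCMDS SERVAUTH SERVER ZMFCLOUD) REFRESH
 /* Verify the two permits most often missed                        */
 RLIST OPERCMDS MVS.VARY.TCPIP.OBEYFILE AUTHUSER
 RLIST SERVER BBG.SECCLASS.ZMFCLOUD AUTHUSER
/*
```

The SERVAUTH and DATASET permits are repeated for every additional stack, and the resource pool permits for every additional domain; the OPERCMDS and SERVER permits are granted once per system. Because MVS.VARY.TCPIP.OBEYFILE at CONTROL lets the server push arbitrary configuration into the stack, keep its access list to the server user ID only and review it with RLIST after any change.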