Summary of security requirements for the Cloud Provisioning tasks

This topic describes the resources that must be defined, and the groups that must be permitted to the resources.

Select the Legacy Special user ID

During configuration, you select a user ID to use for authorizing groups to the domain. This user ID, which is referred to as the Legacy Special user ID, requires RACF SPECIAL authority. It must also be connected to the z/OSMF security group for z/OSMF security administrators (IZUSECAD, by default). Typically, this user is a security administrator.

The Legacy Special user is the first provisioning administrator to be defined for your configuration. After Cloud Provisioning is configured, remember the Legacy Special user ID and keep it active for future operations. For example, with the Legacy Special user ID, you can authorize other users to be provisioning administrators, or use the Resource Management task to create more domains and add default domain administrators.

Group name prefix for Cloud Provisioning user groups

Your installation must define a SAF group name to be used for Cloud Provisioning groups. The group name is prepended to the names of the groups that represent the various roles in Cloud Provisioning, such as provisioning administrators, domain administrators, and tenants. The group name prefix is used in the RACF commands for defining groups.

By default, the value IYU is the group name prefix for Cloud Provisioning groups. Your installation can select a different SAF group prefix. To do so, specify the value in the IZUPRMxx parmlib member.

Your installation can select a different group name prefix for user groups. If so, substitute that value in the examples. If you plan to use a different value, ensure that it is 1 to 3 characters long and consists of uppercase alphanumeric characters or the special characters $ and @.

Class activation for Cloud Provisioning

For a RACF® installation, the security class ZMFCLOUD must be active when you configure Cloud Provisioning. The RACF commands for activating the class (with generic profile checking activated) are included in the IZUPRSEC job. If your installation uses an external security manager other than RACF, ask your security administrator to create equivalent commands for your environment.

The ZMFCLOUD class requires the RACLIST option. If you change the profiles, you must refresh the ZMFCLOUD class to have the changes take effect.

Table 1 describes the class activation for Cloud Provisioning.

Table 1. Class activation for Cloud Provisioning

Class: ZMFCLOUD
Purpose: Allow the user to use the z/OSMF core functions and tasks that are related to Cloud Provisioning. z/OSMF defines a resource name for each core function and task that is related to Cloud Provisioning.
RACF command for activating:
    SETROPTS CLASSACT(ZMFCLOUD) GENERIC(ZMFCLOUD) +
    RACLIST(ZMFCLOUD)

Resource authorizations for security administrators

Users who perform security administration tasks should be members of the z/OSMF security administrator group (IZUSECAD, by default). This group requires an OMVS group ID (GID).

Security administrators require access to the system resources that are used by the Cloud Provisioning tasks. For more information, see Table 2.

Resource authorizations for network administrators

Network administrators require access to the Network Configuration Assistant task, and to system resources that are used by the Network Configuration Assistant task. For more information, see Table 2.

Resource authorizations for WLM administrators

WLM administrators require access to resources, such as those that are protected by the profile MVSADMIN.WLM.POLICY. For more information, see the topic about updating z/OS for the Workload Management plug-in in IBM z/OS Management Facility Configuration Guide and Table 2.

Resource authorizations for application developers

z/OSMF includes the Swagger interface, which allows application developers and other users to display format descriptions of the Cloud Provisioning REST APIs. To enable the use of Swagger at your installation, define the Swagger resources in your external security manager, and grant READ access to the appropriate users and groups.

On a system with RACF as the security manager, you can use the following commands:
  1. Define the allAuthenticatedUsers resource profile:
    RDEFINE EJBROLE IZUDFLT.com.ibm.ws.management.security.resource.allAuthenticatedUsers UACC(NONE)

    The profile includes the z/OSMF SAF profile prefix, which is IZUDFLT, by default. Your installation can select a different SAF profile prefix for z/OSMF in the IZUPRMxx parmlib member.

  2. To give users and administrators access to Swagger, grant them READ access to the allAuthenticatedUsers resource profile:
    PERMIT IZUDFLT.com.ibm.ws.management.security.resource.allAuthenticatedUsers CLASS(EJBROLE) ID(IZUUSER IZUADMIN) ACCESS(READ)

    By default, the user and administrator groups for z/OSMF are IZUUSER and IZUADMIN.

  3. Create an administrator role for Swagger by defining the Administrator resource profile:
    RDEFINE EJBROLE IZUDFLT.com.ibm.ws.management.security.resource.Administrator UACC(NONE)

  4. Assign the administrator role to the z/OSMF administrator group, which is IZUADMIN by default:
    PERMIT IZUDFLT.com.ibm.ws.management.security.resource.Administrator CLASS(EJBROLE) ID(IZUADMIN) ACCESS(READ)

For more information about the Cloud Provisioning REST services, see IBM z/OS Management Facility Programming Guide.

Resource authorizations for the Cloud Provisioning user roles

Table 2 describes the authorization requirements for the common user roles in Cloud Provisioning. The IZUPRSEC job includes sample RACF commands for creating these authorizations on your system. A procedure for creating these authorizations manually is shown in Steps for setting up security.

Table 2. Security setup requirements for Cloud Provisioning user roles

Resource class: DATASET
Resource name: your_stack_include_dataset
Who needs access: TCP/IP stack started task ID
Access required: READ
Why: Allows the TCP/IP stack to read the include data set when the TCP/IP stack is started. This definition is applicable only when your installation uses discrete or generic profiles to protect data set access.

Resource class: DATASET
Resource name: your_stack_dynamic_update_dataset
Who needs access: TCP/IP stack started task ID
Access required: READ
Why: Allows the TCP/IP stack to read the VARY OBEY data set that IBM Cloud Provisioning and Management uses to dynamically update the TCP/IP stack. This definition is applicable only when your installation uses discrete or generic profiles to protect data set access.

Resource class: EJBROLE
Resource name: <SAF-prefix>.IzuManagementFacilityProvisioning.izuUsers
Who needs access:
  • z/OSMF users group (IZUUSER)
  • z/OSMF administrators group (IZUADMIN)
Access required: READ
Why: Allow the user to connect to the Software Services and Resource Management tasks.

Resource class: EJBROLE
Resource name: <SAF-prefix>.com.ibm.ws.management.security.resource.Administrator
Who needs access:
  • z/OSMF users group (IZUUSER)
  • z/OSMF administrators group (IZUADMIN)
Access required: READ
Why: Allow the user to act as administrator for the Swagger function in z/OSMF.

Resource class: EJBROLE
Resource name: <SAF-prefix>.com.ibm.ws.management.security.resource.allAuthenticatedUsers
Who needs access: z/OSMF administrators group (IZUADMIN)
Access required: READ
Why: Allow the user to use Swagger to display information about the z/OSMF REST APIs. For information about the REST services, see IBM z/OS Management Facility Programming Guide.

Resource class: ZMFAPLA
Resource name: <SAF-prefix>.ZOSMF.IBM_CLOUDPORTAL.MARKETPLACE.CONSUMER
Who needs access: Consumers and domain administrators
Access required: READ
Why: Allow the user to use the marketplace to provision and manage software services.

Resource class: ZMFAPLA
Resource name: <SAF-prefix>.ZOSMF.IBM_CLOUDPORTAL.MARKETPLACE.ADMIN
Who needs access: Domain administrators
Access required: READ
Why: Allow the user to control which services are published to the marketplace, and manage the services to which consumers have subscribed.

Resource class: ZMFAPLA
Resource name: <SAF-prefix>.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT
Who needs access:
  • Provisioning administrator group
  • Domain group
  • Resource pool network administrator group
  • Resource pool WLM administration group
  • z/OSMF security administrators group (IZUSECAD)
Access required: READ
Why: Allow the user to access the Resource Management task.

Resource class: ZMFAPLA
Resource name: <SAF-prefix>.ZOSMF.PROVISIONING.SOFTWARE_SERVICES
Who needs access:
  • Provisioning administrator group
  • Domain group
  • Tenant group
  • Resource pool network administrator group
  • Resource pool WLM administration group
  • z/OSMF security administrators group (IZUSECAD)
  • Consumers and domain administrators
Access required: READ
Why: Allow the user to access the Software Services task.

Resource class: ZMFAPLA
Resource name: <SAF-prefix>.ZOSMF.VARIABLES.SYSTEM.ADMIN
Who needs access: z/OSMF administrators group (IZUADMIN)
Access required: READ
Why: Allow the user to access the system variable definitions.

Resource class: ZMFAPLA
Resource name: <SAF-prefix>.ZOSMF.WORKFLOW.EDITOR
Who needs access:
  • Provisioning administrator group
  • Domain group
  • Tenant group
  • z/OSMF users group (IZUUSER)
  • z/OSMF administrators group (IZUADMIN)
Access required: READ
Why: Allow the user to access the Workflow Editor task in z/OSMF.

Resource class: ZMFAPLA
Resource name: <SAF-prefix>.ZOSMF.WORKFLOW.WORKFLOWS
Who needs access:
  • Provisioning administrator group
  • Domain group
  • Tenant group
  • z/OSMF users group (IZUUSER)
  • z/OSMF administrators group (IZUADMIN)
Access required: READ
Why: Allow the user to access the Workflows task in z/OSMF.

Resource class: ZMFAPLA
Resource name: <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.ENWRP
Who needs access:
  • z/OSMF administrators group (IZUADMIN)
  • WLM resource pool administration group
Access required: READ
Why: Allow the user to access the WLM Resource Pooling (WRP) functions of z/OSMF. Using a WRP definition, the user can associate cloud information (tenant name, domain ID, template type, service levels supported) with WLM elements (report classes and classification rules).

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.tenantGroupID
Who needs access: Tenant group
Access required: READ
Why: Allow the user to act as a tenant.

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.domainGroupID
Who needs access: Domain group
Access required: READ
Why: Allow the user to act as a domain administrator.

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.RESOURCE_POOL.NETWORK.domainGroupID
Who needs access: Resource pool network administration group
Access required: READ
Why: Allow the user to act as a network resource pool administrator.

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.RESOURCE_POOL.WLM.domainGroupID
Who needs access: Resource pool WLM administration group
Access required: READ
Why: Allow the user to act as a WLM resource pool administrator.

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.SECURITY.ADMIN
Who needs access: z/OSMF security administrators group (IZUSECAD)
Access required: READ
Why: Allow the user to access the security administration resource.

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.TEMPLATE.APPROVERS.domainGroupID
Who needs access: Template approvers
Access required: READ
Why: Allow the user to act as a cloud domain level template approver.

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.TEMPLATE.APPROVERS.domainGroupID.templateName
Who needs access: Template approvers
Access required: READ
Why: Allow the user to approve the specified template.

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.TEMPLATE.INSTANCE.domainGroupID.templateInstanceName
Who needs access: Template instance owner
Access required: READ
Why: Allow the user to access the specified template registry instance.

Resource authorizations for the z/OSMF server user ID

Table 3 describes the Cloud Provisioning authorizations that you must create for the z/OSMF server. By default, the server user ID is IZUSVR1. However, your installation might have selected a different user ID for the server during z/OSMF configuration. The IZUPRSEC job includes sample RACF commands for creating these authorizations on your system.

Table 3. Authorizations required for the z/OSMF server user ID

Resource class: DATASET
Resource name: your_stack_include_dataset
Access required: ALTER
Why: Allows the Network Configuration Assistant task to write to the configured include data sets when a network resource is provisioned or deprovisioned. There is one include data set for each stack that is defined for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses discrete or generic profiles to protect data set access.

Resource class: DATASET
Resource name: your_stack_dynamic_update_dataset
Access required: ALTER
Why: Allows the Network Configuration Assistant task to write to the configured dynamic update data sets when a network resource is provisioned or deprovisioned. There can be one dynamic update data set for each stack that is defined for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses a discrete or generic profile to protect data set access.

Resource class: OPERCMDS
Resource name: MVS.VARY.TCPIP.OBEYFILE
Access required: CONTROL
Why: Allows the Network Configuration Assistant task to issue the VARY TCPIP OBEYFILE command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses the OPERCMDS class to restrict access to the VARY TCPIP OBEYFILE command.

Resource class: OPERCMDS
Resource name: MVS.MCSOPER.ZCDPLM*
Access required: READ
Why: Allows the Network Configuration Assistant task to issue various operator commands for IBM Cloud Provisioning and Management for z/OS. The console name for this extended MCS console is the text string ZCDPLM followed by the MVS SYSCLONE value of the system on which the z/OSMF instance runs.

Resource class: OPERCMDS
Resource name: MVS.DISPLAY.JOB
Access required: READ
Why: Allows the Network Configuration Assistant task to issue the DISPLAY A operator command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses the OPERCMDS class to restrict access to the DISPLAY A operator command.

Resource class: OPERCMDS
Resource name: MVS.DISPLAY.TCPIP
Access required: READ
Why: Allows the Network Configuration Assistant task to issue the DISPLAY TCPIP operator command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses the OPERCMDS class to restrict access to the DISPLAY TCPIP operator command.

Resource class: OPERCMDS
Resource name: MVS.DISPLAY.XCF
Access required: READ
Why: Allows the Network Configuration Assistant task to issue the DISPLAY XCF operator command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses the OPERCMDS class to restrict access to the DISPLAY XCF operator command.

Resource class: OPERCMDS
Resource name: MVS.ROUTE.CMD.sysname
Access required: READ
Why: Allows the Network Configuration Assistant task to issue the ROUTE operator command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only if the installation uses this profile to restrict the use of the ROUTE command.

Resource class: SERVAUTH
Resource name: EZB.NETWORKUTILS.CLOUD.mvsname
Access required: READ
Why: Allows the Network Configuration Assistant task to issue operator commands for IBM Cloud Provisioning and Management for z/OS. mvsname is the name of the system where z/OSMF is running.

Resource class: SERVAUTH
Resource name: EZB.NETSTAT.mvsname.tcpprocname.CONFIG
Access required: READ
Why: Allows the Network Configuration Assistant task to issue the command NETSTAT CONFIG. This definition is applicable only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When this definition is applicable, IZUSVR must be authorized for each stack that is defined for IBM Cloud Provisioning and Management for z/OS.

Resource class: SERVAUTH
Resource name: EZB.NETSTAT.mvsname.tcpprocname.VIPADCFG
Access required: READ
Why: Allows the Network Configuration Assistant task to issue the command NETSTAT VIPADCFG. This definition is applicable only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When this definition is applicable, IZUSVR must be authorized for each stack that is defined for IBM Cloud Provisioning and Management for z/OS.

Resource class: SERVER
Resource name: BBG.SECCLASS.ZMFCLOUD
Access required: READ
Why: Allows the z/OSMF server to perform access checks in the ZMFCLOUD class.

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.RESOURCE_POOL.NETWORK.domainGroupID
Access required: READ
Why: Allows the z/OSMF server to access the network administrator profile.

Resource class: ZMFCLOUD
Resource name: <SAF-prefix>.ZOSMF.RESOURCE_POOL.WLM.domainGroupID
Access required: READ
Why: Allows the z/OSMF server to access the WLM administrator profile.
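The following script is an added illustration, not part of this topic or of the IZUPRSEC job: it checks a group name prefix against the rule given above and emits the RACF commands for the Swagger EJBROLE profiles (steps 1 to 4) and for the per-domain ZMFCLOUD profiles of Tables 2 and 3, ending with the RACLIST refresh that the ZMFCLOUD class requires. The SAF prefix, group names and server user ID default to the values named on this page (IZUDFLT, IZUUSER, IZUADMIN, IZUSVR1); the domain, tenant and resource pool group names passed in by the caller are constructed samples.

```python
"""Added example (not the IZUPRSEC job): emit the RACF commands that implement the
Swagger steps and the ZMFCLOUD rows of Tables 2 and 3 for one cloud domain.
Group names passed by the caller are constructed samples, not names from the page."""
import re

# Group name prefix rule stated on this page: 1-3 uppercase alphanumerics, $ or @.
_GROUP_PREFIX = re.compile(r"[A-Z0-9$@]{1,3}")


def valid_group_prefix(prefix: str) -> bool:
    """True if prefix (default IYU) satisfies the page's naming rule."""
    return _GROUP_PREFIX.fullmatch(prefix) is not None


def swagger_commands(saf_prefix="IZUDFLT", users="IZUUSER", admins="IZUADMIN"):
    """EJBROLE profiles for the Swagger interface (steps 1-4 above)."""
    base = f"{saf_prefix}.com.ibm.ws.management.security.resource"
    return [
        f"RDEFINE EJBROLE {base}.allAuthenticatedUsers UACC(NONE)",
        f"PERMIT {base}.allAuthenticatedUsers CLASS(EJBROLE) ID({users} {admins}) ACCESS(READ)",
        f"RDEFINE EJBROLE {base}.Administrator UACC(NONE)",
        f"PERMIT {base}.Administrator CLASS(EJBROLE) ID({admins}) ACCESS(READ)",
    ]


def domain_commands(domain_group, tenant_group, net_group, wlm_group,
                    saf_prefix="IZUDFLT", server_id="IZUSVR1"):
    """ZMFCLOUD profiles for one domain (Table 2) plus the server user ID's READ
    access to the resource pool profiles (Table 3). UACC(NONE) keeps each profile
    on a permit-list basis; the RACLIST refresh at the end makes the change
    take effect, as the page requires for ZMFCLOUD."""
    p = f"{saf_prefix}.ZOSMF"
    grants = [
        (f"{p}.PROVISIONING.RESOURCE_MANAGEMENT.{domain_group}", [domain_group]),
        (f"{p}.PROVISIONING.RESOURCE_MANAGEMENT.{tenant_group}", [tenant_group]),
        (f"{p}.RESOURCE_POOL.NETWORK.{domain_group}", [net_group, server_id]),
        (f"{p}.RESOURCE_POOL.WLM.{domain_group}", [wlm_group, server_id]),
    ]
    cmds = []
    for profile, ids in grants:
        cmds.append(f"RDEFINE ZMFCLOUD {profile} UACC(NONE)")
        cmds.append(f"PERMIT {profile} CLASS(ZMFCLOUD) ID({' '.join(ids)}) ACCESS(READ)")
    cmds.append("SETROPTS RACLIST(ZMFCLOUD) REFRESH")
    return cmds


if __name__ == "__main__":
    assert valid_group_prefix("IYU")
    print("\n".join(swagger_commands() + domain_commands("IYUDOM1", "IYUTEN1", "IYUNET1", "IYUWLM1")))
```

Review the generated commands against your installation's actual group names and SAF prefix before submitting them; if an external security manager other than RACF is in use, the equivalent commands must be written for that product.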