Sample RACF security setup job card
This sample JCL configures RACF security for Db2 DevOps Experience. Tokens of the form #name#, together with xxx, hlq, volser and password, are placeholders: replace them with values that reflect your environment before you submit the job, and review every command with your RACF administrator, because the job creates user IDs, activates classes and grants administrative authority.
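//JOBCARD
//*
//* Dynamic APF authorization of hlq.SDOELINK
//*
//* NOTE: SETPROG is an MVS operator (console) command, not a JCL
//* statement. The two SETPROG lines below are shown for reference
//* only and are not valid JCL as written; issue them from the
//* operator console (or through a JCL COMMAND statement) before
//* the DevOps server is started.
//*
//* Add the datasets to your PROGxx system parmlib member for
//* APF authorization to persist across IPLs.
//*
//* Before you change the format of the APF list to dynamic, contact the system
//* programmer to validate that all programs and vendor products are converted to
//* use dynamic APF services and that the proper program products are installed.
//* Once the list is dynamic it cannot be returned to static format without an IPL.
//*
//* Code in an APF-authorized library runs outside normal RACF controls:
//* restrict UPDATE/ALTER access to hlq.SDOELINK to the installer and
//* system programmer, and audit changes to it.
//*
//* For non-SMS managed datasets use the following syntax instead:
//* SETPROG APF,ADD,DSNAME=hlq.SDOELINK,VOL=volser
//*
//* The console command is entered as a single line (no continuation):
SETPROG APF,FORMAT=DYN
SETPROG APF,ADD,DSNAME=hlq.SDOELINK,SMS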
//*
//* STEP1 runs the RACF commands that follow in SYSTSIN under TSO/E in
//* batch (IKJEFT01); command output goes to SYSTSPRT.
//* The submitting user ID normally needs RACF SPECIAL (or group-SPECIAL
//* over the affected scope) to issue the SETROPTS, RDEFINE CDT,
//* ADDUSER, ADDGROUP and CONNECT commands below.
//*
//STEP1 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
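/* */
/* User IDs for started tasks */
/* */
/* #stcgroup# : group for started tasks */
/* #doestc# : STC user ID for the DOE server */
/* #dbauser# : Functional user ID used by DOE */
/* for certain provisioning and */
/* merge operations. Needs SYSADM auth. */
/* You need the user ID and password */
/* when completing the Setup wizard */
/* #grpowner# : Owner of groups for STCs */
/* */
/* Note: AUTOGID and AUTOUID require SHARED.IDS */
/* (class UNIXPRIV) and BPX.NEXT.USER (class */
/* FACILITY) to be implemented */
/* Note: HOME and OWNER are commented out for */
/* the user ID creation */
/* */
/* #doestc# is defined NOPASSWORD with no OIDCARD, */
/* which makes it a protected user ID: it cannot */
/* be used to log on with a password and cannot */
/* be revoked by failed password attempts. This */
/* is the intended setting for a started task ID. */
/* */
ADDGROUP #stcgroup# -
/* OWNER(#grpowner#) SUPGROUP(xxx) */ -
OMVS(AUTOGID)
ADDUSER (#doestc#) -
OMVS(AUTOUID -
/* HOME(xxx) */ -
PROGRAM(/bin/sh) ) -
NOPASSWORD -
/* OWNER(xxx) */ -
DFLTGRP(#stcgroup#)
/* */
/* PASSWORD is an ADDUSER operand, not an OMVS */
/* segment operand, so the OMVS( ) list must be */
/* closed before it. Replace password with a */
/* value that satisfies the password rules of */
/* your site; it is a privileged secret because */
/* this ID holds Db2 SYSADM. */
/* A password set by ADDUSER is marked expired: */
/* change it (for example by a TSO logon) before */
/* entering it in the Setup wizard. */
/* */
ADDUSER (#dbauser#) -
OMVS(AUTOUID -
/* HOME(xxx) */ -
PROGRAM(/bin/sh) ) -
PASSWORD(password) -
TSO( ACCTNUM(xxx) COMMAND(ISPF) -
PROC(xxx) SIZE(1024000) SYS(x) ) -
/* OWNER(xxx) */ -
DFLTGRP(#stcgroup#)
/* */
/* NOINTERVAL exempts #dbauser# from the site */
/* password-change interval (the password never */
/* expires). Confirm that a non-expiring password */
/* on a SYSADM ID is allowed by your security */
/* policy; otherwise omit NOINTERVAL and rotate */
/* the password and the stored server credential */
/* together. */
/* */
PASSWORD USER(#dbauser#) NOINTERVAL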
/* */
/* Activate required classes */
/* FACILITY and STARTED are activated and RACLISTed */
/* in a single SETROPTS. GENERIC(STARTED) allows */
/* the generic DOESRV.* profile used further down. */
/* */
SETROPTS CLASSACT(FACILITY STARTED) -
RACLIST(FACILITY STARTED) -
GENERIC(STARTED)
/* */
/* DevOps server started task */
/* There is currently no sample JCL procedure */
/* supplied for the DevOps server started task. */
/* The RACF commands below assume you create */
/* a JCL proc named DOESRV. */
/* */
/* The generic profile DOESRV.* assigns user */
/* #doestc# and group #stcgroup# to any started */
/* task that runs proc DOESRV, whatever its job */
/* name. TRUSTED(NO) means the server gets no */
/* bypass of RACF access checking: keep it NO and */
/* do not add PRIVILEGED(YES). */
/* */
RDEFINE STARTED DOESRV.* UACC(NONE) -
STDATA(USER(#doestc#) GROUP(#stcgroup#) TRUSTED(NO))
/* */
/* Refresh the RACLISTed FACILITY and STARTED */
/* classes so the new profile takes effect */
/* */
SETROPTS RACLIST(FACILITY STARTED) REFRESH
/* */
/* Define the RACF class that will contain all */
/* administration profiles. */
/* The default class name is ZOWE */
/* */
/* POSIT(607) must not already be in use by */
/* another class unless ZOWE is meant to share */
/* that class SETROPTS settings (CLASSACT, */
/* GENERIC, ...). Check RLIST CDT * CDTINFO first. */
/* RACLIST(DISALLOWED) means ZOWE profiles cannot */
/* be RACLISTed in storage; they are read from */
/* the RACF database, so no SETROPTS RACLIST */
/* REFRESH is needed (or possible) for ZOWE. */
/* */
SETROPTS RACLIST(CDT)
RDEFINE CDT ZOWE UACC(NONE) -
CDTINFO(DEFAULTUACC(NONE) -
POSIT(607) -
MAXLENGTH(246) -
FIRST(ALPHA) -
OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) -
RACLIST(DISALLOWED))
SETROPTS RACLIST(CDT) REFRESH
SETROPTS CLASSACT(ZOWE)
/* */
/* Create groups for Db2 DevOps Experience */
/* Replace #doeusergrp# and #doeadmingrp# with */
/* group names of your choice, and #OWNER# with */
/* the user ID or group that is to own them. */
/* No SUPGROUP is specified, so each group is */
/* created under the default superior group, */
/* the current connect group of the issuing ID; */
/* add SUPGROUP(...) if you need a specific one. */
/* */
ADDGROUP #doeusergrp# OWNER(#OWNER#)
ADDGROUP #doeadmingrp# OWNER(#OWNER#)
/* */
/* Authorizations needed for DevOps Experience */
/* administrators */
/* - connected to DevOps Experience user group */
/* - connected to DevOps Experience admin group */
/* - connected to z/OSMF admin group */
/* - class authorization for ZOWE */
/* - permit read to OMVSAPPL in class APPL if */
/* defined */
/* */
/* Replace adminuser with each administrator ID. */
/* The SPECIAL operand on the first CONNECT grants */
/* group-SPECIAL authority over #doeadmingrp#, */
/* i.e. RACF administrative authority over every */
/* profile in that group scope, not only group */
/* membership. Confirm this scope is intended */
/* before granting it. */
/* CLAUTH(ZOWE) lets the administrator define */
/* profiles in the ZOWE class with RDEFINE. */
/* */
CONNECT adminuser GROUP(#doeadmingrp#) SPECIAL
CONNECT adminuser GROUP(#doeusergrp#)
CONNECT adminuser GROUP(IZUADMIN)
ALU (adminuser) CLAUTH(ZOWE)
/* PERMIT OMVSAPPL CLASS(APPL) -
ID(adminuser) ACCESS(READ) */
/* */
/* Authorizations needed for DevOps Experience */
/* team administrators and developers */
/* - connected to DevOps Experience user group */
/* - connected to z/OSMF user group */
/* - permit read to OMVSAPPL in class APPL if */
/* defined */
/* */
/* Replace developer with each developer ID, or */
/* connect an existing RACF group of developers. */
/* Developers get no SPECIAL and no CLAUTH: they */
/* use the ZOWE profiles the administrators */
/* define, but cannot create them. */
/* */
CONNECT developer GROUP(#doeusergrp#)
CONNECT developer GROUP(IZUUSER)
/* PERMIT OMVSAPPL CLASS(APPL) -
ID(developer) ACCESS(READ) */
/* */
/* Authorizations needed for DevOps Experience */
/* functional user id */
/* - must hold SYSADM or equivalent Db2 auth */
/* - connected to z/OSMF user group */
/* - permit read to OMVSAPPL in class APPL if */
/* defined */
/* */
/* The Db2 SYSADM authority is NOT granted by */
/* this job; it must be given in Db2 by the Db2 */
/* administrator. Because #dbauser# will hold */
/* SYSADM, keep its membership minimal: only */
/* IZUUSER is connected here. */
/* */
CONNECT #dbauser# GROUP(IZUUSER)
/* PERMIT OMVSAPPL CLASS(APPL) -
ID(#dbauser#) ACCESS(READ) */