Granting clients and administrators access to the CIM server

The CIM server authenticates users with the z/OS Security Server to determine which users can log into it. Authentication is performed for every new connection (local or remote) before a user is granted access to the CIM server.

For the CIM server for z/OS, users log on over HTTP or HTTPS using basic authentication or certificate authentication. When logging on, users are authenticated using their z/OS user ID and password as defined, for example, in RACF®.

To access the CIM server, a user must at least be linked to a group with READ access to the RACF profile CIMSERV. To use any of the administrative command-line tools of the CIM server, as described in CIM server command-line utilities and console commands, the group requires CONTROL access to the CIMSERV profile instead.

For detailed information about the required access authorities, see the following table.

Table 1. Access types required for CIM operations
| CIM operation type | CIM operations | RACF access |
|---|---|---|
| Basic read | GetClass, EnumerateClasses, EnumerateClassNames, GetInstance, EnumerateInstance, EnumerateInstanceNames, GetProperty, GetQualifier, EnumerateQualifier | READ |
| Basic write | SetProperty | UPDATE |
| "Method" | ExecuteMethod | UPDATE |
| Schema Manipulation | CreateClass, ModifyClass, DeleteClass | CONTROL |
| Instance Manipulation | CreateInstance, ModifyInstance, DeleteInstance | UPDATE |
| Indication Subscription | CreateInstance, ModifyInstance, DeleteInstance | UPDATE |
| Association Traversal | Associators, AssociatorNames, References, ReferenceNames | READ |
| Query | ExecQuery | READ |
| Qualifier Declaration | SetQualifier, DeleteQualifier | CONTROL |
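
The table can be used to review CIMSERV grants for least privilege. The following sketch is an added example, not IBM code: it derives the lowest RACF access that covers the operations a group actually uses and compares it with what the group was granted. The group names MONGRP and SCHEMAGP, the `SAMPLE_GROUPS` data and all function names are assumptions constructed for illustration.

```python
# Added example (not IBM code): least-privilege review of CIMSERV grants.
# RACF access authorities in ascending order.
RACF_LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Table 1 of this page, keyed by operation name.
REQUIRED = {}
for _access, _ops in {
    "READ": "GetClass EnumerateClasses EnumerateClassNames GetInstance "
            "EnumerateInstance EnumerateInstanceNames GetProperty GetQualifier "
            "EnumerateQualifier Associators AssociatorNames References "
            "ReferenceNames ExecQuery",
    "UPDATE": "SetProperty ExecuteMethod CreateInstance ModifyInstance "
              "DeleteInstance",
    "CONTROL": "CreateClass ModifyClass DeleteClass SetQualifier DeleteQualifier",
}.items():
    REQUIRED.update({op: _access for op in _ops.split()})

def rank(level):
    return RACF_LEVELS.index(level)

def minimum_access(operations, uses_admin_cli=False):
    """Lowest CIMSERV access that covers every listed operation."""
    unknown = sorted(set(operations) - set(REQUIRED))
    if unknown:
        raise ValueError(f"operations not in Table 1: {unknown}")
    needed = ["READ"] + [REQUIRED[op] for op in operations]  # READ: floor to log on
    if uses_admin_cli:
        needed.append("CONTROL")  # administrative command-line tools
    return max(needed, key=rank)

def audit(groups):
    """Return (group, status, granted, needed, denied_operations) per mismatch."""
    findings = []
    for name, g in sorted(groups.items()):
        need = minimum_access(g["operations"], g.get("admin_cli", False))
        have = g["granted"]
        if rank(have) > rank(need):
            findings.append((name, "over-privileged", have, need, []))
        elif rank(have) < rank(need):
            denied = sorted(op for op in g["operations"]
                            if rank(REQUIRED[op]) > rank(have))
            findings.append((name, "insufficient", have, need, denied))
    return findings

# Constructed sample input: granted access and operations each group uses.
SAMPLE_GROUPS = {
    "CFZUSRGP": {"granted": "UPDATE", "operations": ["GetInstance", "ExecuteMethod"]},
    "MONGRP": {"granted": "CONTROL", "operations": ["EnumerateInstanceNames", "ExecQuery"]},
    "SCHEMAGP": {"granted": "UPDATE", "operations": ["GetClass", "CreateClass"]},
}
```

Calling `audit(SAMPLE_GROUPS)` reports MONGRP as over-privileged (CONTROL granted, READ sufficient) and SCHEMAGP as insufficient for CreateClass.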

The following example shows how to define UPDATE access for a client group called CFZUSRGP:

Example:

PERMIT CIMSERV CL(WBEM) ACCESS(UPDATE) ID(CFZUSRGP)
SETROPTS RACLIST(WBEM) REFRESH

In addition, the CIM server user ID must be defined as a surrogate of the client user ID (see Switching identity (surrogate)).

To enable a user to use the command line tools, set up the UNIX System Services environment as described in Customizing the UNIX System Services shell.