Defining a RACF class and profile for the CIM server

Access to the CIM server is controlled through RACF® class WBEM. Define a new class in RACF through the dynamic CDT feature of the z/OS Security Server as follows:

  1. To be able to build the dynamic class WBEM, activate the class descriptor table (CDT) using the following RACF command:
    SETROPTS CLASSACT(CDT) RACLIST(CDT)
  2. By adding a profile to the IBM® class named CDT, you can create a new class definition. This profile then represents a dynamic class. The segment CDTINFO is used to define the class attributes. You can define the dynamic class WBEM with the following RACF commands:
    RDEFINE CDT WBEM UACC(NONE) CDTINFO(
    	CASE(UPPER)
    	FIRST(ALPHA)
    	OTHER(ALPHA,NUMERIC)
    	MAXLENGTH(246)
    	MAXLENX(246)
    	KEYQUALIFIERS(0)
    	PROFILESALLOWED(YES)
    	POSIT(200)
    	DEFAULTRC(8)
    	DEFAULTUACC(NONE)
    	RACLIST(REQUIRED) )
    SETROPTS RACLIST(CDT) REFRESH

    The default values previously shown (except POSIT(200)) are expected by the CIM server; do not use different values as this can yield unpredictable results.

    You can ignore the warning message which is issued when adding class WBEM.

    For a more detailed description of how to create a new class within RACF dynamic CDT, see z/OS Security Server RACF Security Administrator's Guide.

  3. To activate the new class, issue:
    SETROPTS CLASSACT(WBEM) RACLIST(WBEM)
  4. After creating and activating the WBEM class, create the CIMSERV profile within this class. Profile CIMSERV is used to grant users access to the CIM server.

    The following example illustrates the RACF commands that are required to define a profile named CIMSERV in this class:

    RDEFINE WBEM CIMSERV
    SETROPTS CLASSACT(WBEM) RACLIST(WBEM) REFRESH
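
Step 2 states that every CDTINFO value except POSIT must match what the CIM server expects. The following Python check is an added example, not IBM code: it parses the text of an RDEFINE CDT WBEM command and reports each operand that differs from the values listed in step 2. The function names and the sample DRAFT command are constructed for illustration.

```python
import re

# Values from step 2 that the CIM server expects; POSIT is site-specific and excluded.
EXPECTED = {
    "CASE": "UPPER", "FIRST": "ALPHA",
    "OTHER": "ALPHA,NUMERIC", "MAXLENGTH": "246",
    "MAXLENX": "246", "KEYQUALIFIERS": "0",
    "PROFILESALLOWED": "YES", "DEFAULTRC": "8",
    "DEFAULTUACC": "NONE", "RACLIST": "REQUIRED",
}

def parse_cdtinfo(command):
    """Return {KEYWORD: value} for the operands inside CDTINFO( ... )."""
    text = " ".join(command.upper().split())
    start = text.find("CDTINFO(")
    if start < 0:
        raise ValueError("no CDTINFO segment in command")
    # Walk to the parenthesis that closes CDTINFO(, tracking nesting depth.
    depth, begin = 0, start + len("CDTINFO(")
    for i in range(begin - 1, len(text)):
        depth += (text[i] == "(") - (text[i] == ")")
        if depth == 0:
            body = text[begin:i]
            break
    else:
        raise ValueError("unbalanced parentheses in CDTINFO segment")
    ops = re.findall(r"([A-Z]+)\(\s*([^()]*?)\s*\)", body)
    # Normalize "ALPHA, NUMERIC" to "ALPHA,NUMERIC" before comparing.
    return {k: re.sub(r"\s*,\s*", ",", v) for k, v in ops}

def check_wbem_cdtinfo(command):
    """List deviations from the values the CIM server expects (POSIT ignored)."""
    got = parse_cdtinfo(command)
    problems = []
    for key, want in EXPECTED.items():
        if key not in got:
            problems.append(f"{key} missing (expected {want})")
        elif got[key] != want:
            problems.append(f"{key}({got[key]}) should be {key}({want})")
    return problems

# Constructed sample: a draft definition that drifts from the documented values.
DRAFT = """RDEFINE CDT WBEM UACC(NONE) CDTINFO( CASE(UPPER) FIRST(ALPHA)
  OTHER(ALPHA, NUMERIC) MAXLENGTH(246) MAXLENX(246) KEYQUALIFIERS(0)
  PROFILESALLOWED(YES) POSIT(301) DEFAULTRC(4) DEFAULTUACC(READ) )"""

if __name__ == "__main__":
    print("\n".join(check_wbem_cdtinfo(DRAFT)) or "CDTINFO matches step 2")
```

Running the check against a draft before issuing the command catches a permissive DEFAULTUACC or a lower DEFAULTRC, both of which would weaken the default-deny behaviour of the class.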