z/OS Infoprint Server Printer Inventory for PSF
SA38-0694-00

Steps for setting up security

This section shows the RACF® commands you can use to set up security for the Printer Inventory for PSF.

Tip: The sample CLIST in SYS1.SAMPLIB(AOPRACF) contains the RACF commands that are described in this section.

To set up security:

  1. Define RACF groups for Infoprint Server administrators and operators:
    • Infoprint Server administrators can view and update the Printer Inventory. The suggested RACF group name for administrators is AOPADMIN. However, you can use any name. The group profile must have an OMVS segment and an OMVS group identifier (GID).
    • Infoprint Server operators can start and stop Infoprint Server. The suggested RACF group name for Infoprint Server operators is AOPOPER. However, you can use any name. The group profile must have an OMVS segment and a group identifier (GID).

    Example: These RACF ADDGROUP commands define groups AOPADMIN and AOPOPER. For yy and zz, specify an integer between 00 and 2147483647 that is different from other GIDs in your installation:

    ADDGROUP (AOPADMIN) OMVS(GID(yy)) 
    ADDGROUP (AOPOPER) OMVS(GID(zz))  

    _______________________________________________________

  2. Activate the PRINTSRV class and, to improve performance, copy profiles in the PRINTSRV class into virtual storage. If you copy profiles into virtual storage, you must use the SETROPTS command to refresh the PRINTSRV class after you define new profiles or permit new users to profiles in the class.

    Example: This RACF SETROPTS command activates the PRINTSRV class and copies profiles into virtual storage.

    SETROPTS CLASSACT(PRINTSRV) RACLIST(PRINTSRV) 

    _______________________________________________________

  3. Define a resource profile to RACF named AOP.ADMINISTRATOR in the PRINTSRV class.

    Example: This RACF RDEFINE command defines resource profile AOP.ADMINISTRATOR:

    RDEFINE PRINTSRV (AOP.ADMINISTRATOR) UACC(NONE)
    SETROPTS RACLIST(PRINTSRV) REFRESH  

    Guideline: If you want RACF to notify the security administrator (by a message) when a user tries to read or update the Printer Inventory and is not authorized, specify the NOTIFY parameter on the RDEFINE command. Otherwise, Infoprint Server suppresses RACF messages when it checks the AOP.ADMINISTRATOR profile.

    _______________________________________________________

  4. Give the Infoprint Server administrator group UPDATE access to the AOP.ADMINISTRATOR profile.

    You can permit group AOPADMIN to the AOP.ADMINISTRATOR resource profile or you can permit each user separately.

    Example: This RACF PERMIT command permits the AOPADMIN group to the AOP.ADMINISTRATOR profile in the PRINTSRV class:

    PERMIT AOP.ADMINISTRATOR CLASS(PRINTSRV) ACCESS(UPDATE) ID(AOPADMIN)
    SETROPTS RACLIST(PRINTSRV) REFRESH  

    _______________________________________________________

  5. Create a separate z/OS user ID to be associated with the Infoprint Server startup and shutdown procedures (AOPSTART and AOPSTOP). The user ID must be connected to the AOPOPER group.

    You can select any name for this user ID. For dd, specify an integer that is different from other UIDs in your installation.

    Example: This ADDUSER RACF command creates user ID AOPSTC in default group AOPOPER:

    ADDUSER AOPSTC OMVS(UID(dd) HOME('/tmp')
       PROGRAM('/bin/sh')) DFLTGRP(AOPOPER) NOPASSWORD

    The NOPASSWORD operand defines the user ID as a protected user ID. Protected user IDs cannot log on to the z/OS system, and they cannot be revoked due to incorrect password attempts.

    _______________________________________________________

  6. Make sure that all user IDs for Infoprint Server administrators and operators are defined as z/OS UNIX users. The user ID must have an OMVS segment, and the user's default group must have an OMVS segment with a group identifier (GID). You can specify any home directory including the default directory. If a user ID is not a z/OS® UNIX user, modify the user ID to add an OMVS segment and a default group that has an OMVS GID.

    Example: This RACF ALTUSER command modifies an existing user ID. For userid, specify an existing user ID. For uu, specify an integer that is different from other UIDs in your installation. For group, specify AOPOPER, AOPADMIN, or another group that has an OMVS GID. The user ID must be connected to the default group.

    ALTUSER userid OMVS(UID(uu) HOME('/tmp')
       PROGRAM('/bin/sh')) DFLTGRP(group)

    _______________________________________________________

  7. Connect the Infoprint Server administrator user IDs to the AOPADMIN group.

    Example: This RACF CONNECT command connects the user ID for an administrator to the AOPADMIN group:

    CONNECT (userid) GROUP(AOPADMIN) 

    _______________________________________________________

  8. Define profiles for the Infoprint Server startup and shutdown procedures (AOPSTART and AOPSTOP) in the RACF STARTED class.

    Example: These commands assign the AOPSTC user ID to the AOPSTART and AOPSTOP procedures.

    RDEFINE STARTED AOPSTART.* STDATA(USER(AOPSTC) GROUP(AOPOPER))
    RDEFINE STARTED AOPSTOP.* STDATA(USER(AOPSTC) GROUP(AOPOPER))
    SETROPTS RACLIST(STARTED) REFRESH

    Tip: You can instead use the started procedure table (ICHRIN03).

    _______________________________________________________

  9. Give universal read access to the Infoprint Server ISPF data sets. This lets all users view the Infoprint Server ISPF panels.

    Example: The RACF ADDGROUP command creates a group named AOP to own the data set resource profile. The RACF ADDSD command creates a generic data set resource profile that gives universal read access to data sets that start with AOP.SAOP:

    ADDGROUP (AOP) SUPGROUP(SYS1) OWNER(SYS1)
    ADDSD 'AOP.SAOP*' GENERIC OWNER(AOP) UACC(READ) 

    _______________________________________________________
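The nine steps above as one command-deck generator, an added example that is not IBM's AOPRACF sample CLIST: it fills in the placeholders (yy, zz, dd, uu, userid) from installation values, rejects GIDs and UIDs that are out of range or already assigned, and emits the commands in dependency order. The RACF name rule, the sample values, and the choice of the administrator group as each administrator's default group are assumptions.

```python
import re

# Assumed RACF naming rule: 1-8 characters, first not a digit, from A-Z 0-9 @ # $.
_RACF_NAME = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")
MAX_ID = 2147483647  # upper bound the page gives for GID values

def _check_name(kind, name):
    if not _RACF_NAME.match(name):
        raise ValueError(f"{kind} {name!r} is not a valid RACF name")

def _check_ids(kind, ids, in_use):
    """Each id must be an integer in 0..MAX_ID and not used elsewhere."""
    seen = set(in_use)
    for i in ids:
        if not (isinstance(i, int) and 0 <= i <= MAX_ID):
            raise ValueError(f"{kind} {i!r} out of range 0..{MAX_ID}")
        if i in seen:
            raise ValueError(f"{kind} {i} is already assigned")
        seen.add(i)

def build_aop_racf_deck(admin_group, oper_group, admin_gid, oper_gid,
                        stc_user, stc_uid, admins, used_gids=(), used_uids=()):
    """Return the RACF commands of steps 1-9 with installation values filled in.
    admins maps administrator user ID -> UID; used_* are ids already taken."""
    for kind, name in (("group", admin_group), ("group", oper_group),
                       ("user", stc_user), *(("user", u) for u in admins)):
        _check_name(kind, name)
    _check_ids("GID", [admin_gid, oper_gid], used_gids)
    _check_ids("UID", [stc_uid, *admins.values()], used_uids)
    deck = [
        f"ADDGROUP ({admin_group}) OMVS(GID({admin_gid}))",          # step 1
        f"ADDGROUP ({oper_group}) OMVS(GID({oper_gid}))",
        "SETROPTS CLASSACT(PRINTSRV) RACLIST(PRINTSRV)",               # step 2
        "RDEFINE PRINTSRV (AOP.ADMINISTRATOR) UACC(NONE)",             # step 3
        f"PERMIT AOP.ADMINISTRATOR CLASS(PRINTSRV) ACCESS(UPDATE) ID({admin_group})",
        "SETROPTS RACLIST(PRINTSRV) REFRESH",                          # step 4
        f"ADDUSER {stc_user} OMVS(UID({stc_uid}) HOME('/tmp') PROGRAM('/bin/sh')) "
        f"DFLTGRP({oper_group}) NOPASSWORD",                           # step 5
    ]
    for user, uid in admins.items():
        # Step 6 requires the user to already be connected to its default
        # group, so the step 7 CONNECT is issued before the ALTUSER.
        deck.append(f"CONNECT ({user}) GROUP({admin_group})")
        deck.append(f"ALTUSER {user} OMVS(UID({uid}) HOME('/tmp') PROGRAM('/bin/sh')) "
                    f"DFLTGRP({admin_group})")
    deck += [
        f"RDEFINE STARTED AOPSTART.* STDATA(USER({stc_user}) GROUP({oper_group}))",
        f"RDEFINE STARTED AOPSTOP.* STDATA(USER({stc_user}) GROUP({oper_group}))",
        "SETROPTS RACLIST(STARTED) REFRESH",                           # step 8
        "ADDGROUP (AOP) SUPGROUP(SYS1) OWNER(SYS1)",                   # step 9
        "ADDSD 'AOP.SAOP*' GENERIC OWNER(AOP) UACC(READ)",
    ]
    return deck
```

Review the generated deck against your installation's existing GIDs and UIDs before submitting it; the generator only knows the ones you pass in used_gids and used_uids.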

Copyright IBM Corporation 1990, 2014