This section shows the RACF® commands you can use to set up security for the Printer Inventory for PSF.
- Define RACF groups for Infoprint Server administrators and operators:
  - Infoprint Server administrators can view and update the Printer Inventory. The suggested RACF group name for administrators is AOPADMIN. However, you can use any name. The group profile must have an OMVS segment and an OMVS group identifier (GID).
  - Infoprint Server operators can start and stop Infoprint Server. The suggested RACF group name for Infoprint Server operators is AOPOPER. However, you can use any name. The group profile must have an OMVS segment and a group identifier (GID).
Example: These RACF ADDGROUP commands define groups AOPADMIN and AOPOPER. For yy and zz, specify an integer between 00 and 2147483647 that is different from other GIDs in your installation:
ADDGROUP (AOPADMIN) OMVS(GID(yy))
ADDGROUP (AOPOPER) OMVS(GID(zz))
_______________________________________________________
- Activate the PRINTSRV class and, to improve performance, copy profiles in the PRINTSRV class into virtual storage. If you copy profiles into virtual storage, you must use the SETROPTS command to refresh the PRINTSRV class after you define new profiles or permit new users to profiles in the class.
Example: This RACF SETROPTS command activates the PRINTSRV class and copies profiles into virtual storage.
SETROPTS CLASSACT(PRINTSRV) RACLIST(PRINTSRV)
_______________________________________________________
- Define a resource profile to RACF named AOP.ADMINISTRATOR in the PRINTSRV class.
Example: This RACF RDEFINE command defines resource profile AOP.ADMINISTRATOR:
RDEFINE PRINTSRV (AOP.ADMINISTRATOR) UACC(NONE)
SETROPTS RACLIST(PRINTSRV) REFRESH
Guideline: If you want RACF to notify the security administrator (by a message) when a user tries to read or update the Printer Inventory and is not authorized, specify the NOTIFY parameter on the RDEFINE command. Otherwise, Infoprint Server suppresses RACF messages when it checks the AOP.ADMINISTRATOR profile.
_______________________________________________________
- Give the Infoprint Server administrator group UPDATE access to the AOP.ADMINISTRATOR profile. You can permit group AOPADMIN to the AOP.ADMINISTRATOR resource profile or you can permit each user separately.
Example: This RACF PERMIT command permits the AOPADMIN group to the AOP.ADMINISTRATOR profile in the PRINTSRV class:
PERMIT AOP.ADMINISTRATOR CLASS(PRINTSRV) ACCESS(UPDATE) ID(AOPADMIN)
SETROPTS RACLIST(PRINTSRV) REFRESH
_______________________________________________________
- Create a separate z/OS user ID to be associated with the Infoprint Server startup and shutdown procedures (AOPSTART and AOPSTOP). The user ID must be connected to the AOPOPER group. You can select any name for this user ID. For dd, specify an integer that is different from other UIDs in your installation.
Example: This ADDUSER RACF command creates user ID AOPSTC in default group AOPOPER:
ADDUSER AOPSTC OMVS(UID(dd) HOME('/tmp') PROGRAM('/bin/sh')) DFLTGRP(AOPOPER) NOPASSWORD
The NOPASSWORD operand defines the user ID as a protected user ID. Protected user IDs cannot log on to the z/OS system, and they cannot be revoked due to incorrect password attempts.
_______________________________________________________
- Make sure that all user IDs for Infoprint Server administrators and operators are defined as z/OS UNIX users. The user ID must have an OMVS segment, and the user's default group must have an OMVS segment with a group identifier (GID). You can specify any home directory including the default directory. If a user ID is not a z/OS® UNIX user, modify the user ID to add an OMVS segment and a default group that has an OMVS GID.
Example: This RACF ALTUSER command modifies an existing user ID. For userid, specify an existing user ID. For uu, specify an integer that is different from other UIDs in your installation. For group, specify AOPOPER, AOPADMIN, or another group that has an OMVS GID. The user ID must be connected to the default group.
ALTUSER userid OMVS(UID(uu) HOME('/tmp') PROGRAM('/bin/sh')) DFLTGRP(group)
_______________________________________________________
- Connect the Infoprint Server administrator user IDs to the AOPADMIN group.
Example: This RACF CONNECT command connects the user ID for an administrator to the AOPADMIN group:
CONNECT (userid) GROUP(AOPADMIN)
_______________________________________________________
- Define profiles for the Infoprint Server startup and shutdown procedures (AOPSTART and AOPSTOP) in the RACF STARTED class.
Example: These commands assign the AOPSTC user ID to the AOPSTART and AOPSTOP procedures.
RDEFINE STARTED AOPSTART.* STDATA(USER(AOPSTC) GROUP(AOPOPER))
RDEFINE STARTED AOPSTOP.* STDATA(USER(AOPSTC) GROUP(AOPOPER))
SETROPTS RACLIST(STARTED) REFRESH
Tip: You can instead use the started procedure table (ICHRIN03).
_______________________________________________________
- Give universal RACF access to the Infoprint Server ISPF data sets. This lets all users view the Infoprint Server ISPF panels.
Example: The RACF ADDGROUP command creates a group named AOP to own the data set resource profile. The RACF ADDSD command creates a generic data set resource profile that gives universal read access to data sets that start with AOP.SAOP:
ADDGROUP (AOP) SUPGROUP(SYS1) OWNER(SYS1)
ADDSD 'AOP.SAOP*' GENERIC OWNER(AOP) UACC(READ)
_______________________________________________________
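To confirm that the definitions in the steps above took effect, the following batch TSO job lists each one so it can be compared with what was intended. This is an added example, not part of the original documentation; the job card values are placeholders, and it assumes the suggested names AOPADMIN, AOPOPER, and AOPSTC were used.

```jcl
//AOPVRFY  JOB (ACCT),'VERIFY AOP RACF',CLASS=A,MSGCLASS=X
//* Added example: job name, accounting data, CLASS and MSGCLASS are
//* placeholders; replace them with your installation's values.
//* Assumes the suggested names AOPADMIN, AOPOPER and AOPSTC were used.
//*
//* What to look for in SYSTSPRT, in command order:
//*  1-2. LISTGRP:  each group has an OMVS segment with a GID.
//*  3.   LISTUSER: AOPSTC has default group AOPOPER, the PROTECTED
//*       attribute, and an OMVS segment with a UID.
//*  4.   SETROPTS LIST: PRINTSRV is listed among the active classes
//*       and among the RACLISTed classes.
//*  5.   RLIST PRINTSRV: universal access is NONE and AOPADMIN is in
//*       the access list with UPDATE.
//*  6-7. RLIST STARTED: both map to user AOPSTC, group AOPOPER.
//*  8.   LISTDSD: the generic profile has universal access READ.
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTGRP (AOPADMIN) OMVS
  LISTGRP (AOPOPER) OMVS
  LISTUSER (AOPSTC) OMVS
  SETROPTS LIST
  RLIST PRINTSRV AOP.ADMINISTRATOR AUTHUSER
  RLIST STARTED AOPSTART.* STDATA
  RLIST STARTED AOPSTOP.* STDATA
  LISTDSD DATASET('AOP.SAOP*') GENERIC ALL
/*
```

The submitting user ID needs enough RACF authority to list these profiles; an unexpected entry in the AOP.ADMINISTRATOR access list is the item most worth investigating, because UPDATE access there allows changes to the Printer Inventory.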