To deploy applications to an IBM® z/OS® environment,
the user accounts on the agent computer must have adequate access
permissions. You must also identify specific directories and data
sets to the authorized program facility, and configure access to files
where tokens are stored.
Agent user accounts
If you run the agent from a UNIX command line, the agent user account is the account that you use to log on to the UNIX shell. If you run the agent as a started task, the agent user account is assigned by the Resource Access Control Facility (RACF®) by using the started procedures table (ICHRIN03) or the STARTED class. To learn more about RACF, see the z/OS Security Server RACF System Programmer's Guide, SA23-2287-00.
The agent user account must have the following permissions:
- Access to the Time Sharing Option (TSO) and Interactive System
Productivity Facility (ISPF) environments.
- The ability to create temporary data sets. The prefix of the data
set name must either be the data set prefix that is stored in the
TSO profile, or the user ID.
- Sufficient virtual memory to run Java™ in the OMVS address space. The amount of memory that is required can vary based on which plug-ins are used in deployment processes. The following list includes typical values for RACF configuration parameters that specify virtual memory:
  - ASSIZEMAX= 2147483647
  - FILEPROCMAX= 00524287
  - PROCUSERMAX= 00032767
  - THREADSMAX= 00100000
- Sufficient virtual storage limits, if the agent is running as
a started task. To set the virtual storage limits, specify the REGION=0M parameter
in the EXEC PGM=BPXBATCH statement.
The agent user account must have access to the following UNIX directories and files, and MVS™ data sets.
Table 1. Agent user account permissions

| Directories, files, and data sets | Required access permissions |
| --- | --- |
| The /tmp directory or the agent/var/temp directory | RW |
| The agent/var/work directory | RW |
| The directory where version artifacts are stored | R |
| The directory where backup data and deployment results are stored | RW |
| The directory where ISPF gateway log files are stored | RW |
| The HLQ.SBUZAUTH, HLQ.SBUZEXEC, HLQ.SBUZMENU, and HLQ.SBUZSAMP data sets | R |
| The PROFILE data set | R |

The access permissions are set up when you install the agent.
If you use a different user account to run the agent, the access permissions
must be set correctly for that account.
The directories and
data sets are specified when you install the agent. The agent/conf/toolkit/installed.properties file
contains the locations of the directories and data sets.
Deployment tools user accounts
You run the z/OS deployment
tools to create and deploy component versions. Typically, the user
account that runs the deployment tools is different from the user
account that runs the IBM UrbanCode™ Deploy agent.
The user account that runs the deployment tools must have the following
permissions:
- Access to the Time Sharing Option (TSO) and Interactive System
Productivity Facility (ISPF) environments
- Sufficient virtual memory to run Java in the OMVS address space. A minimum of 200 MB of virtual memory is required. The following list includes typical values for RACF configuration parameters that specify virtual memory:
  - ASSIZEMAX= 2147483647
  - FILEPROCMAX= 00524287
  - PROCUSERMAX= 00032767
  - THREADSMAX= 00100000
The user account that runs the deployment tools must have access to the following UNIX directories and files, and MVS data sets.
Table 2. Deployment tools user account permissions

| Directories, files, and data sets | Required access permissions |
| --- | --- |
| The directory where version artifacts are stored | RW |
| The directory where ISPF gateway log files are stored | RW |
| The HLQ.SBUZAUTH, HLQ.SBUZEXEC, HLQ.SBUZMENU, and HLQ.SBUZSAMP data sets | R |
| The PROFILE data set | R |

Authorized program facility
The following
directories and data sets must be authorized by the authorized program
facility (APF).
Table 3. APF-authorized directories and data sets

| Directories and data sets | Required access permissions |
| --- | --- |
| The HLQ.SBUZAUTH data set | The load module BUZJMON must be APF-authorized. |
| agent/bin/checkaccess | The extended attributes must be set so that the checkaccess utility is APF-authorized. To set the extended attributes, type extattr +a at a command prompt. |

Tokens
The deployment tools use tokens to
connect to the IBM UrbanCode Deploy server.
Tokens are stored in the PROFILE data set. Configure the PROFILE data
set so that only authorized users have access. To learn more about
tokens, see Tokens.
Tokens are also written to the agent/conf/toolkit/installed.properties file.
Restrict access to this file, or remove the token from the file. If
you remove the token from the file, you must enter the token again
when you upgrade the product.