Security configuration requirements for the Cloud Provisioning tasks

This topic describes the resources that must be defined, and the groups that must be permitted to the resources.

Select the Legacy Special user ID

Select a user ID to use for creating the initial domain and authorizing groups to the domain. This user ID, which is referred to as the Legacy Special user ID, requires RACF SPECIAL authority. It must also be connected to the z/OSMF security group for z/OSMF security administrators (IZUSECAD, by default).

The Legacy Special user is the first landlord to be defined for your configuration. After Cloud Provisioning is configured, remember the Legacy Special user ID and keep it active for future operations with IBM Cloud Provisioning and Management for z/OS. For example, with the Legacy Special user ID, you can authorize other users to be landlords, or use the Resource Management task to create more domains and add default domain administrators.

SAF profile prefix for Cloud Provisioning resources

Your installation must define a system authorization facility (SAF) profile prefix to be used for z/OSMF resources. The SAF prefix is prepended to the names of resource profiles, and is used in the RACF commands for defining resources.

By default, the IBM Cloud Provisioning and Management for z/OS resources use the z/OSMF SAF profile prefix, which is IZUDFLT by default. Your installation can select a different SAF profile prefix for z/OSMF. To do so, specify the value in the IZUPRMxx parmlib member. For information, see the description of the SAF_PREFIX statement in Optionally creating an IZUPRMxx parmlib member.

The IZUSEC sample job contains commands that include the SAF profile prefix when creating resource profile names. The SAF profile prefix that is specified in IZUPRMxx must match the prefix that you define for z/OSMF in the IZUSEC job, or with the equivalent commands for your security product.

Group name prefix for Cloud Provisioning user groups

Your installation must define a SAF group name to be used for IBM Cloud Provisioning and Management for z/OS user groups. The group name is prepended to the names of the groups that represent the various roles in Cloud Provisioning, such as landlords, domain administrators and tenants. The group name prefix is used in the RACF commands for defining groups.

By default, the value IYU is the group name prefix for IBM Cloud Provisioning and Management for z/OS groups. Your installation can select a different SAF group prefix. To do so, specify the value in the IZUPRMxx parmlib member. For information, see the description of the CLOUD_SAF_PREFIX statement in Optionally creating an IZUPRMxx parmlib member.

If your installation selects a different group name prefix for user groups, substitute that value in the examples. The value must be 1-3 characters long, consisting of uppercase alphanumeric characters or the special characters $ and @.

Class activation for Cloud Provisioning

For a RACF® installation, the security class ZMFCLOUD must be active when you configure IBM Cloud Provisioning and Management for z/OS. The RACF commands for activating the class (with generic profile checking activated) are included in the IZUSEC job. If your installation uses a security management product other than RACF, ask your security administrator to create equivalent commands for your security product.

The ZMFCLOUD class requires the RACLIST option. If you change the profiles, you must refresh the ZMFCLOUD class for the changes to take effect.

Table 1 describes the class activation for Cloud Provisioning.
Table 1. Class activation for Cloud Provisioning

Class | Purpose | RACF command for activating
ZMFCLOUD | Allows the user to use the z/OSMF core functions and tasks related to Cloud Provisioning. z/OSMF defines a resource name for each core function and task related to Cloud Provisioning. | SETROPTS CLASSACT(ZMFCLOUD) GENERIC(ZMFCLOUD) RACLIST(ZMFCLOUD)

Resource authorizations for security administrators

Users who will perform security administration tasks should be members of the z/OSMF security administrator group (IZUSECAD, by default). This group requires an OMVS group ID (GID).

Security administrators require access to the system resources that are used by the IBM Cloud Provisioning and Management for z/OS tasks. For more information, see Table 2.

As part of configuring IBM Cloud Provisioning and Management for z/OS, your security administrator should review, and if necessary modify, the IBM-supplied REXX exec izu.provisioning.security.config.rexx. For information, see Steps for setting up security.

Resource authorizations for network administrators

Network administrators require access to the Configuration Assistant task, and to system resources that are used by the Configuration Assistant task. For more information, see Table 2.

Resource authorizations for WLM administrators

WLM administrators require access to resources, such as those that are protected by the profile MVSADMIN.WLM.POLICY. For more information, see Updating z/OS for the Workload Management plug-in and Table 2.

Resource authorizations for the Cloud Provisioning functions

Table 2 describes the authorization requirements for a default IBM Cloud Provisioning and Management for z/OS environment. A procedure for creating these authorizations is shown in Steps for setting up security.

Table 2. Security setup requirements for Cloud Provisioning functions

Resource class | Resource name | Who needs access? | Type of access required | Why
DATASET | your_stack_include_dataset | IZUSVR | ALTER | Allows the Configuration Assistant task to write to the configured include data sets when a network resource is provisioned or de-provisioned. There is one include data set per stack defined for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses discrete or generic profiles to protect data set access.
DATASET | your_stack_dynamic_update_dataset | IZUSVR | ALTER | Allows the Configuration Assistant task to write to the configured dynamic update data sets when a network resource is provisioned or de-provisioned. There can be one dynamic update data set per stack defined for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses a discrete or generic profile to protect data set access.
OPERCMDS | MVS.VARY.TCPIP.OBEYFILE | IZUSVR | CONTROL | Allows the Configuration Assistant task to issue the VARY TCPIP OBEYFILE command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses the OPERCMDS class to restrict access to the VARY TCPIP OBEYFILE command.
OPERCMDS | MVS.MCSOPER.ZCDPLM* | IZUSVR | READ | Allows the Configuration Assistant task to issue various operator commands for IBM Cloud Provisioning and Management for z/OS. The console name for this extended MCS console is the text string ZCDPLM with the MVS sysclone value of the system of the z/OSMF instance appended.
OPERCMDS | MVS.DISPLAY.XCF | IZUSVR | READ | Allows the Configuration Assistant task to issue the DISPLAY XCF operator command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only when your installation uses the OPERCMDS class to restrict access to the DISPLAY XCF operator command.
OPERCMDS | MVS.ROUTE.sysname | IZUSVR | READ | Allows the Configuration Assistant task to issue the ROUTE operator command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only if the installation uses this profile to restrict the use of the ROUTE command.
SERVAUTH | EZB.NETWORKUTILS.CLOUD.mvsname | IZUSVR | READ | Allows the Configuration Assistant task to issue operator commands for IBM Cloud Provisioning and Management for z/OS. mvsname is the name of the system where z/OSMF is running.
SERVAUTH | EZB.NETSTAT.mvsname.tcpprocname.VIPADCFG | IZUSVR | READ | Allows the Configuration Assistant task to issue the command NETSTAT VIPADCFG. This definition is applicable only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When this definition is applicable, IZUSVR must be authorized for each stack defined for IBM Cloud Provisioning and Management for z/OS.
SERVER | BBG.SECCLASS.ZMFCLOUD | z/OSMF server user ID (IZUSVR1, by default) | READ | Allows the z/OSMF server to perform access checks in the ZMFCLOUD class.
ZMFAPLA | <SAF-prefix>.ZOSMF.IBM_CLOUDPORTAL.MARKETPLACE.CONSUMER | Marketplace consumers and marketplace administrators | READ | Allows the user to use the marketplace to provision and manage software services.
ZMFAPLA | <SAF-prefix>.ZOSMF.IBM_CLOUDPORTAL.MARKETPLACE.ADMIN | Marketplace administrators | READ | Allows the user to control which services are published to the marketplace, and to manage the services to which consumers have subscribed.
ZMFAPLA | <SAF-prefix>.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT | Landlord group; domain group; resource pool network administrator group; resource pool WLM administration group; z/OSMF security administrators group (IZUSECAD) | READ | Allows the user to access the Resource Management task.
ZMFAPLA | <SAF-prefix>.ZOSMF.PROVISIONING.SOFTWARE_SERVICES | Landlord group; domain group; tenant group; resource pool network administrator group; resource pool WLM administration group; z/OSMF security administrators group (IZUSECAD); marketplace consumers and marketplace administrators | READ | Allows the user to access the Software Services task.
ZMFAPLA | <SAF-prefix>.ZOSMF.VARIABLES.SYSTEM.ADMIN | z/OSMF administrators group (IZUADMIN) | READ | Allows the user to access the system variable definitions.
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.EDITOR | Landlord group; domain group; tenant group | READ | Allows the user to access the Workflow Editor task in z/OSMF.
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.WORKFLOWS | Landlord group; domain group; tenant group; z/OSMF users group (IZUUSER); z/OSMF administrators group (IZUADMIN) | READ | Allows the user to access the Workflows task in z/OSMF.
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.ENWRP | z/OSMF administrators group (IZUADMIN); WLM resource pool administration group | READ | Allows the user to access the WLM Resource Pooling (WRP) functions of z/OSMF. Using a WRP definition, the user can associate cloud information (tenant name, domain ID, template type, service levels supported) with WLM elements (report classes and classification rules).
ZMFCLOUD | <SAF-prefix>.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.tenantGroupID | Tenant group | READ | Allows the user to act as a tenant.
ZMFCLOUD | <SAF-prefix>.ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT.domainGroupID | Domain group | READ | Allows the user to act as a domain administrator.
ZMFCLOUD | <SAF-prefix>.ZOSMF.RESOURCE_POOL.NETWORK.domainGroupID | Resource pool network administration group | READ | Allows the user to act as a network resource pool administrator.
ZMFCLOUD | <SAF-prefix>.ZOSMF.RESOURCE_POOL.WLM.domainGroupID | Resource pool WLM administration group | READ | Allows the user to act as a WLM resource pool administrator.
ZMFCLOUD | <SAF-prefix>.ZOSMF.SECURITY.ADMIN | z/OSMF security administrators group (IZUSECAD) | READ | Allows the user to access the security administration resource.
ZMFCLOUD | <SAF-prefix>.ZOSMF.TEMPLATE.APPROVERS.domainGroupID | Template approvers | READ | Allows the user to act as a cloud domain level template approver.
ZMFCLOUD | <SAF-prefix>.ZOSMF.TEMPLATE.APPROVERS.domainGroupID.templateName | Template approvers | READ | Allows the user to approve the specified template.
ZMFCLOUD | <SAF-prefix>.ZOSMF.TEMPLATE.INSTANCE.domainGroupID.templateInstanceName | Template instance owner | READ | Allows the user to access the specified template registry instance.
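As an added example (not IBM's code and not the IZUSEC job), the script below reads the two prefixes from a constructed IZUPRMxx fragment, applies the checks this topic states (the SAF prefix used by IZUSEC must match SAF_PREFIX; CLOUD_SAF_PREFIX must be 1-3 characters from A-Z, 0-9, $ and @), and generates the RDEFINE, PERMIT and RACLIST refresh commands for one domain's ZMFCLOUD profiles from Table 2. The domain group ID, the role group names and the STATEMENT('value') parmlib syntax are assumptions.

```python
import re

# Constructed IZUPRMxx fragment used as sample input (not a real parmlib member).
SAMPLE_IZUPRM = "SAF_PREFIX('IZUDFLT')\nCLOUD_SAF_PREFIX('IYU')\n"

# Group-name prefix rule as stated on this page: 1-3 uppercase alphanumerics, $ or @.
GROUP_PREFIX_RE = re.compile(r"[A-Z0-9$@]{1,3}")

def read_prefixes(parmlib_text: str) -> dict:
    """SAF_PREFIX and CLOUD_SAF_PREFIX from IZUPRMxx text, with the page's defaults."""
    found = dict(re.findall(r"^\s*(SAF_PREFIX|CLOUD_SAF_PREFIX)\('([^']*)'\)",
                            parmlib_text, re.MULTILINE))
    return {"saf": found.get("SAF_PREFIX", "IZUDFLT"),
            "cloud": found.get("CLOUD_SAF_PREFIX", "IYU")}

def valid_group_prefix(prefix: str) -> bool:
    return GROUP_PREFIX_RE.fullmatch(prefix) is not None

def domain_commands(saf_prefix: str, domain_group_id: str, grants: dict) -> list:
    """RACF commands for one domain's ZMFCLOUD profiles (Table 2): define each
    profile with UACC(NONE), permit the role group READ, then refresh the
    RACLISTed class so the new profiles take effect."""
    cmds = []
    for stem, group in grants.items():
        profile = f"{saf_prefix}.{stem}.{domain_group_id}"
        cmds.append(f"RDEFINE ZMFCLOUD {profile} UACC(NONE)")
        cmds.append(f"PERMIT {profile} CLASS(ZMFCLOUD) ID({group}) ACCESS(READ)")
    cmds.append("SETROPTS RACLIST(ZMFCLOUD) REFRESH")
    return cmds

def build(parmlib_text: str, izusec_prefix: str, domain_group_id: str, grants: dict) -> list:
    """Check the parmlib values against the page's rules, then emit the commands.
    izusec_prefix is the prefix the IZUSEC job actually used; the page requires
    it to match SAF_PREFIX. Role group names must carry the group name prefix."""
    p = read_prefixes(parmlib_text)
    if p["saf"] != izusec_prefix:
        raise ValueError(f"SAF_PREFIX {p['saf']} does not match IZUSEC prefix {izusec_prefix}")
    if not valid_group_prefix(p["cloud"]):
        raise ValueError(f"CLOUD_SAF_PREFIX {p['cloud']!r} is not 1-3 chars of A-Z, 0-9, $, @")
    if not all(g.startswith(p["cloud"]) for g in grants.values()):
        raise ValueError("every Cloud Provisioning role group must start with the group prefix")
    return domain_commands(p["saf"], domain_group_id, grants)

if __name__ == "__main__":
    # Hypothetical domain group ID and role group names built on the IYU prefix.
    grants = {"ZOSMF.PROVISIONING.RESOURCE_MANAGEMENT": "IYUD0001",
              "ZOSMF.RESOURCE_POOL.NETWORK": "IYUN0001",
              "ZOSMF.RESOURCE_POOL.WLM": "IYUW0001"}
    print("\n".join(build(SAMPLE_IZUPRM, "IZUDFLT", "IYUD0001", grants)))
```

The generated commands are input for a TSO session or a batch job in the same form as IZUSEC; tenant-level and template-level profiles from Table 2 follow the same pattern with tenantGroupID or templateName appended.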