Terms you should know

Security for IBM Cloud Provisioning and Management for z/OS is based on SAF authorizations for resources and user groups. This topic describes the key concepts and terms that security administrators should know when creating authorizations for IBM Cloud Provisioning and Management for z/OS.

Terms and concepts are described in the following topics:

Resources

The following are the key resources in the Cloud Provisioning tasks.
Table 1. Resources for Cloud Provisioning
Resource Description
Domain

Defines the management scope for tenants, services, and resource pools.

A domain consists of a z/OS system. A z/OS system can be in a single domain, or in multiple domains (up to 36) that are managed by a single instance of z/OSMF. Cloud domains are defined by landlords. Each cloud domain is assigned one or more domain administrators.

Resource pool

Identifies z/OS resources that are required by a z/OS software service. A resource pool defines the scope of shared z/OS resources within a cloud domain that has multiple tenants.

Tenant

Defines the resource sharing scope, for example, a line of business or a class of users.

A tenant consists of a user or group of users that have contracted for use of specified services, and pooled z/OS resources that are associated with the services in a domain.

User roles

The following are the key roles in the Cloud Provisioning tasks.
Table 2. User roles for Cloud Provisioning
Role Description
Landlord

A user who defines the cloud domains and the associated system resources for the cloud. The landlord also designates one or more users as domain administrators.

Domain administrator

A user who manages a domain. The domain administrator is responsible for defining services, tenants, and resource pools for the domain, and managing the relationship across tenants, services and resource pools.

Resource pool networking administrator

A user who is responsible for managing a resource pool for the networking resources in the cloud, such as network configuration policies.

Resource pool WLM administrator

A user who is responsible for managing a resource pool for the WLM resources in the cloud, such as WLM policies.

Security administrator

A user who is responsible for maintaining the installation's security management system, such as RACF. This user is a member of the z/OSMF security administrator group, which is named IZUSECAD by default. It is assumed that this user has RACF SPECIAL authority.

Template administrator

A user who is responsible for customizing the template for a specific middleware instance, such as DB2, CICS, IMS, MQ, or WebSphere Application Server.

Template approver

A user who is responsible for approving the pending approval records associated with the template.

Consumer

A user who has access to the software services and resource pools for a tenant. A consumer can provision a software services instance, using a software services template, and can manage the lifecycle of a software services instance.

Objects

The following are some basic objects that you work with in the Cloud Provisioning tasks.
Table 3. Objects for Cloud Provisioning
Object Description
Instance, or software services instance

Represents software that has been provisioned through the use of templates.

Template, or software services template

Represents a z/OS middleware or a z/OS middleware resource service. A template consists of workflows and input variables that can be used to provision z/OS software, actions that can be used with the provisioned software (the instance), and documentation.