Terms you should know
Security for IBM Cloud Provisioning and Management for z/OS is based on SAF authorizations for resources and user groups. This topic describes the key concepts and terms that security administrators should know when creating authorizations for IBM Cloud Provisioning and Management for z/OS.
Resources
Resource | Description |
---|---|
Domain | Defines the management scope for tenants, services, and resource pools. A domain consists of a z/OS system. A z/OS system can be in a single domain, or in multiple domains (up to 36) that are managed by a single instance of z/OSMF. Cloud domains are defined by landlords. Each cloud domain is assigned one or more domain administrators. |
Resource pool | Identifies z/OS resources that are required by a z/OS software service. A resource pool defines the scope of shared z/OS resources within a cloud domain that has multiple tenants. |
Tenant | Defines the resource sharing scope, for example, a line of business or a class of users. A tenant consists of a user or group of users that have contracted for use of specified services, and pooled z/OS resources that are associated with the services in a domain. |
User roles
Role | Description |
---|---|
Landlord | A user who defines the cloud domains and the associated system resources for the cloud. The landlord also designates one or more users as domain administrators. |
Domain administrator | A user who manages a domain. The domain administrator is responsible for defining services, tenants, and resource pools for the domain, and for managing the relationships among tenants, services, and resource pools. |
Resource pool networking administrator | A user who is responsible for managing a resource pool for the networking resources in the cloud, such as network configuration policies. |
Resource pool WLM administrator | A user who is responsible for managing a resource pool for the WLM resources in the cloud, such as WLM policies. |
Security administrator | A user who is responsible for maintaining the installation's security management system, such as RACF. This user is a member of the z/OSMF security administrator group, which is named IZUSECAD by default. It is assumed that this user has RACF SPECIAL authority. |
Template administrator | A user who is responsible for customizing the template for a specific middleware instance, such as DB2, CICS, IMS, MQ, or WebSphere Application Server. |
Template approver | A user who is responsible for approving the pending approval records associated with the template. |
Consumer | A user who has access to the software services and resource pools for a tenant. A consumer can provision a software services instance, using a software services template, and can manage the lifecycle of a software services instance. |
Objects
Object | Description |
---|---|
Instance, or software services instance | Represents software that has been provisioned through the use of templates. |
Template, or software services template | Represents a z/OS middleware or a z/OS middleware resource service. A template consists of workflows and input variables that can be used to provision z/OS software, actions that can be used with the provisioned software (the instance), and documentation. |