z/OS Common Information Model User's Guide


Granting clients and administrators access to the CIM server

SC34-2671-00

The CIM server authenticates users with the z/OS Security Server to determine which users can log into it. Authentication is performed for every new connection (local or remote) before a user is granted access to the CIM server.

For the CIM server for z/OS, users log on over HTTP or HTTPS using basic authentication or certificate authentication. When logging on, users are authenticated using their z/OS user ID and password as defined, for example, in RACF®.

To access the CIM server, a user must at least be linked to a group that has READ access to the RACF profile CIMSERV. To use any of the administrative command-line tools of the CIM server, as described in CIM server command-line utilities and console commands, the group requires CONTROL access to the CIMSERV profile instead.

For detailed information about the required access rights, see the following table.

Table 2. Access types required for CIM operations

| CIM operation type | CIM operations | RACF access |
|---|---|---|
| Basic read | GetClass, EnumerateClasses, EnumerateClassNames, GetInstance, EnumerateInstance, EnumerateInstanceNames, GetProperty, GetQualifier, EnumerateQualifier | READ |
| Basic write | SetProperty | UPDATE |
| "Method" | ExecuteMethod | UPDATE |
| Schema Manipulation | CreateClass, ModifyClass, DeleteClass | CONTROL |
| Instance Manipulation | CreateInstance, ModifyInstance, DeleteInstance | UPDATE |
| Indication Subscription | CreateInstance, ModifyInstance, DeleteInstance | UPDATE |
| Association Traversal | Associators, AssociatorNames, References, ReferenceNames | READ |
| Query | ExecQuery | READ |
| Qualifier Declaration | SetQualifier, DeleteQualifier | CONTROL |

The following example shows how to define UPDATE access for a client group called CFZUSRGP:

Example:

PERMIT CIMSERV CL(WBEM) ACCESS(UPDATE) ID(CFZUSRGP)
SETROPTS RACLIST(WBEM) REFRESH

In addition, the CIM server user ID must be defined as a surrogate of the client user ID (see Switching identity (surrogate)).

To enable a user to use the command line tools, set up the UNIX System Services environment as described in Customizing the UNIX System Services shell.
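
The following added example, which is not part of the IBM guide, applies Table 2 as a least-privilege check: it compares the CIMSERV access each group holds with the operations that group actually issues and emits a PERMIT command in the syntax shown above when the two differ. The group names other than CFZUSRGP, the granted levels and the observed operations are constructed, and the code assumes the standard RACF ordering in which a higher access level satisfies a lower one.

```python
# Added example: least-privilege check of CIMSERV access against Table 2.
# Granted levels and observed operations below are constructed sample data.

# RACF access levels in ascending order (assumption: higher satisfies lower).
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Table 2 from the page: RACF access level -> CIM operations that require it.
TABLE2 = {
    "READ": "GetClass EnumerateClasses EnumerateClassNames GetInstance "
            "EnumerateInstance EnumerateInstanceNames GetProperty "
            "GetQualifier EnumerateQualifier Associators AssociatorNames "
            "References ReferenceNames ExecQuery",
    "UPDATE": "SetProperty ExecuteMethod CreateInstance ModifyInstance DeleteInstance",
    "CONTROL": "CreateClass ModifyClass DeleteClass SetQualifier DeleteQualifier",
}
REQUIRED = {op: level for level, ops in TABLE2.items() for op in ops.split()}


def minimum_access(operations):
    """Return the lowest RACF access level that covers every operation."""
    unknown = sorted(set(operations) - set(REQUIRED))
    if unknown:
        raise ValueError(f"not in Table 2: {', '.join(unknown)}")
    return max((REQUIRED[op] for op in operations), key=LEVELS.index, default="NONE")


def audit(granted, observed):
    """Return {group: (verdict, needed_level, permit_command_or_None)}."""
    report = {}
    for group, level in granted.items():
        needed = minimum_access(observed.get(group, []))
        gap = LEVELS.index(level) - LEVELS.index(needed)
        verdict = "ok" if gap == 0 else "over-privileged" if gap > 0 else "insufficient"
        fix = None if gap == 0 else f"PERMIT CIMSERV CL(WBEM) ACCESS({needed}) ID({group})"
        report[group] = (verdict, needed, fix)
    return report


# Constructed sample input: MONGRP and SCHEMGRP are hypothetical groups.
GRANTED = {"CFZUSRGP": "UPDATE", "MONGRP": "CONTROL", "SCHEMGRP": "UPDATE"}
OBSERVED = {
    "CFZUSRGP": ["GetInstance", "ExecuteMethod"],
    "MONGRP": ["EnumerateInstanceNames", "ExecQuery"],
    "SCHEMGRP": ["GetClass", "CreateClass"],
}

if __name__ == "__main__":
    for group, (verdict, needed, fix) in audit(GRANTED, OBSERVED).items():
        print(f"{group}: {verdict}, needs {needed}" + (f" -> {fix}" if fix else ""))
```

The check covers CIM operations only; a group whose members use the administrative command-line tools needs CONTROL regardless of what Table 2 yields, and any emitted PERMIT must be followed by the SETROPTS RACLIST(WBEM) REFRESH shown above.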





Copyright IBM Corporation 1990, 2014