Defining the z/OSMF started procedures to RACF
Description
When you create the new z/OSMF configuration, as described in IBM z/OS Management Facility Configuration Guide, you must define the z/OSMF started procedures to RACF.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
| Element or feature: | z/OSMF |
|---|---|
| When change was introduced: | z/OS V2R1. |
| Applies to migration from: | z/OS V1R13. |
| Timing: | Before installing z/OS V2R2. |
| Is the migration action required? | Yes. |
| Target system hardware requirements: | None. |
| Target system software requirements: | None. |
| Other system (coexistence or fallback) requirements: | None. |
| Restrictions: | None. |
| System impacts: | None. |
| Related IBM® Health Checker for z/OS® check: | None. |
Steps to take
/* Define the STARTED profiles for the z/OSMF server */
CALL RacfCmd "RDEFINE STARTED IZUSVR1.* UACC(NONE) STDATA(USER(IZUSVR)
GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))"
CALL RacfCmd "RDEFINE STARTED IZUANG1.* UACC(NONE) STDATA(USER(IZUSVR)
GROUP(IZUADMIN) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))"
You can create more specific profiles to associate the started tasks with particular job names. Doing so allows you to run the started tasks under another user ID, as needed, based on job name. Use this method to control the started tasks behavior, rather than modifying the started procedures directly. Note that any user ID that is used for running the started tasks must have the same security authorizations as the started task user ID. By default, this user ID is IZUSVR.
With the STARTED class, you can modify the security definitions for started procedures dynamically, using the RDEFINE, RALTER, and RLIST commands.
Reference information
For more information about using started procedures, see z/OS Security Server RACF Security Administrator's Guide.