Evaluate your usage of the zOSMFAD user ID from previous releases

Description

In previous releases of z/OSMF, the configuration process created a special user ID known as the z/OSMF administrator user ID. By default, the user ID was ZOSMFAD. You used this user ID for running configuration scripts and performing administration tasks, such as adding users and working with z/OSMF log files.

As of z/OSMF V2R1, the configuration process no longer creates, or requires the use of, the administrator user ID. Though z/OSMF retains the concept of an administrator role, you can use any existing user ID for this purpose, as long as you define the user ID to the z/OSMF administrator security group (IZUADMIN).

If you do not use the z/OSMF administrator user ID for any other purposes, you can remove it and its associated authorizations as part of the migration to z/OS V2R2.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: z/OSMF
When change was introduced: z/OS V2R1.
Applies to migration from: z/OS V1R13.
Timing: Before installing z/OS V2R2.
Is the migration action required? No, but recommended.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM® Health Checker for z/OS® check: None.

Steps to take

If you want to continue using the ZOSMFAD user ID (or whichever value you specified for IZU_ADMIN_NAME) in z/OS V2R2, you must ensure that it has superuser authority, which is needed for running the z/OSMF configuration scripts. At a minimum, ensure that ZOSMFAD has the following UNIXPRIV class profile privileges:
  • CONTROL access to SUPERUSER.FILESYS
  • UPDATE access to SUPERUSER.FILESYS.MOUNT
  • READ access to SUPERUSER.FILESYS.CHOWN
  • READ access to SUPERUSER.FILESYS.CHANGEPERMS
  • READ access to SUPERUSER.FILESYS.PFSCTL
If you do not want to continue using the ZOSMFAD user ID, you can remove this user ID and its associated authorizations. For a RACF installation, your security administrator can use a utility to identify the user ID objects and authorizations in the RACF database, including the following examples:
  • z/OSMF administrator user ID. By default, this is ZOSMFAD.
  • Directories and files that were created for the ZOSMFAD user ID, such as /home/zosmfad
  • Administrator user ID authorizations to z/OSMF resources, as follows:
    • WebSphere Application Server administrators group (WSCFG1)
    • CIM server administrators group (CFZADMGP)
    • Capacity Provisioning Query Group (CPOQUERY)
    • Capacity Provisioning Control Group (CPOCTRL)
    • Workload Management group (WLMGRP)

Reference information

For information about configuring z/OSMF, see IBM z/OS Management Facility Configuration Guide.

Parent topic: z/OSMF actions to perform before installing z/OS V2R2