|
z/OS Security Options |
Scroll |
Execution of the SQDconf Utility can be managed at the Command level using the z/OS System Authorization Facility (SAF).
The z/OS System Authorization Facility (SAF) utilizes Classes to identify and define Objects to be managed and the Resources associated with those objects. It also supports the creation of Groups of users with common privileges. Implementation of Connect CDC SQData SAF security requires a dynamic class descriptor table (CDT) class, SQDATA0, first be defined. Groups can then be created that grant specific privileges to authorized users of the resources.
Note, the rules and examples are expressed in terms of RACF.
The following required steps must be followed in sequence to define and activate the SQDATA0 class:
1. Define SQDATA0 class in the dynamic CDT
RDEFINE CDT SQDATA0 UACC(NONE) +
CDTINFO(DEFAULTUACC(NONE) CASE(UPPER) FIRST(ALPHA,SPECIAL) +
OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) +
MAXLENGTH(246) MAXLENX(246) +
GENERIC(ALLOWED) RACLIST(ALLOWED) +
POSIT(<posit_number>)) +
DATA('SQDATA RESOURCE PROFILE CLASS')
Note, the POSIT number <nnn> used must be unique and not currently in use.
2. Refresh the CDT class
SETROPTS RACLIST(CDT) REFRESH
3. Activate the new SQDATA0 class
SETROPTS CLASSACT(SQDATA0) RACLIST(SQDATA0)
SETROPTS GENERIC(SQDATA0)
4. Create user Groups
Two user Groups for the SQDATA0 Class should be created; one for SQData product administrators with full privileges and another for operators with more limited privileges. Finally, the display command is granted a UACC of READ so that any user may issue it.
Create SQDATA0 groups of administrator and operator roles.
ADDGROUP SQDOPER SUPGROUP(<superior group name>)
ADDGROUP SQDADMIN SUPGROUP(<superior group name>)
CONNECT (USER1 +
USER2) +
GROUP(SQDADMIN) AUTH(CREATE)
CONNECT (USER3 +
USER4 +
USER5) +
GROUP(SQDOPER) AUTH(USE)
Note, the Groups defined above are only suggestions. While Administrator and Operator roles may be adequate, others can be defined as needed.
5. Define Resources for SQDconf
Publisher cab (both types) --type=db2 and --type=zlog
CONF.PUBLISHER.ADD
CONF.PUBLISHER.APPLY
CONF.PUBLISHER.CONNECT
CONF.PUBLISHER.CREATE
CONF.PUBLISHER.DISCONNECT
CONF.PUBLISHER.DISPLAY
CONF.PUBLISHER.MIGRATE
CONF.PUBLISHER.MODIFY
CONF.PUBLISHER.MOUNT
CONF.PUBLISHER.PAUSE
CONF.PUBLISHER.REFRESH
CONF.PUBLISHER.REMOVE
CONF.PUBLISHER.RESUME
CONF.PUBLISHER.RESUMEAT
CONF.PUBLISHER.START
CONF.PUBLISHER.STOP
CONF.PUBLISHER.UNMOUNT
Store cab --type=store
CONF.STORE.ADD
CONF.STORE.CREATE
CONF.STORE.DISPLAY
CONF.STORE.MODIFY
IMS cab --type=ims
CONF.IMS.ADD
CONF.IMS.CREATE
CONF.IMS.DISPLAY
CONF.IMS.MODIFY
CONF.IMS.PAUSE
CONF.IMS.REMOVE
CONF.IMS.RESUME
CONF.IMS.STOP
CONF.IMS.TUNE
Notes:
The first four steps need only be performed once. If the SQDATA0 class and required user Groups have already been configured for another utility, then only the Resources remain to be defined.
It is only necessary to define those resources applicable to Captures/Publishers used:
Capture |
Resources |
Db2 Log Reader |
CONF.PUBLISHER, CONF.STORE |
IMS TM Exit |
CONF.PUBLISHER |
IMS Log Reader |
CONF.IMS, CONF.PUBLISHER |
VSAM Log |
CONF.PUBLISHER |
Keyed Files |
CONF.PUBLISHER |
Example
Define desired profiles in the SQDATA0 class including Generic profiles as desired for the SQDconf Utility. Create two groups; one for SQData product administrators with full privileges, and another for operators with more limited privileges. Finally, the display command is granted a UACC of READ so that any user may issue it. The six z/OS JOBS below will accomplish the task.
//SQDATA1 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Define SQDATA0 class in the dynamic CDT
//*
//CLASS EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RDEFINE CDT SQDATA0 UACC(NONE) +
CDTINFO(DEFAULTUACC(NONE) CASE(UPPER) FIRST(ALPHA,SPECIAL) +
OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) +
MAXLENGTH(246) MAXLENX(246) +
GENERIC(ALLOWED) RACLIST(ALLOWED) +
POSIT(<posit_number>)) +
DATA('SQDATA RESOURCE PROFILE CLASS')
/*
//SQDATAR2 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Refresh the CDT class
//*
//CDTREFR EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS RACLIST(CDT) REFRESH
/*
//SQDATAR3 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Activate the new SQDATA0 class
//*
//CLASSACT EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS CLASSACT(SQDATA0) RACLIST(SQDATA0)
SETROPTS GENERIC(SQDATA0)
/*
//SQDATAR4 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Create SQDATA0 groups for administrator and operator roles
//*
//GROUP EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
ADDGROUP SQDOPER SUPGROUP(<superior group name>)
ADDGROUP SQDADMIN SUPGROUP(<superior group name>)
CONNECT (USER1 +
USER2) +
GROUP(SQDADMIN) AUTH(CREATE)
CONNECT (USER3 +
USER4 +
USER5) +
GROUP(SQDOPER) AUTH(USE)
/*
//SQDATAR5 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Define profiles in the SQDATA0 class and PERMIT access.
//*
//GROUP EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RDEFINE SQDATA0 CONF.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.DISPLAY.** UACC(READ)
RDEFINE SQDATA0 CONF.PUBLISHER.MOUNT.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.START.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.PAUSE.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.RESUME.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.STOP.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.UNMOUNT.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.APPLY.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.CONNECT.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.DISCONNECT.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.REFRESH.** UACC(NONE)
RDEFINE SQDATA0 CONF.STORE.DISPLAY.** UACC(READ)
RDEFINE SQDATA0 CONF.IMS.DISPLAY.** UACC(READ)
RDEFINE SQDATA0 CONF.IMS.STOP.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.PAUSE.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.RESUME.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.TUNE.** UACC(NONE)
PERMIT CONF.** CLASS(SQDATA0) ID(SQDADMIN) ACC(READ)
PERMIT CONF.PUBLISHER.MOUNT.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.START.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.PAUSE.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.RESUME.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.STOP.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.UNMOUNT.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.APPLY.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.CONNECT.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.DISCONNECT.** CLASS(SQDATA0) ID(SQDOPER) +
ACC(READ)
PERMIT CONF.PUBLISHER.REFRESH.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.TUNE.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.STOP.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.PAUSE.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.RESUME.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
/*
//SQDATAR6 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Refresh the SQDATA0 classto activate the profiles and permissions
//*
//REFRESH EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS RACLIST(SQDATA0) REFRESH
/*
//
Note, In the example, the following possible profiles were not defined because they are all administrator capabilities covered by the CONF.** generic, to which only users in the SQDADMIN group are granted READ access.
RDEFINE SQDATA0 CONF.PUBLISHER.ADD.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.CREATE.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.MODIFY.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.REMOVE.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.MIGRATE.** UACC(NONE)
RDEFINE SQDATA0 CONF.STORE.ADD.** UACC(NONE)
RDEFINE SQDATA0 CONF.STORE.CREATE.** UACC(NONE)
RDEFINE SQDATA0 CONF.STORE.MODIFY.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.ADD.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.CREATE.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.MODIFY.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.REMOVE.** UACC(NONE)
