Please enable JavaScript to view this site.

Navigation: Utilities > SQDUTIL > Operational Considerations

z/OS Security Options

 Scroll

Execution of  SQDutil can be managed at the Command level using the z/OS System Authorization Facility (SAF).

The z/OS System Authorization Facility (SAF) utilizes Classes to identify and define Objects to be managed and the Resources associated with those objects. It also supports the creation of Groups of users with common privileges. Implementation of Connect CDC SQData SAF security requires a dynamic class descriptor table (CDT) class, SQDATA0, first be defined. Groups can then be created that grant specific privileges to authorized users of the resources.

Note, the rules and examples are expressed in terms of RACF.

The following required steps must be followed in sequence to define and activate the SQDATA0 class:

1.  Define SQDATA0 class in the dynamic CDT

RDEFINE CDT SQDATA0 UACC(NONE) +

   CDTINFO(DEFAULTUACC(NONE) CASE(UPPER) FIRST(ALPHA,SPECIAL) +

           OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) +

           MAXLENGTH(246) MAXLENX(246) +

           GENERIC(ALLOWED) RACLIST(ALLOWED) +

           POSIT(<posit_number>)) +

   DATA('SQDATA RESOURCE PROFILE CLASS')

 

Note, the POSIT number <nnn> used must be unique and not currently in use.

2.  Refresh the CDT class

SETROPTS RACLIST(CDT) REFRESH

3.  Activate the new SQDATA0 class

SETROPTS CLASSACT(SQDATA0) RACLIST(SQDATA0)

SETROPTS GENERIC(SQDATA0)

 

4.  Create user Groups

Two user Groups for the SQDATA0 Class should be created; one for SQData product administrators with full privileges and another for operators with more limited privileges.  Finally, the display command is granted a UACC of READ so that any user may issue it.

Create SQDATA0 groups of administrator and operator roles.

ADDGROUP SQDOPER SUPGROUP(<superior group name>)

ADDGROUP SQDADMIN SUPGROUP(<superior group name>)

 

CONNECT (USER1 +

        USER2) +

  GROUP(SQDADMIN) AUTH(CREATE)

 

CONNECT (USER3 +

        USER4 +

        USER5) +

  GROUP(SQDOPER) AUTH(USE)

 

Note, the Groups defined above are only suggestions. While Administrator and Operator roles may be adequate, others can be defined as needed.

5.  Define Resources for SQDUTIL

UTIL.CLEAN

UTIL.DUMP

 

 

Note, the first four steps need only be performed once. If the SQDATA0 class and required user Groups have already been configured for another utility, then only the Resources remain to be defined.

Example

Define desired profiles in the SQDATA0 class including Generic profiles as desired for SQDUTIL. Create two groups; one for SQData product administrators with full privileges, and another for operators with more limited privileges.  The six z/OS JOBS below will accomplish the task.

//SQDATA1  JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,

//  TYPRUN=HOLD

//*

//* Define SQDATA0 class in the dynamic CDT

//*

//CLASS    EXEC PGM=IKJEFT1B

//SYSTSPRT DD SYSOUT=*

//SYSTSIN  DD *

RDEFINE CDT SQDATA0 UACC(NONE) +

 CDTINFO(DEFAULTUACC(NONE) CASE(UPPER) FIRST(ALPHA,SPECIAL) +

         OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) +

         MAXLENGTH(246) MAXLENX(246) +

         GENERIC(ALLOWED) RACLIST(ALLOWED) +

         POSIT(<posit_number>)) +

 DATA('SQDATA RESOURCE PROFILE CLASS')

/*

 

 

//SQDATAR2 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,

//  TYPRUN=HOLD

//*

//* Refresh the CDT class

//*

//CDTREFR  EXEC PGM=IKJEFT1B

//SYSTSPRT DD SYSOUT=*

//SYSTSIN  DD *

SETROPTS RACLIST(CDT) REFRESH

/*

 

 

//SQDATAR3 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,

//  TYPRUN=HOLD

//*

//* Activate the new SQDATA0 class

//*

//CLASSACT EXEC PGM=IKJEFT1B

//SYSTSPRT DD SYSOUT=*

//SYSTSIN  DD *

SETROPTS CLASSACT(SQDATA0) RACLIST(SQDATA0)

SETROPTS GENERIC(SQDATA0)

/*

 

 

//SQDATAR4 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,

//  TYPRUN=HOLD

//*

//* Create SQDATA0 groups for administrator and operator roles

//*

//GROUP    EXEC PGM=IKJEFT1B

//SYSTSPRT DD SYSOUT=*

//SYSTSIN  DD *

ADDGROUP SQDOPER SUPGROUP(<superior group name>)

ADDGROUP SQDADMIN SUPGROUP(<superior group name>)

CONNECT (USER1 +

        USER2) +

  GROUP(SQDADMIN) AUTH(CREATE)

CONNECT (USER3 +

        USER4 +

        USER5) +

  GROUP(SQDOPER) AUTH(USE)

/*

 

 

//SQDATAR5 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,

//  TYPRUN=HOLD

//*

//* Define profiles in the SQDATA0 class and PERMIT access.

//*

//GROUP    EXEC PGM=IKJEFT1B

//SYSTSPRT DD SYSOUT=*

//SYSTSIN  DD *

RDEFINE SQDATA0  UTIL.**          UACC(NONE)

 

RDEFINE SQDATA0  UTIL.DUMP.**     UACC(READ)

RDEFINE SQDATA0  UTIL.CLEAN.**    UACC(NONE)

 

PERMIT UTIL.**                    CLASS(SQDATA0) ID(SQDADMIN) ACC(READ)

PERMIT UTIL.DUMP.**               CLASS(SQDATA0) ID(SQDOPER) ACC(READ)

PERMIT UTIL.CLEAN.**              CLASS(SQDATA0) ID(SQDOPER) ACC(READ)

/*

 

 

//SQDATAR6 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,

//  TYPRUN=HOLD

//*

//* Refresh the SQDATA0 class to activate the profiles and permissions

//*

//REFRESH  EXEC PGM=IKJEFT1B

//SYSTSPRT DD SYSOUT=*

//SYSTSIN  DD *

SETROPTS RACLIST(SQDATA0) REFRESH

/*

//