Execution of the SQDconf Utility can be managed at the Command level using the z/OS System Authorization Facility (SAF).
The z/OS System Authorization Facility (SAF) utilizes Classes to identify and define Objects to be managed and the Resources associated with those objects. It also supports the creation of Groups of users with common privileges. Implementation of Connect CDC SQData SAF security requires a dynamic class descriptor table (CDT) class, SQDATA0, first be defined. Groups can then be created that grant specific privileges to authorized users of the resources.
Note: The rules and examples are expressed in terms of RACF.
To define and activate the
SQDATA0
class:- Define SQDATA0 class in the dynamic CDT.
RDEFINE CDT SQDATA0 UACC(NONE) + CDTINFO(DEFAULTUACC(NONE) CASE(UPPER) FIRST(ALPHA,SPECIAL) + OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) + MAXLENGTH(246) MAXLENX(246) + GENERIC(ALLOWED) RACLIST(ALLOWED) + POSIT(<posit_number>)) + DATA('SQDATA RESOURCE PROFILE CLASS')
Note: The POSIT number <nnn> used must be unique and not currently in use. - Refresh the CDT class.
SETROPTS RACLIST(CDT) REFRESH
- Activate the new SQDATA0 class
SETROPTS CLASSACT(SQDATA0) RACLIST(SQDATA0) SETROPTS GENERIC(SQDATA0)
- Create user Groups. Two user Groups for the SQDATA0 Class should be created; one for SQData product administrators with full privileges and another for operators with more limited privileges. Finally, the display command is granted a UACC of READ so that any user may issue it.Create SQDATA0 groups of administrator and operator roles.
ADDGROUP SQDOPER SUPGROUP(<superior group name>) ADDGROUP SQDADMIN SUPGROUP(<superior group name>) CONNECT (USER1 + USER2) + GROUP(SQDADMIN) AUTH(CREATE) CONNECT (USER3 + USER4 + USER5) + GROUP(SQDOPER) AUTH(USE)
Note: The Groups defined above are only suggestions. While Administrator and Operator roles may be adequate, others can be defined as needed. - Define Resources for SQDconf.Publisher cab (both types) --type=db2 and --type=zlog
CONF.PUBLISHER.ADD CONF.PUBLISHER.APPLY CONF.PUBLISHER.CONNECT CONF.PUBLISHER.CREATE CONF.PUBLISHER.DISCONNECT CONF.PUBLISHER.DISPLAY CONF.PUBLISHER.MIGRATE CONF.PUBLISHER.MODIFY CONF.PUBLISHER.MOUNT CONF.PUBLISHER.PAUSE CONF.PUBLISHER.REFRESH CONF.PUBLISHER.REMOVE CONF.PUBLISHER.RESUME CONF.PUBLISHER.RESUMEAT CONF.PUBLISHER.START CONF.PUBLISHER.STOP CONF.PUBLISHER.UNMOUNT
Store cab --type=storeCONF.STORE.ADD CONF.STORE.CREATE CONF.STORE.DISPLAY CONF.STORE.MODIFY
IMS cab --type=imsCONF.IMS.ADD CONF.IMS.CREATE CONF.IMS.DISPLAY CONF.IMS.MODIFY CONF.IMS.PAUSE CONF.IMS.REMOVE CONF.IMS.RESUME CONF.IMS.STOP CONF.IMS.TUNE
Note: The first four steps need only be performed once. If the SQDATA0 class and required user Groups have already been configured for another utility, then only the Resources remain to be defined. It is only necessary to define those resources applicable to Captures/Publishers used:Capture Resources Db2 Log Reader CONF.PUBLISHER, CONF.STORE IMS TM Exit CONF.PUBLISHER IMS Log Reader CONF.IMS, CONF.PUBLISHER VSAM Log CONF.PUBLISHER Keyed Files CONF.PUBLISHER
Example
Define desired profiles in the SQDATA0 class including Generic profiles as desired for the SQDconf Utility. Create two groups; one for SQData product administrators with full privileges, and another for operators with more limited privileges. Finally, the display command is granted a UACC of READ so that any user may issue it. The six z/OS JOBS below will accomplish the task.
//SQDATA1 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Define SQDATA0 class in the dynamic CDT
//*
//CLASS EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RDEFINE CDT SQDATA0 UACC(NONE) +
CDTINFO(DEFAULTUACC(NONE) CASE(UPPER) FIRST(ALPHA,SPECIAL) +
OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) +
MAXLENGTH(246) MAXLENX(246) +
GENERIC(ALLOWED) RACLIST(ALLOWED) +
POSIT(<posit_number>)) +
DATA('SQDATA RESOURCE PROFILE CLASS')
/*
//SQDATAR2 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Refresh the CDT class
//*
//CDTREFR EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS RACLIST(CDT) REFRESH
/*
//SQDATAR3 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Activate the new SQDATA0 class
//*
//CLASSACT EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS CLASSACT(SQDATA0) RACLIST(SQDATA0)
SETROPTS GENERIC(SQDATA0)
/*
//SQDATAR4 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Create SQDATA0 groups for administrator and operator roles
//*
//GROUP EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
ADDGROUP SQDOPER SUPGROUP(<superior group name>)
ADDGROUP SQDADMIN SUPGROUP(<superior group name>)
CONNECT (USER1 +
USER2) +
GROUP(SQDADMIN) AUTH(CREATE)
CONNECT (USER3 +
USER4 +
USER5) +
GROUP(SQDOPER) AUTH(USE)
/*
//SQDATAR5 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Define profiles in the SQDATA0 class and PERMIT access.
//*
//GROUP EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RDEFINE SQDATA0 CONF.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.DISPLAY.** UACC(READ)
RDEFINE SQDATA0 CONF.PUBLISHER.MOUNT.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.START.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.PAUSE.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.RESUME.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.STOP.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.UNMOUNT.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.APPLY.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.CONNECT.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.DISCONNECT.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.REFRESH.** UACC(NONE)
RDEFINE SQDATA0 CONF.STORE.DISPLAY.** UACC(READ)
RDEFINE SQDATA0 CONF.IMS.DISPLAY.** UACC(READ)
RDEFINE SQDATA0 CONF.IMS.STOP.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.PAUSE.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.RESUME.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.TUNE.** UACC(NONE)
PERMIT CONF.** CLASS(SQDATA0) ID(SQDADMIN) ACC(READ)
PERMIT CONF.PUBLISHER.MOUNT.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.START.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.PAUSE.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.RESUME.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.STOP.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.UNMOUNT.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.APPLY.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.CONNECT.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.DISCONNECT.** CLASS(SQDATA0) ID(SQDOPER) +
ACC(READ)
PERMIT CONF.PUBLISHER.REFRESH.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.TUNE.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.STOP.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.PAUSE.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.RESUME.** CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
/*
//SQDATAR6 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
// TYPRUN=HOLD
//*
//* Refresh the SQDATA0 classto activate the profiles and permissions
//*
//REFRESH EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS RACLIST(SQDATA0) REFRESH
/*
//
Note: In the example, the following possible profiles were not defined because they are all administrator capabilities covered by the CONF.** generic, to which only users in the SQDADMIN group are granted READ access.
RDEFINE SQDATA0 CONF.PUBLISHER.ADD.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.CREATE.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.MODIFY.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.REMOVE.** UACC(NONE)
RDEFINE SQDATA0 CONF.PUBLISHER.MIGRATE.** UACC(NONE)
RDEFINE SQDATA0 CONF.STORE.ADD.** UACC(NONE)
RDEFINE SQDATA0 CONF.STORE.CREATE.** UACC(NONE)
RDEFINE SQDATA0 CONF.STORE.MODIFY.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.ADD.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.CREATE.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.MODIFY.** UACC(NONE)
RDEFINE SQDATA0 CONF.IMS.REMOVE.** UACC(NONE)