SQDUTIL z/OS security options

Connect CDC (SQData) Utilities

Product type: Software
Portfolio: Integrate
Product family: Connect
Product: Connect > Connect CDC (SQData)
Version: Latest
Language: English
Product name: Connect CDC (SQData)
Title: Connect CDC (SQData) Utilities
Copyright: 2024
First publish date: 2000
Last edition: 2024-07-30
Last publish date: 2024-07-30T19:47:43.164598

Execution of SQDUTIL can be managed at the command level using the z/OS System Authorization Facility (SAF).

The z/OS System Authorization Facility (SAF) uses Classes to identify and define the Objects to be managed and the Resources associated with those objects. It also supports the creation of Groups of users with common privileges. Implementing Connect CDC SQData SAF security requires that a dynamic class descriptor table (CDT) class, SQDATA0, first be defined. Groups can then be created that grant specific privileges to authorized users of the resources.

Note: The rules and examples are expressed in terms of RACF.
To define and activate the SQDATA0 class:
  1. Define the SQDATA0 class in the dynamic CDT.
    RDEFINE CDT SQDATA0 UACC(NONE) +
       CDTINFO(DEFAULTUACC(NONE) CASE(UPPER) FIRST(ALPHA,SPECIAL) +
               OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) +
               MAXLENGTH(246) MAXLENX(246) +
               GENERIC(ALLOWED) RACLIST(ALLOWED) +
               POSIT(<posit_number>)) +
       DATA('SQDATA RESOURCE PROFILE CLASS')
    Note: The POSIT number <posit_number> used must be unique and not currently in use.
  2. Refresh the CDT class.
    SETROPTS RACLIST(CDT) REFRESH
  3. Activate the new SQDATA0 class.
    SETROPTS CLASSACT(SQDATA0) RACLIST(SQDATA0)
    SETROPTS GENERIC(SQDATA0)
  4. Create user Groups. Two user Groups for the SQDATA0 Class should be created: one for SQData product administrators with full privileges and another for operators with more limited privileges. Finally, the display command is granted a UACC of READ so that any user may issue it.
    Create SQDATA0 groups of administrator and operator roles.
    ADDGROUP SQDOPER SUPGROUP(<superior group name>)
    ADDGROUP SQDADMIN SUPGROUP(<superior group name>)
    CONNECT (USER1 +
             USER2) +
      GROUP(SQDADMIN) AUTH(CREATE)
    CONNECT (USER3 +
             USER4 +
             USER5) +
      GROUP(SQDOPER) AUTH(USE)
    Note: The Groups defined above are only suggestions. While Administrator and Operator roles may be adequate, others can be defined as needed.
  5. Define Resources for SQDUTIL.
    UTIL.CLEAN
    UTIL.DUMP
    Note: Steps 1 - 4 should only be performed once. If the SQDATA0 class and required user Groups have already been configured for another utility, then only the Resources remain to be defined.

    Example

    Define the desired profiles in the SQDATA0 class, including Generic profiles as desired, for SQDUTIL. Create two groups: one for SQData product administrators with full privileges, and another for operators with more limited privileges. The six z/OS JOBS below will accomplish the task.
    //SQDATA1  JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
    //  TYPRUN=HOLD
    //*
    //* Define SQDATA0 class in the dynamic CDT
    //*
    //CLASS    EXEC PGM=IKJEFT1B
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
    RDEFINE CDT SQDATA0 UACC(NONE) +
     CDTINFO(DEFAULTUACC(NONE) CASE(UPPER) FIRST(ALPHA,SPECIAL) +
             OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) +
             MAXLENGTH(246) MAXLENX(246) +
             GENERIC(ALLOWED) RACLIST(ALLOWED) +
             POSIT(<posit_number>)) +
     DATA('SQDATA RESOURCE PROFILE CLASS')
    /*
    
    
    //SQDATAR2 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
    //  TYPRUN=HOLD
    //*
    //* Refresh the CDT class
    //*
    //CDTREFR  EXEC PGM=IKJEFT1B
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
    SETROPTS RACLIST(CDT) REFRESH
    /*
    
    //SQDATAR3 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
    //  TYPRUN=HOLD
    //*
    //* Activate the new SQDATA0 class
    //*
    //CLASSACT EXEC PGM=IKJEFT1B
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
    SETROPTS CLASSACT(SQDATA0) RACLIST(SQDATA0)
    SETROPTS GENERIC(SQDATA0)
    /*
    
    //SQDATAR4 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
    //  TYPRUN=HOLD
    //*
    //* Create SQDATA0 groups for administrator and operator roles
    //*
    //GROUP    EXEC PGM=IKJEFT1B
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
    ADDGROUP SQDOPER SUPGROUP(<superior group name>)
    ADDGROUP SQDADMIN SUPGROUP(<superior group name>)
    CONNECT (USER1 +
            USER2) +
      GROUP(SQDADMIN) AUTH(CREATE)
    CONNECT (USER3 +
            USER4 +
            USER5) +
      GROUP(SQDOPER) AUTH(USE)
    /*
     
    //SQDATAR5 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
    //  TYPRUN=HOLD
    //*
    //* Define profiles in the SQDATA0 class and PERMIT access.
    //*
    //GROUP    EXEC PGM=IKJEFT1B
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
    RDEFINE SQDATA0  UTIL.**          UACC(NONE)
    RDEFINE SQDATA0  UTIL.DUMP.**     UACC(READ)
    RDEFINE SQDATA0  UTIL.CLEAN.**    UACC(NONE)
    PERMIT UTIL.**                    CLASS(SQDATA0) ID(SQDADMIN) ACC(READ)
    PERMIT UTIL.DUMP.**               CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
    PERMIT UTIL.CLEAN.**              CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
    /*
    
    //SQDATAR6 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
    //  TYPRUN=HOLD
    //*
    //* Refresh the SQDATA0 class to activate the profiles and permissions
    //*
    //REFRESH  EXEC PGM=IKJEFT1B
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
    SETROPTS RACLIST(SQDATA0) REFRESH
    /*
    //

Example

Define the desired profiles in the SQDATA0 class, including Generic profiles as desired, for the SQDconf Utility. Create two groups: one for SQData product administrators with full privileges, and another for operators with more limited privileges. Finally, the display command is granted a UACC of READ so that any user may issue it. The six z/OS JOBS below will accomplish the task.
//SQDATA1  JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
//  TYPRUN=HOLD
//*
//* Define SQDATA0 class in the dynamic CDT
//*
//CLASS    EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RDEFINE CDT SQDATA0 UACC(NONE) +
 CDTINFO(DEFAULTUACC(NONE) CASE(UPPER) FIRST(ALPHA,SPECIAL) +
         OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) +
         MAXLENGTH(246) MAXLENX(246) +
         GENERIC(ALLOWED) RACLIST(ALLOWED) +
         POSIT(<posit_number>)) +
 DATA('SQDATA RESOURCE PROFILE CLASS')
/*
//SQDATAR2 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
//  TYPRUN=HOLD
//*
//* Refresh the CDT class
//*
//CDTREFR  EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS RACLIST(CDT) REFRESH
/*
//SQDATAR3 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
//  TYPRUN=HOLD
//*
//* Activate the new SQDATA0 class
//*
//CLASSACT EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS CLASSACT(SQDATA0) RACLIST(SQDATA0)
SETROPTS GENERIC(SQDATA0)
/*
//SQDATAR4 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
//  TYPRUN=HOLD
//*
//* Create SQDATA0 groups for administrator and operator roles
//*
//GROUP    EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ADDGROUP SQDOPER SUPGROUP(<superior group name>)
ADDGROUP SQDADMIN SUPGROUP(<superior group name>)
CONNECT (USER1 +
        USER2) +
  GROUP(SQDADMIN) AUTH(CREATE)
CONNECT (USER3 +
        USER4 +
        USER5) +
  GROUP(SQDOPER) AUTH(USE)
/*
//SQDATAR5 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
//  TYPRUN=HOLD
//*
//* Define profiles in the SQDATA0 class and PERMIT access.
//*
//GROUP    EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RDEFINE SQDATA0  CONF.**                      UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.DISPLAY.**    UACC(READ)
RDEFINE SQDATA0  CONF.PUBLISHER.MOUNT.**      UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.START.**      UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.PAUSE.**      UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.RESUME.**     UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.STOP.**       UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.UNMOUNT.**    UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.APPLY.**      UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.CONNECT.**    UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.DISCONNECT.** UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.REFRESH.**    UACC(NONE)
RDEFINE SQDATA0  CONF.STORE.DISPLAY.**        UACC(READ)
RDEFINE SQDATA0  CONF.IMS.DISPLAY.**          UACC(READ)
RDEFINE SQDATA0  CONF.IMS.STOP.**             UACC(NONE)
RDEFINE SQDATA0  CONF.IMS.PAUSE.**            UACC(NONE)
RDEFINE SQDATA0  CONF.IMS.RESUME.**           UACC(NONE)
RDEFINE SQDATA0  CONF.IMS.TUNE.**             UACC(NONE)
PERMIT CONF.**                    CLASS(SQDATA0) ID(SQDADMIN) ACC(READ)
PERMIT CONF.PUBLISHER.MOUNT.**     CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.START.**     CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.PAUSE.**     CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.RESUME.**    CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.STOP.**      CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.UNMOUNT.**   CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.APPLY.**     CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.CONNECT.**   CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.PUBLISHER.DISCONNECT.** CLASS(SQDATA0) ID(SQDOPER) +
      ACC(READ)
PERMIT CONF.PUBLISHER.REFRESH.**   CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.TUNE.**            CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.STOP.**            CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.PAUSE.**           CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT CONF.IMS.RESUME.**          CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
/*
//SQDATAR6 JOB 1,MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID.,
//  TYPRUN=HOLD
//*
//* Refresh the SQDATA0 class to activate the profiles and permissions
//*
//REFRESH  EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS RACLIST(SQDATA0) REFRESH
/*
//
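
Added example (not part of the product documentation): a simplified Python model of how RACF resolves the profiles defined in the two SQDATAR5 jobs above, under the rule that only the most specific matching profile's access list and UACC are consulted. It handles only discrete names and trailing `.**` generics and assumes list-of-groups checking; the function names are this example's own, and the resource names `UTIL.CLEAN` and `CONF.PUBLISHER.STOP` are taken from the page's resource list and profile names.

```python
import re

# Constructed from the page's SQDATAR5 jobs: all UTIL lines, four CONF lines.
COMMANDS = """
RDEFINE SQDATA0  UTIL.**          UACC(NONE)
RDEFINE SQDATA0  UTIL.DUMP.**     UACC(READ)
RDEFINE SQDATA0  UTIL.CLEAN.**    UACC(NONE)
PERMIT UTIL.**                    CLASS(SQDATA0) ID(SQDADMIN) ACC(READ)
PERMIT UTIL.DUMP.**               CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
PERMIT UTIL.CLEAN.**              CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
RDEFINE SQDATA0  CONF.**                      UACC(NONE)
RDEFINE SQDATA0  CONF.PUBLISHER.STOP.**       UACC(NONE)
PERMIT CONF.**                    CLASS(SQDATA0) ID(SQDADMIN) ACC(READ)
PERMIT CONF.PUBLISHER.STOP.**      CLASS(SQDATA0) ID(SQDOPER) ACC(READ)
"""
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
RDEF = re.compile(r"RDEFINE\s+SQDATA0\s+(\S+)\s+UACC\((\w+)\)")
PERM = re.compile(r"PERMIT\s+(\S+)\s+CLASS\(SQDATA0\)\s+ID\((\w+)\)\s+ACC\((\w+)\)")

def load(commands):
    """Return {profile: {"uacc": level, "acl": {group: level}}}."""
    profiles = {}
    for line in commands.splitlines():
        if m := RDEF.match(line):
            profiles[m[1]] = {"uacc": m[2], "acl": {}}
        elif m := PERM.match(line):
            profiles[m[1]]["acl"][m[2]] = m[3]
    return profiles

def best_profile(profiles, resource):
    """Most specific match; a discrete name beats any '.**' generic."""
    def hit(n):
        stem = n[:-3] if n.endswith(".**") else None
        return n == resource or (stem is not None and (resource + ".").startswith(stem + "."))
    hits = [n for n in profiles if hit(n)]
    return max(hits, key=lambda n: (not n.endswith(".**"), len(n)), default=None)

def effective_access(profiles, resource, groups):
    """Highest level among the caller's groups on the best profile's access
    list, otherwise that profile's UACC. User-ID entries are not modelled."""
    name = best_profile(profiles, resource)
    if name is None:
        return None, None  # no covering profile; outcome not modelled here
    acl = profiles[name]["acl"]
    granted = [acl[g] for g in groups if g in acl]
    level = max(granted, key=LEVELS.index) if granted else profiles[name]["uacc"]
    return name, level

PROFILES = load(COMMANDS)
```

With the commands as shown, an ID connected only to SQDADMIN resolves to NONE on `UTIL.CLEAN` and `CONF.PUBLISHER.STOP`, because the more specific profiles list only SQDOPER and the PERMIT on `UTIL.**` or `CONF.**` is never consulted for them. If administrators need those commands, permit SQDADMIN on each specific profile as well and confirm the result with `RLIST SQDATA0 UTIL.CLEAN.** AUTHUSER`.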