Access control requirements on z/OS
Some of the products in IBM Z and Cloud Modernization Stack that run on z/OS require you to have permission to run certain commands:
- Authority to set extended file attributes
- For IBM 64-bit SDK for z/OS, Java Technology Edition, authority to access the SYSLOG
Authority to set extended file attributes on z/OS
Some products require APF, PROGCTL, and SHARELIB extended file attributes to be set on particular files in the z/OS file system:
- The authorized program facility (APF) attribute identifies system or user programs that can use sensitive system functions; see Defining UNIX files as APF-authorized programs in the IBM z/OS documentation.
- The PROGCTL attribute defines a program in a file as a controlled program; see Defining programs in UNIX files to program control in the IBM z/OS documentation.
- The SHARELIB attribute loads a program into the shared library region for system-wide sharing; see Defining UNIX files as shared library programs in the IBM z/OS documentation.
To set these extended file attributes, the user ID that runs the installation of the product on z/OS must have elevated authority. The following are examples of RACF® commands to provide the elevated authority that is needed to set these extended file attributes. For other SAF providers, please consult their documentation.
To be able to set the APF extended file attribute:
- Issue the TSO command:
rlist facility BPX.FILEATTR.APF - Verify that the user ID that will perform the install has at least READ access
- If the userid does not have authority, issue the TSO command:
permit BPX.FILEATTR.APF class(FACILITY) id(userid) acc(READ)where userid is the user ID that needs authority and then refresh:setropts raclist(FACILITY) refresh
To be able to set the PROGCTL extended file attribute:
- Issue the TSO command:
rlist facility BPX.FILEATTR.PROGCTL - Verify that the user ID that will perform the install has at least READ access
- If the userid does not have authority, issue the TSO command:
permit BPX.FILEATTR.PROGCTL class(FACILITY) id(userid) acc(READ)where userid is the user ID that needs authority and then refresh:setropts raclist(facility) refresh
To be able to set the SHARELIB extended file attribute:
- Issue the TSO command:
rlist facility BPX.FILEATTR.SHARELIB - Verify that the userid that will perform the install has at least READ access
- If the userid does not have authority, issue the TSO command:
permit BPX.FILEATTR.SHARELIB class(FACILITY) id(userid) acc(READ)where userid is the user IDthat needs authority and then refresh:setropts raclist(facility) refresh
Authority to access SYSLOG
z/OS System Display and Search Facility (SDSF) is an optional z/OS feature that allows you to monitor, control, and view the output of jobs in the system; see Authorized SDSF commands in the IBM z/OS documentation. For IBM 64-bit SDK for z/OS, Java Technology Edition, you need authority to access the SYSLOG that is displayed on the LOG panel.
To be able to access the SYSLOG:
- Verify that the user ID that will perform the installation has at least READ access.
- If the user ID does not have authority, issue the TSO command:
permit ISFCMD.ODSP.SYSLOG.jesx class(SDSF) id(userid) acc(READ)where jesx is your JES system name and userid is the user ID that needs authority and then refresh:setropts raclist(sdsf) refresh