Security and Authorization

You can secure the product so that only authorized personnel can access product-specific data sets, find out runtime information about automated resources, or change the status of such resources.

After the initial configuration, the product is set up so that you can familiarize yourself with its functions for testing purposes and then make it secure for your production environment. However, before you begin, you are advised to change the default passwords of the operator IDs that come with the product. The default operators are defined in <nv_hlq_smpe>.DSIPARM member DSIOPFEX. Copy this member to <sa_hlq_user>.DSIPARM, edit it, and change the PASSWORD parameter for each operator. For example, to change OPER1's password to XYZ123, specify:


OPER1        OPERATOR    PASSWORD=XYZ123
             PROFILEN    DSIPROFA       
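
One way to check this step, as an added example that is not part of the product or its documentation: the script compares the shipped DSIOPFEX member with your edited copy and lists the operator IDs whose PASSWORD value is unchanged. The member texts below are constructed samples in the layout shown above, and treating `*` in column 1 as a comment line is an assumption.

```python
import re

# Constructed sample members; the password values are placeholders,
# not the values shipped with the product.
SHIPPED = """\
* constructed sample of the shipped member
OPER1        OPERATOR    PASSWORD=SHIPPED1
             PROFILEN    DSIPROFA
OPER2        OPERATOR    PASSWORD=SHIPPED2
             PROFILEN    DSIPROFA
"""
USER_COPY = """\
OPER1        OPERATOR    PASSWORD=XYZ123
             PROFILEN    DSIPROFA
OPER2        OPERATOR    PASSWORD=SHIPPED2
             PROFILEN    DSIPROFA
OPER3        OPERATOR
             PROFILEN    DSIPROFA
"""

# An OPERATOR statement starts in column 1 with the operator ID.
OPERATOR_RE = re.compile(r"^(\S+)\s+OPERATOR\b(.*)$", re.IGNORECASE)
PASSWORD_RE = re.compile(r"\bPASSWORD=(\S+)", re.IGNORECASE)

def parse_operators(member_text):
    """Return {operator_id: password or None} for each OPERATOR statement."""
    operators = {}
    for line in member_text.splitlines():
        if line.startswith("*"):  # assumption: '*' in column 1 is a comment
            continue
        m = OPERATOR_RE.match(line)
        if m:
            pw = PASSWORD_RE.search(m.group(2))
            operators[m.group(1).upper()] = pw.group(1) if pw else None
    return operators

def unchanged_passwords(shipped_text, user_text):
    """Operator IDs whose PASSWORD in the user copy equals the shipped value."""
    shipped = parse_operators(shipped_text)
    user = parse_operators(user_text)
    return sorted(op for op, pw in user.items()
                  if pw is not None and shipped.get(op) == pw)

if __name__ == "__main__":
    # Report operator IDs only; never echo the password values.
    for op in unchanged_passwords(SHIPPED, USER_COPY):
        print(f"{op}: PASSWORD unchanged from shipped member")
```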

Use a System Authorization Facility (SAF) product, such as the z/OS® Resource Access Control Facility (RACF®), to secure your environment as follows:

  • Operators are defined and authenticated by a SAF product
  • Command authorization is done by a SAF product, based on the issuer of a command
  • Resource authorization is done by a SAF product, based on the issuer of particular commands

SA z/OS facilitates the steps of securing your environment. The Configuration Assistant generates the INGESAF member based on the input in your Configuration Options file. The INGESAF member contains the following items:

  • Profiles that protect commands and other resources
  • Definitions of groups that represent roles
  • Group memberships that contain the individual operators in each role
  • Necessary definitions for all the auto operators that are required by the product
  • PERMIT statements that grant certain roles access to definitions for commands

You can find the INGESAF member and all the other generated members in the CONFLIB data set. See Base SA z/OS Configuration Using the Configuration Assistant for details about using the Configuration Assistant.

It is assumed that you intend to follow the IBM® recommendations to secure your automation environment, and to use the samples in the INGESAF member. See IBM Z® NetView® Security Reference for a complete description of the recommended settings and other security options that you can use.

Notes:
  1. For evaluation and browsing purposes, a member INGESAF in a readable format is also provided in the SINGSAMP sample library. Refer to the description section of this member to learn about the security definitions that it provides. To establish the SAF-based security environment, you must use the Configuration Assistant.
  2. Make sure you have APAR OA41282 installed. With this APAR, the z/OS RACF provides the new general SYSAUTO resource class as a system-provided resource class.

    When using a SAF product other than RACF, manually define the SYSAUTO class.