Configure SAF Authorization Using IBM RACF

Configure the SAF authorization of Topology user IDs in IBM RACF.
Required roles: systems programmer, security administrator
You can use IBM RACF to configure SAF authorization for an existing Mainframe user ID. To control access based on the purpose of the user ID, grant the user ID access to the required SAF resources.
This section expects the user to be familiar with the IBM RACF security manager. For more information about the available commands, see the IBM RACF documentation at www.ibm.com.
Follow these steps:
  1. Grant the TPLSTC user ID READ access to the BPX.SERVER resource in the FACILITY class.
    Example:
    PERMIT BPX.SERVER CLASS(FACILITY) ID(TPLSTC) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
  2. Define a RACF class for the Topology API server.
    Example:
    RDEFINE CDT CA$TPL UACC(NONE) -
      CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) MAXLENGTH(42) -
      OTHER(ALPHA,NUMERIC,SPECIAL) POSIT(?) RACLIST(REQUIRED))
    You can specify an arbitrary value for the POSIT parameter.
    You have defined the CA$TPL class.
  3. Activate the new class.
    Example:
    SETROPTS CLASSACT(CDT) RACLIST(CDT)
    SETROPTS RACLIST(CDT) REFRESH
    SETROPTS CLASSACT(CA$TPL) GENERIC(CA$TPL) RACLIST(CA$TPL)
    SETROPTS RACLIST(CA$TPL) REFRESH
    The class is active.
  4. Create RACF resources for the Topology API server.
    Currently, access to the UI is verified against only one resource in the class: TOPOLOGY.API.ACCESS.
    Example:
    RDEFINE CA$TPL TOPOLOGY.API.ACCESS UACC(NONE)
  5. Grant access to the Topology user interface to the user ID that requires this access.
    Example:
    PERMIT TOPOLOGY.API.ACCESS CLASS(CA$TPL) ID(TPLUSR) ACC(READ)
    SETROPTS RACLIST(CA$TPL) REFRESH
    SAF is configured to authorize the user ID to access the Topology user interface.
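
The following is an added example, not part of the original page or of the product: a Python lint for a RACF command script such as the one built up in the steps above. It checks that every RDEFINE sets UACC(NONE), that no PERMIT grants more than READ, and that each class is refreshed with SETROPTS RACLIST(class) REFRESH after its last change. The function names and the policy are assumptions of this example, and it assumes every class the script touches is RACLISTed, as on this page.

```python
import re

# The page's commands, one per line; POSIT(?) is the page's own placeholder.
PAGE_SCRIPT = """
PERMIT BPX.SERVER CLASS(FACILITY) ID(TPLSTC) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
RDEFINE CDT CA$TPL UACC(NONE) -
  CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) MAXLENGTH(42) -
  OTHER(ALPHA,NUMERIC,SPECIAL) POSIT(?) RACLIST(REQUIRED))
SETROPTS CLASSACT(CDT) RACLIST(CDT)
SETROPTS RACLIST(CDT) REFRESH
SETROPTS CLASSACT(CA$TPL) GENERIC(CA$TPL) RACLIST(CA$TPL)
SETROPTS RACLIST(CA$TPL) REFRESH
RDEFINE CA$TPL TOPOLOGY.API.ACCESS UACC(NONE)
PERMIT TOPOLOGY.API.ACCESS CLASS(CA$TPL) ID(TPLUSR) ACC(READ)
SETROPTS RACLIST(CA$TPL) REFRESH
"""

def commands(script):
    """Join lines ending in '-' (TSO continuation) into whole commands."""
    joined = re.sub(r"-[ \t]*\n", " ", script.upper())
    return [" ".join(c.split()) for c in joined.splitlines() if c.strip()]

def operand(cmd, key):
    """Value of KEY(value) in cmd, matching KEY as a whole keyword, else None."""
    m = re.search(r"(?<![A-Z$#@])(?:" + key + r")\(([^()]*)\)", cmd)
    return m.group(1) if m else None

def audit(script):
    """Return findings for a RACF command script (policy assumed from the page)."""
    findings, pending = [], set()  # pending: classes changed since last REFRESH
    for cmd in commands(script):
        words = cmd.split()
        if words[0] == "RDEFINE":
            if operand(cmd, "UACC") != "NONE":
                findings.append("UACC not explicitly NONE: " + cmd)
            pending.add(words[1])
        elif words[0] == "PERMIT":
            if (operand(cmd, "ACC(?:ESS)?") or "READ") not in ("READ", "NONE"):
                findings.append("access above READ: " + cmd)
            if operand(cmd, "ID") == "*":
                findings.append("ID(*) permits every defined user: " + cmd)
            pending.add(operand(cmd, "CLASS") or "DATASET")
        elif words[0] == "SETROPTS" and "REFRESH" in words:
            pending.discard(operand(cmd, "RACLIST"))
    findings += ["no SETROPTS RACLIST(%s) REFRESH after last change" % c
                 for c in sorted(pending)]
    return findings

print(audit(PAGE_SCRIPT) or "no findings")
```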