Configure SAF Authorization Using IBM RACF
Configure the SAF authorization of Topology user IDs in IBM RACF.

Required roles: systems programmer, security administrator
You can use IBM RACF to configure SAF authorization for an existing mainframe user ID. To control access based on the purpose of the user ID, grant the user ID access to the required SAF resources.
This section expects the user to be familiar with the IBM RACF security manager. For more information about the available commands, see the IBM RACF documentation at www.ibm.com.
Follow these steps:
- Grant the TPLSTC user ID READ access to the BPX.SERVER resource in the FACILITY class.

  Example:

      PERMIT BPX.SERVER CLASS(FACILITY) ID(TPLSTC) ACCESS(READ)
      SETROPTS RACLIST(FACILITY) REFRESH

- Define a RACF class for the Topology API server.

  Example:

      RDEFINE CDT CA$TPL UACC(NONE) -
        CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) MAXLENGTH(42) -
        OTHER(ALPHA,NUMERIC,SPECIAL) POSIT(?) RACLIST(REQUIRED))

  You can specify an arbitrary value for the POSIT parameter. You have defined the CA$TPL class.

- Activate the new class.

  Example:

      SETROPTS CLASSACT(CDT) RACLIST(CDT)
      SETROPTS RACLIST(CDT) REFRESH
      SETROPTS CLASSACT(CA$TPL) GENERIC(CA$TPL) RACLIST(CA$TPL)
      SETROPTS RACLIST(CA$TPL) REFRESH

  The class is active.

- Create RACF resources for the Topology API server. Currently, access to the user interface verifies only one resource in the class: TOPOLOGY.API.ACCESS.

  Example:

      RDEFINE CA$TPL TOPOLOGY.API.ACCESS UACC(NONE)

- Grant access to the Topology user interface to the user ID that requires this access.

  Example:

      PERMIT TOPOLOGY.API.ACCESS CLASS(CA$TPL) ID(TPLUSR) ACCESS(READ)
      SETROPTS RACLIST(CA$TPL) REFRESH

  SAF is configured to authorize the user ID to access the Topology user interface.
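The same procedure packaged as one repeatable batch TSO job, followed by RLIST commands that display the resulting definitions so the security administrator can verify the permits before handing the user ID over. This is an added example and not part of the original procedure; the job card and the POSIT value (nnn) are assumptions to adjust for your system.

```jcl
//TPLSAF   JOB (ACCT),'TOPOLOGY SAF',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example: applies the RACF definitions from this procedure in
//* one batch TSO step and then lists them for verification.
//* Assumptions: the job card above, and POSIT(nnn), where nnn is a
//* placeholder for a POSIT number not already used by another class
//* in your class descriptor table.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 PERMIT BPX.SERVER CLASS(FACILITY) ID(TPLSTC) ACCESS(READ)
 SETROPTS RACLIST(FACILITY) REFRESH
 RDEFINE CDT CA$TPL UACC(NONE) -
   CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) MAXLENGTH(42) -
   OTHER(ALPHA,NUMERIC,SPECIAL) POSIT(nnn) RACLIST(REQUIRED))
 SETROPTS CLASSACT(CDT) RACLIST(CDT)
 SETROPTS RACLIST(CDT) REFRESH
 SETROPTS CLASSACT(CA$TPL) GENERIC(CA$TPL) RACLIST(CA$TPL)
 SETROPTS RACLIST(CA$TPL) REFRESH
 RDEFINE CA$TPL TOPOLOGY.API.ACCESS UACC(NONE)
 PERMIT TOPOLOGY.API.ACCESS CLASS(CA$TPL) ID(TPLUSR) ACCESS(READ)
 SETROPTS RACLIST(CA$TPL) REFRESH
 RLIST CDT CA$TPL CDTINFO
 RLIST FACILITY BPX.SERVER AUTHUSER
 RLIST CA$TPL TOPOLOGY.API.ACCESS AUTHUSER
/*
```

In SYSTSPRT, the AUTHUSER listings should show TPLSTC with READ on BPX.SERVER and TPLUSR with READ on TOPOLOGY.API.ACCESS, each with UACC NONE; any other user IDs appearing there have access the procedure did not intend.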