Applying the required RACF® (or equivalent) rules

The Fault Analyzer web interface requires a set of rules to be implemented in your z/OS® security system.

Many of these sample rules include placeholders where you can provide values tailored to your installation environment, including:

<ServerUserId>
    The user ID that the two server jobs (started tasks) run under
<UserId>
    The user ID of someone who has been granted access to use the Fault Analyzer web interface (optional)

To allow the Fault Analyzer web interface to provide appropriate access to z/OS® resources, the following RACF® (or equivalent) rules must be applied:

RDEF SERVER BBG.ANGEL UACC(NONE)                                
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(<ServerUserId>)        
                                                                
RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)                     
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(<ServerUserId>)                                                    
                                                                
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)             
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(<ServerUserId>)
                                                                
RDEFINE SERVER BBG.SECPFX.IDIZDFLT UACC(NONE)                   
PERMIT BBG.SECPFX.IDIZDFLT CLASS(SERVER) ACCESS(READ) ID(<ServerUserId>)
                                                                
SETROPTS RACLIST(SERVER) GENERIC(SERVER) REFRESH

To facilitate user authentication and authorization, the following rules must be customized to suit your environment. The last two rules control user access to the Fault Analyzer web interface. Access can be granted to specific user IDs, or a UACC of READ can be used to give global access.

Note: Specifying UACC(READ) does not change the security checks made for individual history file data sets; it only controls access to the web application itself.

RDEFINE FACILITY BBG.SYNC.IDIZDFLT UACC(NONE)                   
PERMIT BBG.SYNC.IDIZDFLT ACCESS(CONTROL) CLASS(FACILITY) ID(<ServerUserId>)                                    
SETROPTS RACLIST(FACILITY) GENERIC(FACILITY) REFRESH            
                                                                
RDEFINE EJBROLE IDIZDFLT.IDIGWEB.AllAuthenticated UACC(NONE)    
PERMIT IDIZDFLT.IDIGWEB.AllAuthenticated CLASS(EJBROLE) ACCESS(READ) ID(<UserId>)                                         
SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE) REFRESH              
                                                                
RDEFINE APPL IDIZDFLT UACC(NONE)                                
PERMIT IDIZDFLT CLASS(APPL) ACCESS(READ) ID(<UserId>)             
SETROPTS RACLIST(APPL) GENERIC(APPL) REFRESH

Newer versions of Liberty require an unauthenticated user ID, which Liberty uses to represent users who have not yet authenticated. Define WSGUEST, which will reside in the WSGUESTG group, as the default unauthenticated ID that Liberty will search for.

ADDGROUP WSGUESTG SUPGROUP(SYS1) OWNER(SYS1) -
         DATA('WAS Unauthenticated User Group') -
         OMVS(AUTOGID)

ADDUSER WSGUEST DFLTGRP(WSGUESTG) OWNER(SYS1) -
         OMVS(AUTOUID -
         HOME(/u/WSGUEST) -
         PROGRAM(/bin/sh)) -
         NAME('WAS unauth') -
         NOPASSWORD NOOIDCARD -
         RESTRICTED

PERMIT IDIZDFLT CLASS(APPL) ID(WSGUEST) ACCESS(READ)
SETROPTS RACLIST(APPL) GENERIC(APPL) REFRESH
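
A pre-submission check for a customized copy of these commands, as an added example that is not part of the Fault Analyzer documentation: it flags placeholders left unsubstituted, RDEFINE commands without an explicit UACC(NONE), and RDEFINE or PERMIT commands that no later SETROPTS ... REFRESH covers for their class. The function names and SAMPLE_DECK are constructed for illustration, and the deck is assumed to use trailing `-` or `+` for TSO line continuation.

```python
import re

# Placeholders used in the sample rules; any left in a deck means it was not customized.
PLACEHOLDER = re.compile(r"<(ServerUserId|UserId)>")

def join_continuations(text):
    """Join lines ending in '-' or '+' (TSO continuation) into single commands."""
    cmds, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(("-", "+")):
            buf += line[:-1].rstrip() + " "
        elif line or buf:
            cmds.append(buf + line)
            buf = ""
    return cmds

def lint(deck):
    """Return (kind, command) findings for a RACF command deck."""
    findings, pending = [], {}  # pending: class -> last change not yet refreshed
    for cmd in join_continuations(deck):
        up = cmd.upper()
        words = up.split()
        if not words:
            continue
        if PLACEHOLDER.search(cmd):
            findings.append(("placeholder", cmd))
        if words[0] in ("RDEF", "RDEFINE") and len(words) > 1:
            uacc = re.search(r"UACC\((\w+)\)", up)
            # UACC(READ) can be deliberate for the web-access profiles; review it.
            if uacc is None or uacc.group(1) != "NONE":
                findings.append(("uacc", cmd))
            pending[words[1]] = cmd
        elif words[0] == "PERMIT":
            cls = re.search(r"CLASS\((\w+)\)", up)
            if cls:
                pending[cls.group(1)] = cmd
        elif words[0] == "SETROPTS" and "REFRESH" in words:
            for group in re.findall(r"RACLIST\(([^)]*)\)", up):
                for cls in group.replace(",", " ").split():
                    pending.pop(cls, None)
    return findings + [("no-refresh", cmd) for cmd in pending.values()]

# Constructed sample deck with three deliberate problems.
SAMPLE_DECK = """RDEFINE SERVER BBG.ANGEL UACC(NONE)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(<ServerUserId>)
SETROPTS RACLIST(SERVER) GENERIC(SERVER) REFRESH
RDEFINE APPL IDIZDFLT UACC(READ)
SETROPTS RACLIST(APPL) GENERIC(APPL) REFRESH
PERMIT IDIZDFLT CLASS(APPL) -
       ID(WSGUEST) ACCESS(READ)"""
```

Each finding pairs a kind (`placeholder`, `uacc` or `no-refresh`) with the joined command text, so `lint(SAMPLE_DECK)` can be printed or used to fail a change-control check.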