[z/OS]

Securing the job scheduler using groups on the z/OS operating system

You can secure the job scheduler using groups. A user can then act on a job only if the user and job are members of the same group.

Before you begin

Start the deployment manager and all node agents.

About this task

Enable WebSphere® Application Server global security. Configure the user registry bridge for federated repositories. Install and configure a VMM SAF mapping module and add the module to three login modules. Use RACF® to create a group and add a user to the group. Then assign a group to a job.

Procedure

  1. Enable global security.
    Read the section on enabling security in the WebSphere Application Server documentation and follow the directions. On the Global Security pages, ensure that you select the following options.
    • Enable administrative security and Enable application security
    • Federated repositories for Available realm definitions

      If this option is not selected, select it and click Set as current.

    • Enable SAF Delegation for Authorization provider
  2. Configure the user registry bridge for federated repositories.

    Read the section on configuring the user registry bridge for federated repositories using wsadmin scripting in the WebSphere Application Server documentation and follow the directions.

  3. Install and configure the SampleVMMSAFMappingModule module.

    Read the section on installing and configuring a custom System Authorization Facility mapping module for the product and follow the directions. You add the module to the WEB_INBOUND, RMI_INBOUND, and DEFAULT login modules.

  4. Synchronize your changes and restart the cell.
  5. Create a group and add a user to the group.

    Read the information about creating a group and adding a user to the group in the RACF user's guide, Security Server RACF General User's Guide.

  6. Set the custom property that indicates which policy the batch environment uses.
    1. Expand System administration > Job scheduler.
    2. Under Additional Properties, click Custom properties > New.
    3. In the Name field, type JOB_SECURITY_POLICY, and in the Value field, type GROUP.
    4. Click OK.
  7. Assign a group to a job.

    A job belongs to a user group and an administrative group. If the JOB_SECURITY_ADMIN_GROUP variable is not defined, the job scheduler automatically assigns the administrative group to each job.

    • Configure the value of the administrative group name through the JOB_SECURITY_ADMIN_GROUP job scheduler custom property:
      JOB_SECURITY_ADMIN_GROUP=JSYSADMN
      The default administrative group name is JSYSADMN.
    • Assign the group using one of the following methods.
      • Define the group on the group attribute in the xJCL, for example:
        <job name="{jobname}" group="{group-name}" … />
      • Set the job scheduler default group name using the JOB_SECURITY_DEFAULT_GROUP job scheduler custom property:
        JOB_SECURITY_DEFAULT_GROUP=JSYSDFLT
        The default group name is JSYSDFLT.
      The group attribute in the xJCL takes precedence over the job scheduler custom property. If you do not specify a group name in your xJCL, the job scheduler assigns the default group name.
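The precedence rule in step 7 means a job submitted without a group attribute silently lands in the default group, so it helps to check which users that exposes each job to. The following sketch is an added example, not IBM code: it models the rule from this page, and treating membership in the job's administrative group as sufficient to act on the job is this example's reading of the page. The function names, job names, user names and the PAYGRP group are hypothetical.

```python
import xml.etree.ElementTree as ET

# Default values stated on this page for the job scheduler custom properties.
DEFAULTS = {
    "JOB_SECURITY_ADMIN_GROUP": "JSYSADMN",
    "JOB_SECURITY_DEFAULT_GROUP": "JSYSDFLT",
}

def job_groups(xjcl_text, custom_props):
    """Return (job name, user group, admin group, source of the user group)."""
    props = {**DEFAULTS, **custom_props}
    job = ET.fromstring(xjcl_text)
    if job.tag != "job":
        raise ValueError("root element is not <job>")
    group = (job.get("group") or "").strip()
    source = "xJCL"
    if not group:
        # No group attribute in the xJCL: the scheduler default applies.
        group = props["JOB_SECURITY_DEFAULT_GROUP"]
        source = "default"
    return job.get("name"), group, props["JOB_SECURITY_ADMIN_GROUP"], source

def may_act(member_of, job_group, admin_group):
    """Model of the GROUP policy: the user and the job must share a group."""
    return bool(set(member_of) & {job_group, admin_group})

def audit(xjcl_docs, custom_props, users):
    """For each job, list the users who could act on it and why."""
    report = []
    for text in xjcl_docs:
        name, group, admin, source = job_groups(text, custom_props)
        allowed = sorted(u for u, g in users.items() if may_act(g, group, admin))
        report.append({"job": name, "group": group,
                       "source": source, "allowed": allowed})
    return report

# Constructed sample input: two minimal xJCL documents and RACF-style
# group memberships. None of these names come from a real system.
SAMPLE_XJCL = [
    '<job name="PayrollRun" group="PAYGRP"><job-step name="s1"/></job>',
    '<job name="AdHocReport"><job-step name="s1"/></job>',
]
SAMPLE_USERS = {"user1": ["PAYGRP"], "user2": ["JSYSDFLT"], "opsadm": ["JSYSADMN"]}

if __name__ == "__main__":
    for row in audit(SAMPLE_XJCL, {}, SAMPLE_USERS):
        flag = "  <- fell back to default group" if row["source"] == "default" else ""
        print(f'{row["job"]}: group={row["group"]} allowed={row["allowed"]}{flag}')
```

Jobs flagged as falling back to the default group are the ones to review: anyone connected to that group can act on them.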

Results

You created a group and assigned a user to the group so that a user can manage jobs using group security.

What to do next

Manage jobs using group security.

  1. Submit the job.
  2. Have the user1 user that you created in a previous step act on the job, such as by viewing the job log.




Last updated: July 9, 2016 7:54
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=tgrid_bgsecure_group_zos
File name: tgrid_bgsecure_group_zos.html