Creating the EQQADMIN class to associate a RACF® user ID
About this task
You can use the resource class EQQADMIN to:
- Associate a RACF user ID to the Dynamic Workload Console user ID with which you connect to the Z connector.
- Automatically obtain a RACF user ID based on the Dynamic Workload Console user ID with which you connect to the Z connector.
After you have defined and activated the resource class EQQADMIN in RACF, you must enable its usage by setting the AUTOMAPPING APPLDATA parameter. This setting also determines whether the automatic mapping is enabled or disabled:
- Enabling the automatic way to obtain a RACF user ID from the Dynamic Workload Console user ID
In this way, a RACF user ID is automatically returned based on the Dynamic Workload Console user ID without the host name.
RDEFINE EQQADMIN AUTOMAPPING APPLDATA('YES')
- Disabling the automatic way to obtain a RACF user ID from the Dynamic Workload Console user ID
This means that all the users in the EQQADMIN class must be exactly defined, as follows:
RDEFINE EQQADMIN AUTOMAPPING APPLDATA('NO')
RDEFINE EQQADMIN DWC_userID@Hostname APPLDATA('RACF_userID')
The following example shows the results when you set EQQADMIN to AUTOMAPPING APPLDATA('YES'). In RACF you have authorized the users ROOT and ROBINSON to use HCL Workload Automation for Z, and you have defined the EQQADMIN class as follows:
RDEFINE EQQADMIN AUTOMAPPING APPLDATA('YES')
RDEFINE EQQADMIN admin@EU-HWS-LNX73.xyz.com APPLDATA('ROOT')
If you connect with the Dynamic Workload Console user:
- admin@EU-HWS-LNX73.xyz.com
An exact match is found in EQQADMIN and the RACF user ROOT is returned.
- robinson@EU-HWS-LNX73.xyz.com
No exact match is found in EQQADMIN, therefore according to AUTOMAPPING APPLDATA('YES') the user ID ROBINSON is returned as RACF user ID.
- robinson.richard@EU-HWS-LNX73.xyz.com
No exact match is found in EQQADMIN, therefore according to AUTOMAPPING APPLDATA('YES') the user ID ROBINSON.RICHARD is returned as RACF user ID. However, ROBINSON.RICHARD exceeds the maximum length of 8 characters allowed for a user; as a consequence, an error message is issued about user not found or not valid. The AUTOMAPPING parameter never truncates the length of a user name.
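The lookup order in this example, modelled in Python as an added illustration (not HCL or RACF code): an exact EQQADMIN profile wins, otherwise AUTOMAPPING APPLDATA('YES') returns the user ID without the host name, and an ID longer than 8 characters is rejected rather than truncated. The function names are hypothetical, the input is the two commands from the example, and generic profiles and the % substitution are not modelled.

```python
import re

# Added illustration: a model of the lookup documented above, not product code.
RACF_USERID_MAX = 8  # maximum user ID length stated on this page

# Constructed input: the two RDEFINE commands from the example above.
SAMPLE_COMMANDS = [
    "RDEFINE EQQADMIN AUTOMAPPING APPLDATA('YES')",
    "RDEFINE EQQADMIN admin@EU-HWS-LNX73.xyz.com APPLDATA('ROOT')",
]

_RDEFINE = re.compile(r"\s*RDEFINE\s+EQQADMIN\s+(\S+)\s+APPLDATA\('([^']*)'\)\s*$", re.I)


def parse_profiles(commands):
    """Build {PROFILE_NAME: APPLDATA} from RDEFINE EQQADMIN commands."""
    profiles = {}
    for command in commands:
        match = _RDEFINE.match(command)
        if match:
            # Profile names are not case sensitive, so compare in upper case.
            profiles[match.group(1).upper()] = match.group(2).upper()
    return profiles


def resolve(dwc_user, profiles):
    """Return (racf_user_or_None, reason) for one Dynamic Workload Console ID."""
    key = dwc_user.upper()
    if key != "AUTOMAPPING" and key in profiles:
        return profiles[key], "exact match"
    if profiles.get("AUTOMAPPING") != "YES":
        return None, "no exact match, automapping disabled"
    candidate = key.split("@", 1)[0]  # DWC user ID without the host name
    if not candidate or len(candidate) > RACF_USERID_MAX:
        return None, "automapped ID not valid, never truncated"
    return candidate, "automapped"


def audit(dwc_users, commands):
    """Resolve each DWC user so implicit (automapped) identities stand out."""
    profiles = parse_profiles(commands)
    return {user: resolve(user, profiles) for user in dwc_users}


if __name__ == "__main__":
    users = [n + "@EU-HWS-LNX73.xyz.com" for n in ("admin", "robinson", "robinson.richard")]
    for user, result in audit(users, SAMPLE_COMMANDS).items():
        print(user, "->", result)
```

Running audit over the Dynamic Workload Console user IDs you expect shows which of them reach a RACF user ID through automapping rather than through an explicitly defined profile.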
To create the resource class EQQADMIN and map it to a RACF® user ID, perform the following steps:
- Make sure that your operating system has the Security Server feature.
- Create the resource class EQQADMIN for mapping the administrator ID and host name to the RACF® user ID:
RDEFINE CDT EQQADMIN UACC(NONE) CDTINFO(DEFAULTUACC(NONE) DEFAULTRC(8) FIRST(ALPHA,NUMERIC) MAXLENGTH(246) OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) POSIT(28) OPER(NO) RACLIST(ALLOWED) GENLIST(ALLOWED))
Note: You might need to modify the value of POSIT, if already used by your installation process. For detailed information, see the IBM RACF manual.
- Using the EQQADMIN class, map the administrator ID to the RACF® user ID. The RACF® user ID is associated with the administrator defined at the workstation. Any administrative action is thereby traceable to the user issuing the request.
- Define a profile in the supplied EQQADMIN class for each administrator who is able to access Dynamic Workload Console.
Note: In the following tasks, which are for mapping the administrator to RACF® user IDs, it is recommended that each administrator maps to a unique RACF® user ID.
- Activate the EQQADMIN class by issuing the following command:
SETROPTS CLASSACT (EQQADMIN)
- In the EQQADMIN class, use the following string to define a unique RACF® user ID for each administrator who will perform Dynamic Workload Console operations:
userID@hostname
For example, for a user with the identifier SCOT at the host pelican, you would use SCOT@pelican.
- Enter the following command to define a general resource profile in the EQQADMIN class to associate the administrator with a RACF® user ID (in this example, SCOT):
RDEFINE EQQADMIN SCOT@hostname APPLDATA('SCOT')
Note: The string SCOT@hostname is not case sensitive.
- Refresh the EQQADMIN class with the following command:
SETROPTS RACLIST(EQQADMIN) REFRESH
If you experience problems using special characters to define a profile in the EQQADMIN class, use the following command instead:
SETROPTS GENERIC(EQQADMIN) REFRESH
If you are using a dynamic CDT, refresh also the CDT class:
SETROPTS RACLIST(CDT) REFRESH
Also, use the percent sign (%) instead of the special character. For example, for the Italian code page, the character @ (hex'B5') is not accepted by RACF®. Therefore, use SCOT%pelican instead of SCOT@pelican.
When searching a list of EQQADMIN profiles for a match, RACF® looks for the most similar generic profile.