IBM z/OS Management Facility (z/OSMF)


The IBM z/OS Management Facility framework improves programmer productivity by using simplified, streamlined and automated tasks. This easier-to-use functionality reduces both programmer training time and the learning curve.

  • 1.  Management Services Catalog - Run As User

    Posted Wed June 15, 2022 01:15 PM
    I am trying to use the Management Services Catalog to convert a workflow to service in the Management Service Catalog.
    The workflow is performing RACF security tasks and I would like to run the generated job under privileged RACF USERID.
    I thought I would try and use the runAsUser feature. 

    In the security tab of the workflow step I have added a runAsUser USERID and also an approver USERID in the approver table.
    When I attempt to test or publish the service I have created it says I have runAsUser steps that require approval, however I don't seem to be able to generate an approval request despite adding the approver USERID to the appropriate group in RACF.  This prevents me from either testing or publishing the service.

    Does anybody have an experience in trying to use the runAsUser feature in either z/OSMF workflows or Management Service Catalog plugin?

    I know when I attempt run the workflow with the runAsUser specified the workflow plugin wants to assign the workflow step to the USERID specified in the runAsUser field.
    This isn't really what I want - I really want to run the job under a surrogate USERID so the facility in the Management Services Catalog may not give me what I'm looking for anyway.

    Thanks

    ------------------------------
    Andrew Davies
    Systems Programmer
    HCL Technologies
    ------------------------------


  • 2.  RE: Management Services Catalog - Run As User

    Posted Wed June 15, 2022 04:21 PM

    Hi Andrew.  z/OSMF Workflows, itself, does not support run as user workflow steps at this time because there are no controls over the IDs being used.  z/OS Management Services Catalog, as you're probably aware, adds controls to make it safe to allow the use of run as user steps in workflow definitions used for z/OS Management Services Catalog services.  In addition to our controls,  the Workflows engine validates that the workflow instance run as user step is associated with an active z/OS Management Services Catalog submission AND checks that the run as user ID is still authorized to <IZUDFLT>.ZOSMF.MGMT_SERVICES.RUNASUSER before allowing the subject switch to the run as user ID with which the step is run.

    When you try to publish that service, as long as the approver ID is authorized to <IZUDFLT>.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER and the run as user ID is authorized to <IZUDFLT>.ZOSMF.MGMT_SERVICES.RUNASUSER, the service should move from Unpublished to Pending approval.  The ID specified as the approver must log in to z/OSMF (they need to have access to z/OS Management Services Catalog), go into Administration, open the service, click View details on the right side of the blue banner, and approve the service.  If the service requires no other approvals, it should move to the Ready to publish status.  Now you can go ahead and publish the service so it becomes available in the Catalog.

    You cannot test run a service that has run as user steps until the run as user approvers approve all the run as user steps.  Then you can test run the service while it is in Ready to publish status.  If you have publish approvers enabled, the service will remain in Pending approval status but you should be able to test run it.

    You may ask, "But why?!?!".  Security.  The run as user steps need other 'eyes on' by way of approving them before allowing the run as user steps to honor using someone else's ID (which likely has elevated privileges, which is the whole point of using run as user).



    ------------------------------
    John Czukkermann
    ------------------------------
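    The two authorizations John describes (the run-as-user ID on <IZUDFLT>.ZOSMF.MGMT_SERVICES.RUNASUSER, the approver ID on <IZUDFLT>.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER) expressed as RACF commands, as an added example that is not part of the original thread or of IBM's own setup jobs. It assumes the default SAF prefix IZUDFLT, that the resources live in the ZMFAPLA class z/OSMF uses for its IZUDFLT.ZOSMF.* profiles, that READ access is sufficient, and it uses the constructed user IDs RUNASID and APPRVID.

```tso
/* Added example: grant and verify the z/OSMF Management Services      */
/* Catalog run-as-user authorizations discussed in the thread.         */
/* Assumptions: SAF prefix IZUDFLT, class ZMFAPLA, READ access, and    */
/* RUNASID / APPRVID are constructed IDs, not real ones.               */

/* Define both resources with no universal access, so nobody can be    */
/* run-as or act as approver unless explicitly permitted.              */
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER UACC(NONE)
RDEFINE ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER UACC(NONE)

/* The privileged ID that a service step is allowed to run as.         */
/* Workflows re-checks this permission at run time before switching.   */
PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER CLASS(ZMFAPLA) -
       ID(RUNASID) ACCESS(READ)

/* The second pair of eyes that approves run-as-user steps.            */
/* Keep this ID distinct from RUNASID and from the service author, so  */
/* nobody can approve their own privileged step.                       */
PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER CLASS(ZMFAPLA) -
       ID(APPRVID) ACCESS(READ)

/* ZMFAPLA is RACLISTed; refresh so the changes take effect.           */
SETROPTS RACLIST(ZMFAPLA) REFRESH

/* Verify: the access lists should contain exactly the intended IDs    */
/* and UACC should still be NONE.                                      */
RLIST ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER AUTHUSER
RLIST ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER AUTHUSER
```

    If the profiles were already created by your z/OSMF security setup, skip the RDEFINE lines and issue only the PERMIT, SETROPTS and RLIST commands. The RLIST output is the check worth keeping: a run-as-user ID that is no longer permitted is exactly what makes the Workflows engine refuse the subject switch, and an approver list that is broader than intended defeats the "eyes on" control John describes.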



  • 3.  RE: Management Services Catalog - Run As User

    Posted Mon June 20, 2022 05:26 AM

    Hi John
    Thanks for your reply.
    I haven't had time to get back to this until now.   I have managed to get this to work now after following your instructions.  My main problem was that I couldn't enable publishing approval in Administrative Settings, as the USERIDs I was trying to add to the approver list were always rejected.  That was until I worked out that the names had to be entered in lower case letters only (not sure if this is perhaps a bug).

    Something I have observed is that  when you run the service, when entering values for Input variables the generated web page annoyingly seems to want to update a status message at the top of page about the date and time the draft was last saved after each character is typed into a field.  This takes focus away from the field you are typing into, so unless you type into the field slowly and deliberately you tend to overwrite the previous character you entered with the character you just typed.   Do you know if there is some way to disable this 'feature'?  I have uploaded a screen shot with message highlighted so you can see what I'm talking about.

    Now a couple of wishlist items.  I guess I need to raise these as an RFE, or is it now an IDEA?


    Perhaps I'm trying to use z/OSMF for a function it is not really aimed at, but it would be nice to be able to tailor the job card being inserted into jobs in the service definition itself rather than as a global setting, and also stop the user from being able to update the job card when they are about to run the service.  For this particular service I am trying to create,  I have some AT-TLS rules that are triggered on a particular job name prefix. I don't really want a user of the service updating the job name.

    Also I am wondering whether it's possible to be able to stop read only variables from being presented on the generated web page when the user runs the service.

    Thanks

    Andrew



    ------------------------------
    Andrew Davies
    ------------------------------



  • 4.  RE: Management Services Catalog - Run As User

    Posted Tue June 21, 2022 11:58 AM

    Hi Andrew,  Sorry for the delay in responding, I wasn't planning to take yesterday off, but I did.

    That was until I worked out that the names had to be entered in lower case letters only (not sure if this is perhaps a bug).
    > This is a bug whose fix was just merged this morning.  Unfortunately, it will not be in the impending 1.1 release, but fortunately this is not a high usage path either.

    Something I have observed is that when you run the service, when entering values for Input variables the generated web page annoyingly seems to want to update a status message at the top of page about the date and time the draft was last saved after each character is typed into a field. This takes focus away from the field you are typing into, so unless you type into the field slowly and deliberately you tend to overwrite the previous character you entered with the character you just typed. Do you know if there is some way to disable this 'feature'? I have uploaded a screen shot with message highlighted so you can see what I'm talking about.
    > I know exactly what you are talking about.  That is the autosave that unfortunately is overly aggressive and tries to do so with every typed character.  So it causes no end of frustration to us fast touch typers.  Unfortunately, you're stuck with it for now.  In the impending 1.1 release, we are somewhat less aggressive.  I believe we save on something like a 10 second interval, but you can still experience that annoying behavior of losing characters to the autosave.  We are looking at how we can improve this as part of the next release.

    Perhaps I'm trying to use z/OSMF for a function it is not really aimed at, but it would be nice to be able to tailor the job card being inserted into jobs in the service definition itself rather than as a global setting, and also stop the user from being able to update the job card when they are about to run the service. For this particular service I am trying to create, I have some AT-TLS rules that are triggered on a particular job name prefix. I don't really want a user of the service updating the job name.
    > This is a new requirement, so raising it as an IDEA is a good, well, idea. ;-)  I can tell you that it probably won't make the cut for the next release because we have some significant capabilities that are still missing and need to be provided.

    Also I am wondering whether it's possible to be able to stop read only variables from being presented on the generated web page when the user runs the service.
    > This is something that we call 'hidden variables or hidden inputs'.  We do want to provide the ability in the builder for Administrators to be able to specify an input as hidden.  If it is an optional variable in the workflow definition, then no value would be required.  If it is a required input in the workflow definition, then you would be required to specify a hard-coded value.  I would not want the design for this to take into consideration that the workflow definition might have a default value specified.  I don't think it's good practice to rely on something like that when it is hidden way down in the workflow definition.  This is pretty high in our prioritization, but I cannot promise it will make the 1.2 cut.

    I know these aren't quite the answers you are hoping for, but your experience and feedback does help to confirm our thinking on some of the issues you've raised.  Thank you for providing this information!



    ------------------------------
    John Czukkermann
    z/OS Management Services Catalog, Product owner
    IBM Corporation, Poughkeepsie, NY
    czuk@us.ibm.com
    ------------------------------