IBM Security Z Security

Security for Z


Roles in zSecure

  • 1.  Roles in zSecure

    Posted 2 days ago

    Hello
    We want to create roles in our zSecure for using zSecure. Unfortunately, the documentation is very poor in this regard. The only role that is covered is that of the helpdesk. And that is only via the Visual Server. However, we do not use the Visual Server (nor do we intend to in the future) and work via the ISPF interface.
    Can anyone help me?
    We want to set up the following roles:
    Admin – RACF administrators with all rights
    Auditor – The person who is supposed to audit us but is not allowed to make any changes.
    User administrator – Restricted to certain areas only (Group Special)
    External employees – Employees who support us but do not have full system SPECIAL access.
    Many thanks 
    Stephan



    ------------------------------
    Stephan Reichelt
    ------------------------------


  • 2.  RE: Roles in zSecure
    Best Answer

    Posted 2 days ago

    hi Stephan, 

    a way that you can consider to accomplish these job roles for your types of zSecure users is as follows: 

    • Set up a RACF group for each of the zSecure job roles that you mention
    • Connect the current zSecure users to the group that matches with their job role
    • Permit each role group with the appropriate zSecure-related resources that you want them to be able to use:
      • XFACILIT resources CKR.OPTION.** can be used to control which zSecure Menu options you want to allow/deny access to for each job role
      • XFACILIT resources CKR.ACTION.** can be used to control which zSecure Action commands you want to allow/deny access to for each job role
      • READ access is required for the users to be allowed to process the input resources that zSecure supports (for example, RACF primary, RACF backup(s), RACF copy, RACF unload, SMF live records, SMF dumped records, CKFREEZE data sets, Access Monitor data sets, locally defined data sets (if used))
    • Besides these authorizations, your users need the appropriate RACF authority (SPECIAL, OPERATIONS, AUDITOR, ROAUDIT, class authorizations, and/or access to IRR.** FACILITY class resources). But since these are existing users, I assume that the zSecure users already have (most of) these RACF authorizations.

    Hope this helps.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: Roles in zSecure

    Posted 2 days ago

    Hello John,
    Thank you very much for your quick and competent reply. As you correctly identified, the standard definitions already exist in RACF. I am just confused by the different profiles in zSecure in XFACILIT, or rather, the description is somewhat inadequate for someone who is self-taught like me (it would be nice if, as in other IBM manuals, there were more practical examples). We have set up profiles in XFACILIT (not by me) where I am not even sure if they are needed. There are also profiles that, according to the manual, are for the Visual Server, which we do not use at all. Even if you look at the XFACILIT class in the RACF Access Monitor, profiles are used where I still don't understand why. As I said, the manual is not particularly helpful in this regard. Are there any 'secret' documents where you can learn about this at a simpler level?

    Thank you for your support.
    Best regards
    Stephan



    ------------------------------
    Stephan Reichelt
    ------------------------------



  • 4.  RE: Roles in zSecure

    Posted 2 days ago

    Sorry...I mean Tom :)



    ------------------------------
    Stephan Reichelt
    ------------------------------



  • 5.  RE: Roles in zSecure

    Posted 2 days ago

    Hi Stephan,

    It is not completely clear to me which XFACILIT profiles you might have a question about. :/

    The C2R prefix is for zSecure Visual functionality (and now also used in the Web UI that replaces it).

    The B8R prefix is for the RACF-Offline component of zSecure Admin.

    The CKF prefix is for controlling the zSecure Collect for z/OS (CKFCOLL) program, which builds the system snapshot file (CKFREEZE).

    The CKG prefix is for the CKGRACF component of zSecure Admin. In particular, you can define a user's ability to use CKGRACF commands to update the RACF database at a granular level. The CKGRACF scope is also part of the overall scope of various scoping functionalities in the product.
    There are some details here: https://www.ibm.com/docs/en/szs/3.1.0?topic=manual-ckgracf-quick-reference

    There are several CKN* prefixes for working with the zSecure Server (CKNSERVE), which connects to other systems for remote command execution (and remote reading) etc.

    CKR is the general zSecure prefix (also used for CKRCARLA operation).
    There are CKR.ACTION and CKR.OPTION resources for defining what is shown / can be used in the ISPF UI, see 
    https://www.ibm.com/docs/en/szs/3.1.0?topic=controls-resources-that-configure-which-options-are-shown and 
    https://www.ibm.com/docs/en/szs/3.1.0?topic=iic-resources-that-configure-which-line-commands-are-allowed
    CKR.CKRCARLA.APF controls if CKRCARLA can be run with APF authorization.
    The CKR.CKXLOG.** resources are for controlling the use of the Command Logger (CKXLOG) component of zSecure Admin.
    CKR.READALL determines if you can see everything in the RACF database, or if the program should run in restricted mode when you don't have a read permit to the database (and hide things that are not in your scope).

    CKX is for the Command Executor (CKX) component.

    C2X is for the RACF Exit Activator (C2X) component.

    C4R is the zSecure Command Verifier prefix.

    Let me know how I can help you further...

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure
    Delft
    ------------------------------



  • 6.  RE: Roles in zSecure

    Posted 2 days ago

    Hello Jeroen,
    Thank you very much for your help.
    I will extract some profiles from our database and from the RACF Access Monitor over the course of next week and would like to get back to you with them, if that is okay. Under the same thread?
    Best regards
    Stephan



    ------------------------------
    Stephan Reichelt
    ------------------------------



  • 7.  RE: Roles in zSecure

    Posted 18 hours ago

    Hi Stephan,

    Yes, that is fine. I follow this Community via individual emails, so I should see it regardless of what thread you post in.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure
    Delft
    ------------------------------



  • 8.  RE: Roles in zSecure

    Posted 2 days ago

    Hi Stephan, 

    Perhaps you are already aware of this documentation, but just in case you are not.

    Here's a link to more detailed information regarding "Resources that configure which options are shown" in chapter "Security setup for zSecure", section "ISPF interface controls" of the zSecure Installation and Deployment guide: https://www.ibm.com/docs/en/szs/3.1.0?topic=controls-resources-that-configure-which-options-are-shown.

    I have no knowledge of other 'secret' documents that could clarify any remaining questions that you might have about this topic!

    Regards,



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 9.  RE: Roles in zSecure

    Posted 2 days ago

    Hi Tom,
    Thanks, I'll take a look at that.
    Best regards
    Stephan



    ------------------------------
    Stephan Reichelt
    ------------------------------



  • 10.  RE: Roles in zSecure

    Posted 2 days ago

    Hi Stephan,

    Since we announced last December that zSecure Visual will be end of marketing this September, I hope no one intends to start with that in future.
    The same levels that are used in zSecure Visual can also be used in the zSecure Admin web interface that we introduced with zSecure Admin 3.1.1 last October.

    Under ISPF, there are some simple sets of administration tasks in the RA.H (Helpdesk) and RA.Q (Quick admin) menus.

    Regards,
    Jeroen



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure
    Delft
    ------------------------------



  • 11.  RE: Roles in zSecure

    Posted 2 days ago

    Hello Jeroen,
    Thank you for your quick reply.
    We had already looked at the new web interface, but as old Hosties, it wasn't for us :)
    Best regards
    Stephan



    ------------------------------
    Stephan Reichelt
    ------------------------------



  • 12.  RE: Roles in zSecure

    Posted 20 hours ago

    Hi Stephan,

    Bluntly speaking, at its core, zSecure is merely a reporting tool.  It allows its users to view information from the RACF database and the system.  If those users happen to have a RACF privilege (SPECIAL, GROUP SPECIAL, OWNER of profiles), they can also generate commands to modify profiles.  If they have no privilege in RACF, they may be able to see, but not change things.  From this point of view, there is no real need for roles.

    In order to see RACF profiles, zSecure needs READ access to a RACF data source.  This can be a READ PERMIT for the PRIMARY RACF database, or the BACKUP database.  You can also use a scheduled batch job to create a (daily?) snapshot of (a) RACF database, and offer this to the users by going into SE.D.1 from the maintainer's user ID, and creating a Set of input files with the snapshot dsname and type UNLOAD.  For installations with more interest in securing their RACF database, you can also install the zSecure network server (CKNSERVE) to give administrators live access to the RACF database, but without requiring a PERMIT to the RACF data set(s). The CKNSERVE access is controlled (only) through XFACILIT profiles starting with CKN.

    Once the user has READ access to one of the 4 RACF data sources, zSecure emulates RACF administration rules to determine what it shows the user.  Again, in vanilla mode, you do not need CKR or CKG profiles.  It immediately shows GROUP SPECIAL users the profiles in their scope, just like the RACF commands would.  Note, the presence of profiles is shown if the user has READ permit on a profile, but not all details.  If the user has the SYSTEM SPECIAL privilege, all profiles will be shown, but not the AUDIT related fields.  If the user has SYSTEM AUDIT or ROAUDIT they may see more fields in profiles.

    There are cases where the administrators (SPECIAL) need to see all fields, or production control staff needs to see all profiles.  This is before RACF got the ROAUDIT privilege.  To disable the built-in scope filters, zSecure uses XFACILIT CKR.READALL, to display (read) all profiles and profile fields.  Some zSecure components (C2POLICE, CKQRADAR) don't function well without a PERMIT on this profile.  It would also be of benefit for technical administrators that have been given group special (or class authority) but need to see all groups or users to better do their admin work.

    Note, this allows the users to SEE information from RACF, the ability to make changes is strictly controlled with the user's native RACF privilege.

    In order to see system information, or user catalog information to manage users, zSecure uses the CKFREEZE data sets.  To write into a CKFREEZE a batch job needs PERMIT on XFACILIT CKF.** (or less generic).  The users do not need this permit, they merely need READ access to the CKFREEZE data set, and the name of the CKFREEZE must be stated in their Set of input files via SE.1 or SE.D.1.

    OK, now we move from vanilla zSecure to zSecure on steroids.  Before RACF brought IRR.LISTUSER, IRR.PASSWORD, IRR.PWRESET capabilities, there was a need to support decentralized administration without relying on group special.  This was implemented using the (optional) CKGRACF command.  This command only works when it sits in an APF authorized library, and only works in TSO when it is in one of the command lists in IKJTSOxx.  The user must have READ permit on one or more CKG profiles to make use of CKGRACF.  If CKGRACF is available, zSecure calls it from the ISPF interface to populate the menu and action command controls that Tom mentioned, using the CKGRACF SHOW MYACCESS command.

    CKGRACF also has support for TIMED commands, where you can grant permits for a future date, and have the permit deleted after a given time, and much more.  Do not grant access to CKGRACF unless you have identified a real need for it.  Make sure you don't have widely generic CKG profiles only because it was activated during a trial (or POC).  Note: CKGRACF is optional, many installations do not need it, or only use it because of the SHOW MYACCESS command.

    The 4 basic roles you described can be implemented with RACF privileges, READ permit on one of the RACF data sources and CKFREEZE data sets, and CKR.READALL for some (or all) of the central team.



    ------------------------------
    Rob van Hoboken
    ------------------------------
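As an added example (not code from this thread or from IBM), the three steps from reply 2 and the permits described in reply 12, written out as RACF commands in a REXX exec for the four roles from the original post. The group names, user IDs, data set names and the CKR.OPTION.RA.** resource name are assumed placeholders; the real option and action resource names come from the Installation and Deployment guide linked above.

```rexx
/* REXX. Constructed example, not code from this thread or from IBM.    */
/* Group names, user IDs, data set names and the CKR.OPTION.RA.**       */
/* resource name are placeholders; take the real option and action      */
/* resource names from the Installation and Deployment guide.           */
address TSO

/* 1. One RACF group per zSecure job role */
"ADDGROUP ZSADMIN  SUPGROUP(SYS1) OWNER(SYS1) DATA('zSecure: RACF administrators')"
"ADDGROUP ZSAUDIT  SUPGROUP(SYS1) OWNER(SYS1) DATA('zSecure: auditors, no changes')"
"ADDGROUP ZSUSRADM SUPGROUP(SYS1) OWNER(SYS1) DATA('zSecure: group-special user admins')"
"ADDGROUP ZSEXTERN SUPGROUP(SYS1) OWNER(SYS1) DATA('zSecure: external support staff')"

/* 2. Connect the existing users to the group for their role */
"CONNECT ADMIN01 GROUP(ZSADMIN)"
"CONNECT AUDIT01 GROUP(ZSAUDIT)"
"CONNECT USRADM1 GROUP(ZSUSRADM)"
"CONNECT EXT01   GROUP(ZSEXTERN)"

/* 3. Every role needs READ on one RACF data source and on the CKFREEZE */
/*    data set; the backup database is used here so that nobody needs   */
/*    a permit on the primary.                                          */
"PERMIT 'SYS1.RACFDS.BACKUP' CLASS(DATASET) ID(ZSADMIN ZSAUDIT ZSUSRADM ZSEXTERN) ACCESS(READ)"
"PERMIT 'SYS1.CKFREEZE'      CLASS(DATASET) ID(ZSADMIN ZSAUDIT ZSUSRADM ZSEXTERN) ACCESS(READ)"

/* 4. Menu options and action commands: deny by default, open per role. */
/*    Auditors see all menus but get no action commands; the two        */
/*    restricted roles only see the RA menus. Whether a generated       */
/*    command succeeds is still decided by native RACF scope. The more  */
/*    specific RA profile wins, so admins and auditors need it too.     */
"RDEFINE XFACILIT CKR.OPTION.**    UACC(NONE) OWNER(SYS1)"
"RDEFINE XFACILIT CKR.OPTION.RA.** UACC(NONE) OWNER(SYS1)"
"RDEFINE XFACILIT CKR.ACTION.**    UACC(NONE) OWNER(SYS1)"
"PERMIT CKR.OPTION.**    CLASS(XFACILIT) ID(ZSADMIN ZSAUDIT) ACCESS(READ)"
"PERMIT CKR.OPTION.RA.** CLASS(XFACILIT) ID(ZSADMIN ZSAUDIT ZSUSRADM ZSEXTERN) ACCESS(READ)"
"PERMIT CKR.ACTION.**    CLASS(XFACILIT) ID(ZSADMIN ZSUSRADM ZSEXTERN) ACCESS(READ)"

/* 5. CKR.READALL switches off the built-in scope filters: central team only */
"RDEFINE XFACILIT CKR.READALL UACC(NONE) OWNER(SYS1)"
"PERMIT CKR.READALL CLASS(XFACILIT) ID(ZSADMIN ZSAUDIT) ACCESS(READ)"

/* 6. CKGRACF stays closed until a real need has been identified */
"RDEFINE XFACILIT CKG.** UACC(NONE) OWNER(SYS1)"

/* 7. The auditor's read-only privilege lives in RACF, not in zSecure */
"ALTUSER AUDIT01 ROAUDIT"

"SETROPTS CLASSACT(XFACILIT) GENERIC(XFACILIT) RACLIST(XFACILIT)"
"SETROPTS RACLIST(XFACILIT) REFRESH"
```

Defining the CKR.OPTION and CKR.ACTION profiles with WARNING first and reviewing the resulting Access Monitor records shows which existing users would lose menus before the profiles are switched to enforcement.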