z/OS User Management With Ansible
This blog assumes you have a basic understanding of Ansible; however, knowledge of Ansible is not required to enjoy this blog. We are using Red Hat Ansible Tower®'s upstream project, AWX. The information covered in this blog is applicable for both AWX and Red Hat Ansible Tower®.
User management is an essential and universal role for system programmers. In enterprise environments, user management needs to be handled efficiently, securely and consistently.
Combining the features of Red Hat Ansible Tower® and Red Hat Ansible Certified Content for IBM Z®, system programmers can quickly set up and configure an automated user management system.
We can leverage Ansible's extensive module ecosystem to automate tasks of all sizes. Many Ansible modules designed for x86 systems work out of the box with z/OS Unix System Services. Z-specific functions, such as TSO command execution and data set operations, are provided by Red Hat Ansible Certified Content for IBM Z®.
The following Z-specific Ansible modules prove particularly valuable when automating user management on z/OS:
Ansible can be used from a command line interface, which proves useful when building and testing automation using Ansible playbooks; however, once automation is ready to be used at scale, Red Hat Ansible Tower® becomes essential.
Red Hat Ansible Tower® provides enterprise features such as credential management, inventory management, role-based access control and scheduled tasks. We can use Red Hat Ansible Tower® to manage the execution and configuration of our Ansible playbooks. Red Hat Ansible Tower® also provides a powerful REST API if a custom front-end is desired.
We have developed a set of example playbooks to assist system programmers in configuring their own user management systems. The playbooks can be found in the new Z Ansible Collection Samples Repository, which provides Red Hat Ansible Certified Content for IBM Z® users a centralized location to find (and soon contribute) playbook samples.
User Management Scenario
This scenario includes 2 personas:
Deb's current project requires that she do her development on a particular z/OS system. Deb does not have a User ID on the z/OS system, so she must request a new User ID.
Deb logs in to her organization's Red Hat Ansible Tower® instance and launches a job to add a new User ID.
Deb proceeds to select the inventory for the specific system she needs access to.
Red Hat Ansible Tower® prompts Deb for information related to her request. She provides her full name, desired User ID and email address.
Deb reviews the details of her request and submits the request for approval.
Deb then waits for approval from Zach, the Red Hat Ansible Tower® and z/OS system programmer.
Zach logs on to Red Hat Ansible Tower® and sees an unread notification.
Zach reviews the User ID request from Deb and approves the request.
After Zach gives his approval, the add-user playbook is executed. The add-user playbook is responsible for adding and configuring the new user. The playbook performs the following tasks:
- Ensure the desired User ID is available.
- Generate temporary password or passphrase.
- Use zos_tso_command module to create User ID, permit access to resources and connect new user to desired groups.
- Define alias for new user.
- Create generic profile for new user.
- Create ISPPROF data set for new user.
- Create and mount ZFS data set in new user's OMVS home directory.
- (Optional) Use zos_copy module to copy files and templates to data sets or OMVS directories.
- (Optional) attempt to make ZFS mount persistent across IPLs.
- Email temporary password/passphrase info if desired.
A few minutes later, Deb receives an email in her inbox containing her new credentials. Deb logs in to the system, updates her password and starts working on her project.
Interested in leveraging Ansible to automate user management in your environment? Get started quickly using our sample user management playbooks!
Looking for a guided experience to get started using Ansible with z/OS? Check out the Ansible Z Trial!