
What’s new in IBM Cloud Provisioning & Management for z/OS (06/01/2018)

By Hiren Shah posted Fri November 22, 2019 07:09 PM


As a result of requests from customers to simplify security setup, IBM Cloud Provisioning and Management for z/OS (cloud provisioning) delivered major enhancements with PTFs UI55996, UI55973 (z/OS V2R3) and PTFs UI56001, UI55978 (z/OS V2R2). These enhancements not only provide a better user experience with setting up the cloud provisioning environment but also simplify management of cloud provisioning infrastructure. To learn about enhancements that were previously delivered, refer to the blog at

  • Simplified security setup:
    Before this enhancement, to configure IBM Cloud Provisioning and Management for z/OS, the security administrator was required to identify a user with the “Landlord” role and perform initial security setup for a ‘default’ domain. After starting the z/OSMF server, the z/OS system programmer with the “Landlord” role then completed the remaining definitions using the z/OSMF UI. This included identifying the domain administrator and security administrator for the ‘default’ domain. Only once these steps were completed could the middleware system programmer proceed with creating a software service template. We heard from our customers that they wanted a simpler process for getting started with the cloud provisioning environment. In particular, they didn’t want to be immediately faced with understanding and defining the “Landlord” role. We responded by simplifying the security setup for the ‘default’ domain and describing cloud provisioning roles that map to existing roles in z/OS administration. To learn about the various roles associated with cloud provisioning refer to our content solution page at

    With the simplified security setup, z/OS middleware system programmers such as CICS administrators and Db2 administrators can now create and test software service templates independently, without requiring any intervention by z/OS system programmers or security administrators to perform additional setup. We also simplified the security setup for the ‘default’ tenant of the ‘default’ domain. Any user who is in the z/OSMF user group (IZUUSER) will be able to provision the templates that are published in the ‘default’ domain. When a more granular and well-isolated multi-tenant cloud environment is needed, z/OS administrators with “landlord” access can set up non-default cloud domains. The additional security definitions associated with a non-default domain are defined automatically by cloud provisioning when the domain is set up for automatic security definition.

    If you have not used IBM Cloud Provisioning and Management for z/OS before, the following is a summary of how you can set up the environment using the new simplified security setup.

  1. Update the IZUPRMxx parmlib member with a new CLOUD_SEC_ADMIN property to specify the security administrator user ID. This user ID must have RACF “Special” or equivalent privileges.
  2. Make sure that the middleware system programmers who will be creating provisioning templates are connected to the z/OSMF Administrator group (normally IZUADMIN).
  3. The security administrator runs the IZUPRSEC job to set up security for cloud provisioning and management before starting the z/OSMF server.
  4. Create and test the IVP (Installation verification program) template that is shipped with z/OSMF (found in /usr/lpp/zosmf/sample/cpm-sample-ivp). Refer to to learn how to create a template.
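
A pre-flight check for step 1, as an added example that is not IBM's code and not part of the original post: it confirms that an IZUPRMxx member names exactly one security administrator before the IZUPRSEC job is run. It assumes the `KEYWORD('value')` statement form with `/* */` comments; the member text and the user ID `SECADM1` are constructed for illustration.

```python
import re

# Assumed IZUPRMxx syntax: KEYWORD('value') or KEYWORD(value), /* ... */ comments.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
STMT_RE = re.compile(r"\bCLOUD_SEC_ADMIN\s*\(\s*'?([^')]*)'?\s*\)")
# z/OS user IDs: 1-8 characters drawn from A-Z, 0-9 and the national characters # $ @
USERID_RE = re.compile(r"[A-Z0-9#$@]{1,8}")

# Constructed sample member; SECADM1 and OLDADM are placeholder user IDs.
SAMPLE_MEMBER = """\
/* Constructed IZUPRMxx fragment for this example */
/* CLOUD_SEC_ADMIN('OLDADM') */
SAF_PREFIX('IZUDFLT')
CLOUD_SEC_ADMIN('SECADM1')
"""


def check_cloud_sec_admin(member_text):
    """Return (userid, error) for the text of an IZUPRMxx member.

    userid is the single active CLOUD_SEC_ADMIN value, or None with an
    error message when the property is missing, ambiguous or malformed.
    """
    # Commented-out statements must not count as active configuration.
    active = COMMENT_RE.sub(" ", member_text)
    values = [v.strip().upper() for v in STMT_RE.findall(active)]
    if not values:
        return None, "CLOUD_SEC_ADMIN is not specified"
    if len(set(values)) > 1:
        return None, "conflicting CLOUD_SEC_ADMIN values: " + ", ".join(values)
    userid = values[0]
    if not USERID_RE.fullmatch(userid):
        return None, f"{userid!r} is not a valid 1-8 character user ID"
    # Whether this ID holds RACF SPECIAL cannot be seen from parmlib;
    # that has to be confirmed in the security product itself.
    return userid, None


if __name__ == "__main__":
    print(check_cloud_sec_admin(SAMPLE_MEMBER))
```

Because the named user ID must hold RACF “Special” or equivalent privileges, a missing or ambiguous value is worth catching in review before the job runs.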

  • Swagger support:
The Swagger specification (also known as the OpenAPI specification) provides a standardized way to document REST APIs. IBM Cloud Provisioning and Management for z/OS provides many REST APIs to drive provisioning interfaces programmatically. With this enhancement, we are providing documentation of all cloud provisioning and management REST APIs through the Swagger UI. The following image shows the layout of cloud provisioning and management REST APIs in the Swagger UI. The Swagger UI also supports driving the APIs with a user-supplied request body. This greatly simplifies and speeds up development and testing. For more information about this support refer to the blog at

  • Sharing of provisioned instances:
Before this enhancement, only the user who provisioned the software service could access the provisioned instance through the software service registry. However, it is common in a dev/ops environment that one person in a team provisions the software service (template) and other team members operate on the provisioned instance. To support this requirement, we provide an option in a resource pool that can be configured by the software service provider (the domain administrator). When this new option (shown in the image below) is set, any instance of the template can be shared by users that are in the same tenant as the user who provisioned the instance. Any user can perform actions such as start or stop on the instance. However, the ‘deprovision’ action can be performed only by the user who provisioned the instance – this prevents accidental removal of the instance while other users are using the instance.

  • Workflow Editor enhancements:
Workflow authors who use the Workflow Editor to build workflows don’t need to move JCL, REXX exec or shell scripts from data sets to the zFS file system. With this enhancement, the Workflow Editor allows file templates to reference JCLs, REXX execs or shell scripts that are in data sets or in the zFS file system (shown in the image below).

  • Parallel-steps workflow: 

The z/OSMF workflow engine now supports parallel-steps workflows with PTF UI54443 (z/OS V2R3) or UI55241 (z/OS V2R2). When a parallel-steps workflow is started, the Workflows task locates all the automated steps with Ready status and attempts to run these steps concurrently. When users provision a software service template that uses this feature, they see an improvement in provisioning.