These are questions and answers captured from the Webex chat during the z/OSMF Guild Session 5 on March 16, 2022. Questions were answered by @John Czukkermann, Hiren Shah, Travis Biro & Rolando Perez. If you have further questions, you can respond to this forum or contact any of us directly.
1. Where can I find the materials & links that were shared during Guild Session 5?
2. Couldn't you achieve the same thing (with z/OS Management Services Catalog) in workflows, albeit it is more confusing and not as nice as this experience?
It isn't really the same and z/OS Management Services Catalog isn't meant as a replacement user interface for Workflows, although it does address some of the difficulties associated with using just Workflows. For example, where does one keep all of the workflow definitions you want to use to create workflow instances to run in the Workflows task? Workflows does not support defining logical input dependencies to allow for progressive disclosure of inputs when submitting a service.
Services allows for workflow input customization and end to end automation so tasks can be performed in "services" style with single click, to "run" after providing the input values.3. When would you choose from the plethora of options available for this kind of pattern? Is it the experience given in this plugin which is the unique advantage of this choice.
z/OS Management Services Catalog is designed to provide experienced z/OS system programmers with the tool to share their vast institutional memory and experience with less experienced staff. Utilitarian tasks, for example, can be created in such a way that information that goes beyond command references and is geared toward 'your' environment can be used to teach and lead early-tenure system programmers through performing these tasks. Thus, allowing early-tenure system programmers to be more productive sooner, while still earning their PhD in managing z/OS, with more independence and fewer errors. They will still have to learn the details of z/OS, but some of the early learning could be accomplished with less drain on the experienced system programmer staff. This is like the difference between being given a command reference to accomplish a task or being given the appropriate command, options and site-appropriate values needed to perform the task.4. When a service submission has completed, can we view the results and data set or file contents from the z/OS Management Services Catalog plugin?
You can open the workflow instance that was used to accomplish the service submission in Workflows. This allows you to see all of the workflow steps and what was done. The z/OS Management Services Catalog plugin itself does not attempt to provide that information directly.5. Could we add customizable services in the Service Management Catalog?
Absolutely! That is one of the critical design points for this plugin. You can create your own workflow definition and use that to create your own service. You can specify your own categories as well.6. How easy, or challenging, is it to create one of these?
This is a difficult question to answer because it depends on how much experience you already have with z/OSMF Workflows. You must have a workflow definition in order to create a new service. You can use the Workflow Editor tool to help create workflow definitions. Workflow definitions can be very complex and sophisticated. Most of the difficulty of creating a new service is likely to lie in creating the workflow definition.
7. Given the workflow definition, you will want to think in terms of the staff you are trying to help with the service being created. What is the best way to organize the inputs?
- You can group inputs into pages, much like workflow input categories.
- You can determine if any of those inputs should simply have hard-coded values.
- Should some inputs limited selections based on conventions in your shop.
- What inputs are dependent on the selections of others. You can setup logic to show inputs based on the selection for another input.
8. Is z/OS Management Services Catalog included in the Security Configuration Assistant plugin?
Yes, z/OS Management Services Catalog is included.
9. Is the z/OS Management Services Catalog plugin enabled via PTF for z/OS 2.4??
The following PTFs are the latest service level for z/OS Management Services Catalog:
- z/OS 2.4: UI78976
- z/OS 2.5: UI78988
These require the PTFs for
- Core APAR 39637
- Configuration APAR PH41334
- Workflows APAR PH40841
Note that z/OS Management Services Catalog is not available on z/OS 2.3.10. How do I turn z/OS Management Service Catalog on in z/OS 2.4.
You should refer to the z/OSMF Configuration Guide to learn about the required security setup. The SYS1.SAMPLIB(IZUMSSEC) sample job can be used to accomplish the security setup. Then:
1. Open z/OSMF General Settings 2. Select the services tab and scroll to the bottom of the optional services. Enable z/OS Management Services Catalog. 3. Restart the z/OSMF server and the plugin will be available on the z/OSMF Desktop. If it is not on the desktop, it should be in the App Center and you can drag it to the desktop from there.
11. Don't we have to be careful not to insulate new z/OS system programmers too much, thus hindering them in doing their jobs
Making a task extremely difficult doesn't necessarily facilitate educating new system programmers and making them proficient. It can actually inhibit establishing confidence in their ability to do their jobs. The goal is not to dumb down z/OS management. z/OS Management Services Catalog is designed to facilitate more rapid learning and productive contribution by early-tenure system programmers.
As with everything we do when managing z/OS, things will fail; things will break. Early-tenure system programmers will have to dig into the failures to understand the root causes and learn how to address them. z/OS Management Services Catalog facilitates this by allowing you to open the workflow instance of a service submission and visually inspect what the workfow instance did, ESPECIALLY when the submission failed.
12. Are some of the basic services like what was shown during the presentation available in the catalog by default?
Yes. The initial release of z/OS Management Services Catalog currently ships the following sample services as UNPUBLISHED. They will be visible to administrators via the Administration tab.
- Create a zFS file system
- Expand a zFS file system
- Mount a zFS file system
- Unmount a zFS file system
- Delete a RACF user ID
- Delete an alias from a catalog
- Replace SMP/E RECEIVE ORDER certificate
Our intention is for these samples to serve as examples from which to learn how to create and customize your own services
13. Are these services really artifacts in some catalog or is it literally just an interface sitting on top of workflows?
These services and submissions are artifacts on z/OS Management Services Catalog. Like Cloud Provisioning & Management for z/OS, we leverage Workflows to get the job done. We are not a veneer over the Workflows plugin.
To illustrate, when you create a service, we create a z/OSMF resource that we managed, including creating a protected copy of all of the workflow related files associated with the service. When you submit the service, we use those workflow files to create a new workflow instance. We monitor that workflow instance to determine if it failed or was successful which in turn determines if the submission failed or was successful.
14. Is it bad to think of this like forms?
It isn't bad, but it is inaccurate because think of z/OS Management Services Catalog as simply being forms sells it short on the capabilities it provides and the potential it has in the future.
15. Why does the .xml suffix have to be used (workflows input name)? are there other suffixes?
z/OSMF workflow definitions are XML documents. You could choose to call the files whatever you like, but it could be confusing. It is pretty standard to use a suffix that identifies the form/format of the file's content.
I'd like to point out that the workflow definitions are not required to reside in files. They can reside in sequential and partitioned data sets.
16. Are these changes being made to the service reflected in the underlying workflow definition XML?
When you create a new service from a workflow definition, we make a protected copy of that workflow definition in our persistence. This insulates us from random changes, renaming, relocation of these essentially untrusted files. Once we copy the original workflow definition files, we will not attempt to read or use them again. We do keep the original file/dataset information purely for historical reference.
After we've copied the original files and performed validation, there are some minor internal changes made to our internal copy of the workflow definition. But ALL customization done in the service builder support is saved as part of a service resource maintained in our catalog. The service builder support is not a workflow editor/customization tool. This is consistent with the prior answers where we emphasize that we leverage z/OSMF workflow definitions and the z/OSMF Workflows plugin support to accomplish our mission.
17. For the helloworld 'program' in demo 3, where is helloworld being obtained?
In that particular example, helloworld is not actually a program, but the work that was done by the service is actually in the workflow definition itself.
There are two steps in the workflow definition that do the work. One is used to write to a dataset and another step is used to write to a file.
The dataset step uses the following in-line template that is run as JCL by Workflows:
//STEP010 EXEC PGM=IEFBR14,TIME=5
//NEWPDS02 DD DSN=${instance-dataset_name},
// DISP=(MOD,CATLG,DELETE),UNIT=3390,
// SPACE=(TRK,(5,5,5),RLSE),
// DCB=(BLKSIZE=0,RECFM=FB,LRECL=80)
/*
//STEP1 EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN DD DUMMY
//*SYSUT1 DD DSN=${instance-dataset_name}(${instance-member_name}),DISP=(OLD)
//SYSUT1 DD *
${instance-greetings}
//SYSUDUMP DD SYSOUT=*
//SYSUT2 DD DSN=${instance-dataset_name}(${instance-member_name}),DISP=(OLD)
/*
The file step uses the following in-line template that is run as shell-JCL by Workflows:
rm ${instance-file_name}
touch ${instance-file_name}
echo ${instance-greetings} >> ${instance-file_name}
18. Can z/OS Management Services Catalog administrators include help documentation for users?
Yes. The service description can be used to provide general guidance about running the service. Each input has its own description in which guidance specific to the input can be provided.
This ability is a critical aspect of the design for this plugin. This is where the experience system programmers that create services and provide guidance to help educate the early-tenure system programmers.
19. When it comes to efficiency/speed, would this be faster than workflows?
This question implies that Workflows are inherently 'slower' than other methods of accomplishing work on z/OS. Workflows provide the ability to compose steps in a series of tasks to orchestrate completing more complex z/OS tasks. Therefore, running a workflow for a complex sequence of tasks should take no longer, processing wise, then it would to perform each of the tasks in the sequence manually.
If you are running workflows that have manual steps, of course they will be slower because people must be involved. z/OS Management Services Catalog only supports automated workflows at this time.
Having said that, z/OS Management Services Catalog submissions actually run a workflow instance. Therefore, they are neither faster or slower, processing wise, than simply running a workflow instance.
You could think of running a service as being more convenient because you don't have to manually create a workflow instance, which requires not only entering inputs, but providing the workflow definition XML file that is needed to create each workflow instance. That workflow definition was provided when the service was created. So to run the service you simply locate it in the catalog, click to start a submission, and enter your inputs.
20. Is it possible for guest users to access certain services? Is there a way to control what users can access different services?
No, not yet. The current support uses ZMFAPLA resource profiles to determine user roles, which controls what a user sees and can do in z/OS Management Services Catalog. We adopted a software defined role-based approach. The roles are controlled by the security manager (RACF/ACF2/TopSecret). The plugin defines what operations can be performed by each role. The current roles are:
- User – Can access the catalog, submit services, monitor and manage submission through Activity/History.
- Administrator – In addition to capabilities of the User role, the Administrator role can create new services and manage the lifecycle of existing services. Additionally, the Administrator role provides the ability for administrators to take action on any submission, even if they did create the submission.
- Publish approver – This role is only in effect if the setting to require approvals to publish services in the catalog is enabled.
Eligible to be assigned as an approver of services that an administrator requests to be published. When publish approval is enabled in settings, only users with this role can be add to the table of eligible publish approvers. When an administrator requests approval to publish a service, they will be prompted to select one or more publish approvers from the list of them identified in settings.
Users with this role will have access to the Administration page and can view only those services for which they are identified as a publish approver. The only actions they can perform on the services available to them are related to approval/rejection of requests to publish services.
- RunAsUser approver – This role is in effect even if publish approvals are disabled. Only users with this role can approve the use of runAsUser steps used in the workflow definition for a service.
The runAsUser approvers are identified in the workflow definition itself. When the service is being created, we validate that any the approvers identified for each runAsUser step in the workflow definition have the runAsUser approver role in z/OS Management Services Catalog.
As with publish approvers, users with this role will have access to the Administration page and can view only those services for which they are identified as a runAsUser approver. The only actions they can perform on the services available to them are related to approval/rejection of requests to publish services.
- RunAsUser – Only users with this role can be specified as the surrogate user ID used to run the associated step in the workflow definition.
The runAsUser IDs are identified in the workflow definition itself. When the service is being created, we validate that the runAsUser ID identified for each runAsUser step in the workflow definition has the runAsUser role in z/OS Management Services Catalog.
21. Do you need to create a workflow definition for each of these services?
Yes and no. A workflow definition is required to create a service. You could have a very general-purpose workflow definition, say one to create any kind of RACF user ID, and use that workflow definition to create discrete services to create a TSO userid, create a CICS user ID, create a functional user ID for some defined purpose, etc.
22. Is the z/OS Management Services Catalog available on Z Trial for z/OSMF?
It is not currently configured on Z Trial.
23. Does z/OS Management Services Catalog support creating a service from a workflow definition that has steps the call another workflow?
No, not yet.
24. Is there a service to send IBM an SCRT report?
z/OS Management Services Catalog does not currently have a sample service to send an SCRT report to IBM. The good news is that you can create a workflow definition to do that relatively easily and create your own service to accomplish this!
Such a workflow definition would be a great addition to Zorow.
------------------------------Rolando Perez------------------------------