Authorize Users for Entities

How to Install the Hardware Interface Service › Start the Hardware Interface Service › User Security › Authorize Users for Entities

Authorize Users for Entities

The following resources enable you to authorize users to access the entities in the topology model:

[prefix.]ENTITY.LCL.CURRENT (the CURRENT group)
[prefix.]ENTITY.LCL.SAME (the SAME group)
[prefix.]ENTITY.OTHER (the OTHER group)

prefix is the optional resource name prefix as specified by the HWISAFPF parameter.

An entity is assigned to a resource in the following way:

The Enterprise and Installation entities are not assigned to any group but are always read-only.
An entity on which the service is executing is assigned to the CURRENT group. The current Ensemble, CPC, and LPAR entities are assigned to the CURRENT group.
The children of an entity in the CURRENT group are assigned to the SAME group.
Other entities are assigned to the OTHER group.

The following examples grant user authorities using different security products:

USER1 has the authority to work with all entities.
USER2 has the authority to work with the local entities.
USER3 has the authority to work with the local Enterprise, CPC, and LPAR entities.
USER4 has the authority to work with the child entities of the local Enterprise, CPC, and LPAR.
USER5 has the authority to work with other entities.

The examples use the FACILITY resource class (HWISAFCL=FACILITY) and the HI$RV resource name prefix (HWISAFPF=HI$RV).

Example: Grant User Authorities Using CA ACF2 for z/OS

To define the security resources and grant users access to the entities, issue CA ACF2 for z/OS commands in TSO, for example:

[ACF]
SET RESOURCE(FAC)
COMPILE *
$KEY(HI$RV) TYPE(FAC)
ENTITY.- UID(USER1) SERVICE(READ) ALLOW
ENTITY.LCL.- UID(USER2) SERVICE(READ) ALLOW
ENTITY.LCL.CURRENT UID(USER3) SERVICE(READ) ALLOW
ENTITY.LCL.SAME UID(USER4) SERVICE(READ) ALLOW
ENTITY.OTHER UID(USER5) SERVICE(READ) ALLOW

STORE
[END]

Example: Grant User Authorities Using CA Top Secret for z/OS

To define the security resources and grant users access to the entities, issue CA Top Secret for z/OS commands in TSO, for example:

TSS ADDTO(acid) IBMFAC(HI$RV)
TSS PERMIT(USER1) IBMFAC(HI$RV.ENTITY.) ACCESS(READ)
TSS PERMIT(USER2) IBMFAC(HI$RV.ENTITY.LCL.) ACCESS(READ)
TSS PERMIT(USER3) IBMFAC(HI$RV.ENTITY.LCL.CURRENT) ACCESS(READ)
TSS PERMIT(USER4) IBMFAC(HI$RV.ENTITY.LCL.SAME) ACCESS(READ)
TSS PERMIT(USER5) IBMFAC(HI$RV.ENTITY.OTHER) ACCESS(READ)

Example: Grant User Authorities Using RACF

To define the security resources and grant users access to the entities, issue RACF commands in TSO, for example:

RDEFINE FACILITY HI$RV.ENTITY.* UACC(NONE)
RDEFINE FACILITY HI$RV.ENTITY.LCL.* UACC(NONE)
RDEFINE FACILITY HI$RV.ENTITY.LCL.CURRENT UACC(NONE)
RDEFINE FACILITY HI$RV.ENTITY.LCL.SAME UACC(NONE)
RDEFINE FACILITY HI$RV.ENTITY.OTHER UACC(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
PERMIT HI$RV.ENTITY.* CLASS(FACILITY) ID(USER1) ACCESS(READ)
PERMIT HI$RV.ENTITY.LCL.* CLASS(FACILITY) ID(USER2) ACCESS(READ)
PERMIT HI$RV.ENTITY.LCL,CURRENT CLASS(FACILITY) ID(USER3) ACCESS(READ)
PERMIT HI$RV.ENTITY.LCL.SAME CLASS(FACILITY) ID(USER4) ACCESS(READ)
PERMIT HI$RV.ENTITY.OTHER CLASS(FACILITY) ID(USER5) ACCESS(READ)