Merge branch 'staging' into users/stevenh/support-source

zowe · Jan 27, 2021 · 2dd273c · 2dd273c
2 parents 5ba7c77 + b9e344c
commit 2dd273c
Show file tree

Hide file tree

Showing 2 changed files with 119 additions and 1 deletion.
diff --git a/files/jcl/ZWENOSEC.jcl b/files/jcl/ZWENOSEC.jcl
@@ -89,6 +89,7 @@
 //* Top Secret ONLY -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
 //*                     12345678
 //         SET ADMINDEP=SYSPDEPT     * department owning admin group
+//         SET  ZOWEDEP=             * department owning Zowe resources
 //*                     12345678
 //*
 //* end Top Secret ONLY -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
@@ -203,6 +204,17 @@
   LISTGRP  &ADMINGRP. OMVS
   DELGROUP &ADMINGRP.
 
+/* REMOVE ZOWE RESOURCE CLASS ...................................... */
+/* uncomment commands to below if the ZOWE class has been created    */
+/* by the ZWESECUR job                                               */
+
+/* remove profile in ZOWE class                                      */
+/* RDELETE ZOWE APIML.SERVICES                                       */
+/* remove ZOWE class                                                 */
+/* RDELETE CDT ZOWE                                                  */
+
+  SETROPTS RACLIST(CDT) REFRESH
+
 /* ................................................................. */
 /* only the last RC is returned, this command ensures it is a 0      */
 PROFILE
@@ -297,6 +309,18 @@ SET RULE
 LIST &HLQ.
 DELETE &HLQ.
 *
+
+* Remove ZOWE resource class
+
+* uncomment commands to below if the ZOWE class has been created
+* by the ZWESECUR job
+
+* remove key in ZWE resource type
+* SET RESOURCE(ZWE)
+* DELETE APIML
+* remove ZOWE class mapping
+* SET CONTROL(GSO)
+* DELETE CLASMAP.ZOWE
 $$
 //*
 //*********************************************************************
@@ -382,6 +406,16 @@ TSS REMOVE(STC) PROCNAME(&AUXSTC)
 /* remove group for administrators                                   */
 TSS LIST(&ADMINGRP)
 TSS DELETE(&ADMINGRP)
+
+/* REMOVE ZOWE RESOURCE CLASS ...................................... */
+/* uncomment commands to below if the ZOWE class has been created    */
+/* by the ZWESECUR job                                               */
+
+/* remove resource name in ZOWE class                                */
+/* TSS REMOVE(&ZOWEDEP.) ZOWE(APIML.SERVICES)                        */
+/* remove ZOWE class                                                 */
+/* TSS REMOVE(RDT) RESCLASS(ZOWE)                                    */
+
 /* ................................................................. */
 /* only the last RC is returned, this command ensures it is a 0      */
 PROFILE

diff --git a/workflows/templates/ZWESECUR.vtl b/workflows/templates/ZWESECUR.vtl
@@ -138,6 +138,7 @@
 //         SET ADMINDEP=             * department owning admin group
 //         SET  STCGDEP=             * department owning STC group
 //         SET  STCUDEP=             * department owning STC user IDs
+//         SET  ZOWEDEP=             * department owning Zowe resources
 //         SET  FACACID=             * ACID owning IBMFAC
 //*                     12345678
 #end
@@ -180,6 +181,7 @@
 //         SET ADMINDEP=${ADMINDEP}  * department owning admin group
 //         SET  STCGDEP=${STCGDEP}   * department owning STC group
 //         SET  STCUDEP=${STCUDEP}   * department owning STC user IDs
+//         SET  ZOWEDEP=             * department owning Zowe resources
 //         SET  FACACID=${FACACID}   * ACID owning IBMFAC
 //*                     12345678
 #end
@@ -378,7 +380,7 @@
 
 /* DEFINE ZOWE DATA SET PROTECTION ................................. */
 
-/* - HLQ..SZWEAUTH is an APF authorized data set. It is strongly    */
+/* - HLQ..SZWEAUTH is an APF authorized data set. It is strongly     */
 /*   advised to protect it against updates.                          */
 /* - The sample commands assume that EGN (Enhanced Generic Naming)   */
 /*   is active, which allows the usage of ** to represent any number */
@@ -400,6 +402,38 @@
   LISTGRP &HLQ.
   LISTDSD PREFIX(&HLQ.) ALL
 
+/* DEFINE ZOWE RESOURCE PROTECTION ................................. */
+
+/* - Defines new resource class for Zowe that protects access to     */
+/*   sensitive Zowe resources.                                       */
+/* - Defines resource APIML.SERVICES that controls access to         */
+/*   detailed information about API services to Zowe users.          */
+
+/* define ZOWE resource class                                        */
+/* skip this command if the ZOWE resource class already exists       */
+/* use a unique value in POSIT                                       */
+  RDEFINE CDT ZOWE -
+    UACC(NONE) -
+    CDTINFO(DEFAULTUACC(NONE) -
+      FIRST(ALPHA) -
+      OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) -
+      MAXLENGTH(246) -
+      POSIT(607) -
+      RACLIST(DISALLOWED))
+
+  SETROPTS RACLIST(CDT) REFRESH
+  SETROPTS CLASSACT(ZOWE)
+
+/* define resource for information about API services                */
+  RDEFINE ZOWE APIML.SERVICES UACC(NONE)
+
+/* uncomment and replace "user" to permit Zowe users to access       */
+/* the resource:                                                     */
+/* PERMIT APIML.SERVICES CLASS(ZOWE) ID(user) ACCESS(READ)"          */
+
+/* show results                                                      */
+  RLIST ZOWE *
+
 /* ................................................................. */
 /* only the last RC is returned, this command ensures it is a 0      */
 PROFILE
@@ -569,6 +603,34 @@ ADD(- UID(&SYSPROG.) READ(A) EXEC(A) ALLOC(A) WRITE(A))
 *  show results
 LIST &HLQ.
 *
+
+*
+* DEFINE ZOWE RESOURCE PROTECTION .................................
+*
+* - Defines new resource class for Zowe that protects access to
+*   sensitive Zowe resources.
+* - Defines resource APIML.SERVICES that controls access to
+*   detailed information about API services to Zowe users.
+
+* define ZOWE resource type and class mapping
+* skip this section if the ZOWE resource class already exists
+SET CONTROL(GSO)
+INSERT CLASMAP.ZOWE RESOURCE(ZOWE) RSRCTYPE(ZWE)
+F ACF2,REFRESH(CLASMAP),TYPE(GSO)
+CHANGE INFODIR TYPES(R-RZWE)
+F ACF2,REFRESH(INFODIR)
+SET CONTROL(GSO)
+
+* uncomment and replace "user" to permit Zowe users to access
+* the resource:
+* SET RESOURCE(ZWE)
+* RECKEY APIML ADD(SERVICES -
+* UID(user) SERVICE(READ) ALLOW)
+* F ACF2,REBUILD(ZWE)
+
+* show results
+SET RESOURCE(ZWE)
+LIST LIKE(-)
 $$
 //*
 //*********************************************************************
@@ -735,6 +797,28 @@ $$
 /* show results                                                      */
   TSS WHOHAS DATASET(&HLQ.)
 
+/* DEFINE ZOWE RESOURCE PROTECTION ................................. */
+
+/* - Defines new resource class for Zowe that protects access to     */
+/*   sensitive Zowe resources.                                       */
+/* - Defines resource APIML.SERVICES that controls access to         */
+/*   detailed information about API services to Zowe users.          */
+
+/* define ZOWE resource class                                        */
+/* skip this command if the ZOWE resource class already exists       */
+  TSS ADDTO(RDT) RESCLASS(ZOWE) MAXLEN(246) +
+    ACLST(NONE,READ,UPDATE,CONTROL) DEFACC(NONE)
+
+/* define resource for information about API services                */
+  TSS ADDTO(&ZOWEDEP.) ZOWE(APIML.)
+
+/* uncomment and replace "user" to permit Zowe users to access       */
+/* the resource:                                                     */
+/* TSS PERMIT(user) ZOWE(APIML.SERVICES) ACCESS(READ)                */
+
+/* show results                                                      */
+   TSS LIST(RDT) RESCLASS(ZOWE)
+
 /* If any of these started tasks are multiusers address spaces       */
 /* a TSS FACILITY needs to be defined and assigned to the started    */
 /* and should not be using the STC FACILITY . The all acids signing  */