(ZOS) Controlling application environments with RACF server class profiles

The Resource Access Control Facility (RACF ) server class profiles are used to control dynamic application environments. Dynamic application environments are displayed and controlled separately from static application environments.

To set up both the three-part or four-part RACF server class profiles for the application server or cluster for our dynamic application environment, the user ID for the servant must be given read access to both of the profiles.

The Resource Access Control Facility (RACF) server class profiles are used to:

1. Permit the unauthorized WebSphere Application Server servant access to controller services
2. Control dynamic application environments, which are displayed and controlled differently from static application environments

Choose between two SERVER class profiles. You need one of these profiles, and which profile we need correlates to dynamic application environment (DAE) support.

Tasks

• Use the profile for dynamic application environments.

  When Dynamic Application Environments are supported, use:

  RDEFINE SERVER CB.<server>.<cluster>.<cell>  UACC(NONE)
  PERMIT <SR_userid> ACC(READ)
  

• Use the profile for static application environments.

  When Dynamic application environments are not supported (static application environments), use:

  RDEFINE SERVER CB.<server>.<cluster>    UACC(NONE)
  PERMIT < SR_userid> ACC(READ)
  

Three-part profile

The existing three-part profile has the form:

<subsystem_type>.<subsystem_name>.<application_environment_name>

where:

• <subsystem_type> is CB
• <subsystem_name> is the application server short name.
• <application_environment_name> is the application server generic short name, as specified in the WebSphere Application Server variables. If the server resides in a cluster, the name specified here must match the cluster short name. If the server does not reside in a cluster, the name must match the name specified on the ClusterTransitionName custom property for the server .

The four-part profile adds the cell name to avoid ambiguities with existing profile names. The four-part profile has the form:

<subystem_type>.<subsystem_name>.<application_environment_name>.<cell>

where:

• cell is the short name of the cell containing this application server.

Three-part profile names:

• CB.T5SRV1.T5CL1 (the application server with the short name T5SRV1 and generic short name T5CL1)
• CB.*.T5CL1 (all application servers in the generic short name of T5CL1)
• CB.*.* (any application server in the sysplex)

Four-part profile names:

• CB.T5SRV1.T5CL1.T5CELL (the application server with the short name T5SRV1, and generic short name T5CL1 that resides in the cell T5CELL)
• CB.*.T5CL1.T5CELL (all servers in the generic short name of T5CL1 in the T5CELL)
• CB.*.*.T5CELL (any server in the cell named T5CELL)

If we do not want to discriminate between any of the application servers, we can eliminate all the specified profiles and use a generic form to cover the three and four-part names for all the servers in the sysplex:

• CB.*.T5*
• CB.*.T5*.*

Secure specific application servers