RTCz: Setting up security with RACF

The RACF® tasks should be performed by your system security administrator.

The Jazz™ Team Server for System z® uses four roles that you must define as RACF EJBROLE profiles for security control. Define the four Jazz Team Server roles in the EJBROLE class.

  1. Define the EJBROLE profiles:
    JazzAdmins: Jazz repository administrators with full read/write access.
    JazzDWAdmins: Jazz repository administrators with specific permissions to control the data warehouse on a Jazz Team Server.
    JazzProjectAdmins: Jazz repository administrators with specific permissions to manipulate project areas, team areas, and process templates.
    JazzGuests: Users with read-only access to the Jazz repository.
    JazzUsers: Users with regular read/write access to the Jazz repository.
    Example RACF commands:
    RDEFINE EJBROLE JazzAdmins UACC(NONE)
    RDEFINE EJBROLE JazzDWAdmins UACC(NONE)
    RDEFINE EJBROLE JazzProjectAdmins UACC(NONE)
    RDEFINE EJBROLE JazzGuests UACC(READ)
    RDEFINE EJBROLE JazzUsers UACC(NONE)
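  2. Permit the appropriate access to users or groups. JazzGuests has no PERMIT in this example because the UACC(READ) on that profile already applies to users who are not on its access list.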
    Example RACF commands:
    PERMIT JazzAdmins CLASS(EJBROLE) ID(jazAdmns) ACCESS(READ)
    PERMIT JazzDWAdmins CLASS(EJBROLE) ID(jDwadmns) ACCESS(READ)
    PERMIT JazzProjectAdmins CLASS(EJBROLE) ID(jPradmns) ACCESS(READ)
    PERMIT JazzUsers CLASS(EJBROLE) ID(jazzgrp) ACCESS(READ)
  3. Activate the new definitions:
    After you issue the RACF RDEFINE and PERMIT commands, you must issue the following command for the changes to take effect:
    SETROPTS RACLIST(EJBROLE) REFRESH
  4. After completing the remaining steps to configure Jazz Team Server, you must log on as a Jazz Team Server administrator to verify this configuration. Before attempting to verify the configuration, provide at least one user ID or group with read authority to the JazzAdmins profile in the EJBROLE class.
    Note: When you add user IDs to the Jazz Team Server repository, you must also give them read authority to the appropriate RACF profile in the EJBROLE class (JazzAdmins, JazzDWAdmins, JazzProjectAdmins, JazzGuests, JazzUsers).
    Attention: When your password expires, you will no longer be able to connect to Jazz, but you will not get an error message that informs you that this has happened. If you cannot connect to Jazz and you think that your password has expired, you must change it by logging in to TSO or Rational® Developer for System z.
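
A pre-flight check for steps 1 to 3, as an added example that is not part of the original page or of any IBM tooling: it reads a script of RDEFINE, PERMIT and SETROPTS commands before submission and reports role profiles that are undefined, open through UACC, held by nobody, or not yet refreshed. It assumes full command names (no abbreviations), one command per line, and that EJBROLE profile names are matched case-sensitively; the function names and the sample script are constructed for illustration.

```python
import re

# The five role profiles the page defines in the EJBROLE class.
ROLES = ["JazzAdmins", "JazzDWAdmins", "JazzProjectAdmins", "JazzGuests", "JazzUsers"]

# Constructed sample: a lowercase typo in one PERMIT, JazzUsers left at UACC(READ),
# no PERMIT for JazzDWAdmins, and the SETROPTS refresh left out.
SAMPLE = """\
RDEFINE EJBROLE JazzAdmins UACC(NONE)
RDEFINE EJBROLE JazzDWAdmins UACC(NONE)
RDEFINE EJBROLE JazzProjectAdmins UACC(NONE)
RDEFINE EJBROLE JazzGuests UACC(READ)
RDEFINE EJBROLE JazzUsers UACC(READ)
PERMIT JazzAdmins CLASS(EJBROLE) ID(jazAdmns) ACCESS(READ)
PERMIT jazzprojectadmins CLASS(EJBROLE) ID(jPradmns) ACCESS(READ)
"""

def keyword(line, name):
    """Return the operand of NAME(...) on a command line, or None."""
    m = re.search(rf"\b{name}\s*\(\s*([^)\s]+)\s*\)", line, re.I)
    return m.group(1) if m else None

def audit(script):
    """Return sorted findings for a script of RDEFINE/PERMIT/SETROPTS commands."""
    uacc, permits, refreshed, out = {}, {}, False, []
    for line in script.splitlines():
        tok = line.split()
        verb = tok[0].upper() if tok else ""
        if verb == "RDEFINE" and len(tok) > 2 and tok[1].upper() == "EJBROLE":
            uacc[tok[2]] = (keyword(line, "UACC") or "UNSPECIFIED").upper()
            refreshed = False  # any later change needs a new refresh
        elif verb == "PERMIT" and (keyword(line, "CLASS") or "").upper() == "EJBROLE":
            permits.setdefault(tok[1], []).append(keyword(line, "ID"))
            refreshed = False
        elif verb == "SETROPTS" and (keyword(line, "RACLIST") or "").upper() == "EJBROLE":
            refreshed = "REFRESH" in line.upper()
    for name in permits:
        if name not in uacc:  # assumption: names compared exactly, case included
            out.append(f"{name}: PERMIT names a profile that was not defined")
    for role in ROLES:
        if role not in uacc:
            out.append(f"{role}: no RDEFINE")
        elif role != "JazzGuests" and uacc[role] != "NONE":
            out.append(f"{role}: UACC({uacc[role]}) opens the role beyond its access list")
        elif uacc[role] == "NONE" and role not in permits:
            out.append(f"{role}: UACC(NONE) and no PERMIT, nobody holds this role")
    if not refreshed:
        out.append("EJBROLE: SETROPTS RACLIST(EJBROLE) REFRESH missing after last change")
    return sorted(out)
```

Calling audit(SAMPLE) returns five findings; the command set shown in steps 1 to 3 returns none.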
