Request Format

SEAR provides the following standardized JSON schema for issuing security requests to RACF.

Parameters (JSON Keys)

 

  • "operation"
    A string value describing the Security Management Function to perform. The following table describes all of the valid values for "operation".

     

    Only the "alter" and "extract" Operations are allowed for the "racf-options" Admin Type.

     

    Only the "alter", "extract", and "delete" Operations are allowed for the "permission" Admin Type.

     

    Operation Description
    "add" Add/Create a new security profile.
    "alter" Alter an existing security profile.
    "extract" Extract a security profile’s data.
    "delete" Delete a security profile.

  • "admin_type"
    A string value describing the type of Security Administration Request to issue. The following table describes all of the valid values for "admin_type".

     

    The "permission" Admin Type is NOT allowed for "extract" Operations.

     

    Admin Type Description
    "user" Used for User administration.
    "group" Used for Group administration.
    "group-connection" Used for Group Connection administration.
    "resource" Used for General Resource Profile administration.
    "dataset" Used for Data Set administration.
    "racf-options" Used for RACF Options administration.
    "permission" Used for Permission administration.

  • "profile_name"
    A string value identifying a Security Profile to Add, Alter, Extract, or Delete.

     

    "profile_name" is NOT allowed to be used with the "racf-options" Admin Type due to RACF Options being a Singleton for which there is NO concept of multiple discrete “profiles” that can be created, deleted, and managed._

     

    _"class_name" MUST be used to indicate which Class Name the specified Security Profile is associated with for the "resource" and "permission" Admin Types.

     

  • "traits"
    An object describing the Traits/Attributes to Add/Modify in "add" and "alter" Operations. See Traits for more detail about how to specify Traits for "add" and "alter" Operations, and what Traits are supported for each Admin Type.

     

    _"traits" is NOT allowed to be used with "extract" and "delete" Operations.

     

  • "class_name"
    A string value identifying a Class Name that the specified Security Profile is associated with.

     

    _"class_name" is required for and only allowed for the "resource" and "permission" Admin Types.

     

  • "volume"
    A string value identifying a Volume.

     

    _Only the "dataset" and "permission" Admin Types can be used with "volume", and only for "add", "alter", and "delete" Operations.

     

    _Note that for the "permission" Admin Type, this parameter will only take effect if the "class_name" parameter is set to "DATASET".

     

  • "generic"
    A string value identifying a Security Profile as Generic or Not Generic.

     

    _Only the "dataset" and "permission" Admin Types can be used with "generic", and only for "add", "alter", and "delete" Operations.

     

    _Note that for the "permission" Admin Type, this parameter will only take effect if the "class_name" parameter is set to "DATASET".

     

    "generic" may only be set to "yes" or "no".

     

  • "run_as_userid"
    A string value identifying a z/OS Userid to perform the Security Operation as.

     

    In order to use "run_as_userid", the caller must have at least UPDATE access to the <userid>.IRRSMO00 General Resource Profile in the SURROGAT Class, where <userid> represents the z/OS Userid to perform Security Operations as. More information about IRRSMO00 Authorizations can be found here.

     

    "run_as_userid" is NOT allowed for "extract" Operations.

💻 Request Examples

 

_These examples are NOT comprehensive and are primarily meant to show users the general structure of "add", "alter", "extract" and "delete" requests.

 

The following SEAR Request JSON creates new new z/OS Userid called ERIPLEY with the following Traits:

  • A Name of "Ellen Ripley".
  • An OMVS UID of 24.
  • An OMVS Home Directory of "/u/ERIPLEY".

JSON 

{
  "operation": "add",
  "admin_type": "user",
  "profile_name": "ERIPLEY",
  "traits": {
    "base:name": "Ellen Ripley",
    "omvs:uid": 24,
    "omvs:home_directory": "/u/ERIPLEY"
  }
}

The following SEAR Request JSON alters an exsting z/OS Userid called ESATTLER by Changing/Setting the Name Trait to "Ellie Sattler".

JSON 

{
  "operation": "alter",
  "admin_type": "user",
  "profile_name": "ESATTLER",
  "traits": {
    "base:name": "Ellie Sattler"
  }
}

The following SEAR Request JSON deletes an exsting z/OS Userid called MRAINES.

JSON 

{
  "operation": "delete",
  "admin_type": "user",
  "profile_name": "MRAINES"
}

The following SEAR Request JSON extracts the Profile Data for a z/OS Userid called CDEARING.

JSON 
{
  "operation": "extract",
  "admin_type": "user",
  "profile_name": "CDEARING"
}