Request Format

SEAR provides the following standardized JSON schema for issuing security requests to RACF.

Parameters (JSON Keys)

  • "operation"
    A string value describing the Security Management Function to perform. The following table describes all of the valid values for "operation".

     

    Only the "alter" and "extract" Operations are allowed for the "racf-options" Admin Type.

    Only the "alter", "extract", and "delete" Operations are allowed for the "permission" Admin Type.

     

    Operation Description
    "add" Add/Create a new security profile.
    "alter" Alter an existing security profile.
    "extract" Extract a security profile’s data.
    "delete" Delete a security profile.

  • "admin_type"
    A string value describing the type of Security Administration Request to issue. The following table describes all of the valid values for "admin_type".

     

    The "permission" Admin Type is NOT allowed for "extract" Operations.

     

    Admin Type Description
    "user" Used for User administration.
    "group" Used for Group administration.
    "group-connection" Used for Group Connection administration.
    "resource" Used for General Resource Profile administration.
    "dataset" Used for Data Set administration.
    "racf-options" Used for RACF Options administration.
    "permission" Used for Permission administration.

  • "profile_name"
    A string value identifying a Security Profile to Add, Alter, Extract, or Delete.

     

    "profile_name" is NOT allowed to be used with the "racf-options" Admin Type due to RACF Options being a Singleton for which there is NO concept of multiple discrete “profiles” that can be created, deleted, and managed.

    "class_name" MUST be used to indicate which Class Name the specified Security Profile is associated with for the "resource" and "permission" Admin Types.

     

  • "traits"
    An object describing the Traits/Attributes to Add/Modify in "add" and "alter" Operations. See Traits for more detail about how to specify Traits for "add" and "alter" Operations, and what Traits are supported for each Admin Type.

     

    "traits" is NOT allowed to be used with "extract" and "delete" Operations.

     

  • "class_name"
    A string value identifying a Class Name that the specified Security Profile is associated with.

     

    "class_name" is required for and only allowed for the "resource" and "permission" Admin Types.

     

  • "volume"
    A string value identifying a Volume.

     

    Only the "dataset" and "permission" Admin Types can be used with "volume", and only for "add", "alter", and "delete" Operations.

    _Note that for the "permission" Admin Type, this parameter will only take effect if the "class_name" parameter is set to "DATASET".

     

  • "generic"
    A string value identifying a Security Profile as Generic or Not Generic.

     

    Only the "dataset" and "permission" Admin Types can be used with "generic", and only for "add", "alter", and "delete" Operations.

    Note that for the "permission" Admin Type, this parameter will only take effect if the "class_name" parameter is set to "DATASET".

    "generic" may only be set to "yes" or "no".

     

  • "run_as_userid"
    A string value identifying a z/OS Userid to perform the Security Operation as.

     

    In order to use "run_as_userid", the caller must have at least UPDATE access to the <userid>.IRRSMO00 General Resource Profile in the SURROGAT Class, where <userid> represents the z/OS Userid to perform Security Operations as. More information about IRRSMO00 Authorizations can be found in the IBM docs.

    "run_as_userid" is NOT allowed for "extract" Operations.

Request Examples

Below you can see a few examples, they are NOT comprehensive and are primarily meant to show users the general structure of "add", "alter", "extract" and "delete" requests.

Creating a new userid

The following SEAR Request JSON creates new new RACF Userid called ERIPLEY with the following Traits:

  • A Name of "Ellen Ripley".
  • An OMVS UID of 24.
  • An OMVS Home Directory of "/u/ERIPLEY".
{
  "operation": "add",
  "admin_type": "user",
  "profile_name": "ERIPLEY",
  "traits": {
    "base:name": "Ellen Ripley",
    "omvs:uid": 24,
    "omvs:home_directory": "/u/ERIPLEY"
  }
}

Altering a user

The following SEAR Request JSON alters an existing RACF Userid called ESATTLER by Changing/Setting the Name Trait to "Ellie Sattler".

{
  "operation": "alter",
  "admin_type": "user",
  "profile_name": "ESATTLER",
  "traits": {
    "base:name": "Ellie Sattler"
  }
}

Deleting a user

The following SEAR Request JSON deletes an existing RACF Userid called MRAINES.

{
  "operation": "delete",
  "admin_type": "user",
  "profile_name": "MRAINES"
}

Extracting user information

The following SEAR Request JSON extracts the Profile Data for a RACF Userid called CDEARING.

{
  "operation": "extract",
  "admin_type": "user",
  "profile_name": "CDEARING"
}