Define Mainframe Access Web API to the Security Subsystem

You can view and administer the MFA Server using the Enterprise Server Common Web Administration (ESCWA) interface. To do this, you will need to give users permission to access it by defining a new class in your security subsystem.

A sample job containing the template RACF commands required to achieve this is provided in hlq.MFA.CNTL(MFACDT). You will need to customize this, replacing the two lines that have RDEFINE xxxx and yyyy with the user IDs that you wish to grant access to.

The sample JCL is for RACF; if you are using another security product, such as CA-ACF2 or CA-Top Secret, you will need to make similar modifications to your security system definitions.

The typical steps for RACF are:

  1. Define a new class (in the sample this is $MFM) in your security subsystem that has a unique POSIT number (in the sample this is 26) using RDEFINE CDT.
  2. Activate RACLIST processing on the new class using SETROPTS RACLIST.
  3. Activate the new general resource class using SETROPTS CLASSACT.
  4. Activate generic profile checking for the new class using SETROPTS GENERIC.
  5. Refresh the CDT profile using SETROPTS RACLIST REFRESH.
  6. Define a new general resource profile, in the sample MFM.RESTCMD, in the new class using RDEFINE.
  7. For each user you want to give access to, determine whether they require READ or ALTER and add them to the access list for the new profile using PERMIT.
  8. Refresh the new class using SETROPTS RACLIST REFRESH.
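The eight steps above as a batch TSO job, added here as an example and not the hlq.MFA.CNTL(MFACDT) sample itself. The job card, the CDTINFO attributes other than POSIT(26), and the placeholder user IDs USER1 (READ) and USER2 (ALTER) are assumptions; the final RLIST is a verification step that shows the resulting access list.

```jcl
//MFACDT   JOB (ACCT),'DEFINE $MFM CLASS',CLASS=A,MSGCLASS=X
//* Added example, not the product's own MFACDT sample.
//* USER1 and USER2 are constructed placeholder user IDs; replace
//* them with the IDs you wish to grant READ or ALTER access.
//* The CDT refresh is issued directly after the class definition
//* so that the later SETROPTS commands can reference $MFM, and
//* steps 2 to 4 are combined into a single SETROPTS command.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CDT $MFM CDTINFO(POSIT(26) DEFAULTUACC(NONE)             -
    FIRST(ALPHA,NATIONAL) OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) -
    MAXLENGTH(246) RACLIST(REQUIRED))
  SETROPTS RACLIST(CDT) REFRESH
  SETROPTS CLASSACT($MFM) GENERIC($MFM) RACLIST($MFM)
  RDEFINE $MFM MFM.RESTCMD UACC(NONE)
  PERMIT MFM.RESTCMD CLASS($MFM) ID(USER1) ACCESS(READ)
  PERMIT MFM.RESTCMD CLASS($MFM) ID(USER2) ACCESS(ALTER)
  SETROPTS RACLIST($MFM) REFRESH
  RLIST $MFM MFM.RESTCMD AUTHUSER
/*
```

Check the RLIST output in SYSTSPRT: the profile should show UACC NONE and only the intended IDs on the access list, since anyone with ALTER can set trace levels and terminate user sessions.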

By default, a user who has not been granted permission cannot access any of the administrative Web API endpoints. The table below outlines the required permissions for individual operations:

Operation          Required Permission
-----------------  -------------------
List Tasks         READ
List Statistics    READ
Get Trace Level    READ
List Users         READ
Set Trace Level    ALTER
Terminate User     ALTER