SAF-based group selection
SAF (Security Access Facility) is an interface to access any z/OS® security product. z/OS Explorer can use this interface to query your security product and retrieve push-to-client related information.
When using definitions in your security database as the selection mechanism (the SAF value is specified for directives in pushtoclient.properties), z/OS Explorer verifies access permits to the profiles listed in Table 1 to determine which developer groups the user belongs to, and whether a user is allowed to reject updates.
FACILITY profile | Fixed length | Required access | Result |
---|---|---|---|
FEK.PTC.CONFIG.ENABLED.sysname.devgroup | 23 | READ | Client accepts configuration updates for the specified group |
FEK.PTC.PRODUCT.ENABLED.sysname.devgroup | 24 | READ | Client accepts product updates for the specified group |
FEK.PTC.REJECT.CONFIG.UPDATES.sysname | 30 | READ | User can reject configuration updates when the workspace is bound to the default group |
FEK.PTC.REJECT.CONFIG.UPDATES.sysname.devgroup | 30 | READ | User can reject configuration updates when the workspace is bound to the specified group |
FEK.PTC.REJECT.PRODUCT.UPDATES.sysname | 31 | READ | User can reject product updates when the workspace is bound to the default group |
FEK.PTC.REJECT.PRODUCT.UPDATES.sysname.devgroup | 31 | READ | User can reject product updates when the workspace is bound to the specified group |
The devgroup value matches the group name assigned to a specific group of developers. Note that the group name is visible on z/OS Explorer clients.
The sysname value matches the system name of the target system.
A user can select to bind a workspace to the default group for configuration updates if config.enabled in pushtoclient.properties is set to SAF or LDAP. If config.enabled is set to TRUE, the workspace is automatically bound to the default group.
A user can select to bind a workspace to the default group for product updates if product.enabled in pushtoclient.properties is set to SAF or LDAP. If product.enabled is set to TRUE, the workspace is automatically bound to the default group.
The “Fixed length” column documents the length of the fixed part of the related security profile.
By default, z/OS Explorer expects the FEK.* profiles to be in the FACILITY security class. Note that profiles in the FACILITY class are limited to 39 characters. If the sum of the length of the fixed profile part (FEK.PTC.<key>.) and the length of the site-specific profile part (sysname or sysname.devgroup) exceeds this number, you can place the profiles in another class and instruct z/OS Explorer to use this class instead. To do that, uncomment _RSE_FEK_SAF_CLASS in rse.env and provide the desired class name, for example XFACILIT.
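The length rule above can be checked before any profile is defined. The following Python sketch is an added example, not part of z/OS Explorer or the original page: it builds every profile name from Table 1 for one system and reports those that exceed the 39-character FACILITY limit. The function names and the sample system and group names are assumptions made for illustration.

```python
# Added example: function names and sample values are hypothetical.
# Fixed profile prefixes from Table 1; True means a default-group variant
# (sysname only, no devgroup) also exists for that prefix.
PREFIXES = {
    "FEK.PTC.CONFIG.ENABLED.": False,
    "FEK.PTC.PRODUCT.ENABLED.": False,
    "FEK.PTC.REJECT.CONFIG.UPDATES.": True,
    "FEK.PTC.REJECT.PRODUCT.UPDATES.": True,
}
FACILITY_MAX = 39  # profile name limit in the FACILITY class, per the text


def build_profiles(sysname, devgroups):
    """Return every push-to-client profile name for one system."""
    profiles = []
    for prefix, has_default in PREFIXES.items():
        if has_default:
            profiles.append(f"{prefix}{sysname}")
        for group in devgroups:
            profiles.append(f"{prefix}{sysname}.{group}")
    return profiles


def too_long(profiles, limit=FACILITY_MAX):
    """Return (profile, length) pairs that do not fit within the limit."""
    return [(p, len(p)) for p in profiles if len(p) > limit]


def max_devgroup_length(sysname, limit=FACILITY_MAX):
    """Longest devgroup name for which every profile for sysname still fits."""
    longest_prefix = max(len(p) for p in PREFIXES)
    return limit - longest_prefix - len(sysname) - 1  # 1 for the '.' separator


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    sysname, groups = "SYSA", ["DEV", "PAYROLL"]
    overflow = too_long(build_profiles(sysname, groups))
    for name, length in overflow:
        print(f"{length:3d} > {FACILITY_MAX}: {name}")
    print("max devgroup length:", max_devgroup_length(sysname))
    if overflow:
        print("Use another class: set _RSE_FEK_SAF_CLASS in rse.env")
```

Because the REJECT.PRODUCT.UPDATES prefix is the longest (31 characters), it determines how long a devgroup name can be for a given sysname before another class is needed.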