SAF-based group selection

SAF (Security Access Facility) is an interface to access any z/OS® security product. z/OS Explorer can use this interface to query your security product and retrieve push-to-client related information.

When definitions in your security database are used as the selection mechanism (the SAF value is specified for directives in pushtoclient.properties), z/OS Explorer checks the user's access permissions to the profiles listed in Table 1 to determine which developer groups the user belongs to, and whether the user is allowed to reject updates.

Table 1. Push-to-client SAF information
| FACILITY profile | Fixed length | Required access | Result |
|---|---|---|---|
| FEK.PTC.CONFIG.ENABLED.sysname.devgroup | 23 | READ | Client accepts configuration updates for the specified group |
| FEK.PTC.PRODUCT.ENABLED.sysname.devgroup | 24 | READ | Client accepts product updates for the specified group |
| FEK.PTC.REJECT.CONFIG.UPDATES.sysname | 30 | READ | User can reject configuration updates when the workspace is bound to the default group |
| FEK.PTC.REJECT.CONFIG.UPDATES.sysname.devgroup | 30 | READ | User can reject configuration updates when the workspace is bound to the specified group |
| FEK.PTC.REJECT.PRODUCT.UPDATES.sysname | 31 | READ | User can reject product updates when the workspace is bound to the default group |
| FEK.PTC.REJECT.PRODUCT.UPDATES.sysname.devgroup | 31 | READ | User can reject product updates when the workspace is bound to the specified group |

Note: z/OS Explorer assumes a user has no access authorization when your security software indicates it cannot determine whether or not a user has access authorization to a profile. An example of this is when the profile is not defined.

The devgroup value matches the group name assigned to a specific group of developers. Note that the group name is visible on z/OS Explorer clients.

The sysname value matches the system name of the target system.

A user can choose to bind a workspace to the default group for configuration updates if config.enabled in pushtoclient.properties is set to SAF or LDAP. If config.enabled is set to TRUE, the workspace is automatically bound to the default group.

A user can choose to bind a workspace to the default group for product updates if product.enabled in pushtoclient.properties is set to SAF or LDAP. If product.enabled is set to TRUE, the workspace is automatically bound to the default group.

The “Fixed length” column documents the length of the fixed part of the related security profile.

By default, z/OS Explorer expects the FEK.* profiles to be in the FACILITY security class. Note that profiles in the FACILITY class are limited to 39 characters. If the sum of the length of the fixed profile part (FEK.PTC.<key>.) and the length of the site-specific profile part (sysname or sysname.devgroup) exceeds this number, you can place the profiles in another class and instruct z/OS Explorer to use this class instead. To do that, uncomment _RSE_FEK_SAF_CLASS in rse.env and provide the desired class name, for example XFACILIT.
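The length check described above can be run before any profile is defined. The following is an added example, not IBM-supplied code: it builds every profile name Table 1 implies, flags the ones that exceed the 39-character FACILITY limit, and emits deny-by-default definitions. The sysname, group names and IDs are constructed, and the generated commands assume RACF is the security product and that the chosen class is RACLISTed.

```python
# Added example: plan push-to-client profiles and check the FACILITY length limit.
FACILITY_MAX = 39  # FACILITY class profile-name limit stated on this page

# Fixed profile parts from Table 1; True means a default-group form
# (sysname only, no devgroup) also exists for that key.
FIXED_PARTS = {
    "FEK.PTC.CONFIG.ENABLED.": False,
    "FEK.PTC.PRODUCT.ENABLED.": False,
    "FEK.PTC.REJECT.CONFIG.UPDATES.": True,
    "FEK.PTC.REJECT.PRODUCT.UPDATES.": True,
}

def plan_profiles(sysname, devgroups):
    """Return every profile name Table 1 implies for one system and its groups."""
    names = []
    for fixed, has_default in FIXED_PARTS.items():
        if has_default:
            names.append(fixed + sysname)
        names.extend(f"{fixed}{sysname}.{group}" for group in devgroups)
    return names

def too_long(names, limit=FACILITY_MAX):
    """Profiles whose full name does not fit in the FACILITY class."""
    return [n for n in names if len(n) > limit]

def choose_class(names, alternate="XFACILIT"):
    """FACILITY if every name fits, else the class to set in _RSE_FEK_SAF_CLASS."""
    return alternate if too_long(names) else "FACILITY"

def racf_commands(names, saf_class, readers):
    """Assumes RACF: define each profile with UACC(NONE), then permit READ per ID."""
    cmds = []
    for name in names:
        cmds.append(f"RDEFINE {saf_class} {name} UACC(NONE)")
        for who in readers.get(name, []):
            cmds.append(f"PERMIT {name} CLASS({saf_class}) ID({who}) ACCESS(READ)")
    cmds.append(f"SETROPTS RACLIST({saf_class}) REFRESH")
    return cmds

if __name__ == "__main__":
    # Constructed sample values: system SYS1 with two developer groups.
    names = plan_profiles("SYS1", ["PAYROLL", "BILLING"])
    for n in names:
        print(f"{len(n):3d} {'ok  ' if len(n) <= FACILITY_MAX else 'LONG'} {n}")
    saf_class = choose_class(names)
    if saf_class != "FACILITY":
        print(f"rse.env: _RSE_FEK_SAF_CLASS={saf_class}")
    grants = {"FEK.PTC.CONFIG.ENABLED.SYS1.PAYROLL": ["PAYDEV"]}  # constructed ID
    print("\n".join(racf_commands(names, saf_class, grants)))
```

Because an undefined profile is treated as no access, defining every planned profile with UACC(NONE) and granting READ explicitly keeps group membership and the right to reject updates visible in the security database rather than implied by a missing profile.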

The following topics are covered in this section: