Push-to-client developer groups

z/OS® Explorer clients can pull client configuration files and upgrade information from the host when they connect, ensuring that all clients have common settings and that they are up-to-date.

The client administrator can create multiple client configuration sets and multiple client update scenarios to fit the needs of different developer groups. This allows users to receive a customized setup, based on criteria like membership of an LDAP group or permit to a security profile.

When using definitions in your security database as selection mechanism (the SAF value is specified for directives in pushtoclient.properties), z/OS Explorer verifies access permits to the profiles listed in Table 1 to determine which developer groups the user belongs to, and whether a user is allowed to reject updates.

Table 1. Push-to-client SAF information
FACILITY profile Fixed length Required access Result
FEK.PTC.CONFIG.ENABLED.
  sysname.devgroup
 23 READ Client accepts configuration updates for the specified group
FEK.PTC.PRODUCT.
  ENABLED.sysname.devgroup
 24 READ Client accepts product updates for the specified group
FEK.PTC.REJECT.CONFIG.
  UPDATES.sysname[.devgroup]
 30 READ User can reject configuration updates
FEK.PTC.REJECT.PRODUCT.
  UPDATES.sysname[.devgroup]
 31 READ User can reject product updates
Note: z/OS Explorer assumes that a user has no access authorization when your security software indicates it cannot determine whether or not a user has access authorization to a profile. An example of this is when the profile is not defined.

The devgroup value matches the group name assigned to a specific group of developers. Note that the group name is visible on z/OS Explorer clients.

The sysname value matches the system name of the target system.

The “Fixed length” column documents the length of the fixed part of the related security profile.

By default, z/OS Explorer expects the FEK.* profiles to be in the FACILITY security class. Note that profiles in the FACILITY class are limited to 39 characters. If the sum of the length of the fixed profile part (FEK.PTC.<key>) and the length of the site-specific profile part (sysname or sysname.devgroup) exceeds this number you can place the profiles in another class and instruct z/OS Explorer to use this class instead. To do so, uncomment _RSE_FEK_SAF_CLASS in rse.env and provide the desired class name, for example XFACILIT.

Note that the client administrator must be on the access list of the FEK.PTC.*.ENABLED.* profiles to define and manage the related push-to-client metadata. This implies that the profiles must be defined with (at least) the client administrator on the access list before push-to-client with group support can be implemented.

See “(Optional) pushtoclient.properties, Host-based client control” in the Host Configuration Guide (SC27-8437) for more information about enabling multiple group support. See Push-to-client considerations for more information about push-to-client concepts and implementation.