Proxy users credential management
A proxy user can connect to subsystems and can submit jobs on behalf of a logged-in user. A proxy user can only be a service user. Only a certificate-based proxy user is supported.
Important: To use a proxy user, it is mandatory to create a proxy user profile.
Proxy user validation is based on the following parameters that identify the certificate in a key ring: keyringOwner, keyringName, and certificateLabel. The validation is performed by checking whether the logged-in user has 'READ' access to a SAF resource name based on the parameters that identify the certificate in a key ring. The corresponding SAF resource name is structured as follows:
IZP.<PROFILE_QUALIFIER>.PROXY.CERT.<RING_OWNER>.<RING_NAME>.<CERTIFICATE_LABEL>
where:
- PROFILE_QUALIFIER: The value of components.izp.security.profileQualifier, or blank. When it is blank, the segment is omitted from the resource name. For more information, refer to Enabling support for profile qualifier.
- RING_OWNER: The owner of the key ring in which the certificate of the proxy user resides.
- RING_NAME: The name of the key ring in which the certificate of the proxy user resides.
- CERTIFICATE_LABEL: The certificate label that is associated with the client certificate of the proxy user.
For example, in IZP.PROXY.CERT.IBMUSER.UMSRING.PROXYUSER1 (no profile qualifier), IBMUSER is the ring owner, UMSRING is the ring name, and PROXYUSER1 is the certificate label.
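The following is an added example (not IBM's or UMS's own code) that builds the SAF resource name described above and evaluates the READ check against a constructed access list that stands in for the ESM profile definitions. It assumes standard SAF access-level ordering (READ is satisfied by READ or any higher level); the user IDs and access list are constructed sample data.

```python
"""Build the UMS proxy-user SAF resource name and evaluate the READ check."""

# SAF access levels in ascending order; READ is satisfied by any level at or above it.
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def saf_resource_name(ring_owner, ring_name, cert_label, profile_qualifier=""):
    """Return IZP[.<PROFILE_QUALIFIER>].PROXY.CERT.<RING_OWNER>.<RING_NAME>.<CERTIFICATE_LABEL>.

    A blank profile qualifier drops the segment entirely, so the page's example
    IZP.PROXY.CERT.IBMUSER.UMSRING.PROXYUSER1 has no empty segment (no '..').
    """
    for part in (ring_owner, ring_name, cert_label):
        if not part:
            raise ValueError("ring owner, ring name and certificate label must be non-empty")
    segments = ["IZP"]
    if profile_qualifier:
        segments.append(profile_qualifier)
    segments += ["PROXY", "CERT", ring_owner, ring_name, cert_label]
    return ".".join(segments)


def has_read_access(user_id, resource, access_list):
    """True if user_id holds READ or higher on resource.

    access_list is a constructed stand-in for the ESM profile: a dict of
    resource name -> dict of SAF user ID -> access level. The proxy user's
    UMS 'name' is deliberately not an input: only SAF identifiers take part
    in the check, as the page's notes state. Unlisted users get NONE.
    """
    granted = access_list.get(resource, {}).get(user_id, "NONE")
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index("READ")


# Constructed sample access list standing in for the ESM's profile definitions.
SAMPLE_ACCESS = {
    "IZP.PROXY.CERT.IBMUSER.UMSRING.PROXYUSER1": {"ALICE": "READ", "BOB": "NONE"},
}

if __name__ == "__main__":
    res = saf_resource_name("IBMUSER", "UMSRING", "PROXYUSER1")
    for uid in ("ALICE", "BOB", "CAROL"):
        print(uid, res, "permitted" if has_read_access(uid, res, SAMPLE_ACCESS) else "denied")
```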
Notes:
- The SAF resource access check is not based on the ‘name’ of the proxy user. However, the ‘name’ must be unique within the UMS configuration database. This may or may not be the user ID associated with the specified certificate.
- A ‘userid’ can correspond to different SAF user IDs with credentials across different SAF databases (for example, on different sysplexes). The UMS configuration database can include items (for example, subsystems) that are managed by SAF databases other than the SAF database that applies to the system where UMS is running.
- The UMS security model emphasizes that External Security Manager (ESM) administrators must control the access of proxy users. Therefore, UMS controls access by using identifiers that are known to the z/OS operating system, SAF implementation, or both.
- The ‘name’ of the proxy user within UMS is known only to UMS and is not visible to z/OS or the SAF implementation.
- The keyringOwner, keyringName, and keyringLabel are identifiers known to z/OS and the SAF implementation independently of UMS.