Security on z/OS


Roles in z/OS security


Mainframe environments tend to be well-structured, with formal roles, such as systems programmer, security administrator, and auditor, that are assigned to separate individuals. This separation of duties is a cornerstone of security and mainframe management. In essence, ability should not exceed authority: no one should be able to do more on the system than they are authorized to do.

A significant difference between a mainframe and a distributed server environment is the way in which job definitions and roles are defined and how duties are assigned to IT staff:
  • In a distributed environment, people often handle multiple duties in the interest of efficiency. For example, an operator who has the authority to shut down the system might also have the ability to delete user IDs.

    However, giving staff the authorization for many tasks, while in one sense efficient, opens the door for abusing this power. For example, a database administrator who sold a corporation's information to its competition might have the ability to hide these actions from auditors.

  • In a mainframe environment, by contrast, skills are generally more focused on a specific responsibility. That is, there tends to be more separation of duties. Each mainframe support person is a specialist, yet mainframes usually operate with fewer support personnel relative to the size of the user community because of the centralized nature of mainframe management tools. The efficiency derives from the platform architecture, not from people sharing duties.

In the past, it was the mainframe system programmer who, working with management, decided the overall security policy and procedures. Today companies are seeking higher levels of security, so they often appoint a separate security manager. The system programmer might not have direct responsibility for security, other than advising the security manager about new products. Separation of duties is necessary to prevent any one individual from having uncontrolled access to the system.

Copyright IBM Corporation 1990, 2010