Managing user access to z/OSMF tasks and links

Your installation determines which z/OS users can perform the z/OSMF tasks, and creates authorizations for the users.

Figure 1 shows a simplified view of SAF user authorizations in z/OSMF. To conserve space, this figure includes only a subset of the available tasks.
Figure 1. SAF authorizations in z/OSMF: A simplified view
This image presents a simplified view of SAF user authorizations in z/OSMF. The authorization of users to z/OSMF resources is based on traditional z/OS security controls, such as user IDs and groups, and resource profiles. The image includes only a subset of the available z/OSMF tasks: Administration, Workflows, Incident Log, Software Management, and ISPF.

If you use RACF to manage system security, the z/OSMF configuration process provides a basic set of security definitions. Specifically, z/OSMF provides IZUxxSEC sample jobs in the SYS1.SAMPLIB data set with sample RACF commands that your security administrator can use to manage z/OSMF resources and which users have access to them.

The IZUSEC and IZUxxSEC jobs contain sample RACF commands for:
  • Creating the necessary profiles in various resource classes needed to enable z/OSMF tasks on your system
  • Creating groups and permitting those groups to the resource class profiles created above. The IZUSEC sample job creates the groups IZUADMIN and IZUUSER, which correspond to the administrator and user roles. It also creates the group IZUSECAD, which is used to allow a person such as your z/OS security administrator to perform the security-related steps in the Workflows task.

If your installation uses a security management product other than RACF, you must create equivalent commands for your security management product. If so, you can refer to the IZUxxSEC jobs for the authorizations that are needed. For the security structures that are created by the IZUxxSEC jobs, see Security configuration requirements for z/OSMF.

Your security administrator can use the job SYS1.SAMPLIB(IZUAUTH) to authorize users to tasks and links. When used as provided, the IZUAUTH job connects the supplied user ID to the z/OSMF user group (IZUUSER). The job also contains commented commands for connecting the user to the z/OSMF administrator group and the z/OS Security Administrator group. Each group is permitted to a default set of z/OSMF resources (tasks and links). For the specific group permissions, see Security configuration requirements for z/OSMF.

You can create more user groups as needed, for example, one group per z/OSMF task. Note, however, that the IZUAUTH job is based on the default group assignments. If you create more groups, you must add commands for those groups to the IZUAUTH job.

Figure 2. SAF authorizations in z/OSMF: A typical setup
This image presents a subset of the possible SAF group authorizations in z/OSMF. The image includes groups for z/OSMF Administration, Workflows, Incident Log, Software Management, and ISPF.

Depending on the plug-ins to be added, your installation might need to create more authorizations to various system resources. Your security administrator can use the commands in the IZUAUTH job for authorizing users to z/OSMF and to the z/OS components used in z/OSMF operations. A change to your security setup will likely require an applicable refresh of your security product and a restart of the z/OSMF server for the changes to take effect.

Figure 2 shows the relationship between users, groups, and z/OSMF resource profiles in a typical z/OSMF security environment. To conserve space, this figure includes only a subset of the available tasks. In the figure, the group names and profiles are shown with the z/OSMF defaults. For the complete set of profiles that are created during the z/OSMF configuration process, and the groups that are permitted to the z/OSMF resources by default, see Security configuration requirements for z/OSMF.

The ZMFAPLA class requires the RACLIST option. If you change the profiles, you must refresh the ZMFAPLA class to have the changes take effect.

A user connected to the z/OSMF administrator group or the z/OSMF user group might be connected to other security groups. To allow such users to access z/OSMF without having to log in under a specific group, it is recommended that you have list-of-groups authority checking (GRPLIST option) active. For more information, see z/OS Security Server RACF Security Administrator's Guide.

As shown in Figure 2, the IZUDMSEC job provides a default authorization for the Software Management task through profile <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT. Your installation can create more granular authorizations for this task through more profiles, such as:
<SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.PRODUCT_INFO_FILE.RETRIEVE

For more information, see Creating access controls for the Software Management task.
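The RACF steps described above (connecting a user to IZUUSER as IZUAUTH does, adding a group per task, permitting it to the Software Management profile and to a more granular one, then refreshing the RACLISTed ZMFAPLA class) collected into one batch TSO job. This is an added example, not a job from SYS1.SAMPLIB: the job card, user ID USERA and group IZUSWMGT are constructed, and <SAF-prefix> must be replaced with your installation's SAF prefix.

```jcl
//IZUSWMG  JOB (ACCT),'ZOSMF SW MGMT AUTH',CLASS=A,MSGCLASS=H
//*
//* Added example, not from SYS1.SAMPLIB. Replace <SAF-prefix> with
//* your installation's SAF prefix; USERA and IZUSWMGT are constructed
//* names, substitute your own. Run under a RACF SPECIAL user.
//*
//RACFCMD  EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* 1. Connect the user to the default z/OSMF user group, as the      */
 /*    IZUAUTH job does. With GRPLIST active the user does not have   */
 /*    to log on under IZUUSER for the group's permissions to apply.  */
 CONNECT USERA GROUP(IZUUSER) AUTH(USE)
 /* 2. One group per task: a constructed group for Software Mgmt.    */
 ADDGROUP IZUSWMGT
 CONNECT USERA GROUP(IZUSWMGT) AUTH(USE)
 /* 3. Permit the new group to the default Software Management       */
 /*    profile created by IZUDMSEC. Access comes only from the        */
 /*    access list; the profile's UACC stays NONE.                    */
 PERMIT <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT +
   CLASS(ZMFAPLA) ID(IZUSWMGT) ACCESS(READ)
 /* 4. A more granular profile for a single Software Management      */
 /*    action. The trailing + continues the command and joins the     */
 /*    long profile name across lines.                                */
 RDEFINE ZMFAPLA +
   <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.+
   PRODUCT_INFO_FILE.RETRIEVE UACC(NONE)
 PERMIT <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.+
   PRODUCT_INFO_FILE.RETRIEVE CLASS(ZMFAPLA) ID(IZUSWMGT) ACCESS(READ)
 /* 5. ZMFAPLA is RACLISTed: none of the above takes effect until    */
 /*    the in-storage profiles are refreshed. GRPLIST is a           */
 /*    system-wide option; set it only if it is not already active.  */
 SETROPTS RACLIST(ZMFAPLA) REFRESH
 SETROPTS GRPLIST
 /* 6. Verify: show the access list of the new granular profile.     */
 RLIST ZMFAPLA +
   <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.+
   PRODUCT_INFO_FILE.RETRIEVE AUTHUSER
/*
```

Restart the z/OSMF server afterwards so that the changed authorizations are picked up, as noted above for any security setup change.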