Configure the Security Configuration Assistant service

To use the z/OSMF Security Configuration Assistant, configure it as described in this topic.

Description

The Security Configuration Assistant provides a visual framework for examining the different elements of z/OSMF security. The Security Configuration Assistant layout consists of tabbed sections and tabular reports that can be expanded or compressed, as needed. This framework provides a comprehensive perspective on your z/OSMF security setup.

You can use the Security Configuration Assistant to check the authorizations for z/OSMF itself, including the nucleus, core and optional services, and advanced configuration options. You can also check the security setup for other products on your system for which you have installed the required security descriptor files.

Dependencies on other z/OSMF services

None.

Security setup

To assist you with performing the security setup, IBM provides the sample security job IZUSASEC in SYS1.SAMPLIB. For a summary of the required profile authorizations, see Resource authorizations for the Security Configuration Assistant service.

Carefully review the contents of job IZUSASEC before you submit it. Observe the following considerations:
  • Ensure that only the appropriate security administrators or system programmers are authorized to use the Security Configuration Assistant. As shipped from IBM, the IZUSASEC sample job grants authority to users in the IZUADMIN security group. If you do not want to enable all users in the IZUADMIN group to run the tool, edit the job and specify the permitted user ID or group. In the job, this authorization is created with the following PERMIT statement:
    PERMIT IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT +
            CLASS(ZMFAPLA) ACCESS(READ) ID(IZUADMIN)
  • The job includes JCL for authorizing a user ID to a number of BBG security profiles. Be aware that the BBG.SECCLASS.xx SERVER profiles should be permitted only to the z/OSMF started task user ID.
  • Before you use the Security Configuration Assistant, verify that the z/OSMF server started task user ID:
    • Has READ access to the z/OSMF SAF prefix in the APPL resource class. By default, the resource is IZUDFLT(APPL) and the z/OSMF server user ID is IZUSVR.
    • Is connected to the z/OSMF administrator security group, which is IZUADMIN by default.

To run the IZUSASEC job, do the following:
  1. Make a copy of this job.
  2. Review and edit the job, if necessary.
  3. Submit the job as a batch job on your z/OS system.

Ensure that the IZUSASEC job completes with return code 0000. To verify, check the results of the job execution in the job log, for example, by using SDSF.
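
The following read-only batch TSO job lists the authorizations named in the considerations above after IZUSASEC has run. It is an added example, not part of IBM's sample job, and it assumes RACF and the default names (IZUDFLT, IZUSVR, IZUADMIN); the job name, accounting field, and job classes on the JOB card are placeholders for your site's values.

```jcl
//SCACHECK JOB (ACCT),'SCA AUTH CHECK',CLASS=A,MSGCLASS=X
//* Added example: JOB card values above are placeholders.
//* The job only lists profiles and user data; it changes nothing.
//*
//* Command 1: access list of the z/OSMF SAF prefix in class APPL.
//*            The server user ID (default IZUSVR) needs READ.
//* Command 2: group connections of the server user ID.
//*            It must be connected to IZUADMIN (default name).
//* Command 3: access list of the Security Configuration Assistant
//*            profile in class ZMFAPLA. Only the user IDs or groups
//*            you chose in the PERMIT statement should appear.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RLIST APPL IZUDFLT AUTHUSER
  LISTUSER IZUSVR
  RLIST ZMFAPLA +
    IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT AUTHUSER
/*
```

In the SYSTSPRT output, IZUSVR (or a group it belongs to) should appear with READ in the IZUDFLT access list, and the LISTUSER output should show a connection to IZUADMIN. The ZMFAPLA access list should contain only the IDs you intend to run the tool.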

Host system customization

None.

Optional extensions to this service

You can check the security configuration for external products on your z/OS system. This option requires that you obtain and install a security descriptor file from the product vendor. For more information, see Creating security descriptor files for the Security Configuration Assistant task.