Configure the Security Configuration Assistant service
To use the z/OSMF Security Configuration Assistant, configure it as described in this topic.
Description
The Security Configuration Assistant provides a visual framework for examining the different elements of z/OSMF security. The Security Configuration Assistant layout consists of tabbed sections and tabular reports that can be expanded or compressed, as needed. This framework provides a comprehensive perspective on your z/OSMF security setup.
You can use the Security Configuration Assistant to check the authorizations for z/OSMF itself, including the nucleus, core and optional services, and advanced configuration options. You can also check the security setup for other products on your system for which you have installed the required security descriptor files.
Dependencies on other z/OSMF services
None.
Security setup
To assist you with performing the security setup, IBM provides the sample security job IZUSASEC in SYS1.SAMPLIB. For a summary of the required profile authorizations, see Resource authorizations for the Security Configuration Assistant service.
- Ensure that only the appropriate security administrators or system programmers are authorized to use the Security Configuration Assistant. As shipped from IBM, the IZUSASEC sample job grants authority to users in the IZUADMIN security group. If you do not want to enable all users in the IZUADMIN group to run the tool, edit the job and specify the permitted user ID or group. In the job, this authorization is created with the following PERMIT statement:
  PERMIT IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT +
    CLASS(ZMFAPLA) ACCESS(READ) ID(IZUADMIN)
- The job includes JCL for authorizing a user ID to a number of BBG security profiles. Be aware that the BBG.SECCLASS.xx SERVER profiles should be permitted only to the z/OSMF started task user ID.
- Before you use the Security Configuration Assistant, verify that the z/OSMF server started task user ID:
  - Has READ access to the z/OSMF SAF prefix in the APPL resource class. By default, the resource is IZUDFLT(APPL) and the z/OSMF server user ID is IZUSVR.
  - Is connected to the z/OSMF administrator security group, which is IZUADMIN by default.
- Make a copy of this job.
- Review and edit the job, if necessary.
- Submit the job as a batch job on your z/OS system.
Ensure that the IZUSASEC job completes with return code 0000. To verify, check the results of the job execution in the job log, for example, by using SDSF.
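The following batch job lists the authorizations described in this section so that they can be reviewed after IZUSASEC runs. It is an added example, not part of the IBM-supplied IZUSASEC sample. It assumes the default names given in this topic (IZUDFLT, IZUSVR, IZUADMIN) and that the submitter is authorized to list these profiles; the job name, accounting data and classes are placeholders.

```jcl
//IZUVERFY JOB (ACCT),'CHECK SCA SETUP',CLASS=A,MSGCLASS=X
//* Added example. Job card values are placeholders; adjust them
//* to your site standards.
//*
//* The three RACF commands below are read-only:
//*  1. RLIST ZMFAPLA ... AUTHUSER
//*     Shows the access list of the Security Configuration
//*     Assistant profile. Only the intended administrator user
//*     IDs or groups should appear with READ.
//*  2. RLIST APPL IZUDFLT AUTHUSER
//*     Shows the access list of the z/OSMF SAF prefix. The
//*     started task user ID (IZUSVR by default) needs READ.
//*  3. LISTUSER IZUSVR
//*     Shows the group connections of the started task user ID.
//*     IZUADMIN (or your administrator group) must be listed.
//*
//RACFCHK  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RLIST ZMFAPLA IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT +
        AUTHUSER
  RLIST APPL IZUDFLT AUTHUSER
  LISTUSER IZUSVR
/*
```

Review the SYSTSPRT output in the job log. If you replaced IZUADMIN in the PERMIT statement, the first access list should show your chosen user ID or group instead.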
Host system customization
None.
Optional extensions to this service
You can check the security configuration for external products on your z/OS system. This option requires that you obtain and install a security descriptor file from the product vendor. For more information, see Creating security descriptor files for the Security Configuration Assistant task.