Security structures for z/OSMF
Using z/OSMF requires sufficient authority in z/OS®. Specifically, on the z/OS system to be managed, the resources that are accessed on behalf of users (data sets, operator commands, and so on) are secured through the external security manager at your installation, such as RACF®. Your installation's security administrator must create the authorizations in your external security manager. To assist your security administrator, z/OSMF provides sample jobs in SYS1.SAMPLIB and the information in this document. Your security administrator can use the sample jobs to create the groups, user IDs, and resource profiles for your z/OSMF configuration. In addition, these z/OSMF constructs must be permitted to a number of existing groups, user IDs, and resources on your system. The sample jobs are:
- IZUNUSEC, to help you set up basic security for a z/OSMF nucleus configuration.
- Individual IZUxxSEC jobs for the core services
- IZUSEC job that consolidates the security set-up for both the z/OSMF nucleus and the core services
- Individual IZUxxSEC jobs for the optional services.
Also listed are the resource authorizations that your installation must define outside of the configuration process.
- Class activations that z/OSMF requires
- SAF profile prefix for z/OSMF resources
- User IDs that z/OSMF creates during configuration
- Security groups that z/OSMF creates during configuration
- Resource authorizations for the Security Configuration Assistant service
- Resource authorizations for the z/OSMF core functions
- Resource authorizations for hardware compression
- Resource authorizations for hardware cryptography
- Resource authorizations for Common Information Model
- Resource authorizations for Capacity Provisioning Manager
- Resource authorizations for common event adapter (CEA)
- Resource authorizations for the z/OS compliance REST interface
- Resource authorizations for the z/OS console REST interface
- Resource authorizations for the z/OS data set and file REST interface
- Resource authorizations for the z/OS jobs REST interface
- Resource authorizations for the Capacity Provisioning service
- Resource authorizations for the Network Configuration Assistant service
- Resource authorizations for the Incident Log service
- Resource authorizations for the ISPF service
- Resource authorizations for the Resource Monitoring service
- Resource authorizations for the Software Deployment service
- Resource authorizations for the Sysplex Management service
- Resource authorizations for the Workload Management service
- Resource authorizations for the IBM zERT Network Analyzer service
- Resource authorizations for the z/OS Management Services Catalog service
- Resource authorizations for the Storage Management service
Class activations that z/OSMF requires
Class | Purpose | RACF commands for activating |
---|---|---|
ACCTNUM | Controls access to the account number that is used by the procedure for the z/OSMF REST interfaces. | SETROPTS CLASSACT(ACCTNUM) |
APPL | Controls access to the z/OSMF application domain. This access is required by the z/OSMF security groups and the guest user ID (see the APPL profile under Resource authorizations for the z/OSMF core functions). If there is no matching profile in the APPL class, RACF allows the user to access the application. | SETROPTS CLASSACT(APPL) |
EJBROLE | Controls the user's ability to connect to the z/OSMF core functions and tasks. z/OSMF defines a resource name for each core function and task. | SETROPTS CLASSACT(EJBROLE) |
FACILITY | Controls the user's access to profiles when the user performs an action. This access is required by the z/OSMF started task user ID (IZUSVR, by default). Examples include the profiles that are used to control privileges in the z/OS UNIX environment. | SETROPTS CLASSACT(FACILITY) |
JESSPOOL | Allows the user to retrieve messages from the system log (SYSLOG). | SETROPTS CLASSACT(JESSPOOL) |
LOGSTRM | Allows the user to retrieve messages from the operations log (OPERLOG). | SETROPTS CLASSACT(LOGSTRM) |
OPERCMDS | Allows the user to create an EMCS console by using the z/OS Operator Consoles task. | SETROPTS CLASSACT(OPERCMDS) |
SERVAUTH | Controls the user's ability to use CEA TSO/E address space services. In z/OSMF, this access is required by z/OSMF users and by the z/OSMF started task user ID (see the SERVAUTH profiles under Resource authorizations for the z/OSMF core functions). | SETROPTS CLASSACT(SERVAUTH) |
SERVER | Allows the z/OSMF started task user ID to request services from z/OS system components, such as the System Authorization Facility (SAF), workload management (WLM), and SVCDUMP services. | SETROPTS CLASSACT(SERVER) |
STARTED | Assigns an identity to the z/OSMF started task during the processing of an MVS™ START command. By default, the started task runs under the IZUSVR user ID. The STARTED class takes effect only when it is RACLISTed. | SETROPTS CLASSACT(STARTED) RACLIST(STARTED) |
TSOAUTH | Allows the user to create an EMCS console by using the z/OS Operator Consoles task (the user issues the TSO/E CONSOLE command). | SETROPTS CLASSACT(TSOAUTH) |
TSOPROC | Controls access to the procedure for the z/OSMF REST interfaces. | SETROPTS CLASSACT(TSOPROC) |
ZMFAPLA | Controls the user's ability to use the z/OSMF core functions and tasks. z/OSMF defines a resource name for each core function and task. | SETROPTS CLASSACT(ZMFAPLA) |
ZMFCLOUD | Allows the user to use the z/OSMF core functions and tasks that are related to IBM® Cloud Provisioning. z/OSMF defines a resource name for each core function and task for IBM Cloud Provisioning. For more information, see Configure the Cloud Provisioning services. The ZMFCLOUD class requires the RACLIST option. | SETROPTS CLASSACT(ZMFCLOUD) RACLIST(ZMFCLOUD) |
For any class that is RACLISTed (for example, STARTED and ZMFCLOUD), RACF uses the in-storage copy of the profiles, so after you add or change profiles in that class you must run SETROPTS RACLIST(class) REFRESH; until then the new definitions are not used for access checks.
If your installation uses an external security manager other than RACF, ask your security administrator to create equivalent commands for your environment.
SAF profile prefix for z/OSMF resources
During the configuration process, your security administrator runs the IZUxxSEC jobs to secure z/OSMF resources. In these jobs, your installation specifies a System Authorization Facility (SAF) profile prefix to be used for naming z/OSMF resources. The SAF prefix is prepended to the names of z/OSMF resource profiles, and is used in some of the RACF commands that are contained in the IZUxxSEC jobs.
In the examples in this document, the SAF prefix is shown as <SAF-prefix>. By default, the SAF prefix is IZUDFLT. If your installation selects a different value, substitute that value in the examples.
User IDs that z/OSMF creates during configuration
User ID | Purpose | Default UID | Created by |
---|---|---|---|
IZUGUEST | User ID for performing unauthenticated work, such as guest user access to the Welcome page. | 9011 | IZUSEC job |
IZUSVR | User ID for the z/OSMF started tasks, which are named IZUANG1 and IZUSVR1, by default. | 9010 | IZUSEC job |
Security groups that z/OSMF creates during configuration
The IZUSEC job creates a base set of security groups for your z/OSMF configuration. These groups are necessary for giving users the proper level of access to z/OSMF and z/OS system resources.
Your security team might prefer to use existing group names. If so, you can use your existing group names in place of the supplied z/OSMF default group names. For example, if you already have a group for administrators, you can use that group instead of the z/OSMF default group for administrators, IZUADMIN.
Group | Purpose | Created by |
---|---|---|
IZUADMIN | Security group for the z/OSMF administrator role. Any user IDs connected to this group are considered to be z/OSMF administrators. | IZUSEC job |
IZUUSER | Security group for the z/OSMF user role. | IZUSEC job |
IZUSECAD | Security group for the z/OS security administrator role in z/OSMF. | IZUSEC job |
IZUUNGRP | Security group for the z/OSMF unauthenticated user ID. | IZUSEC job |
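The kind of definitions that the IZUSEC job makes for these user IDs and groups, written out here as an added example in RACF commands run under IKJEFT01. This is illustrative and is not a copy of the SAMPLIB job. The user ID names, UIDs, group names, and started-task names are the defaults from the tables on this page; the GIDs, the job name, the home directory, and the user ID under which IZUINSTP runs are assumptions, and NOPASSWORD on both IDs and RESTRICTED on IZUGUEST are hardening choices that this page does not prescribe.

```jcl
//IZUXSEC  JOB (ACCT),'ZOSMF IDS',CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID
//* Added example: z/OSMF user IDs, groups and STARTED profiles.
//* Names and UIDs are the defaults from this page; GIDs, the home
//* directory, and the hardening attributes are assumptions.
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Security groups. GIDs are assumed values, not from this page. */
  ADDGROUP IZUADMIN OMVS(GID(9003))
  ADDGROUP IZUUSER  OMVS(GID(9004))
  ADDGROUP IZUSECAD OMVS(GID(9006))
  ADDGROUP IZUUNGRP OMVS(GID(9012))
  /* Server ID is protected (NOPASSWORD NOOIDCARD): no logon possible */
  ADDUSER IZUSVR NAME('ZOSMF SERVER') DFLTGRP(IZUADMIN) +
          OMVS(UID(9010) HOME('/var/zosmf/data/home/izusvr') +
          PROGRAM('/bin/sh')) NOPASSWORD NOOIDCARD
  /* Guest ID is protected and RESTRICTED: UACC, ID(*) and global */
  /* access table entries never grant it access by accident.      */
  ADDUSER IZUGUEST NAME('ZOSMF GUEST') DFLTGRP(IZUUNGRP) +
          OMVS(UID(9011)) NOPASSWORD NOOIDCARD RESTRICTED
  /* STARTED profiles: server, angel, and the IZUINSTP dependent */
  /* address space (IZUSVR for IZUINSTP is an assumption).        */
  RDEFINE STARTED IZUSVR1.* +
          STDATA(USER(IZUSVR) GROUP(IZUADMIN) TRACE(YES))
  RDEFINE STARTED IZUANG1.* +
          STDATA(USER(IZUSVR) GROUP(IZUADMIN) TRACE(YES))
  RDEFINE STARTED IZUINSTP.IZUINSTP +
          STDATA(USER(IZUSVR) GROUP(IZUADMIN) TRACE(YES))
  /* STARTED is RACLISTed, so the new profiles need a refresh */
  SETROPTS RACLIST(STARTED) REFRESH
  /* Verify what was defined */
  LISTGRP IZUADMIN OMVS
  LISTUSER IZUSVR OMVS
  LISTUSER IZUGUEST OMVS
  RLIST STARTED IZUSVR1.* STDATA
/*
```

The comment lines are indented so that `/*` never lands in columns 1 and 2, where it would end the in-stream data. TRACE(YES) on the STDATA segment makes RACF write a message to the operator when the started task is assigned its identity, which is a cheap way to confirm at the next START that the profile matched.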
Resource authorizations for the Security Configuration Assistant service
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
SERVER | BBG.SECCLASS.ACCTNUM | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the ACCTNUM class. |
SERVER | BBG.SECCLASS.APPL | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the APPL class. |
SERVER | BBG.SECCLASS.CSFSERV | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the CSFSERV class. |
SERVER | BBG.SECCLASS.EJBROLE | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the EJBROLE class. |
SERVER | BBG.SECCLASS.FACILITY | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the FACILITY class. |
SERVER | BBG.SECCLASS.JESSPOOL | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the JESSPOOL class. |
SERVER | BBG.SECCLASS.LOGSTRM | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the LOGSTRM class. |
SERVER | BBG.SECCLASS.OPERCMDS | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the OPERCMDS class. |
SERVER | BBG.SECCLASS.RDATALIB | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the RDATALIB class. |
SERVER | BBG.SECCLASS.SERVAUTH | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the SERVAUTH class. |
SERVER | BBG.SECCLASS.SERVER | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the SERVER class. |
SERVER | BBG.SECCLASS.STARTED | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the STARTED class. |
SERVER | BBG.SECCLASS.TSOAUTH | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the TSOAUTH class. |
SERVER | BBG.SECCLASS.TSOPROC | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the TSOPROC class. |
SERVER | BBG.SECCLASS.UNIXPRIV | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the UNIXPRIV class. |
SERVER | BBG.SECCLASS.ZMFAPLA | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the ZMFAPLA class. |
SERVER | BBG.SECCLASS.ZMFCLOUD | IZUSVR | READ | Grant the server permission to perform authorization checks against profiles in the ZMFCLOUD class. |
ZMFAPLA | <SAF-prefix>.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT | IZUADMIN | READ | Allow the user to access the Security Configuration Assistant task. See Table Notes 1 and 2. |
Table Notes:
1. User authorizations to functions, tasks, and links are controlled through the system authorization facility (SAF) profile prefix. By default, the SAF prefix is IZUDFLT.
2. Users require READ access to at least the profile <SAF-prefix>.ZOSMF to do work in z/OSMF. Without this authorization, the user is treated as an authenticated guest. That is, the user can log in to z/OSMF and display the Welcome page, but cannot access the z/OSMF functions and tasks.
Resource authorizations for the z/OSMF core functions
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
ACCTNUM | IZUACCT | IZUADMIN, IZUUSER | READ | Allows callers to access the account number that is used by the procedure for the z/OSMF REST interfaces. |
APPL | <SAF-prefix> | IZUADMIN, IZUGUEST, IZUUSER, IZUSECAD | READ | Allow access to the z/OSMF application domain. If there is no matching profile in the APPL class, RACF allows the user to access the application. |
CERT | DefaultzOSMFCert.<SAF-prefix> | Owned by the IZUSVR user ID | N/A | Needed for secure communications between the browser and the z/OSMF server. |
CERT | zOSMFCA | N/A | N/A | Certificate authority that is needed for secure communications between the browser and the z/OSMF server. |
CSFSERV | CSF* profiles | IZUSVR | READ | z/OS Integrated Cryptographic Service Facility (ICSF) callable services. If your installation uses hardware cryptography with ICSF, you must permit the z/OSMF server user ID to these services, as described in Resource authorizations for hardware cryptography. |
DATASET | your_stack_include_dataset | IZUSVR | ALTER | Allows the z/OSMF server to write to the configured include data sets when a network resource is provisioned or de-provisioned. There is one include data set per stack defined for IBM Cloud Provisioning. This definition is applicable only when your installation uses discrete or generic profiles to protect data set access. |
DATASET | your_stack_dynamic_update_dataset | IZUSVR | ALTER | Allows the z/OSMF server to write to the configured dynamic update data sets when a network resource is provisioned or de-provisioned. One dynamic update data set per stack can be defined for IBM Cloud Provisioning. This definition is applicable only when your installation uses discrete or generic profiles to protect data set access. |
EJBROLE | <SAF-prefix>.IzuManagementFacility.izuUsers | IZUADMIN, IZUUSER | READ | Allow the user to log on to z/OSMF and view the Welcome page. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityHelpApp.izuUsers | IZUADMIN, IZUUSER | READ | Allow the user to connect to the z/OSMF online help system. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityImportUtility.izuUsers | IZUADMIN, IZUUSER | READ | Allow the user to use the Import Manager task to import services, event types, event handlers, and links into z/OSMF. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityRestConsoles.izuUsers | IZUADMIN, IZUUSER | READ | Allow the user to connect to the z/OS console REST interface. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityRestFiles.izuUsers | IZUADMIN, IZUUSER | READ | Allow the user to connect to the z/OS data set and file REST interface. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityRestJobs.izuUsers | IZUADMIN, IZUUSER | READ | Allow the user to connect to the z/OS jobs REST interface. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityTsoServices.izuUsers | IZUADMIN | READ | Allow the user of the Operator Consoles task to start or reconnect to address spaces on other systems in the sysplex. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityWorkflow.izuUsers | IZUADMIN, IZUUSER, IZUSECAD | READ | Allow the user to connect to the Workflows task. |
EJBROLE | <SAF-prefix>.com.ibm.ws.management.security.resource.allAuthenticatedUsers | IZUADMIN, IZUUSER | READ | Allow the user to display information about the IBM Cloud Provisioning and Management for z/OS REST APIs. For more information about the REST services, see IBM z/OS Management Facility Programming Guide. |
FACILITY | BBG.SYNC.<SAF-prefix> | IZUSVR | CONTROL | Allow the z/OSMF server to synchronize any RunAs identity with the OS identity. |
FACILITY | BPX.CONSOLE | IZUSVR | READ | Allow the z/OSMF server to filter z/OS UNIX console messages. Specifically, this setting suppresses the BPXM023I message prefix from any write-to-operator (WTO) messages that z/OSMF writes to the console. |
FACILITY | BPX.WLMSERVER | IZUSVR | READ | Allows the z/OSMF server to use WLM functions to create and manage work requests. |
FACILITY | HWI.APPLNAME.HWISERV | IZUADMIN | READ | Grant the administrator group access to BCPii services. |
FACILITY | HWI.TARGET.<netid.nau> | IZUADMIN | READ | Allow the administrator to access the BCPii request type of CPC. |
FACILITY | HWI.TARGET.<netid.nau>.<imagename> | IZUADMIN | READ | Allow the administrator to access the BCPii request type of LPAR. |
FACILITY | IRR.DIGTCERT.LISTRING | IZUSVR | READ | Allow the started task user ID to list and get the certificate keyring. |
FACILITY | IRR.RUSERMAP | IZUSVR | READ | Allow the started task user ID to use the R_usermap service. This authorization is required for the z/OSMF notification function. The z/OSMF server uses the R_usermap service to determine the application user identity that is associated with a RACF user ID, or to determine the RACF user ID that is associated with an application user identity or digital certificate. |
KEYRING | IZUKeyring.<SAF-prefix> | IZUSVR | N/A | Needed for secure communications. |
OPERCMDS | MVS.MCSOPER.IZU@* | IZUADMIN, IZUUSER | READ | Allow the user to operate an extended MCS console. |
OPERCMDS | MVS.VARY.TCPIP.OBEYFILE | IZUSVR | CONTROL | Allows the z/OSMF server to issue the VARY TCPIP OBEYFILE command for IBM Cloud Provisioning. This definition is applicable only when your installation uses the OPERCMDS class to restrict access to the VARY TCPIP OBEYFILE command. |
OPERCMDS | MVS.MCSOPER.ZCDPLM* | IZUSVR | READ | Allows the z/OSMF server to issue various operator commands for IBM Cloud Provisioning. The console name for this extended MCS console is the text string ZCDPLM, followed by the MVS sysclone value of the system on which the z/OSMF instance runs. |
OPERCMDS | MVS.DISPLAY.XCF | IZUSVR | READ | Allows the z/OSMF server to issue the DISPLAY XCF operator command for IBM Cloud Provisioning. This definition is applicable only when your installation uses the OPERCMDS class to restrict access to the DISPLAY XCF operator command. |
OPERCMDS | MVS.ROUTE.CMD<sysname> | IZUSVR | READ | Allows the z/OSMF server to issue the ROUTE operator command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only if the installation uses this profile to restrict the use of the ROUTE command. |
SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUADMIN, IZUUSER | READ | Allow HTTP client applications on your z/OS system to start and manage TSO/E address spaces. |
SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUSVR | READ | Allow the z/OSMF server to start and manage TSO/E address space services. |
SERVAUTH | CEA.SIGNAL.ENF86 | IZUSVR (the z/OSMF started task user ID) | READ | Allow the z/OSMF server to access the CEA service that is responsible for signal event 86 across the sysplex. |
SERVAUTH | CEA.SIGNAL.ENF83 | IZUSVR | READ | Allow the z/OSMF server to use ENF83 to indicate its status to other systems in the sysplex. |
SERVAUTH | EZB.INITSTACK.sysname.tcpname | IZUSVR | READ | Allows the z/OSMF server to access the TCP/IP stack during TCP/IP initialization. This authorization is needed if the TCP/IP profile activates Application Transparent Transport Layer Security (AT-TLS). |
SERVAUTH | EZB.NETWORKUTILS.CLOUD.mvsname | IZUSVR | READ | Allows the z/OSMF started task user ID to issue operator commands for IBM Cloud Provisioning. mvsname is the name of the system on which the z/OSMF server is running. |
SERVAUTH | EZB.NETSTAT.<mvsname>.<tcpname> | IZUSVR | READ | Allows the z/OSMF started task user ID to issue the NETSTAT command. Otherwise, the z/OSMF server fails on initialization. This definition is applicable only when your installation has configured an AT-TLS policy. |
SERVAUTH | EZB.NETSTAT.<mvsname>.<tcpprocname>.CONFIG | IZUSVR | READ | Allows the Network Configuration Assistant task to issue the command NETSTAT CONFIG. This definition is applicable only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When this definition is applicable, IZUSVR must be authorized for each stack that is defined for IBM Cloud Provisioning and Management for z/OS. |
SERVAUTH | EZB.NETSTAT.<mvsname>.<tcpprocname>.VIPADCFG | IZUSVR | READ | Allows the z/OSMF started task user ID to issue the NETSTAT VIPADCFG command. This definition is applicable only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When this definition is applicable, the z/OSMF started task user ID must be authorized for each stack that is defined for IBM Cloud Provisioning. |
SERVER | BBG.ANGEL | IZUSVR | READ | Allow the z/OSMF server to access the angel process. |
SERVER | BBG.ANGEL.IZUANG1 | IZUSVR | READ | Allow the z/OSMF server to access the z/OSMF named angel process. |
SERVER | BBG.ANGEL.proc-name | IZUSVR | READ | Allows the z/OSMF server to use z/OS authorized services. |
SERVER | BBG.AUTHMOD.BBGZSAFM | IZUSVR | READ | Allow the z/OSMF server to access the SAF authorized registry. |
SERVER | BBG.AUTHMOD.BBGZSAFM.SAFCRED | IZUSVR | READ | Allow the z/OSMF server to access the SAF authorization services. |
SERVER | BBG.AUTHMOD.BBGZSAFM.TXRRS | IZUSVR | READ | Allow the z/OSMF server to access the transaction services. |
SERVER | BBG.AUTHMOD.BBGZSAFM.ZOSDUMP | IZUSVR | READ | Allow the z/OSMF server to access the SVC dump services. |
SERVER | BBG.AUTHMOD.BBGZSAFM.ZOSWLM | IZUSVR | READ | Allow the z/OSMF server to access the WLM services. |
SERVER | BBG.SECCLASS.ZMFAPLA | IZUSVR | READ | Allow the z/OSMF server to perform authorization checks against profiles in the ZMFAPLA class. |
SERVER | BBG.SECPFX.<SAF-prefix> | IZUSVR | READ | Allow the z/OSMF server to make authentication calls against the APPL ID. |
STARTED | IZUINSTP.IZUINSTP | IZUADMIN | N/A | Defines the started task for the z/OSMF dependent address space, which is used to determine whether z/OS UNIX and TCP/IP are available. The job name must be IZUINSTP. Otherwise, the z/OSMF dependent address space is not initialized during z/OSMF autostart processing. |
STARTED | IZUSVR1.jobname | IZUADMIN | N/A | Define the started task for the z/OSMF server process. |
STARTED | IZUANG1.jobname | IZUADMIN | N/A | Define the started task for the z/OSMF angel process. |
TSOAUTH | CONSOLE | IZUADMIN, IZUUSER | READ | Allow the user to issue the TSO/E CONSOLE command to activate the extended MCS console. |
TSOPROC | IZUFPROC | IZUADMIN, IZUUSER | READ | Allows callers to access the procedure for the z/OSMF REST interfaces. |
ZMFAPLA | <SAF-prefix>.ZOSMF | IZUADMIN, IZUGUEST, IZUUSER, IZUSECAD | READ | Designates the user as a z/OSMF user, rather than an unauthenticated guest user. This authorization is the minimum requirement for allowing a user to do more than log in to z/OSMF and view the Welcome page. Without this authorization, the logged-in user is treated as an authenticated guest. Use the other ZMFAPLA resource names that follow in this table to create specific controls for each core function and task. See Table Notes 1 and 2. |
ZMFAPLA | <SAF-prefix>.ZOSMF.GENERAL.SETTINGS | IZUADMIN | READ | Allow the user to access the Task Settings task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.APPLINKING | IZUADMIN | READ | Allow the user to access the Application Linking Manager task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.DIAGNOSTIC_ASSISTANT | IZUADMIN | READ | Allow the user to access the z/OSMF Diagnostic Assistant task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.IMPORTMANAGER | IZUADMIN | READ | Allow the user to access the Import Manager task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.LINKSTASK | IZUADMIN | READ | Allow the user to access the Links task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.LOGGER | IZUADMIN | READ | Allow the user to manage the settings that control the behavior and content of the z/OSMF logs. This capability is used only in service situations. |
ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT | IZUADMIN | READ | Allow the user to manage the settings that control the behavior of the user interface (UI) portion of z/OSMF logging. This capability is used only in service situations. |
ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.USAGESTATISTICS | IZUADMIN | READ | Allow the user to collect usage statistics about z/OSMF. |
ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.linkName | IZUADMIN, IZUUSER | READ | Allow the user to view an installation-specified link. See Table Notes 3 and 4. |
ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.SHOPZSERIES | IZUADMIN, IZUUSER | READ | Allow the user to view the ShopzSeries web site link. |
ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.SUPPORT_FOR_Z_OS | IZUADMIN, IZUUSER | READ | Allow the user to view the Support for z/OS web site link. |
ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.SYSTEM_Z_REDBOOKS | IZUADMIN, IZUUSER | READ | Allow the user to view the IBM Redbooks® web site link. |
ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.WSC_FLASHES_TECHDOCS | IZUADMIN, IZUUSER | READ | Allow the user to view the WSC Flashes and Techdocs web site link. |
ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.Z_OS_BASICS_INFORMATION_CENTER | IZUADMIN, IZUUSER | READ | Allow the user to view the z/OS Basic Skills Information Center web site link. |
ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.Z_OS_HOME_PAGE | IZUADMIN, IZUUSER | READ | Allow the user to view the z/OS Home Page web site link. |
ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.Z_OS_INTERNET_LIBRARY | IZUADMIN, IZUUSER | READ | Allow the user to view the z/OS Library web site link. |
ZMFAPLA | <SAF-prefix>.ZOSMF.NOTIFICATION.MODIFY | IZUADMIN, IZUUSER | READ | Allow the user to compose a notification. |
ZMFAPLA | <SAF-prefix>.ZOSMF.NOTIFICATION.SETTINGS | IZUADMIN, IZUUSER | READ | Allow the user to define an email account for receiving notifications from z/OSMF. This action is performed through the Notification Settings task of z/OSMF. |
ZMFAPLA | <SAF-prefix>.ZOSMF.NOTIFICATION.SETTINGS.ADMIN | IZUADMIN | READ | Allow the user to access the Notification Settings task of z/OSMF. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SEND.IBM.FEEDBACK | IZUADMIN, IZUUSER | READ | Allow the user to send feedback data to IBM by using the Provide IBM Feedback option in the z/OSMF desktop. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.FTP_SERVERS | IZUADMIN, IZUUSER | READ | Allow the user to access the FTP Servers task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.FTP_SERVERS.VIEW | IZUADMIN, IZUUSER | READ | Allow the user to access the FTP Servers task View function. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY | IZUADMIN | READ | Allow the user to access the FTP Servers task Modify function. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS | IZUADMIN, IZUUSER | READ | Allow the user to access the Systems task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS.AES.MODIFY | IZUADMIN | READ | Allow the user to enable or disable AES encryption for the LTPA password. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS.VIEW | IZUADMIN, IZUUSER | READ | Allow the user to access the Systems task View function. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS.MODIFY | IZUADMIN | READ | Allow the user to access the Systems task Modify function. |
ZMFAPLA | <SAF-prefix>.ZOSMF.VARIABLES.SYSTEM.ADMIN | IZUADMIN | READ | Allows the user to access the system variables in the Systems task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.ADMIN | IZUADMIN | READ | Allow the user to change the assigned owner of a workflow. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.EDITOR | IZUADMIN, IZUUSER | READ | Allow the user to access the Workflow Editor task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.RUNASUSER | IZUUSER | READ | Allow the user to be defined as the runAsUser ID in a workflow instance that does not originate from z/OS Management Services Catalog or IBM Cloud Provisioning and Management for z/OS. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.SIGNER | IZUADMIN | READ | Allow the user to be granted the runAsUser step signer role. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.WORKFLOWS | IZUADMIN, IZUSECAD, IZUUSER | READ | Allow the user to access the z/OSMF Workflows task. See Table Note 5. |
Table Notes:
1. User authorizations to functions, tasks, and links are controlled through the system authorization facility (SAF) profile prefix. By default, the SAF prefix is IZUDFLT.
2. Users require READ access to at least the profile <SAF-prefix>.ZOSMF to do work in z/OSMF. Without this authorization, the user is treated as an authenticated guest. That is, the user can log in to z/OSMF and display the Welcome page, but cannot access the z/OSMF functions and tasks.
3. In a default z/OSMF configuration, all users are granted authority to all links through a generic (wildcarded) profile: <SAF-prefix>.ZOSMF.LINK.**
4. You must provide a SAF resource name prefix for any links that you add to z/OSMF. You can control access to specific links by specifying a unique resource name for the link, for example, by including the link name as part of the resource name, such as IZUDFLT.ZOSMF.LINK.mylink. For more information about defining links to z/OSMF, see Adding links to z/OSMF.
5. A user with access to the Workflows task can access any of the workflows that are displayed in the Workflows task. By default, the z/OSMF-defined security groups IZUADMIN, IZUSECAD, and IZUUSER have access to the Workflows task.
6. If your installation uses hardware cryptography with z/OS Integrated Cryptographic Service Facility (ICSF), be aware that services such as CSFRNGL, CSFDSV, CSFOWH, CSFIQF, and others, might be protected through profiles that are established in your external security manager, such as RACF. In some cases, z/OSMF uses these services; therefore, you must permit the z/OSMF started task user ID to these profiles. For more information, see Resource authorizations for hardware cryptography.
7. All z/OSMF users must have a TSO segment that is defined in your installation's security database. Without a TSO segment, some z/OSMF functions do not work.
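How Table Notes 2 through 4 look as RACF definitions, written out as an added example (this is not the page's or IBM's sample job): the base <SAF-prefix>.ZOSMF profile that turns a logged-in user from an authenticated guest into a z/OSMF user, the generic profile that opens every link, and a discrete profile that closes one link to administrators only, followed by the RLIST and LISTUSER checks that show what RACF will actually use. The SAF prefix is the default IZUDFLT; the link name MYLINK, the job name, and the user ID USER01 are hypothetical.

```jcl
//IZUXAPLA JOB (ACCT),'ZMFAPLA PROFILES',CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID
//* Added example: ZMFAPLA profiles for the base z/OSMF resource and
//* for links, using the default SAF prefix IZUDFLT. MYLINK and USER01
//* are hypothetical names.
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Generic profiles must be enabled for the class before ** is used */
  SETROPTS CLASSACT(ZMFAPLA) GENERIC(ZMFAPLA) RACLIST(ZMFAPLA)
  /* Table Note 2: without READ here a logged-in user is only a guest */
  RDEFINE ZMFAPLA IZUDFLT.ZOSMF UACC(NONE)
  PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) +
         ID(IZUADMIN IZUGUEST IZUUSER IZUSECAD) ACCESS(READ)
  /* Table Note 3: the default generic profile opens every link */
  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.** UACC(NONE)
  PERMIT IZUDFLT.ZOSMF.LINK.** CLASS(ZMFAPLA) ID(IZUADMIN IZUUSER) +
         ACCESS(READ)
  /* Table Note 4: a discrete profile is more specific than the */
  /* generic one, so RACF checks it instead for this one link.  */
  RDEFINE ZMFAPLA IZUDFLT.ZOSMF.LINK.MYLINK UACC(NONE)
  PERMIT IZUDFLT.ZOSMF.LINK.MYLINK CLASS(ZMFAPLA) ID(IZUADMIN) +
         ACCESS(READ)
  /* RACLISTed class: the changes are not used until refreshed */
  SETROPTS RACLIST(ZMFAPLA) REFRESH
  /* Which profile covers the link, and who is on its access list */
  RLIST ZMFAPLA IZUDFLT.ZOSMF.LINK.MYLINK AUTHUSER
  RLIST ZMFAPLA IZUDFLT.ZOSMF.LINK.** AUTHUSER
  RLIST ZMFAPLA IZUDFLT.ZOSMF AUTHUSER
  /* Table Note 7: a z/OSMF user also needs a TSO segment */
  LISTUSER USER01 TSO
/*
```

The point of the MYLINK profile is the ordering rule: RACF selects the most specific profile that matches the resource name, so IZUUSER members keep READ through IZUDFLT.ZOSMF.LINK.** for every other link but get NONE on IZUDFLT.ZOSMF.LINK.MYLINK. The RLIST output names the profile RACF found, so if the discrete profile does not appear there, the generic profile is still the one being applied, which usually means the refresh was skipped or the name does not match what the Links task registered.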
Resource authorizations for hardware compression
If the z/OSMF server user ID is not permitted to the FPZ.ACCELERATOR.COMPRESSION profile, a RACF access violation like the following is recorded (the message shown is from an installation whose server user ID is IZUSVRU):
    XAT1 IZUSVRU IZUSVR1 RACF ACCESS violation for IZUSVRU:
    (READ,NONE) on FACILITY FPZ.ACCELERATOR.COMPRESSION
You can ignore the message. If you want the server to use zEDC, grant the READ access that is shown in the following table.
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
FACILITY | FPZ.ACCELERATOR.COMPRESSION | IZUSVR | READ | Enable the z/OSMF server to run with IBM zEnterprise Data Compression (zEDC). |
Resource authorizations for hardware cryptography
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
CSFSERV | CSFIQF | IZUSVR | READ | ICSF query facility callable service. |
CSFSERV | CSFENC | IZUSVR | READ | Encipher callable service. |
CSFSERV | CSFCVE | IZUSVR | READ | Cryptographic variable encipher callable service. |
CSFSERV | CSFDEC | IZUSVR | READ | Decipher callable service. |
CSFSERV | CSFSAE | IZUSVR | READ | Symmetric algorithm encipher callable service. |
CSFSERV | CSFSAD | IZUSVR | READ | Symmetric algorithm decipher callable service. |
CSFSERV | CSFOWH | IZUSVR | READ | One-way hash generate callable service. |
CSFSERV | CSFRNG | IZUSVR | READ | Random number generate callable service. |
CSFSERV | CSFRNGL | IZUSVR | READ | Random number generate long callable service. |
CSFSERV | CSFPKG | IZUSVR | READ | PKA key generate callable service. |
CSFSERV | CSFDSG | IZUSVR | READ | Digital signature generate service. |
CSFSERV | CSFDSV | IZUSVR | READ | Digital signature verify callable service. |
CSFSERV | CSFPKT | IZUSVR | READ | PKA key translate callable service. |
CSFSERV | CSFRKL | IZUSVR | READ | Retained key list callable service. |
CSFSERV | CSFPKX | IZUSVR | READ | PKA Public Key Extract callable service. |
CSFSERV | CSFPKE | IZUSVR | READ | PKA encrypt callable service. |
CSFSERV | CSFPKD | IZUSVR | READ | PKA decrypt callable service. |
CSFSERV | CSFPKI | IZUSVR | READ | PKA key import callable service. |
CSFSERV | CSFCKM | IZUSVR | READ | Multiple clear key import callable service. |
CSFSERV | CSFKGN | IZUSVR | READ | Key generate callable service. |
CSFSERV | CSFEDH | IZUSVR | READ | ECC Diffie-Hellman callable service. |
Resource authorizations for Common Information Model
If your z/OSMF configuration includes tasks that use the Common Information Model (CIM) server on the host z/OS system, users of those services require the proper level of access to CIM server resources. The following z/OSMF services use the CIM server:
- Capacity Provisioning
- Incident Log
- Workload Management
- The asynchronous job notifications function of z/OSMF, which is described in Configuring your system for asynchronous job notifications.
CIM includes the CFZSEC job to help you create these authorizations. See the topic on CIM server quick setup and verification in z/OS Common Information Model User's Guide. IBM supplies the CFZSEC job in SYS1.SAMPLIB. If your installation does not plan to run the CFZSEC job, ensure that z/OSMF users, and, if you are configuring the Workload Management service, the z/OSMF server user ID, have UPDATE access to the CIMSERV profile in the WBEM class. If necessary, refresh the WBEM class.
For more information about CIM authorization requirements, see Configuring the CIM server for your system.
Group | Purpose | Default group ID (GID) | Created by |
---|---|---|---|
CFZADMGP | Security group for the CIM administrator role. | 9502 | Member CFZSEC in SYS1.SAMPLIB. |
CFZUSRGP | Security group for the CIM user role. This group grants a user access to all resources that are managed through CIM. Depending on how granular you want to control user access to CIM, your installation might have created more groups to allow access to only a subset of resources that are managed through CIM. | 9503 | Member CFZSEC in SYS1.SAMPLIB. |
With the IZUAUTH job, your security administrator can supply the names of the CIM groups, based on your selection of optional services. These values include the names of the CIM administrators group (by default, CFZADMGP) and the CIM users group (by default, CFZUSRGP). The IZUAUTH job contains commands for connecting users to the groups and therefore requires those groups to exist.
Resource authorizations for Capacity Provisioning Manager
If your z/OSMF configuration includes the Capacity Provisioning service, users of the service must be defined and authorized for all resources that are accessed by the Provisioning Manager. IBM provides the CPOSEC1 and CPOSEC2 jobs in SYS1.SAMPLIB to help you create these authorizations when you set up a Capacity Provisioning domain. For more information, see the topic on setting up a Capacity Provisioning domain in z/OS MVS Capacity Provisioning User's Guide.
Provisioning Manager setting | Default value |
---|---|
Domain name | DOMAIN1 |
Started task procedure name | CPOSERV |
High-level qualifier for runtime data set | CPO |
Provisioning Manager user | CPOSRV |
With the IZUCPSEC job, your security administrator can supply the names of the security groups that your installation created for authorizing users to the Provisioning Manager on your system. The IZUAUTH job contains commands for connecting users to the groups and therefore requires those groups to exist.
Group | Purpose | Default group ID (GID) | Created by |
---|---|---|---|
CPOCTRL | Security group for users of the Capacity Provisioning task Edit function. | None; your installation must specify a GID for this group. | Member CPOSEC1 in SYS1.SAMPLIB. |
CPOQUERY | Security group for users of the Capacity Provisioning task View function. | None; your installation must specify a GID for this group. | Member CPOSEC1 in SYS1.SAMPLIB. |
Resource authorizations for common event adapter (CEA)
If your z/OSMF configuration includes tasks that use the common event adapter (CEA) component on the z/OS host system, users of the services require the proper level of access to CEA resources. IBM provides the CEASEC job in SYS1.SAMPLIB to help you create these authorizations. The following z/OSMF services use CEA:
- Incident Log
- ISPF
- Sysplex Management
CEA has security profiles in the SERVAUTH class for protecting different portions of its processing. When you run the IZUILSEC job, you permit the z/OSMF groups to the CEA resources.
For more information, see the topic on customizing for CEA in z/OS Planning for Installation.
Resource authorizations for the z/OS compliance REST interface
In z/OS V2R4 and later, the process of collecting compliance data is assisted with the introduction of SMF type 1154. This record type is used to collect system settings and other forms of compliance data. On receiving an event notification facility (ENF) code 86 signal from the z/OS compliance REST interface, selected z/OS components and products collect and write compliance data to their associated SMF 1154 subtype records.
For more information about SMF record type 1154 and its associated mapping macros and subtypes, see z/OS MVS System Management Facilities (SMF).
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuManagementFacilityRestCompliance.izuUsers | IZUADMIN IZUUSER | READ | Allows callers to connect to the z/OS compliance REST interface. |
SERVAUTH | CEA.SIGNAL.ENF86 | IZUSVR started task ID | READ | Allows callers to access the CEA service that is responsible for signal event 86 across the sysplex. |
Resource authorizations for the z/OS console REST interface
The authorizations in this section apply to the following z/OSMF services:
- z/OS console REST interface
- z/OS Operator Consoles
- IBM Cloud Provisioning and Management for z/OS, when using templates that issue operator commands or check for unsolicited command responses.
- Storage management services, when activating an SCDS or getting an SCDS activation result.
Users of these services require the following authorizations:
- READ access to the MVS.MCSOPER.consolename resource in the OPERCMDS class, where consolename is the name of the EMCS console that is used to issue the command.
- READ access to the CONSOLE resource in the TSOAUTH class.
- READ access to the <SAF_PREFIX>.IzuManagementFacilityRestConsoles.izuUsers resource in the EJBROLE class, or READ access to the <SAF_PREFIX>.*.izuUsers profile in the EJBROLE class.
- READ access to the resource account in the ACCTNUM class, where account is the value that is specified in the COMMON_TSO ACCT option in parmlib member IZUPRMxx.
- READ access to the resource CEA.CEATSO.TSOREQUEST in the SERVAUTH class.
- READ access to the resource proc in the TSOPROC class, where proc is the value that is specified with the COMMON_TSO PROC option in parmlib member IZUPRMxx.
Also, the z/OSMF started task user ID, which is IZUSVR by default, requires READ access to the resource CEA.CEATSO.TSOREQUEST in the SERVAUTH class.
Ensure that your COMMON_TSO settings in IZUPRMxx are configured before the z/OS console REST interface is used. Otherwise, the following default values are used:
COMMON_TSO ACCT(IZUACCT) REGION(50000) PROC(IZUFPROC)
The attributes of the EMCS console that is started by z/OSMF are controlled by the OPERPARM settings of the user profile <consolename>. Thus, for example, if a user wants the z/OS Operator Consoles task to create a console named console1, a user profile named console1 must exist and contain an OPERPARM segment with the appropriate settings.
Most IBM Cloud Provisioning and Management for z/OS templates use the defcn Console REST API endpoint, which expects a predefined console name. The convention is to use userid plus "CN", where the value for userid is truncated to the first six characters. For example, if the user ID is IBMUSER, the defcn value is expected to be IBMUSECN.
The OPERPARM segment includes the following attributes:
- AUTH: Specifies the command authority for the console.
- ROUTCODE: Specifies the routing codes for the console, which affect which messages the console can receive. The default value is NONE, which prevents the console from receiving any messages.
- MSCOPE: Specifies the system message scope in the sysplex.
For more information about setting these attributes, see the commented sections in SAMPLIB jobs IZUGCSEC and IZUPRSEC. For information about creating OPERPARM segments for users, see z/OS MVS Planning: Operations.
In addition to the local system (the system on which z/OSMF is installed), users can enter system commands on other systems in the sysplex. To do so, users require READ access to the resource MVS.ROUTE.CMD.<sysname> in the OPERCMDS class.
- To retrieve messages from OPERLOG, users require READ access to the resource SYSPLEX.OPERLOG in the LOGSTRM class.
- To retrieve messages from SYSLOG, users require READ access to the resource node-id.+MASTER+.SYSLOG.*.* in the JESSPOOL class, where node-id is the NJE node ID of the JES2 or JES3 subsystem.
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
N/A | User profile <consolename> with the appropriate OPERPARM segment. | N/A | N/A | The attributes of the EMCS console that is started by the z/OS Operator Consoles task are controlled by the OPERPARM setting of user profile <consolename>. The setting of OPERPARM can restrict which messages are received by the EMCS console and limit the commands that the EMCS console can issue. |
ACCTNUM | IZUACCT | Users of the z/OS console services REST interface. | READ | Allow the user to access the account number for the procedure for the z/OS console services. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityRestConsoles.izuUsers | Users of the services listed at the start of this section. | READ | Allow the user to use the z/OS console services to issue operator commands. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityTsoServices.izuUsers | IZUADMIN | READ | Allow the user of the Operator Consoles task to start or reconnect to address spaces on other systems in the sysplex. |
JESSPOOL | node-id.+MASTER+.SYSLOG.*.* | Users of the z/OS Operator Consoles task. | READ | Allows the user to retrieve messages from SYSLOG by using the z/OS Operator Consoles task. node-id is the NJE node ID of the JES2 or JES3 subsystem. |
LOGSTRM | SYSPLEX.OPERLOG | Users of the z/OS Operator Consoles task. | READ | Allows the user to retrieve messages from OPERLOG by using the z/OS Operator Consoles task. |
OPERCMDS | MVS.MCSOPER.consolename | Users of the z/OS console services REST interface. | READ | Allow the user to operate the specified extended MCS console. |
OPERCMDS | MVS.ROUTE.CMD.<sysname> | Users of the z/OS Operator Consoles task. | READ | Allows the user to use the ROUTE command to route commands to another system in sysplex, which is indicated by sysname. Otherwise, the user is limited to entering commands on the local system (the system on which z/OSMF is installed). |
SERVAUTH | CEA.CEATSO.TSOREQUEST | Users of the z/OS console services REST interface. | READ | Allow the user to access the CEA TSO/E address space services. This setting allows HTTP client applications on your z/OS system to start and manage TSO/E address spaces. |
SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUSVR | READ | Allows the z/OSMF server to access the CEA TSO/E address space services. This setting allows the z/OSMF server to start and manage TSO/E address space services. |
TSOAUTH | CONSOLE | Users of the z/OS console services REST interface. | READ | Allow the user to issue the TSO/E CONSOLE command to activate the extended MCS console. |
TSOPROC | IZUFPROC | IZUADMIN IZUUSER | READ | Allow the user to access the procedure for the z/OS console services. |
ZMFAPLA | <SAF-prefix>.ZOSMF.CONSOLES.ZOSOPER | Users of the z/OS Operator Consoles task. | READ | Allows the user to view and access the z/OS Operator Consoles task in the z/OSMF desktop interface. |
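The requirements above are easiest to audit when they are written down as the RACF commands that implement them. The following Python script is an added example, not part of the IBM documentation or of the IZUxxSEC sample jobs: it turns the SAF prefix, the COMMON_TSO ACCT and PROC values from IZUPRMxx, the EMCS console name and, optionally, a system name and NJE node ID into the RDEFINE, PERMIT and SETROPTS commands that grant the READ access listed in the table, and it also implements the defcn console naming convention (first six characters of the user ID plus "CN"). Assumptions: IZUDFLT is used as the SAF prefix (the z/OSMF default), and RACLISTED_CLASSES names the classes that this example refreshes; adjust it to match the classes your installation actually RACLISTs.

```python
"""RACF commands for the z/OS console REST interface authorizations (added example).

Encodes the table in this section. Assumptions: IZUDFLT is the z/OSMF default SAF
prefix; RACLISTED_CLASSES is the set of classes this example refreshes after
defining profiles and must match the installation's SETROPTS RACLIST settings.
"""

DEFAULT_SAF_PREFIX = "IZUDFLT"
ZOSMF_USER_GROUPS = ("IZUADMIN", "IZUUSER")
ZOSMF_SERVER_ID = "IZUSVR"
# Assumption: these classes are RACLISTed and need a refresh for new profiles
# to take effect. JESSPOOL and LOGSTRM are deliberately left out; whether they
# are RACLISTed is installation-specific.
RACLISTED_CLASSES = ("ACCTNUM", "EJBROLE", "OPERCMDS", "SERVAUTH", "TSOAUTH", "TSOPROC")


def defcn_console_name(userid):
    """Console name the defcn endpoint expects: first six characters of the
    user ID followed by "CN" (IBMUSER -> IBMUSECN)."""
    return userid.upper()[:6] + "CN"


def console_rest_requirements(saf_prefix=DEFAULT_SAF_PREFIX, account="IZUACCT",
                              proc="IZUFPROC", console="IBMUSECN",
                              sysname=None, operlog=False, node_id=None):
    """Return (class, resource, ids, access) tuples for the table above.

    sysname adds the MVS.ROUTE.CMD profile for commands routed to another
    system; operlog and node_id add the OPERLOG and SYSLOG retrieval profiles.
    """
    users = ZOSMF_USER_GROUPS
    rows = [
        ("EJBROLE", f"{saf_prefix}.IzuManagementFacilityRestConsoles.izuUsers", users, "READ"),
        ("ACCTNUM", account, users, "READ"),
        ("TSOPROC", proc, users, "READ"),
        ("TSOAUTH", "CONSOLE", users, "READ"),
        ("OPERCMDS", f"MVS.MCSOPER.{console}", users, "READ"),
        # Both the callers and the z/OSMF server need the CEA TSO/E services.
        ("SERVAUTH", "CEA.CEATSO.TSOREQUEST", (*users, ZOSMF_SERVER_ID), "READ"),
    ]
    if sysname:
        rows.append(("OPERCMDS", f"MVS.ROUTE.CMD.{sysname}", users, "READ"))
    if operlog:
        rows.append(("LOGSTRM", "SYSPLEX.OPERLOG", users, "READ"))
    if node_id:
        # Generic profile: SETROPTS GENERIC(JESSPOOL) must already be in effect.
        rows.append(("JESSPOOL", f"{node_id}.+MASTER+.SYSLOG.*.*", users, "READ"))
    return rows


def racf_commands(rows):
    """Turn requirement tuples into RACF TSO commands. UACC(NONE) on every
    profile keeps the default deny; only the listed IDs get READ."""
    cmds = []
    for cls, resource, ids, access in rows:
        cmds.append(f"RDEFINE {cls} {resource} UACC(NONE)")
        for user_or_group in ids:
            cmds.append(f"PERMIT {resource} CLASS({cls}) ID({user_or_group}) ACCESS({access})")
    for cls in sorted({cls for cls, *_ in rows if cls in RACLISTED_CLASSES}):
        cmds.append(f"SETROPTS RACLIST({cls}) REFRESH")
    return cmds


if __name__ == "__main__":
    # Constructed sample: user IBMUSER, remote system SYS2, NJE node N1.
    console = defcn_console_name("IBMUSER")
    rows = console_rest_requirements(console=console, sysname="SYS2",
                                     operlog=True, node_id="N1")
    for cmd in racf_commands(rows):
        print(cmd)
```

The generated list is a checklist to compare against the output of RLIST for each class; a PERMIT that is present for a console name other than the one the task actually creates, or an EJBROLE profile without the installation's SAF prefix, is the usual reason the REST interface returns an authorization failure.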
Resource authorizations for the z/OS data set and file REST interface
For more information about the z/OS data set and file REST interface services, see IBM z/OS Management Facility Programming Guide.
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
ACCTNUM | IZUACCT | IZUADMIN IZUUSER | READ | Allows callers to access the account number that is used for the procedure for the z/OS data set and file REST interface services. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityRestFiles.izuUsers | IZUADMIN IZUUSER | READ | Allows callers to connect to the z/OS data set and file REST interface. |
SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUADMIN IZUUSER | READ | Allows callers to access the CEA TSO/E address space services. This setting allows HTTP client applications on your z/OS system to start and manage TSO/E address spaces. |
SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUSVR | READ | Allows the z/OSMF server to access the CEA TSO/E address space services. This setting allows the z/OSMF server to start and manage TSO/E address space services. |
TSOPROC | IZUFPROC | IZUADMIN IZUUSER | READ | Allows callers to access the procedure for the z/OS data set and file REST interface services. |
Resource authorizations for the z/OS jobs REST interface
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
SERVAUTH | CEA.CONNECT | CFZSRV | READ | If your installation uses the z/OS jobs REST interface, this setting is needed for interactions with the common event adapter (CEA) component. |
SERVAUTH | CEA.SUBSCRIBE.* | CFZSRV | READ | If your installation uses the z/OS jobs REST interface, this setting allows HTTP client applications on your z/OS system to receive asynchronous job notifications. |
SERVAUTH | CEA.SUBSCRIBE.ENF_0078* | CFZSRV | READ | If your installation uses the z/OS jobs REST interface, this setting allows HTTP client applications on your z/OS system to receive asynchronous job notifications. |
Operation | JESJOBS resource | Access required |
---|---|---|
Hold a job | HOLD.nodename.userid.jobname | UPDATE |
Release a job | RELEASE.nodename.userid.jobname | UPDATE |
Change the job class | MODIFY.nodename.userid.jobname | UPDATE |
Cancel a job | CANCEL.nodename.userid.jobname | ALTER |
Delete a job (cancel a job and purge its output) | CANCEL.nodename.userid.jobname | ALTER |
For more information about the z/OS jobs REST interface services, see IBM z/OS Management Facility Programming Guide.
If run asynchronously, the z/OS jobs REST interface services also require that the caller’s user ID is authorized to the CIM server and permitted to the JES2-JES3Jobs CIM provider. CIM includes jobs (CFZSEC and CFZRCUST) to help you configure the CIM server, including security authorizations and file system customization. For more information, see the topic on CIM server quick setup and verification in z/OS Common Information Model User's Guide. IBM supplies the CFZSEC job in SYS1.SAMPLIB.
Resource authorizations for the Capacity Provisioning service
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuManagementFacilityCapacityProvisioning.izuUsers | IZUADMIN IZUUSER | READ | Allow the user to connect to the Capacity Provisioning task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.EDIT | IZUADMIN | READ | Allow the user to display and access the Capacity Provisioning task Edit function. |
ZMFAPLA | <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.EDIT.DOMAIN | IZUADMIN | READ | Allow the user to use the Capacity Provisioning task Edit function to edit a Capacity Provisioning domain. |
ZMFAPLA | <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.EDIT.POLICY | IZUADMIN | READ | Allow the user to use the Capacity Provisioning task Edit function to edit a Capacity Provisioning policy. |
ZMFAPLA | <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.VIEW | IZUADMIN IZUUSER | READ | Allow the user to access the Capacity Provisioning task View function. |
- The Capacity Provisioning service requires the CIM server; thus, you must also create the authorizations that are described in Resource authorizations for Common Information Model.
- Users of the Capacity Provisioning service must be authorized for resources that are accessed by the Provisioning Manager. IBM provides the CPOSEC1 and CPOSEC2 jobs in SYS1.SAMPLIB to help you create these authorizations. For more information, see the topic on setting up a Capacity Provisioning domain in z/OS MVS Capacity Provisioning User's Guide.
Resource authorizations for the Network Configuration Assistant service
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuConfigurationAssistant.izuUsers | IZUADMIN IZUUSER | READ | Allow the user to connect to the Network Configuration Assistant task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.CONFIGURATION_ASSISTANT.CONFIGURATION_ASSISTANT | IZUADMIN IZUUSER | READ | Allow the user to access the Network Configuration Assistant task. |
Resource authorizations for the Incident Log service
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
ALIAS | CEA | N/A | N/A | If your installation has a user catalog set-up instead of using the master catalog, you might need to define CEA alias to the user catalog. |
DATASET | CEA.* | IZUADMIN IZUUSER | ALTER | Allow the user to create data sets with the CEA high-level qualifier (HLQ). |
DATASET | your_master_catalog | IZUADMIN IZUUSER | UPDATE | If your installation has a master catalog setup, you might need to permit a user to the master catalog data set class. |
EJBROLE | <SAF-prefix>.IzuManagementFacilityIncidentLog.izuUsers | IZUADMIN IZUUSER | READ | Allow the user to connect to the Incident Log task. |
JESSPOOL | node-id.+MASTER+.SYSLOG.*.* | CEA | READ | If your installation is using the system log (SYSLOG) as the source for diagnostic log snapshots, the CEA user ID requires READ access to the JESSPOOL class. This authorization allows the JES subsystem to access SYSLOG on behalf of the common event adapter (CEA) component. node-id is the NJE node ID of the JES2 or JES3 subsystem. |
SERVAUTH | CEA.CEADOCONSOLECMD | IZUADMIN IZUUSER | READ | Allow the calling program to issue operator commands to accomplish its function. |
SERVAUTH | CEA.CEADOCMD | IZUADMIN IZUUSER | READ | Allow the user to cancel the FTP job. |
SERVAUTH | CEA.CEAGETPS | IZUADMIN IZUUSER | READ | Allow the user to obtain information about the FTP job. |
SERVAUTH | CEA.CEAPDWB.CEACHECKSTATUS | IZUADMIN IZUUSER | READ | Allow the user to check status and return incident information. |
SERVAUTH | CEA.CEAPDWB.CEADELETEINCIDENT | IZUADMIN IZUUSER | READ | Allow the user to delete selected incidents, including the dumps, all diagnostic snapshot files, and the corresponding sysplex dump directory entry. |
SERVAUTH | CEA.CEAPDWB.CEAGETINCIDENT | IZUADMIN IZUUSER | READ | Allow the user to obtain data that is associated with a specific incident. |
SERVAUTH | CEA.CEAPDWB.CEAGETINCIDENTCOLLECTION | IZUADMIN IZUUSER | READ | Allow the user to obtain a collection of incident data for all incidents that match a filter. |
SERVAUTH | CEA.CEAPDWB.CEAPREPAREINCIDENT | IZUADMIN IZUUSER | READ | Allow the user to prepare data for FTP (locate and compress/terse). |
SERVAUTH | CEA.CEAPDWB.CEASETINCIDENTINFO | IZUADMIN IZUUSER | READ | Allow the user to set information that is associated with the incident, such as the Notes field. |
SERVAUTH | CEA.CEAPDWB.CEASETPROBLEMTRACKINGNUMBER | IZUADMIN IZUUSER | READ | Allow the user to set a problem ID, such as a PMR number, or a problem management tracking ID. |
SERVAUTH | CEA.CEAPDWB.CEAUNSUPPRESSDUMP | IZUADMIN IZUUSER | READ | Allow the user to allow a dump that is marked for suppression through DAE to be taken. |
ZMFAPLA | <SAF-prefix>.ZOSMF.INCIDENT_LOG.INCIDENT_LOG | IZUADMIN IZUUSER | READ | Allow the user to access the Incident Log task. |
- The Incident Log service requires the CIM server; thus, you must also create the authorizations that are described in Resource authorizations for Common Information Model.
- Users of the Incident Log service must be authorized for resources that are accessed by the common event adapter (CEA) component of z/OS. IBM provides the CEASEC job in SYS1.SAMPLIB to help you create these authorizations. For more information, see Resource authorizations for common event adapter (CEA).
Resource authorizations for the ISPF service
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuManagementFacilityISPF.izuUsers | IZUADMIN IZUUSER | READ | Allow the user to connect to the ISPF task. |
SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUADMIN IZUUSER | READ | Allow the user to access the CEATSOREQUEST API so that the user's session can be managed through the ISPF task. |
SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUSVR | READ | Allow the z/OSMF server to access the CEATSOREQUEST API. |
ZMFAPLA | <SAF-prefix>.ZOSMF.ISPF.ISPF | IZUADMIN IZUUSER | READ | Allow the user to access the ISPF task. |
Resource authorizations for the Resource Monitoring service
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuManagementFacilityResourceMonitoring.izuUsers | IZUADMIN IZUUSER | READ | Allow the user to connect to the Resource Monitoring and System Status tasks. |
ZMFAPLA | <SAF-prefix>.ZOSMF.RESOURCE_MONITORING.PERFDESKS | IZUADMIN IZUUSER | READ | Allow the user to access the Resource Monitoring task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.RESOURCE_MONITORING.OVERVIEW | IZUADMIN IZUUSER | READ | Allow the user to access the System Status task. |
Resource authorizations for the Software Deployment service
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuManagementFacilitySoftwareDeployment.izuUsers | IZUADMIN IZUUSER | READ | Allow the user to connect to the Software Management task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT | IZUADMIN IZUUSER | READ | Allow the user to access the Software Management task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.DATA.objectType.objectSuffix (for the possible values of objectType and objectSuffix, see Creating access controls for the Software Management task) | IZUADMIN IZUUSER | CONTROL | Allow the user to access the Software Management task objects. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.PRODUCT_INFO_FILE.RETRIEVE | IZUADMIN | READ | Allow the user to access the Software Management task Product Information File Retrieve function. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.CATEGORIES.MODIFY | IZUADMIN | READ | Allow the user to add, copy, modify, or remove Software Management categories. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.SWUPDATE | IZUADMIN IZUUSER | READ | Allow the user to access the Software Update task. |
UNIXPRIV | SUPERUSER.FILESYS.MOUNT | IZUADMIN IZUUSER | UPDATE | Allow the user to create workflow instances from workflow definition files that reside in UNIX file systems that are not currently mounted. |
UNIXPRIV | SUPERUSER.FILESYS.USERMOUNT | IZUADMIN IZUUSER | READ | Allow the user to mount a temporary work space UNIX file system data set that is created and used by the Deployment Unzip job and the Export job. Note: The SUPERUSER.FILESYS.USERMOUNT and SUPERUSER.FILESYS.MOUNT resources are described at https://www.ibm.com/docs/en/zos/2.4.0?topic=security-using-unixpriv-class-profiles |
FACILITY | STGADMIN.ADR.COPY.INCAT, STGADMIN.ADR.DUMP.INCAT | IZUADMIN IZUUSER | READ | Allow the user access to the COPY and DUMP commands for program ADRDSSU. The COPY and DUMP commands are used by Deployment and Export JCL that is generated by Software Management. Note: INCAT is used only when source data sets are not cataloged in the current active catalog environment, which is an unlikely scenario. See Table Note 1. |
Table Note 1: If a resource profile is defined, then READ access is required. If a resource profile is not defined, then all users have access to that resource. More specifically:
- If a profile for a resource is not defined, then the user can use the resource.
- If a profile for a resource is defined and the user has at least READ access, then the user can use the resource.
- If a profile for a resource is defined and the user does not have at least READ access, then the user cannot use the resource.
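Two of the checks on this page are easy to get wrong when reviewing permissions: the JESJOBS table for the z/OS jobs REST interface distinguishes UPDATE (hold, release, change class) from ALTER (cancel, delete), so a group that holds UPDATE on a CANCEL profile cannot delete jobs, and Table Note 1 says that an undefined FACILITY STGADMIN.ADR profile opens the resource to everyone while a defined one requires READ. The following Python model is an added example, not IBM code: it encodes both rules as a small authorization checker. It simplifies RACF by matching profile names with shell-style wildcards, by choosing the profile with the most literal text as the most specific, and by taking the highest access found on the access list for the caller or any of its groups; the sample profiles, user IDs and node name are constructed for the example.

```python
"""Model of the JESJOBS operation checks and of Table Note 1 (added example).

Simplifications of RACF behaviour, labelled as assumptions: wildcards are
matched shell-style, the most specific profile is the one with the most literal
characters, and the highest access on the access list for the caller or its
groups wins. Access levels are ordered NONE < READ < UPDATE < CONTROL < ALTER.
"""
import fnmatch

ACCESS_ORDER = ("NONE", "READ", "UPDATE", "CONTROL", "ALTER")

# Operation -> (JESJOBS profile verb, access required), from the table above.
JESJOBS_OPERATIONS = {
    "hold": ("HOLD", "UPDATE"),
    "release": ("RELEASE", "UPDATE"),
    "change_class": ("MODIFY", "UPDATE"),
    "cancel": ("CANCEL", "ALTER"),
    "delete": ("CANCEL", "ALTER"),  # cancel plus purge of the job's output
}


def jesjobs_resource(operation, nodename, userid, jobname):
    """Build the JESJOBS resource name, e.g. CANCEL.N1.IBMUSER.MYJOB."""
    verb, _ = JESJOBS_OPERATIONS[operation]
    return f"{verb}.{nodename}.{userid}.{jobname}"


def _rank(level):
    return ACCESS_ORDER.index(level)


def _best_profile(profiles, resource):
    """Most specific profile covering the resource; None if no profile covers it."""
    matches = [p for p in profiles if fnmatch.fnmatchcase(resource, p)]
    return max(matches, key=lambda p: len(p.replace("*", "").replace("?", "")), default=None)


def check_access(profiles, resource, caller, groups, required, undefined_allows=False):
    """profiles: {name: {"uacc": level, "acl": {id: level}}}.

    undefined_allows=True models Table Note 1: when no profile covers the
    resource, every user can use it. With the default False an uncovered
    resource is treated as not permitted.
    """
    profile = _best_profile(profiles, resource)
    if profile is None:
        return undefined_allows
    entry = profiles[profile]
    granted = entry.get("uacc", "NONE")
    for subject in (caller, *groups):
        granted = max(granted, entry.get("acl", {}).get(subject, "NONE"), key=_rank)
    return _rank(granted) >= _rank(required)


# Constructed sample profiles (not from the page): node N1, job owner IBMUSER.
SAMPLE_JESJOBS = {
    "HOLD.N1.*.*": {"uacc": "NONE", "acl": {"IZUUSER": "UPDATE"}},
    "CANCEL.N1.IBMUSER.*": {"uacc": "NONE", "acl": {"IZUUSER": "UPDATE", "IZUADMIN": "ALTER"}},
}
SAMPLE_FACILITY = {
    # Only the COPY profile is defined; DUMP.INCAT is left undefined on purpose.
    "STGADMIN.ADR.COPY.INCAT": {"uacc": "NONE", "acl": {"IZUADMIN": "READ"}},
}


def can_run_job_operation(operation, nodename, userid, jobname, caller, groups,
                          profiles=SAMPLE_JESJOBS):
    """JESJOBS check for one jobs REST interface operation."""
    resource = jesjobs_resource(operation, nodename, userid, jobname)
    _, required = JESJOBS_OPERATIONS[operation]
    return check_access(profiles, resource, caller, groups, required)


def can_use_adrdssu_command(resource, caller, groups, profiles=SAMPLE_FACILITY):
    """FACILITY STGADMIN.ADR.* check as described in Table Note 1."""
    return check_access(profiles, resource, caller, groups, "READ", undefined_allows=True)


if __name__ == "__main__":
    print(can_run_job_operation("delete", "N1", "IBMUSER", "MYJOB", "USER1", ["IZUUSER"]))
    print(can_use_adrdssu_command("STGADMIN.ADR.DUMP.INCAT", "USER1", ["IZUUSER"]))
```

The two sample outcomes are the ones worth remembering: the IZUUSER group's UPDATE on the CANCEL profile is enough to hold or release but not to delete, and the undefined STGADMIN.ADR.DUMP.INCAT profile grants access to everyone, which is why defining the profile is the way to restrict the ADRDSSU DUMP command.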
Resource authorizations for the Sysplex Management service
The Sysplex Management service requires access to local resources on your z/OS system.
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuManagementFacilitySysplexManagement.izuUsers | IZUADMIN IZUUSER | READ | Allow the user to connect to the Sysplex Management task. |
FACILITY | MVSADMIN.XCF.CFRM | IZUADMIN | READ or UPDATE | Allow the user to use the CFRM Policy Editor to edit CFRM policies. Assign UPDATE access authority to users who must alter or maintain the policy. Assign READ access authority to users who can view the policy, but not change it. |
SERVAUTH | CEA.XCF.CDS | IZUADMIN IZUUSER | READ | Allow the user to access the couple data set for the Sysplex Management task. |
SERVAUTH | CEA.XCF.CF | IZUADMIN IZUUSER | READ | Allow the user to access the coupling facility for the Sysplex Management task. |
SERVAUTH | CEA.XCF.FLOW.<sysname> | IZUADMIN IZUUSER | READ | Allow the user to access the sysplex resources on remote systems for the Sysplex Management task. Replace |
SERVAUTH | CEA.XCF.STRUCTURE | IZUADMIN IZUUSER | READ | Allow the user to access the coupling facility structures for the Sysplex Management task. |
SERVAUTH | CEA.XCF.SYSPLEX | IZUADMIN IZUUSER | READ | Allow the user to access the sysplex general information and systems for the Sysplex Management task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SYSPLEX | IZUADMIN IZUUSER | READ | Allow the user to access the Sysplex Management task. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SYSPLEX.LOG | IZUADMIN or a particular z/OS user ID. | READ | Allow the user to use the Sysplex Management task to clean up the command log table and specify clean-up settings. |
ZMFAPLA | <SAF-prefix>.ZOSMF.SYSPLEX.MODIFY | IZUADMIN | READ | Allow the user to use the Sysplex Management task to modify sysplex resources. This authorization also allows the user to use the CFRM Policy Editor to update Sysplex CFRM administrative policy information. |
Resource authorizations for the Workload Management service
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuManagementFacilityWorkloadManagement.izuUsers | IZUADMIN IZUUSER | READ | Allow the user to connect to the Workload Management task. |
FACILITY | MVSADMIN.WLM.POLICY | IZUSVR | READ | Allow the z/OSMF server to access the WLM policies. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.ENWRP | IZUADMIN, WLM resource pool administration group | READ | For z/OS Cloud Provisioning, allow the user to access the WLM Resource Pooling (WRP) functions of z/OSMF. Using a WRP definition, the user can associate cloud information (tenant name, domain ID, template type, service levels supported) with WLM elements (report classes and classification rules). |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW | IZUADMIN IZUUSER | READ | Allow the user to access the Workload Management View function. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY | IZUADMIN | READ | Allow the user to access the Workload Management Modify function. |
ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL | IZUADMIN | READ | Allow the user to access the Workload Management Install function. |
Resource authorizations for the IBM zERT Network Analyzer service
The IBM zERT Network Analyzer service provides access to sensitive network security information. Only users authorized to manage this data should be allowed to access the IBM zERT Network Analyzer service. The IZUNASEC job includes sample RACF commands to create the group IZUZNA. The IZUZNA group should be used to control access to the IBM zERT Network Analyzer service.
Your security team might determine that existing group names would be preferred. If so, you can use your existing group names in place of the supplied z/OSMF default group names. For example, you might already have a group that is aligned with network security administrators; if so, you could use that group instead of the default group enabling access to the IBM zERT Network Analyzer service, IZUZNA.
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuZertNetworkAnalyzer.izuUsers | IZUZNA | READ | Allow the user to connect to the IBM zERT Network Analyzer task. |
EJBROLE | <SAF-prefix>.com.ibm.ws.management.security.resource.Administrator | IZUSVR | READ | Allow the IBM zERT Network Analyzer to run the required WebSphere Liberty administrative actions. |
ZMFAPLA | <SAF-prefix>.ZOSMF | IZUZNA | READ | Designates the user as a z/OSMF user. |
ZMFAPLA | <SAF-prefix>.ZOSMF.ZERT_NETWORK_ANALYZER | IZUZNA | READ | Allow a user to access the IBM zERT Network Analyzer task. |
Resource authorizations for the z/OS Management Services Catalog service
The security configuration requirements for z/OS Management Services Catalog are described in the sections that follow. These sections describe the resources that must be defined, and the groups that must be permitted to the resources. Typically, these permissions are created by your security administrator.
Role | Recommended group | Capabilities |
---|---|---|
User | IZUUSER | Users have access to the Catalog, Activity, and History pages. Users can submit services from the Catalog, manage queued and active service submissions in Activity, and access completed and terminated service submissions in History. Users can see service submissions from other users and administrators. A service submission that has been started but is not yet submitted is saved in My drafts and cannot be seen by other users or administrators. Users can control their notification preferences using Settings. |
Administrator | IZUADMIN | Administrators have additional authority that grants them access to the Administration page and the plug-in Global settings page. Administrators can manage existing services, create new services, and request approval to publish new services to the Catalog. Administrators can manage the plug-in's Global settings and take actions on service submissions that are created by other users. |
Publishing approver | IZUMSPAP | The publishing approver role authorizes a user ID to be assigned as an approver of services that are requested to be published in the Catalog. User IDs given this role must be that of a real user that can review and approve requests to publish services so that they are available on the Catalog page. Approvers are assigned by an administrator in the Publishing approvals table of Global Settings. Approvers have access to the Administration page and all services for which they are an approver. |
RunAsUser step approver | IZUMSRAP | A user ID must have this role if a service's underlying workflow definition file requires the user ID to approve the use of a runAsUser step. User IDs given this role must be that of a real user that can review and approve the use of the runAsUser step. Do not use functional or application IDs as approvers. A runAsUser step is a step in the workflow that is performed by a specific user ID that might not be the user that runs the workflow. The user ID that the step is performed as is not necessarily the same as the user ID that approves the step. Every runAsUser step has an assigned user ID to approve it. This user ID's approval is required to publish the service in the Catalog. RunAsUser step approvers have access to the Administration page and all services for which they are an approver. |
RunAsUser user ID | IZUMSRAU | This role is required for any user ID assigned as the runAsUser for a runAsUser step in a workflow definition. Authorization to this role is checked when you create a new service from a workflow definition that contains runAsUser steps. It is also checked when the Workflows task runs a runAsUser step for workflow instances that are created by service submissions. This role does not grant any access to z/OS Management Services Catalog. |
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
EJBROLE | <SAF-prefix>.IzuManagementFacilityManagementServicesCatalog.izuUsers | | READ | Allow the user to open the Management Services Catalog desktop app. |
ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.MGMT_SERVICES | | READ | Allow the user to open the Management Services Catalog desktop app. |
ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.ADMIN | | READ | Grants the administrator role to the user. |
ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.USER | | READ | Grants the user role to the user. |
ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.PUBLISH.APPROVER | | READ | Grants the publishing approver role to the user. |
ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER | | READ | Grants the runAsUser step approver role to the user. |
ZMFAPLA | <SAF-prefix>.IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER | | READ | Grants authority to the user ID to be used as the runAsUser user ID in any workflow instance created by a service. |
Resource authorizations for the Storage Management service
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
ZMFAPLA | <SAF-prefix>.ZOSMF.STORAGE.SG.VOLUME | | UPDATE | Allow the user to add volumes to a storage group. |
ZMFAPLA | <SAF-prefix>.ZOSMF.STORAGE.SCDS | | UPDATE | Allow the user to validate or activate the specified SCDS. |
OPERCMDS | MVS.SETSMS.SMS | | UPDATE | Allow the user to activate the SCDS by using the SETSMS SCDS("scds-name") command. |