Security structures for z/OSMF

Using z/OSMF requires sufficient authority in z/OS®. Specifically, on the z/OS system to be managed, the resources to be accessed on behalf of users (data sets, operator commands, and so on) are secured through the external security manager at your installation, such as RACF®. Your installation's security administrator must create the authorizations in your external security manager. To assist your security administrator, z/OSMF provides sample jobs in SYS1.SAMPLIB and the information in this document. Your security administrator can use the sample jobs to create the groups, user IDs, and resource profiles for your z/OSMF configuration. Later, these z/OSMF constructs require more permissions to a number of existing groups, user IDs, and resources on your system.

This appendix describes the security configuration requirements for z/OSMF. Included are the resource authorizations that are created when your installation runs one or more of the following sample security jobs:

IZUNUSEC, to help you set up basic security for a z/OSMF nucleus configuration.
Individual IZUxxSEC jobs for the core services
IZUSEC job that consolidates the security set-up for both the z/OSMF nucleus and the core services
Individual IZUxxSEC jobs for the optional services.

Also listed are the resource authorizations that your installation must define outside of the configuration process.

The security configuration requirements for z/OSMF are described in the sections that follow. Creating these permissions requires the assistance of your security administrator.

Class activations that z/OSMF requires
SAF profile prefix for z/OSMF resources
User IDs that z/OSMF creates during configuration
Security groups that z/OSMF creates during configuration
Resource authorizations for the Security Configuration Assistant service
Resource authorizations for the z/OSMF core functions
Resource authorizations for hardware compression
Resource authorizations for hardware cryptography
Resource authorizations for Common Information Model
Resource authorizations for Capacity Provisioning Manager
Resource authorizations for common event adapter (CEA)
Resource authorizations for the z/OS compliance REST interface
Resource authorizations for the z/OS console REST interface
Resource authorizations for the z/OS data set and file REST interface
Resource authorizations for the z/OS jobs REST interface
Resource authorizations for the Capacity Provisioning service
Resource authorizations for the Network Configuration Assistant service
Resource authorizations for the Incident Log service
Resource authorizations for the ISPF service
Resource authorizations for the Resource Monitoring service
Resource authorizations for the Software Deployment service
Resource authorizations for the Sysplex Management service
Resource authorizations for the Workload Management service
Resource authorizations for the IBM zERT Network Analyzer service
Resource authorizations for the z/OS Management Services Catalog service
Resource authorizations for the Storage Management service

Class activations that z/OSMF requires

For a RACF installation, the security classes that are shown in Table 1 must be active when you configure z/OSMF. Commands for activating the classes (with generic profile checking activated) are included in commented sections in the IZUxxSEC jobs. To allow the commands to be issued when the jobs run, uncomment the sections. Or, ask your security administrator to enter the commands directly, as shown in Table 1.

Table 1. Class activations that z/OSMF requires
Class	Purpose	RACF commands for activating
ACCTNUM	Controls access to the account number used for the procedure for the z/OSMF REST interfaces.	`SETROPTS CLASSACT(ACCTNUM)`
APPL	Controls access to the z/OSMF application domain. This access is required by: Security group for z/OSMF administrators (IZUADMIN, by default) Security group for z/OSMF unauthenticated guest users (IZUGUEST, by default) Security group for the z/OSMF users (IZUUSER, by default) Security group for the z/OS security administrator (IZUSECAD, by default). If there is no matching profile in the APPL class, RACF allows the user to access the application.	`SETROPTS CLASSACT(APPL) SETROPTS RACLIST(APPL) GENERIC(APPL)`
EJBROLE	Controls the user’s ability to connect to the z/OSMF core functions and tasks. z/OSMF defines a resource name for each core function and task.	`SETROPTS CLASSACT(EJBROLE) SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)`
FACILITY	Controls the user’s access to profiles when the user performs an action. This access is required by the z/OSMF started task user ID (IZUSVR, by default). Examples include the profiles that are used to control privileges in the z/OS UNIX environment.	`SETROPTS CLASSACT(FACILITY) SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)`
JESSPOOL	Allows the user to retrieve messages from the system log (SYSLOG).	`SETROPTS CLASSACT(JESSPOOL) SETROPTS RACLIST(JESSPOOL)`
LOGSTRM	Allows the user to retrieve messages from the operations log (OPERLOG).	`SETROPTS CLASSACT(LOGSTRM) SETROPTS RACLIST(LOGSTRM)`
OPERCMDS	Allows the user to create an EMCS console by using the z/OS Operator Consoles task.	`SETROPTS CLASSACT(OPERCMDS) SETROPTS RACLIST(OPERCMDS)`
SERVAUTH	Controls the user’s ability to use CEA TSO/E address space services. In z/OSMF, this access is required by: z/OSMF started task user ID (IZUSVR, by default) Callers of the z/OS data set and file REST interface services Users of the ISPF task.	`SETROPTS CLASSACT(SERVAUTH) SETROPTS RACLIST(SERVAUTH) GENERIC(SERVAUTH)`
SERVER	Allows the z/OSMF started task user ID to request services from z/OS system components, such as the System Authorization Facility (SAF), workload management (WLM), and SVCDUMP services.	`SETROPTS CLASSACT(SERVER) SETROPTS RACLIST(SERVER) GENERIC(SERVER)`
STARTED	Assigns an identity to the z/OSMF started task during the processing of an MVS™ START command. By default, the started task runs under the IZUSVR user ID.	`SETROPTS CLASSACT(STARTED) SETROPTS RACLIST(STARTED) GENERIC(STARTED)`
TSOAUTH	Allows the user to create an EMCS console by using the z/OS Operator Consoles task.	`SETROPTS CLASSACT(TSOAUTH) SETROPTS RACLIST(TSOAUTH)`
TSOPROC	Controls access to the procedure for the z/OSMF REST interfaces.	`SETROPTS CLASSACT(TSOPROC)`
ZMFAPLA	Controls the user’s ability to use the z/OSMF core functions and tasks. z/OSMF defines a resource name for each core function and task. Profile names in this class are case-sensitive. The ZMFAPLA class requires the RACLIST option.	`SETROPTS CLASSACT(ZMFAPLA) SETROPTS RACLIST(ZMFAPLA) GENERIC(ZMFAPLA)`
ZMFCLOUD	Allows the user to use the z/OSMF core functions and tasks that are related to IBM® Cloud Provisioning. z/OSMF defines a resource name for each core function and task for IBM Cloud Provisioning. For more information, see Configure the Cloud Provisioning services. The ZMFCLOUD class requires the RACLIST option.	`SETROPTS CLASSACT(ZMFCLOUD) GENERIC(ZMFCLOUD) RACLIST(ZMFCLOUD)`

If your installation uses an external security manager other than RACF, ask your security administrator to create equivalent commands for your environment.

SAF profile prefix for z/OSMF resources

During the configuration process, your security administrator runs the IZUxxSEC jobs to secure z/OSMF resources. In these jobs, your installation specifies a System Authorization Facility (SAF) profile prefix to be used for naming z/OSMF resources. The SAF prefix is prepended to the names of z/OSMF resource profiles, and is used in some of the RACF commands that are contained in the IZUxxSEC jobs.

In the examples in this document, the SAF prefix is shown as <SAF-prefix>. By default, the SAF prefix is IZUDFLT. If your installation selects to use a different value, substitute the value in the examples.

User IDs that z/OSMF creates during configuration

The IZUSEC job creates the user IDs that are described in Table 2.

Table 2. User IDs that z/OSMF creates during the configuration process
User ID	Purpose	Default UID	Created by
IZUGUEST	User ID for performing unauthenticated work, such as guest user access to the Welcome page.	9011	IZUSEC job
IZUSVR	User ID for the z/OSMF started tasks, which are named IZUANG1 and IZUSVR1, by default.	9010	IZUSEC job

Table 2 shows the IBM default values. Your security administrator can specify different user IDs in place of the default user IDs in the IZUSEC job.

Security groups that z/OSMF creates during configuration

The IZUSEC job creates a base set of security groups for your z/OSMF configuration. These groups are necessary for giving users the proper level of access to z/OSMF and z/OS system resources.

Your security team might determine that the existing group names would be preferred. If so, you can use your existing group names in place of the supplied z/OSMF default group names. For example, you might already have a group that is aligned with administrators; if so, you can use that group, instead of the z/OSMF default group for administrators, IZUADMIN.

Table 3 lists the groups that the IZUSEC job creates. The group names can change, based on the values you provide during the configuration process. Table 3 shows the IBM default values.

Table 3. Security groups that z/OSMF creates during the configuration process
Group	Purpose	Created by
IZUADMIN	Security group for the z/OSMF administrator role. Any user IDs connected to this group are considered to be z/OSMF administrators.	IZUSEC job
IZUUSER	Security group for the z/OSMF user role.	IZUSEC job
IZUSECAD	Security group for the z/OS security administrator role in z/OSMF.	IZUSEC job
IZUUNGRP	Security group for the z/OSMF unauthenticated user ID.	IZUSEC job

Resource authorizations for the Security Configuration Assistant service

Table 4 describes the access requirements for the Security Configuration Assistant service. The IZUSASEC job includes sample RACF commands for creating these authorizations on your system. These values can vary, based on the values you use at your installation. Table 4 shows the IBM default values.

Table 4. Security setup requirements for the Security Configuration Assistant service
Resource class	Resource name	Who needs access?	Type of access required	Why
SERVER	BBG.SECCLASS.ACCTNUM	IZUSVR	READ	Grant the server permission to perform authorization checks against the ACCTNUM profile in the SERVER class.
SERVER	BBG.SECCLASS.APPL	IZUSVR	READ	Grant the server permission to perform authorization checks against the APPL profile in the SERVER class.
SERVER	BBG.SECCLASS.CSFSERV	IZUSVR	READ	Grant the server permission to perform authorization checks against the CSFSERV profile in the SERVER class.
SERVER	BBG.SECCLASS.EJBROLE	IZUSVR	READ	Grant the server permission to perform authorization checks against the EJBROLE profile in the SERVER class.
SERVER	BBG.SECCLASS.FACILITY	IZUSVR	READ	Grant the server permission to perform authorization checks against the FACILITY profile in the SERVER class.
SERVER	BBG.SECCLASS.JESSPOOL	IZUSVR	READ	Grant the server permission to perform authorization checks against the JESSPOOL profile in the SERVER class.
SERVER	BBG.SECCLASS.LOGSTRM	IZUSVR	READ	Grant the server permission to perform authorization checks against the LOGSTRM profile in the SERVER class.
SERVER	BBG.SECCLASS.OPERCMDS	IZUSVR	READ	Grant the server permission to perform authorization checks against the OPERCMDS profile in the SERVER class.
SERVER	BBG.SECCLASS.RDATALIB	IZUSVR	READ	Grant the server permission to perform authorization checks against the RDATALIB profile in the SERVER class.
SERVER	BBG.SECCLASS.SERVAUTH	IZUSVR	READ	Grant the server permission to perform authorization checks against the SERVAUTH profile in the SERVER class.
SERVER	BBG.SECCLASS.SERVER	IZUSVR	READ	Grant the server permission to perform authorization checks against the SERVER profile in the SERVER class.
SERVER	BBG.SECCLASS.STARTED	IZUSVR	READ	Grant the server permission to perform authorization checks against the STARTED profile in the SERVER class.
SERVER	BBG.SECCLASS.TSOAUTH	IZUSVR	READ	Grant the server permission to perform authorization checks against the TSOAUTH profile in the SERVER class.
SERVER	BBG.SECCLASS.TSOPROC	IZUSVR	READ	Grant the server permission to perform authorization checks against the TSOPROC profile in the SERVER class.
SERVER	BBG.SECCLASS.UNIXPRIV	IZUSVR	READ	Grant the server permission to perform authorization checks against the UNIXPRIV profile in the SERVER class.
SERVER	BBG.SECCLASS.ZMFAPLA	IZUSVR	READ	Grant the server permission to perform authorization checks against the ZMFAPLA profile in the SERVER class.
SERVER	BBG.SECCLASS.ZMFCLOUD	IZUSVR	READ	Grant the server permission to perform authorization checks against the ZMFCLOUD profile in the SERVER class.
ZMFAPLA	`<SAF-prefix>`.ZOSMF. CONFIGURATION.SECURITY_ASSISTANT	IZUADMIN	READ	Allow the user to access the Security Configuration Assistant task. See Table Notes 1 and 2.

User authorizations to functions, tasks, and links are controlled through the system authorization facility (SAF) profile prefix. By default, the SAF prefix is IZUDFLT.
Users require READ access to at least the profile <SAF-prefix>.ZOSMF to do work in z/OSMF. Without this authorization, the user is treated as an authenticated guest. That is, the user can log in to z/OSMF and display the Welcome page, but cannot access the z/OSMF functions and tasks.

Resource authorizations for the z/OSMF core functions

Table 5 describes the access requirements for the z/OSMF core functions. The IZUSEC job includes sample RACF commands for creating these authorizations on your system. These values can change, based on the values you provide during the configuration process. Table 5 shows the IBM default values.

Table 5. Security setup requirements for z/OSMF core functions
Resource class	Resource name	Who needs access?	Type of access required	Why
ACCTNUM	IZUACCT	IZUADMIN IZUUSER	READ	Allows callers to access the account number that is used for the procedure for the z/OSMF REST interfaces.
APPL	`<SAF-prefix>`	IZUADMIN IZUGUEST IZUUSER IZUSECAD	READ	Allow access to the z/OSMF application domain. If there is no matching profile in the APPL class, RACF allows the user to access the application.
CERT	DefaultzOSMFCert.`<SAF-prefix>`	Owned by the IZUSVR user ID	N/A	Needed for secure communications between the browser and the z/OSMF server.
CERT	zOSMFCA	N/A	N/A	Certificate authority that is needed for secure communications between the browser and the z/OSMF server.
CSFSERV	CSF* profiles	IZUSVR	READ	z/OS Integrated Cryptographic Service Facility (ICSF) callable services. If your installation uses hardware cryptography with ICSF, you must permit the z/OSMF server user ID to these services, as described in Resource authorizations for hardware cryptography.
DATASET	your_stack_include_dataset	IZUSVR	ALTER	Allows the z/OSMF server to write to the configured include data sets when a network resource is provisioned or de-provisioned. There is one include data set per stack defined for IBM Cloud Provisioning. This definition is applicable only when your installation uses discrete or generic profiles to protect data set access.
DATASET	your_stack_dynamic_update_dataset	IZUSVR	ALTER	Allows the z/OSMF server to write to the configured dynamic updates data sets when a network resource is provisioned or de-provisioned. One dynamic update data set per stack can be defined for IBM Cloud Provisioning. This definition is applicable only when your installation uses a discrete or generic profiles to protect data set access.
EJBROLE	`<SAF-prefix>`.IzuManagementFacility.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to log on to z/OSMF and view the Welcome page.
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityHelpApp.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the z/OSMF online help system.
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityImportUtility.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to use the Import Manager task to import services, event types, event handlers, and links into z/OSMF.
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityRestConsoles.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the z/OS console REST interface.
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityRestFiles.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the z/OS data set and file REST interface.
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityRestJobs.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the z/OS jobs REST interface.
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityTsoServices.izuUsers	IZUADMIN	READ	Allow the user of the Operator Consoles task to start or reconnect to address spaces on other systems in the sysplex.
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityWorkflow.izuUsers	IZUADMIN IZUUSER IZUSECAD	READ	Allow the user to connect to the Workflows task.
EJBROLE	`<SAF-prefix>` .com.ibm.ws.management.security. resource.allAuthenticatedUsers	IZUADMIN IZUUSER	READ	Allow the user to display information about the IBM Cloud Provisioning and Management for z/OS REST APIs. For more information about the REST services, see IBM z/OS Management Facility Programming Guide.IBM z/OS Management Facility Programming Guide.
FACILITY	BBG.SYNC.`<SAF-prefix>`	IZUSVR	CONTROL	Allow the z/OSMF server to synchronize any RunAs identity with the OS identity.
FACILITY	BPX.CONSOLE	IZUSVR	READ	Allow the user to filter z/OS UNIX messages. Specifically, this setting suppresses the BPXM023I message prefix from any write-to-operator (WTO) messages that z/OSMF writes to the console.
FACILITY	BPX.WLMSERVER	IZUSVR	READ	Allows the z/OSMF server to use WLM functions to create and manage work requests.
FACILITY	HWI.APPLNAME.HWISERV	IZUADMIN	READ	Grant the administrator groups access to BCPii services.
FACILITY	HWI.TARGET.`<netid.nau>`	IZUADMIN	READ	Allow the administrator to access the BCPii request type of CPC.
FACILITY	HWI.TARGET.`<netid.nau>`.`<imagename>`	IZUADMIN	READ	Allow the administrator to access the BCPii request type of LPAR.
FACILITY	IRR.DIGTCERT.LISTRING	IZUSVR	READ	Allow the started task user ID to list and get the certificate keyring.
FACILITY	IRR.RUSERMAP	IZUSVR	READ	Allow the started task user ID to use the R_usermap service. This authorization is required for the z/OSMF notification function. The z/OSMF server uses the R_usermap service to determine the application user identity associated with a RACF user ID, or to determine the RACF user ID associated with an application user identity or digital certificate.
KEYRING	IZUKeyring.`<SAF-prefix>`	IZUSVR	N/A	Needed for secure communications.
OPERCMDS	MVS.MCSOPER.IZU@*	IZUADMIN IZUUSER	READ	Allow the user to operate an extended MCS console.
OPERCMDS	MVS.VARY.TCPIP.OBEYFILE	IZUSVR	CONTROL	Allows the z/OSMF server to issue the VARY TCPIP OBEYFILE command for IBM Cloud Provisioning. This definition is applicable only when your installation utilizes the OPERCMDS class to restrict access to the VARY TCPIP OBEYFILE command.
OPERCMDS	MVS.MCSOPER.ZCDPLM*	IZUSVR	READ	Allows the z/OSMF server to issue various operator commands for IBM Cloud Provisioning. The console name for this extended MCS console is the text string `ZCDPLM`, which is appended with the MVS sysclone value of the system of the z/OSMF instance.
OPERCMDS	MVS.DISPLAY.XCF	IZUSVR	READ	Allows the z/OSMF server to issue the `DISPLAY XCF` operator command for IBM Cloud Provisioning. This definition is applicable only when your installation utilizes the OPERCMDS class to restrict access to the `DISPLAY XCF` operator command.
OPERCMDS	MVS.ROUTE.CMD<sysname>	IZUSVR	READ	Allows the z/OSMF server to issue the ROUTE operator command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only if the installation uses this profile to restrict the use of the ROUTE command.
SERVAUTH	CEA.CEATSO.TSOREQUEST	IZUADMIN IZUUSER	READ	Allow the HTTP client applications on your z/OS system to start and manage TSO/E address spaces.
SERVAUTH	CEA.CEATSO.TSOREQUEST	IZUSVR	READ	Allow the z/OSMF server to start and manage TSO/E address space services.
SERVAUTH	CEA.SIGNAL.ENF86	IZUSVR (z/OSMF started task ID)	READ	Allow callers to access the CEA service responsible for signal event 86 across sysplex.
SERVAUTH	CEA.SIGNAL.ENF83	IZUSVR	READ	Allow the z/OSMF server to use ENF83 to indicate its status to other systems in the sysplex.
SERVAUTH	EZB.INITSTACK.`sysname`.`tcpname`	IZUSVR	READ	Allows the z/OSMF server to access the TCP/IP stack during TCP/IP initialization. This authorization is needed if the TCP/IP profile activates Application Transparent Transport Layer Security (AT-TLS).
SERVAUTH	EZB.NETWORKUTILS.CLOUD.`mvsname`	IZUSVR	READ	Allows the z/OSMF started task user ID issue operator commands for IBM Cloud Provisioning. `mvsname` is the name of the system on which the z/OSMF server is running.
SERVAUTH	EZB.NETSTAT.<mvsname>.<tcpname>	IZUSVR	READ	Allows the z/OSMF started task user ID to issue the NETSTAT command. Otherwise, the z/OSMF server fails on initialization. This definition is applicable only when your installation has configured an AT-TLS policy.
SERVAUTH	EZB.NETSTAT.`<mvsname>`.`<tcpprocname>`.CONFIG	IZUSVR		Allows the Network Configuration Assistant task to issue the command NETSTAT CONFIG. This definition is applicable only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When this definition is applicable, IZUSVR must be authorized for each stack defined for IBM Cloud Provisioning and Management for z/OS.
SERVAUTH	EZB.NETSTAT.<mvsname>.<tcpprocname>.VIPADCFG	IZUSVR	READ	Allows the z/OSMF started task user ID to issue the NETSTAT VIPADCFG command. This definition is applicable only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When this definition is applicable, the z/OSMF started task user ID must be authorized for each stack that is defined for IBM Cloud Provisioning.
SERVER	BBG.ANGEL	IZUSVR	READ	Allow the z/OSMF server to access the angel process.
SERVER	BBG.ANGEL.IZUANG1	IZUSVR	READ	Allow the z/OSMF server to access the z/OSMF named angel process.
SERVER	BBG.ANGEL.`proc-name`	IZUSVR	READ	Allows the z/OSMF server to use z/OS authorized services.
SERVER	BBG.AUTHMOD.BBGZSAFM	IZUSVR	READ	Allow the z/OSMF server to access the SAF authorized registry.
SERVER	BBG.AUTHMOD.BBGZSAFM.SAFCRED	IZUSVR	READ	Allow the z/OSMF server to access the SAF authorization services.
SERVER	BBG.AUTHMOD.BBGZSAFM.TXRRS	IZUSVR	READ	Allow the z/OSMF server to access the transaction services.
SERVER	BBG.AUTHMOD.BBGZSAFM.ZOSDUMP	IZUSVR	READ	Allow the z/OSMF server to access the SVC dump services.
SERVER	BBG.AUTHMOD.BBGZSAFM.ZOSWLM	IZUSVR	READ	Allow the z/OSMF server to access the WLM services.
SERVER	BBG.SECCLASS.ZMFAPLA	IZUSVR	READ	Allow the z/OSMF server to authorize checks for the ZMFAPLA class.
SERVER	BBG.SECPFX.`<SAF-prefix>`	IZUSVR	READ	Allow the z/OSMF server to make authentication calls against the APPL-ID.
STARTED	IZUINSTP.IZUINSTP	IZUADMIN	N/A	Defines the started task for the z/OSMF dependent address space, which is used to determine whether z/OS UNIX and TCP/IP are available. The job name must be IZUINSTP. Otherwise, the z/OSMF dependent address space is not initialized during z/OSMF autostart processing.
STARTED	IZUSVR1.`jobname`	IZUADMIN	N/A	Define the started task for the z/OSMF server process.
STARTED	IZUANG1.`jobname`	IZUADMIN	N/A	Define the started task for the z/OSMF angel process.
TSOAUTH	CONSOLE	IZUADMIN IZUUSER	READ	Allow the user to issue the TSO/E CONSOLE command to activate the extended MCS console.
TSOPROC	IZUFPROC	IZUADMIN IZUUSER	READ	Allows callers to access the procedure for the z/OSMF REST interfaces.
ZMFAPLA	`<SAF-prefix>`.ZOSMF	IZUADMIN IZUGUEST IZUUSER IZUSECAD	READ	Designates the user as a z/OSMF user, rather than an unauthenticated guest user. This authorization is the minimum requirement for allowing a user to do more than log in to z/OSMF and view the Welcome page. Without this authorization, the logged-in user is treated as an authenticated guest. Use the other ZMFAPLA resource names that follow in this table to create specific controls for each core function and task. See Table Notes 1 and 2.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.GENERAL.SETTINGS	IZUADMIN	READ	Allow the user to access the Task Settings task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.ADMINTASKS.APPLINKING	IZUADMIN	READ	Allow the user to access the Application Linking Manager task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.ADMINTASKS.DIAGNOSTIC_ASSISTANT	IZUADMIN	READ	Allow the user to access the z/OSMF Diagnostic Assistant task.
ZMFAPLA	<SAF-prefix>.ZOSMF.ADMINTASKS.IMPORTMANAGER	IZUADMIN	READ	Allow the user to access the Import Manager task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.ADMINTASKS.LINKSTASK	IZUADMIN	READ	Allow the user to access the Links task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.ADMINTASKS.LOGGER	IZUADMIN	READ	Allow the user to manage the settings that control the behavior and content of the z/OSMF logs. This capability is used only in service situations.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.ADMINTASKS.UI_LOG _MANAGEMENT	IZUADMIN	READ	Allow the user to manage the settings that control the behavior of the user interface (UI) portion of z/OSMF logging. This capability is used only in service situations.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.ADMINTASKS.USAGESTATISTICS	IZUADMIN	READ	Allow the user to collect usage statistics about z/OSMF.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.LINK.`linkName`	IZUADMIN IZUUSER	READ	Allow the user to view an installation-specified link. See Table Notes 3 and 4.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.LINK.SHOPZSERIES	IZUADMIN IZUUSER	READ	Allow the user to view the ShopzSeries web site link.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.LINK.SUPPORT_FOR_Z_OS	IZUADMIN IZUUSER	READ	Allow the user to view the Support for z/OS web site link.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.LINK.SYSTEM_Z_REDBOOKS	IZUADMIN IZUUSER	READ	Allow the user to view the IBM Redbooks® web site link.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.LINK.WSC_FLASHES _TECHDOCS	IZUADMIN IZUUSER	READ	Allow the user to view the WSC Flashes and Techdocs web site link.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.LINK.Z_OS_BASICS _INFORMATION_CENTER	IZUADMIN IZUUSER	READ	Allow the user to view the z/OS Basic Skills Information Center web site link.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.LINK.Z_OS_HOME_PAGE	IZUADMIN IZUUSER	READ	Allow the user to view the z/OS Home Page web site link.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.LINK.Z_OS_INTERNET_LIBRARY	IZUADMIN IZUUSER	READ	Allow the user to view the z/OS Library web site link.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.NOTIFICATION.MODIFY	IZUADMIN IZUUSER	READ	Allow the user to compose a notification.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.NOTIFICATION.SETTINGS	IZUADMIN IZUUSER	READ	Allow the user to define an mail account for receiving notifications from z/OSMF. This action is performed through the Notification Settings task of z/OSMF.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.NOTIFICATION.SETTINGS.ADMIN	IZUADMIN	READ	Allow the user to access the Notification Settings task of z/OSMF
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SEND.IBM.FEEDBACK	IZUADMIN IZUUSER	READ	Allow the user to send feedback data to IBM by using the Provide IBM Feedback option in the z/OSMF desktop.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SETTINGS.FTP_SERVERS	IZUADMIN IZUUSER	READ	Allow the user to access the FTP Servers task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SETTINGS.FTP_SERVERS.VIEW	IZUADMIN IZUUSER	READ	Allow the user to access the FTP Servers task View function.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY	IZUADMIN	READ	Allow the user to access the z/OSMF Task Settings task Modify function.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SETTINGS.SYSTEMS	IZUADMIN IZUUSER	READ	Allow the user to access the Systems task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SETTINGS.SYSTEMS.AES.MODIFY	IZUADMIN	READ	Allow the user to enable or disable AES encryption for the LTPA password.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SETTINGS.SYSTEMS.VIEW	IZUADMIN IZUUSER	READ	Allow the user to access the Systems task View function.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SETTINGS.SYSTEMS.MODIFY	IZUADMIN	READ	Allow the user to access the z/OSMF Task Settings task Modify function.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.VARIABLES.SYSTEM.ADMIN	IZUADMIN	READ	Allows the user to access the system variables in the Systems task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.WORKFLOW.ADMIN	IZUADMIN	READ	Allow the user to change the assigned owner of a workflow.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.WORKFLOW.EDITOR	IZUADMIN IZUUSER	READ	Allow the user to access the Workflow Editor task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.WORKFLOW.RUNASUSER	IZUUSER	READ	Allow the user to be defined as the runAsUser ID in a workflow instance that does not originate from z/OS Management Services Catalog or IBM Cloud Provisioning and Management for z/OS.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.WORKFLOW.SIGNER	IZUADMIN	READ	Allow the user to be granted the runAsUser step signer role.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.WORKFLOW.WORKFLOWS	IZUADMIN IZUSECAD IZUUSER	READ	Allow the user to access the z/OSMF Workflows task. See Table Note 5.

User authorizations to functions, tasks, and links are controlled through the system authorization facility (SAF) profile prefix. By default, the SAF prefix is IZUDFLT.
Users require READ access to at least the profile <SAF-prefix>.ZOSMF to do work in z/OSMF. Without this authorization, the user is treated as an authenticated guest. That is, the user can log in to z/OSMF and display the Welcome page, but cannot access the z/OSMFz/OSMF functions and tasks.
In a default z/OSMF configuration, all users are granted authority to all links through a wildcarded profile: <SAF-prefix>.ZOSMF.LINK.* *
You must provide a SAF resource name prefix for any links that you add to z/OSMF. You can control access to specific links by specifying a unique resource name for the link, for example, by including the link name as part of the resource name. For example: IZUDFLT.ZOSMF.LINK.mylink
For more information about defining links to z/OSMF, see Adding links to z/OSMF.
A user with access to the Workflows task can access any of the workflows that are displayed in the Workflows task. By default, the z/OSMF defined security groups IZUADMIN, IZUSECAD, and IZUUSER have access to the Workflows task.
If your installation uses hardware cryptography with z/OS Integrated Cryptographic Service Facility (ICSF), be aware that services such as CSFRNGL, CSFDSV, CSFOWH, CSFIQF, and others, might be protected through profiles that are established in your external security manager, such as RACF. In some cases, z/OSMF uses these services; therefore, you must permit the z/OSMF started task user ID to these profiles. For more information, see Resource authorizations for hardware cryptography.
All z/OSMF users must have a TSO segment that is defined in your installation’s security database. Failure to have a TSO segment causes some z/OSMF functions not to work.

Resource authorizations for hardware compression

If your installation uses IBM zEnterprise® Data Compression (zEDC), the z/OSMF server requires READ access to the FPZ.ACCELERATOR.COMPRESSION resource in the FACILITY class. Otherwise, if this authorization is not in place, the z/OSMF server runs without the use of zEDC. The system issues an error message, such as the following:

XAT1 IZUSVRU  IZUSVR1 RACF ACCESS violation for IZUSVRU: 
(READ,NONE) on FACILITY FPZ.ACCELERATOR.COMPRESSION

You can ignore the message.

Table 6 shows which permissions must be granted to the z/OSMF server user ID. Commands for the creating the permissions are included in commented sections in the IZUSEC job. To issue the commands when the job runs, uncomment the sections.

Table 6. Security setup requirements for IBM zEnterprise Data Compression (zEDC)
Resource class	Resource name	Who needs access?	Type of access required	Why
FACILITY	FPZ.ACCELERATOR.COMPRESSION	IZUSVR	READ	Enable the z/OSMF server to run with IBM zEnterprise Data Compression (zEDC).

Resource authorizations for hardware cryptography

If your installation uses hardware cryptography with z/OS Integrated Cryptographic Service Facility (ICSF), the z/OSMF server requires access to the ICSF callable services. Table 7 shows which permissions must be granted to the z/OSMF server user ID. Commands for the creating the permissions are included in commented sections in the IZUSEC job. To issue the commands when the job runs, uncomment the sections.

Table 7. Security setup requirements for hardware cryptography with ICSF
Resource class	Resource name	Who needs access?	Type of access required	Why
CSFSERV	CSFIQF	IZUSVR	READ	ICSF query facility callable service.
CSFSERV	CSFENC	IZUSVR	READ	Encipher callable service.
CSFSERV	CSFCVE	IZUSVR	READ	Cryptographic variable encipher callable service.
CSFSERV	CSFDEC	IZUSVR	READ	Decipher callable service.
CSFSERV	CSFSAE	IZUSVR	READ	Symmetric algorithm encipher callable service.
CSFSERV	CSFSAD	IZUSVR	READ	Symmetric algorithm decipher callable service.
CSFSERV	CSFOWH	IZUSVR	READ	One-way hash generate callable service.
CSFSERV	CSFRNG	IZUSVR	READ	Random number generate callable service.
CSFSERV	CSFRNGL	IZUSVR	READ	Random number generate long callable service.
CSFSERV	CSFPKG	IZUSVR	READ	PKA key generate callable service.
CSFSERV	CSFDSG	IZUSVR	READ	Digital signature generate service.
CSFSERV	CSFDSV	IZUSVR	READ	Digital signature verify callable service.
CSFSERV	CSFPKT	IZUSVR	READ	PKA key generate callable service.
CSFSERV	CSFRKL	IZUSVR	READ	Retained key list callable service.
CSFSERV	CSFPKX	IZUSVR	READ	PKA Public Key Extract callable service.
CSFSERV	CSFPKE	IZUSVR	READ	PKA encrypt callable service.
CSFSERV	CSFPKD	IZUSVR	READ	PKA decrypt callable service.
CSFSERV	CSFPKI	IZUSVR	READ	PKA key import callable service.
CSFSERV	CSFCKM	IZUSVR	READ	Multiple clear key import callable service.
CSFSERV	CSFKGN	IZUSVR	READ	Multiple clear key import callable service.
CSFSERV	CSFEDH	IZUSVR	READ	ECC Diffie-Hellman callable service.

Resource authorizations for Common Information Model

If your z/OSMF configuration includes tasks that use the Common Information Model (CIM) server on the host z/OS system, users of the services require the proper level of access to CIM server resources.

These authorizations are required for using any of the following optional services or core functions:

Capacity Provisioning
Incident Log
Workload Management
The asynchronous job notifications function of z/OSMF, which is described in Configuring your system for asynchronous job notifications.

CIM includes the CFZSEC job to help you create these authorizations. See the topic on CIM server quick setup and verification in z/OS Common Information Model User's Guide. IBM supplies the CFZSEC job in SYS1.SAMPLIB. If your installation does not plan to run the CFZSEC job, ensure that z/OSMF users, and, if you are configuring the Workload Management service, the z/OSMF server user ID, have UPDATE access to the CIMSERV profile in the WBEM class. If necessary, refresh the WBEM class.

For more information about CIM authorization requirements, see Configuring the CIM server for your system.

Table 8 lists the CIM security groups that are required for the optional services.

Table 8. CIM groups that might be required for the optional services
Group	Purpose	Default group ID (GID)	Created by
CFZADMGP	Security group for the CIM administrator role.	9502	Member CFZSEC in SYS1.SAMPLIB.
CFZUSRGP	Security group for the CIM user role. This group grants a user access to all resources that are managed through CIM. Depending on how granular you want to control user access to CIM, your installation might have created more groups to allow access to only a subset of resources that are managed through CIM.	9503	Member CFZSEC in SYS1.SAMPLIB.

With the IZUAUTH job, your security administrator can supply the names of the CIM groups, based on your selection of optional services. These values include the names of the CIM administrators group (by default, CFZADMGP) and the CIM users group (by default, CFZUSRGP). The IZUAUTH job contains commands for connecting users to the groups and thus, depend on the groups to exist.

Resource authorizations for Capacity Provisioning Manager

If your z/OSMF configuration includes the Capacity Provisioning service, users of the service must be defined and authorized for all resources that are accessed by the Provisioning Manager. IBM provides the CPOSEC1 and CPOSEC2 jobs in SYS1.SAMPLIB to help you create these authorizations when you set up a Capacity Provisioning domain. For more information, see the topic on setting up a Capacity Provisioning domain in z/OS MVS Capacity Provisioning User's Guide.

Table 9 lists the default values for the Provisioning Manager. Your installation might have selected different values for these settings.

Table 9. Name information for a Capacity Provisioning domain
Provisioning Manager setting	Default value
Domain name	DOMAIN1
Started task procedure name	CPOSERV
High-level qualifier for runtime data set	CPO
Provisioning Manager user	CPOSRV

With the IZUCPSEC job, your security administrator can supply the names of the security groups that your installation created for authorizing users to the Provisioning Manager on your system. The IZUAUTH job contains commands for connecting users to the groups and thus, depend on the groups to exist.

Table 10 lists the security groups that are required for the Capacity Provisioning service.

Table 10. Security groups required for the Capacity Provisioning service
Group	Purpose	Default group ID (GID)	Created by
CPOCTRL	Security group for users of the Capacity Provisioning task Edit function.	None; your installation must specify a GID for this group.	Member CPOSEC1 in SYS1.SAMPLIB.
CPOQUERY	Security group for users of the Capacity Provisioning task View function.	None; your installation must specify a GID for this group.	Member CPOSEC1 in SYS1.SAMPLIB.

Resource authorizations for common event adapter (CEA)

If your z/OSMF configuration includes tasks that use the common event adapter (CEA) component on the z/OS host system, users of the services require the proper level of access to CEA resources. IBM provides the CEASEC job in SYS1.SAMPLIB to help you create these authorizations.

These authorizations are needed if you plan to use one or more of the following z/OSMF tasks:

Incident Log
ISPF
Sysplex Management

CEA has security profiles in the SERVAUTH class for protecting different portions of its processing. When you run the IZUILSEC job, you permit the z/OSMF groups to the CEA resources.

For more information, see the topic on customizing for CEA in z/OS Planning for Installation.

Resource authorizations for the z/OS compliance REST interface

In z/OS V2R4 and later, the process of collecting compliance data is assisted with the introduction of SMF type 1154. This record type is used to collect system settings and other forms of compliance data. On receiving an event notification facility (ENF) code 86 signal from the z/OS compliance REST interface, selected z/OS components and products collect and write compliance data to their associated SMF 1154 subtype records.

For more information about SMF record type 1154 and its associated mapping macros and subtypes, see z/OS MVS System Management Facilities (SMF).

Table 11. Security setup requirements for the z/OS compliance REST interface
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix>. IzuManagementFacilityRestCompliance.izuUs ers`	IZUADMIN IZUUSER	READ	Allows callers to connect to the z/OS compliance REST interface.
SERVAUTH	`CEA.SIGNAL.ENF86`	IZUSVR started task ID	READ	Allow callers to access the CEA service responsible for the signal event 86 across the sysplex.

Resource authorizations for the z/OS console REST interface

In z/OSMF, users require access to z/OS console services when they use the following functions:

z/OS console REST interface
z/OS Operator Consoles
IBM Cloud Provisioning and Management for z/OS, when using templates that issue operator commands or check for unsolicited command responses.
Storage management services, when activating an SCDS or getting an SCDS activation result.

Users of the z/OS console REST interface require access to an extended MCS (EMCS) console for issuing commands and receiving console messages. Specifically, users require the following authorizations:

READ access to the MVS.MCSOPER.consolename resource in the OPERCMDS class, where consolename is the name of the EMCS console that is used to issue the command.
READ access to the CONSOLE resource in the TSOAUTH class.
READ access to the <SAF_PREFIX>.IzuManagementFacilityRestConsoles.izuUsers resource in the EJBROLE class. Or, READ access to the <SAF_PREFIX>.*.izuUsers profile in the EJBROLE class.

z/OSMF uses TSO/E address space services to create a TSO address space as the host for the EMCS console. Therefore, users of the z/OS console REST interface require the following authorizations:

READ access to the resource account in the ACCTNUM class, where account is the value that is specified in the COMMON_TSO ACCT option in parmlib member IZUPRMxx.
READ access to the resource CEA.CEATSO.TSOREQUEST in the SERVAUTH class.
READ access to the resource proc in the TSOPROC class, where proc is the value that is specified with the COMMON_TSO PROC option in parmlib member IZUPRMxx.

Also, the z/OSMF started task user ID, which is IZUSVR by default, requires READ access to the resource CEA.CEATSO.TSOREQUEST in the SERVAUTH class.

You can control which parameters are used for creating the TSO address space by setting the appropriate parameters in parmlib member IZUPRMxx. For example:

COMMON_TSO ACCT(IZUACCT) REGION(50000) PROC(IZUFPROC)

Ensure that your settings are configured before the z/OS console REST interface is used. Otherwise, the default values (shown here) are used.

The attributes of the EMCS console that is started by z/OSMF are controlled by the OPERPARM settings of the user profile <consolename>. Thus, for example, if a user wants the z/OS Operator Consoles task to create a console named console1, a user profile named console1 must exist and contain an OPERPARM segment with the appropriate settings.

Most IBM Cloud Provisioning and Management for z/OS templates use the defcn Console REST API endpoint, which expects a predefined console name. The convention is to use userid plus "CN", where the value for userid is truncated to the first six characters. For example, if the user ID is IBMUSER, the defcn value is expected to be IBMUSECN.

Typically, z/OSMF uses the following console attributes from the user's OPERPARM segment:

AUTH: Specifies the command authority for the console.
ROUTCODE: Specifies the routing codes for the console, which affects which messages can be received by the console. The default value is NONE, which prevents the console from receiving any messages.
MSCOPE: Specifies the system message scope in the sysplex.

For more information about setting these attributes, see the commented sections in SAMPLIB jobs IZUGCSEC and IZUPRSEC. For information about creating OPERPARM segments for users, see z/OS MVS Planning: Operations.

In addition to the local system (the system on which z/OSMF is installed), users can enter system commands on other systems in the sysplex. To do so, users require READ access to the resource MVS.ROUTE.CMD.<sysname> in the OPERCMDS class.

Users can retrieve messages from OPERLOG or SYSLOG. To do so, users require the following authorizations:

To retrieve messages from OPERLOG, users require READ access to the resource SYSPLEX.OPERLOG in the LOGSTRM class.
To retrieve messages from SYSLOG, users require READ access to the resource node-id.+MASTER+.SYSLOG.*.* in the JESSPOOL class, where node-id is the NJE node ID of the JES2 or JES3 subsystem.

Table 12 summarizes the security requirements for users of the z/OS console REST interface. IBM provides job IZUGCSEC in SYS1.SAMPLIB to assist you with performing these updates. The job contains RACF commands for creating the required security authorizations.

Table 12. Security setup requirements for the z/OS console REST interface
Resource class	Resource name	Who needs access?	Type of access required	Why
N/A	User profile `<consolename>` with the appropriate OPERPARM segment.	N/A	N/A	The attributes of the EMCS console that is started by the z/OS Operator Consoles task are controlled by the OPERPARM setting of user profile `<consolename>`. The setting of OPERPARM can restrict which messages are received by the EMCS console and limit the commands that the EMCS console can issue.
ACCTNUM	IZUACCT	Users of the z/OS console services REST interface.	READ	Allow the user to access the account number for the procedure for the z/OS console services.
EJBROLE	`<SAF-prefix>` .IzuManagementFacilityRestConsoles .izuUsers	Users of: z/OS console services z/OS Operator Consoles task.	READ	Allow the user to use the z/OS console services to issue operator commands.
EJBROLE	`<SAF-prefix>` .IzuManagementFacilityTsoServices .izuUsers	IZUADMIN	READ	Allow the user of the Operator Consoles task to start or reconnect to address spaces on other systems in the sysplex.
JESSPOOL	`node-id`.+MASTER+ .SYSLOG..	Users of the z/OS Operator Consoles task.	READ	Allows the user to retrieve messages from SYSLOG by using the z/OS Operator Consoles task. `node-id` is the NJE node ID of the JES2 or JES3 subsystem.
LOGSTRM	SYSPLEX.OPERLOG	Users of the z/OS Operator Consoles task.	READ	Allows the user to retrieve messages from OPERLOG by using the z/OS Operator Consoles task.
OPERCMDS	MVS.MCSOPER.`consolename`	Users of the z/OS console services REST interface.	READ	Allow the user to operate the specified extended MCS console.
OPERCMDS	MVS.ROUTE.CMD.`<sysname>`	Users of the z/OS Operator Consoles task.	READ	Allows the user to use the ROUTE command to route commands to another system in sysplex, which is indicated by `sysname`. Otherwise, the user is limited to entering commands on the local system (the system on which z/OSMF is installed).
SERVAUTH	CEA.CEATSO.TSOREQUEST	Users of the z/OS console services REST interface.	READ	Allow the user to access the CEA TSO/E address space services. This setting allows HTTP client applications on your z/OS system to start and manage TSO/E address spaces.
SERVAUTH	CEA.CEATSO.TSOREQUEST	IZUSVR	READ	Allows the z/OSMF server to access the CEA TSO/E address space services. This setting allows the z/OSMF server to start and manage TSO/E address space services.
TSOAUTH	CONSOLE	Users of the z/OS console services REST interface.	READ	Allow the user to issue the TSO/E CONSOLE command to activate the extended MCS console.
TSOPROC	IZUFPROC	IZUADMIN IZUUSER	READ	Allow the user to access the procedure for the z/OS console services.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.CONSOLES. ZOSOPER	Users of the z/OS Operator Consoles task.	READ	Allows the user to view and access the z/OS Operator Consoles task in the z/OSMF desktop interface.

Resource authorizations for the z/OS data set and file REST interface

The z/OS data set and file REST interface requires access to local resources on your z/OS system. Table 13 describes the security requirements for the z/OS data set and file REST interface.

For more information about the z/OS data set and file REST interface services, see IBM z/OS Management Facility Programming Guide.

Table 13. Security setup requirements for the z/OS data set and file REST interface
Resource class	Resource name	Who needs access?	Type of access required	Why
ACCTNUM	IZUACCT	IZUADMIN IZUUSER	READ	Allows callers to access the account number that is used for the procedure for the z/OS data set and file REST interface services.
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityRestFiles.izuUsers	IZUADMIN IZUUSER	READ	Allows callers to connect to the z/OS data set and file REST interface.
SERVAUTH	CEA.CEATSO.TSOREQUEST	IZUADMIN IZUUSER	READ	Allows callers to access the CEA TSO/E address space services. This setting allows HTTP client applications on your z/OS system to start and manage TSO/E address spaces.
SERVAUTH	CEA.CEATSO.TSOREQUEST	IZUSVR	READ	Allows the z/OSMF server to access the CEA TSO/E address space services. This setting allows the z/OSMF server to start and manage TSO/E address space services.
TSOPROC	IZUFPROC	IZUADMIN IZUUSER	READ	Allows callers to access the procedure for the z/OS data set and file REST interface services.

Resource authorizations for the z/OS jobs REST interface

The z/OS jobs REST interface requires access to local resources on your z/OS system. Table 14 describes the security requirements for the z/OS jobs REST interface. These authorizations allow the CIM server to interact with the common event adapter (CEA) component. CIM includes the CFZSEC job to help you create these authorizations.

Table 14. Security setup requirements for the z/OS jobs REST interface
Resource class	Resource name	Who needs access?	Type of access required	Why
SERVAUTH	CEA.CONNECT	CFZSRV	READ	If your installation uses the z/OS jobs REST interface, this setting is needed for interactions with the common event adapter (CEA) component.
SERVAUTH	CEA.SUBSCRIBE.*	CFZSRV	READ	If your installation uses the z/OS jobs REST interface, this setting allows HTTP client applications on your z/OS system to receive asynchronous job notifications.
SERVAUTH	CEA.SUBSCRIBE.ENF_0078*	CFZSRV	READ	If your installation uses the z/OS jobs REST interface, this setting allows HTTP client applications on your z/OS system to receive asynchronous job notifications.

For programs that use the z/OS jobs REST interface services to perform job modify operations, the caller’s user ID must be authorized to the appropriate resources in the JESJOBS class, as shown in Table 15.

Table 15. JESJOBS class authorizations needed for performing job modify operations
Operation	JESJOBS resource	Access required
Hold a job	HOLD.nodename.userid.jobname	UPDATE
Release a job	RELEASE.nodename.userid.jobname	UPDATE
Change the job class	MODIFY.nodename.userid.jobname	UPDATE
Cancel a job	CANCEL.nodename.userid.jobname	ALTER
Delete a job (cancel a job and purge its output)	CANCEL.nodename.userid.jobname	ALTER

For more information about the z/OS jobs REST interface services, see IBM z/OS Management Facility Programming Guide.

If run asynchronously, the z/OS jobs REST interface services also require that the caller’s user ID is authorized to the CIM server and permitted to the JES2-JES3Jobs CIM provider. CIM includes jobs (CFZSEC and CFZRCUST) to help you configure the CIM server, including security authorizations and file system customization. For more information, see the topic on CIM server quick setup and verification in z/OS Common Information Model User's Guide. IBM supplies the CFZSEC job in SYS1.SAMPLIB.

Resource authorizations for the Capacity Provisioning service

The Capacity Provisioning service requires access to local resources on your z/OS system. Table 16 describes the security requirements for the Capacity Provisioning service. The IZUCPSEC job includes sample RACF commands for creating these authorizations.

Table 16. Security setup requirements for the Capacity Provisioning service
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityCapacityProvisioning.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the Capacity Provisioning task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_ PROVISIONING.EDIT	IZUADMIN	READ	Allow the user to display and access the Capacity Provisioning task Edit function.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_ PROVISIONING.EDIT.DOMAIN	IZUADMIN	READ	Allow the user to use the Capacity Provisioning task Edit function to edit a Capacity Provisioning domain.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_ PROVISIONING.EDIT.POLICY	IZUADMIN	READ	Allow the user to use the Capacity Provisioning task Edit function to edit a Capacity Provisioning policy.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_ PROVISIONING.VIEW	IZUADMIN IZUUSER	READ	Allow the user to access the Capacity Provisioning task View function.

More authorizations are required as follows:

The Capacity Provisioning service requires the CIM server; thus, you must also create the authorizations that are described in Resource authorizations for Common Information Model.
Users of the Capacity Provisioning service must be authorized for resources that are accessed by the Provisioning Manager. IBM provides the CPOSEC1 and CPOSEC2 jobs in SYS1.SAMPLIB to help you create these authorizations. For more information, see the topic on setting up a Capacity Provisioning domain in z/OS MVS Capacity Provisioning User's Guide.

Resource authorizations for the Network Configuration Assistant service

The Network Configuration Assistant service requires access to local resources on your z/OS system. Table 17 describes the security requirements for theNetwork Configuration Assistant service. The IZUCASEC job includes sample RACF commands for creating these authorizations.

Table 17. Security setup requirements for the Network Configuration Assistant service
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix>`.IzuConfigurationAssistant.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the Network Configuration Assistant task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.CONFIGURATION_ ASSISTANT.CONFIGURATION_ASSISTANT	IZUADMIN IZUUSER	READ	Allow the user to access the Network Configuration Assistant task.

Resource authorizations for the Incident Log service

The Incident Log service requires access to local resources on your z/OS system. Table 18 describes the security requirements for the Incident Log service. The IZUILSEC job includes sample RACF commands for creating these authorizations.

Table 18. Security setup requirements for the Incident Log service
Resource class	Resource name	Who needs access?	Type of access required	Why
ALIAS	CEA	N/A	N/A	If your installation has a user catalog set-up instead of using the master catalog, you might need to define CEA alias to the user catalog.
DATASET	CEA.*	IZUADMIN IZUUSER	ALTER	Allow the user to create data sets with the CEA high-level qualifier (HLQ).
DATASET	`your_master_catalog`	IZUADMIN IZUUSER	UPDATE	If your installation has master catalog setup, you might need to permit a user to the master catalog data set class.
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityIncidentLog.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the Incident Log task.
JESSPOOL	`node-id`.+MASTER+.SYSLOG..	CEA	READ	If your installation is using the system log (SYSLOG) as the source for diagnostic log snapshots, the CEA user ID requires READ access to the JESSPOOL class. This authorization allows the JES subsystem to access SYSLOG on behalf of the common event adapter (CEA) component. `node-id` is the NJE node ID of the JES2 or JES3 subsystem.
SERVAUTH	CEA.CEADOCONSOLECMD	IZUADMIN IZUUSER	READ	Allow the calling program to issue operator commands to accomplish its function.
SERVAUTH	CEA.CEADOCMD	IZUADMIN IZUUSER	READ	Allow the user to cancel the FTP job.
SERVAUTH	CEA.CEAGETPS	IZUADMIN IZUUSER	READ	Allow the user to obtain information about the FTP job.
SERVAUTH	CEA.CEAPDWB.CEACHECKSTATUS	IZUADMIN IZUUSER	READ	Allow the user to check status and return incident information.
SERVAUTH	CEA.CEAPDWB.CEADELETEINCIDENT	IZUADMIN IZUUSER	READ	Allow the user to delete selected incidents, including the dumps, all diagnostic snapshot files, and the corresponding sysplex dump directory entry.
SERVAUTH	CEA.CEAPDWB.CEAGETINCIDENT	IZUADMIN IZUUSER	READ	Allow the user to obtain data that is associated with a specific incident.
SERVAUTH	CEA.CEAPDWB.CEAGETINCIDENTCOLLECTION	IZUADMIN IZUUSER	READ	Allow the user to obtain collection of incident data for all incidents that match a filter.
SERVAUTH	CEA.CEAPDWB.CEAPREPAREINCIDENT	IZUADMIN IZUUSER	READ	Allow the user to prepare data for FTP (locate and compress/terse).
SERVAUTH	CEA.CEAPDWB.CEASETINCIDENTINFO	IZUADMIN IZUUSER	READ	Allow the user to set information that is associated with the incident, such as the Notes field.
SERVAUTH	CEA.CEAPDWB.CEASETPROBLEMTRACKINGNUMBER	IZUADMIN IZUUSER	READ	Allow the user to set a problem ID, such as a PMR number, or problem management tracking ID.
SERVAUTH	CEA.CEAPDWB.CEAUNSUPPRESSDUMP	IZUADMIN IZUUSER	READ	Allow user to allow a dump that is marked for suppression through DAE to be taken.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.INCIDENT_LOG.INCIDENT_LOG	IZUADMIN IZUUSER	READ	Allow the user to access the Incident Log task.

Additional authorizations are required as follows:

The Incident Log service requires the CIM server; thus, you must also create the authorizations that are described in Resource authorizations for Common Information Model.
Users of the Incident Log service must be authorized for resources that are accessed by the common event adapter (CEA) component of z/OS. IBM provides the CEASEC job in SYS1.SAMPLIB to help you create these authorizations. For more information, see Resource authorizations for common event adapter (CEA).

Resource authorizations for the ISPF service

The ISPF service requires access to local resources on your z/OS system. Table 19 describes the security requirements for the ISPF service. The IZUISSEC job includes sample RACF commands for creating these authorizations.

Note that users of this service must also be authorized for resources that are accessed by the common event adapter (CEA) component of z/OS. IBM provides the CEASEC job in SYS1.SAMPLIB to help you create these authorizations. See Resource authorizations for common event adapter (CEA).

Table 19. Security setup requirements for the ISPF service
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityISPF.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the ISPF task.
SERVAUTH	CEA.CEATSO.TSOREQUEST	IZUADMIN IZUUSER	READ	Allow the user to access the CEATSOREQUEST API so that the user’s session can be managed through the ISPF task.
SERVAUTH	CEA.CEATSO.TSOREQUEST	IZUSVR	READ	Allow the z/OSMF server to access the CEATSOREQUEST API.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.ISPF.ISPF	IZUADMIN IZUUSER	READ	Allow the user to access the ISPF task.

Resource authorizations for the Resource Monitoring service

The Resource Monitoring service requires access to local resources on your z/OS system. Table 20 describes the security requirements for the Resource Monitoring service. The IZURMSEC job includes sample RACF commands for creating these authorizations.

Table 20. Security setup requirements for the Resource Monitoring service
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityResourceMonitoring.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the Resource Monitoring and System Status tasks.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.RESOURCE_MONITORING.PERFDESKS	IZUADMIN IZUUSER	READ	Allow the user to access the Resource Monitoring task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.RESOURCE_MONITORING.OVERVIEW	IZUADMIN IZUUSER	READ	Allow the user to access the System Status task.

Resource authorizations for the Software Deployment service

The Software Deployment service requires access to local resources on your z/OS system. Table 21 describes the security requirements for the service. The IZUDMSEC job includes sample RACF commands for creating these authorizations.

Table 21. Security setup requirements for the Software Deployment service
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix>`.IzuManagementFacilitySoftwareDeployment.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the Software Management task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_ MANAGEMENT	IZUADMIN IZUUSER	READ	Allow the user to access the Software Management task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SOFTWARE_ DEPLOYMENT.DATA.`objectType`.`objectSuffix` For more information about the possible values for `objectType` and `objectSuffix`, see Creating access controls for the Software Management task.	IZUADMIN IZUUSER	CONTROL	Allow the user to access the Software Management task objects.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_ MANAGEMENT.PRODUCT _INFO_FILE.RETRIEVE	IZUADMIN	READ	Allow the user to access the Software Management task Product Information File Retrieve function.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_ MANAGEMENT.CATEGORIES.MODIFY	IZUADMIN	READ	Allow the user to add, copy, modify, or remove Software Management categories.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_ MANAGEMENT.SWUPDATE	IZUADMIN IZUUSER	READ	Allow the user to access the Software Update task.
UNIXPRIV	SUPERUSER.FILESYS.MOUNT	IZUADMIN IZUUSER	UPDATE	Allow the user to create workflow instances from workflow definition files that reside in UNIX file systems that are not currently mounted.
UNIXPRIV	SUPERUSER.FILESYS.USERMOUNT	IZUADMIN, IZUUSER	READ	Allow the user to mount a temporary work space UNIX file system data set created and used by the Deployment Unzip job and the Export job. Note: You can read about the SUPERUSER.FILESYS.USERMOUNT (and SUPERUSER.FILESYS.MOUNT) resource here: https://www.ibm.com/docs/en/zos/2.4.0?topic=security-using-unixpriv-class-profiles
FACILITY	STGADMIN.ADR.COPY.INCAT STGADMIN.ADR.DUMP.INCAT	IZUADMIN IZUUSER	READ	Allow the user access to the COPY and DUMP commands for program ADRDSSU. The COPY and DUMP commands are used by Deployment and Export JCL that is generated by Software Management. Note: INCAT is used only when source data sets are not cataloged in the current active catalog environment. This is an unlikely scenario. See Table Note 1.

If a resource profile is defined, then READ access is required. If a resource profile is not defined, then all users have access to that resource. More specifically:
- If a profile for a resource is not defined, then the user can use the resource.
- If a profile for a resource is defined and the user has at least READ access, then the user can use the resource.
- If a profile for a resource is defined and the user does not have at least READ access, then the user cannot use the resource.

Resource authorizations for the Sysplex Management service

The Sysplex Management service requires access to local resources on your z/OS system.

Table 22 describes the security requirements for the Sysplex Management service. The IZUSPSEC job includes sample RACF commands for creating these authorizations.

Table 22. Security setup requirements for the Sysplex Management service
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix>`.IzuManagementFacilitySysplexManagement.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the Sysplex Management task.
FACILITY	MVSADMIN.XCF.CFRM	IZUADMIN	READ or UPDATE	Allow the user to use the CFRM Policy Editor to edit CFRM policies. Assign UPDATE access authority to users who must alter or maintain the policy. Assign READ access authority to users who can view the policy, but not change it.
SERVAUTH	CEA.XCF.CDS	IZUADMIN IZUUSER	READ	Allow the user to access the couple data set for the Sysplex Management task.
SERVAUTH	CEA.XCF.CF	IZUADMIN IZUUSER	READ	Allow the user to access the coupling facility for the Sysplex Management task.
SERVAUTH	CEA.XCF.FLOW.`<sysname>`	IZUADMIN IZUUSER	READ	Allow the user to access the sysplex resources on remote systems for the Sysplex Management task. Replace `<sysname>` with the 8 character name of the system in the sysplex.
SERVAUTH	CEA.XCF.STRUCTURE	IZUADMIN IZUUSER	READ	Allow the user to access the coupling facility structures for the Sysplex Management task.
SERVAUTH	CEA.XCF.SYSPLEX	IZUADMIN IZUUSER	READ	Allow the user to access the sysplex general information and systems for the Sysplex Management task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SYSPLEX	IZUADMIN IZUUSER	READ	Allow the user to access the Sysplex Management task.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SYSPLEX.LOG	IZUADMIN or a particular z/OS user ID.	READ	Allow the user to use the Sysplex Management task to clean up the command log table and specify clean-up settings.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.SYSPLEX.MODIFY	IZUADMIN	READ	Allow the user to use the Sysplex Management task to modify sysplex resources. This authorization also allows the user to use the CFRM Policy Editor to update Sysplex CFRM administrative policy information.

Resource authorizations for the Workload Management service

The Workload Management service requires access to local resources on your z/OS system. Table 23 describes the security requirements for the service. The IZUWMSEC job includes sample RACF commands for creating these authorizations.

This service requires the CIM server; thus, you must also create the authorizations that are described in Resource authorizations for Common Information Model.

Table 23. Security setup requirements for the Workload Management service
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix>`.IzuManagementFacilityWorkloadManagement.izuUsers	IZUADMIN IZUUSER	READ	Allow the user to connect to the Workload Management task.
FACILITY	MVSADMIN.WLM.POLICY	IZUSVR	READ	Allow the z/OSMF server to access the WLM policies.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_ MANAGEMENT.ENWRP	IZUADMIN WLM resource pool administration group	READ	For z/OS Cloud Provisioning, allow the user to access the WLM Resource Pooling (WRP) functions of z/OSMF. Using a WRP definition, the user can associate cloud information (tenant name, domain ID, template type, service levels supported) with WLM elements (report classes and classification rules).
ZMFAPLA	`<SAF-prefix>`.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_ MANAGEMENT.VIEW	IZUADMIN IZUUSER	READ	Allow the user to access the Workload Management View function.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_ MANAGEMENT.MODIFY	IZUADMIN	READ	Allow the user to access the Workload Management Modify function.
ZMFAPLA	`<SAF-prefix>`.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_ MANAGEMENT.INSTALL	IZUADMIN	READ	Allow the user to access the Workload Management Install function.

Resource authorizations for the IBM zERT Network Analyzer service

The IBM zERT Network Analyzer service provides access to sensitive network security information. Only users authorized to manage this data should be allowed to access the IBM zERT Network Analyzer service. The IZUNASEC job includes sample RACF commands to create the group IZUZNA. The IZUZNA group should be used to control access to the IBM zERT Network Analyzer service.

Your security team might determine that existing group names would be preferred. If so, you can use your existing group names in place of the supplied z/OSMF default group names. For example, you might already have a group that is aligned with network security administrators; if so, you could use that group instead of the default group enabling access to the IBM zERT Network Analyzer service, IZUZNA.

The IBM zERT Network Analyzer service requires access to local resources on your z/OS system. Table 24 describes the security requirements for the IBM zERT Network Analyzer service. The IZUNASEC job includes sample RACF commands for creating these authorizations.

Table 24. Security setup requirements for the IBM zERT Network Analyzer service
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix>`.IzuZertNetworkAnalyzer.izuUsers	IZUZNA	READ	Allow the user to connect to the IBM zERT Network Analyzer task.
EJBROLE	`<SAF-prefix>` .com.ibm.ws.management.security.resource. Administrator	IZUSVR	READ	Allow the IBM zERT Network Analyzer to run the required WebSphere Liberty administrative actions.
ZMFAPLA	`<SAF-prefix>`.ZOSMF	IZUZNA	READ	Designates the user as a z/OSMF user
ZMFAPLA	`<SAF-prefix>`.ZOSMF.ZERT_NETWORK_ANALYZER	IZUZNA	READ	Allow a user to access the IBM zERT Network Analyzer task.

Resource authorizations for the z/OS Management Services Catalog service

The security configuration requirements for z/OS Management Services Catalog are described in the sections that follow. These sections describe the resources that must be defined, and the groups that must be permitted to the resources. Typically, these permissions are created by your security administrator.

z/OS Management Services Catalog uses a software defined role-based authorization model. A user ID's role determines what the user ID can do in the product.

Table 25. z/OS Management Services Catalog User Roles
Role	Recommended group	Capabilities
User	IZUUSER	Users have access to the Catalog, Activity, and History pages. Users can submit services from the Catalog, manage queued and active service submissions in Activity, and access completed and terminated service submissions in History. Users can see service submissions from other users and administrators. A service submission that has been started but is not yet submitted is saved in My drafts and cannot be seen by other users or administrators. Users can control their notification preferences using Settings.
Administrator	IZUADMIN	Administrators have additional authority that grants them access to the Administration page and the plug-in Global settings page. Administrators can manage existing services, create new services, and request approval to publish new services to the Catalog. Administrators can manage the plug-in's Global settings and take actions on service submissions that are created by other users.
Publishing approver	IZUMSPAP	The publishing approver role authorizes a user ID to be assigned as an approver of services that are requested to be published in the Catalog. User IDs given this role must be that of a real user that can review and approve requests to publish services so that they are available on the Catalog page. Approvers are assigned by an administrator in the Publishing approvals table of Global Settings. Approvers have access to the Administration page and all services for which they are an approver.
RunAsUser step approver	IZUMSRAP	A user ID must have this role if a service's underlying workflow definition file requires the user ID to approve the use of a runAsUser step. User IDs given this role must be that of a real user that can review and approve the use of the runAsUser step. Do not use functional or application IDs as approvers. A runAsUser step is a step in the workflow that is performed by a specific user ID that might not be the user that runs the workflow. The user ID that the step is performed as is not necessarily the same as the user ID that approves the step. Every runAsUser step has an assigned user ID to approve it. This user ID's approval is required to publish the service in the Catalog. RunAsUser step approvers have access to the Administration page and all services for which they are an approver.
RunAsUser user ID	IZUMSRAU	This role is required for any user ID assigned as the runAsUser for a runAsUser step in a workflow definition. Authorization to this role is checked when you create a new service from a workflow definition that contains runAsUser steps. It is also checked when the Workflows task runs a runAsUser step for workflow instances that are created by service submissions. This role does not grant any access to z/OS Management Services Catalog.

Note: At least one publish approver is required when publish approval is enabled in Global settings.

Table 26. Resource Authorization requirements for the z/OS Management Services Catalog service
Resource class	Resource name	Who needs access?	Type of access required	Why
EJBROLE	`<SAF-prefix> .IzuManagementFacilityManagementServicesCatalog.izuUsers`	z/OSMF users (IZUUSER) z/OSMF administrators (IZUADMIN)	READ	Allow the user to open the Management Services Catalog desktop app.
ZMFAPLA	`<SAF-prefix> .ZOSMF.MGMT_SERVICES.MGMT_SERVICES`	z/OSMF users (IZUUSER) z/OSMF administrators (IZUADMIN)	READ	Allow the user to open the Management Services Catalog desktop app.
ZMFAPLA	`<SAF-prefix>.ZOSMF.MGMT_SERVICES.ADMIN`	z/OSMF administrators (IZUADMIN)	READ	Grants the administrator role to the user.
ZMFAPLA	`<SAF-prefix>.ZOSMF.MGMT_SERVICES.USER`	z/OSMF users (IZUUSER)	READ	Grants the user role to the user.
ZMFAPLA	`<SAF-prefix>.ZOSMF.MGMT_SERVICES.PUBLISH.APPROVER`	IZUMSPAP	READ	Grants the publishing approver role to the user.
ZMFAPLA	`<SAF-prefix>.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER`	IZUMSRAP	READ	Grants the runAsUser step approver role to the user.
ZMFAPLA	`<SAF-prefix>.IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER`	IZUMSRAU	READ	Grants authority to the user ID to be used as the runAsUser user ID in any workflow instance created by a service.

Resource authorizations for the Storage Management service

The Storage Management services require update access to the Source Control Data Set (SCDS) on your z/OS system to perform SCDS modification, validation and activation.

Table 27. Resource Authorization requirements for the Storage Management Services service
Resource class	Resource name	Who needs access?	Type of access required	Why
ZMFAPLA	`<SAF-prefix>.ZOSMF.STORAGE.SG.VOLUME`	z/OSMF administrators (IZUADMIN)	UPDATE	Allow the user to add volumes to storage group.
ZMFAPLA	`<SAF-prefix>. ZOSMF.STORAGE.SCDS`	z/OSMF administrators (IZUADMIN)	UPDATE	Allow the user to validate or activate the SCDS specified.
OPERCMDS	`MVS.SETSMS.SMS`	z/OSMF administrators (IZUADMIN)	UPDATE	Allow the user to activate the SCDS by using the `SETSMS SCDS("scds-name")` command.