Security structures for z/OSMF

Using z/OSMF requires sufficient authority in z/OS®. Specifically, on the z/OS system to be managed, the resources that are accessed on behalf of users (data sets, operator commands, and so on) are secured through the external security manager at your installation, such as RACF®. Your installation's security administrator must create the authorizations in your external security manager. To assist your security administrator, z/OSMF provides sample jobs in SYS1.SAMPLIB and the information in this document. Your security administrator can use the sample jobs to create the groups, user IDs, and resource profiles for your z/OSMF configuration. In turn, these z/OSMF constructs require permissions to a number of existing groups, user IDs, and resources on your system.

This appendix describes the security configuration requirements for z/OSMF. Included are the resource authorizations that are created when your installation runs one or more of the following sample security jobs:
  • IZUNUSEC, to help you set up basic security for a z/OSMF nucleus configuration.
  • Individual IZUxxSEC jobs for the core services.
  • IZUSEC job that consolidates the security setup for both the z/OSMF nucleus and the core services.
  • Individual IZUxxSEC jobs for the optional services.

Also listed are the resource authorizations that your installation must define outside of the configuration process.

The security configuration requirements for z/OSMF are described in the sections that follow. Creating these permissions requires the assistance of your security administrator.

Class activations that z/OSMF requires

For a RACF installation, the security classes that are shown in Table 1 must be active when you configure z/OSMF. Commands for activating the classes (with generic profile checking activated) are included in commented sections in the IZUxxSEC jobs. To allow the commands to be issued when the jobs run, uncomment the sections. Or, ask your security administrator to enter the commands directly, as shown in Table 1.
Table 1. Class activations that z/OSMF requires
Class Purpose RACF commands for activating
ACCTNUM Controls access to the account number used for the procedure for the z/OSMF REST interfaces.
SETROPTS CLASSACT(ACCTNUM)
APPL Controls access to the z/OSMF application domain. This access is required by:
  • Security group for z/OSMF administrators (IZUADMIN, by default)
  • Security group for z/OSMF unauthenticated guest users (IZUGUEST, by default)
  • Security group for the z/OSMF users (IZUUSER, by default)
  • Security group for the z/OS security administrator (IZUSECAD, by default).

If there is no matching profile in the APPL class, RACF allows the user to access the application.

SETROPTS CLASSACT(APPL)
SETROPTS RACLIST(APPL) GENERIC(APPL)
EJBROLE Controls the user’s ability to connect to the z/OSMF core functions and tasks. z/OSMF defines a resource name for each core function and task.
SETROPTS CLASSACT(EJBROLE)
SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)
FACILITY Controls the user’s access to profiles when the user performs an action. This access is required by the z/OSMF started task user ID (IZUSVR, by default). Examples include the profiles that are used to control privileges in the z/OS UNIX environment.
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)
JESSPOOL Allows the user to retrieve messages from the system log (SYSLOG).
SETROPTS CLASSACT(JESSPOOL)
SETROPTS RACLIST(JESSPOOL)
LOGSTRM Allows the user to retrieve messages from the operations log (OPERLOG).
SETROPTS CLASSACT(LOGSTRM)
SETROPTS RACLIST(LOGSTRM)
OPERCMDS Allows the user to create an EMCS console by using the z/OS Operator Consoles task.
SETROPTS CLASSACT(OPERCMDS)
SETROPTS RACLIST(OPERCMDS)
SERVAUTH Controls the user’s ability to use CEA TSO/E address space services. In z/OSMF, this access is required by:
  • z/OSMF started task user ID (IZUSVR, by default)
  • Callers of the z/OS data set and file REST interface services
  • Users of the ISPF task.
SETROPTS CLASSACT(SERVAUTH)
SETROPTS RACLIST(SERVAUTH) GENERIC(SERVAUTH)
SERVER Allows the z/OSMF started task user ID to request services from z/OS system components, such as the System Authorization Facility (SAF), workload management (WLM), and SVCDUMP services.
SETROPTS CLASSACT(SERVER)
SETROPTS RACLIST(SERVER) GENERIC(SERVER)
STARTED Assigns an identity to the z/OSMF started task during the processing of an MVS™ START command. By default, the started task runs under the IZUSVR user ID.
SETROPTS CLASSACT(STARTED)
SETROPTS RACLIST(STARTED) GENERIC(STARTED)
TSOAUTH Allows the user to create an EMCS console by using the z/OS Operator Consoles task.
SETROPTS CLASSACT(TSOAUTH)
SETROPTS RACLIST(TSOAUTH)
TSOPROC Controls access to the procedure for the z/OSMF REST interfaces.
SETROPTS CLASSACT(TSOPROC)
ZMFAPLA Controls the user’s ability to use the z/OSMF core functions and tasks. z/OSMF defines a resource name for each core function and task.
  • Profile names in this class are case-sensitive.
  • The ZMFAPLA class requires the RACLIST option.
SETROPTS CLASSACT(ZMFAPLA)
SETROPTS RACLIST(ZMFAPLA) GENERIC(ZMFAPLA)
ZMFCLOUD Allows the user to use the z/OSMF core functions and tasks that are related to IBM® Cloud Provisioning. z/OSMF defines a resource name for each core function and task for IBM Cloud Provisioning. For more information, see Configure the Cloud Provisioning services.
  • The ZMFCLOUD class requires the RACLIST option.
SETROPTS CLASSACT(ZMFCLOUD) GENERIC(ZMFCLOUD) RACLIST(ZMFCLOUD)

If your installation uses an external security manager other than RACF, ask your security administrator to create equivalent commands for your environment.

SAF profile prefix for z/OSMF resources

During the configuration process, your security administrator runs the IZUxxSEC jobs to secure z/OSMF resources. In these jobs, your installation specifies a System Authorization Facility (SAF) profile prefix to be used for naming z/OSMF resources. The SAF prefix is prepended to the names of z/OSMF resource profiles, and is used in some of the RACF commands that are contained in the IZUxxSEC jobs.

In the examples in this document, the SAF prefix is shown as <SAF-prefix>. By default, the SAF prefix is IZUDFLT. If your installation selects to use a different value, substitute the value in the examples.
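The following script is an added example; it is not part of the z/OSMF documentation or of the IZUxxSEC jobs. It shows how the <SAF-prefix> placeholder is substituted and how the class activations of Table 1 and a constructed subset of the core-function authorizations (default group names, READ access) translate into RDEFINE, PERMIT and SETROPTS commands. The RACF command syntax is standard; the ordering and wording of the real IZUSEC job may differ.

```python
"""Added example (not from the z/OSMF documentation or the IZUxxSEC jobs):
build the RACF commands for a constructed subset of the z/OSMF
authorizations, substituting the installation's SAF prefix for the
<SAF-prefix> placeholder used in the tables."""

from dataclasses import dataclass

PLACEHOLDER = "<SAF-prefix>"
DEFAULT_PREFIX = "IZUDFLT"  # the documented default SAF prefix


@dataclass(frozen=True)
class Authorization:
    resource_class: str
    profile: str          # may contain the <SAF-prefix> placeholder
    groups: tuple         # who needs access (default z/OSMF group names)
    access: str           # READ, UPDATE, CONTROL or ALTER


# Constructed subset of Table 1: class -> SETROPTS options beyond CLASSACT.
CLASS_OPTIONS = {
    "APPL": ("RACLIST", "GENERIC"),
    "EJBROLE": ("RACLIST", "GENERIC"),
    "ZMFAPLA": ("RACLIST", "GENERIC"),
    "ACCTNUM": (),
    "TSOPROC": (),
}

# Constructed subset of the core-function authorizations (default groups).
REQUIRED = (
    Authorization("APPL", "<SAF-prefix>",
                  ("IZUADMIN", "IZUGUEST", "IZUUSER", "IZUSECAD"), "READ"),
    Authorization("ZMFAPLA", "<SAF-prefix>.ZOSMF",
                  ("IZUADMIN", "IZUGUEST", "IZUUSER", "IZUSECAD"), "READ"),
    Authorization("EJBROLE", "<SAF-prefix>.IzuManagementFacility.izuUsers",
                  ("IZUADMIN", "IZUUSER"), "READ"),
    Authorization("ACCTNUM", "IZUACCT", ("IZUADMIN", "IZUUSER"), "READ"),
    Authorization("TSOPROC", "IZUFPROC", ("IZUADMIN", "IZUUSER"), "READ"),
)


def substitute_prefix(profile: str, prefix: str) -> str:
    """Replace the <SAF-prefix> placeholder. A blank prefix or one that
    contains a space would corrupt the generated command, so reject it."""
    if not prefix or " " in prefix:
        raise ValueError("SAF prefix must be a single non-blank token")
    return profile.replace(PLACEHOLDER, prefix)


def activation_commands() -> list:
    """SETROPTS commands that activate the classes, as in Table 1."""
    lines = []
    for cls, opts in CLASS_OPTIONS.items():
        lines.append(f"SETROPTS CLASSACT({cls})")
        if opts:
            # e.g. SETROPTS RACLIST(APPL) GENERIC(APPL)
            lines.append("SETROPTS " + " ".join(f"{o}({cls})" for o in opts))
    return lines


def definition_commands(prefix: str = DEFAULT_PREFIX) -> list:
    """RDEFINE each profile with UACC(NONE), PERMIT the groups that need
    it, then refresh every RACLISTed class so the permits take effect."""
    lines = []
    for auth in REQUIRED:
        name = substitute_prefix(auth.profile, prefix)
        lines.append(f"RDEFINE {auth.resource_class} {name} UACC(NONE)")
        ids = " ".join(auth.groups)
        lines.append(f"PERMIT {name} CLASS({auth.resource_class}) "
                     f"ID({ids}) ACCESS({auth.access})")
    for cls, opts in CLASS_OPTIONS.items():
        if "RACLIST" in opts:
            lines.append(f"SETROPTS RACLIST({cls}) REFRESH")
    return lines


if __name__ == "__main__":
    for line in activation_commands() + definition_commands("IZUDFLT"):
        print(line)
```

Run the script with a different prefix in `definition_commands()` to see every <SAF-prefix> profile renamed consistently; the RACLIST REFRESH commands at the end are the step most often forgotten when permits are added by hand, because a RACLISTed class serves the in-storage copy of the profiles until it is refreshed.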

User IDs that z/OSMF creates during configuration

The IZUSEC job creates the user IDs that are described in Table 2.
Table 2. User IDs that z/OSMF creates during the configuration process
User ID Purpose Default UID Created by
IZUGUEST User ID for performing unauthenticated work, such as guest user access to the Welcome page. 9011 IZUSEC job
IZUSVR User ID for the z/OSMF started tasks, which are named IZUANG1 and IZUSVR1, by default. 9010 IZUSEC job
Table 2 shows the IBM default values. Your security administrator can specify different user IDs in place of the default user IDs in the IZUSEC job.

Security groups that z/OSMF creates during configuration

The IZUSEC job creates a base set of security groups for your z/OSMF configuration. These groups are necessary for giving users the proper level of access to z/OSMF and z/OS system resources.

Your security team might prefer to use existing group names. If so, you can use your existing group names in place of the supplied z/OSMF default group names. For example, you might already have a group that is aligned with administrators; if so, you can use that group instead of the z/OSMF default group for administrators, IZUADMIN.

Table 3 lists the groups that the IZUSEC job creates. The group names can change, based on the values you provide during the configuration process. Table 3 shows the IBM default values.
Table 3. Security groups that z/OSMF creates during the configuration process
Group Purpose Created by
IZUADMIN Security group for the z/OSMF administrator role. Any user IDs connected to this group are considered to be z/OSMF administrators. IZUSEC job
IZUUSER Security group for the z/OSMF user role. IZUSEC job
IZUSECAD Security group for the z/OS security administrator role in z/OSMF. IZUSEC job
IZUUNGRP Security group for the z/OSMF unauthenticated user ID. IZUSEC job

Resource authorizations for the Security Configuration Assistant service

Table 4 describes the access requirements for the Security Configuration Assistant service. The IZUSASEC job includes sample RACF commands for creating these authorizations on your system. These values can vary, based on the values you use at your installation. Table 4 shows the IBM default values.
Table 4. Security setup requirements for the Security Configuration Assistant service
Resource class Resource name Who needs access? Type of access required Why
SERVER BBG.SECCLASS.ACCTNUM IZUSVR READ Grant the server permission to perform authorization checks against the ACCTNUM profile in the SERVER class.
SERVER BBG.SECCLASS.APPL IZUSVR READ Grant the server permission to perform authorization checks against the APPL profile in the SERVER class.
SERVER BBG.SECCLASS.CSFSERV IZUSVR READ Grant the server permission to perform authorization checks against the CSFSERV profile in the SERVER class.
SERVER BBG.SECCLASS.EJBROLE IZUSVR READ Grant the server permission to perform authorization checks against the EJBROLE profile in the SERVER class.
SERVER BBG.SECCLASS.FACILITY IZUSVR READ Grant the server permission to perform authorization checks against the FACILITY profile in the SERVER class.
SERVER BBG.SECCLASS.JESSPOOL IZUSVR READ Grant the server permission to perform authorization checks against the JESSPOOL profile in the SERVER class.
SERVER BBG.SECCLASS.LOGSTRM IZUSVR READ Grant the server permission to perform authorization checks against the LOGSTRM profile in the SERVER class.
SERVER BBG.SECCLASS.OPERCMDS IZUSVR READ Grant the server permission to perform authorization checks against the OPERCMDS profile in the SERVER class.
SERVER BBG.SECCLASS.RDATALIB IZUSVR READ Grant the server permission to perform authorization checks against the RDATALIB profile in the SERVER class.
SERVER BBG.SECCLASS.SERVAUTH IZUSVR READ Grant the server permission to perform authorization checks against the SERVAUTH profile in the SERVER class.
SERVER BBG.SECCLASS.SERVER IZUSVR READ Grant the server permission to perform authorization checks against the SERVER profile in the SERVER class.
SERVER BBG.SECCLASS.STARTED IZUSVR READ Grant the server permission to perform authorization checks against the STARTED profile in the SERVER class.
SERVER BBG.SECCLASS.TSOAUTH IZUSVR READ Grant the server permission to perform authorization checks against the TSOAUTH profile in the SERVER class.
SERVER BBG.SECCLASS.TSOPROC IZUSVR READ Grant the server permission to perform authorization checks against the TSOPROC profile in the SERVER class.
SERVER BBG.SECCLASS.UNIXPRIV IZUSVR READ Grant the server permission to perform authorization checks against the UNIXPRIV profile in the SERVER class.
SERVER BBG.SECCLASS.ZMFAPLA IZUSVR READ Grant the server permission to perform authorization checks against the ZMFAPLA profile in the SERVER class.
SERVER BBG.SECCLASS.ZMFCLOUD IZUSVR READ Grant the server permission to perform authorization checks against the ZMFCLOUD profile in the SERVER class.
ZMFAPLA <SAF-prefix>.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT IZUADMIN READ Allow the user to access the Security Configuration Assistant task. See Table Notes 1 and 2.

  1. User authorizations to functions, tasks, and links are controlled through the system authorization facility (SAF) profile prefix. By default, the SAF prefix is IZUDFLT.
  2. Users require READ access to at least the profile <SAF-prefix>.ZOSMF to do work in z/OSMF. Without this authorization, the user is treated as an authenticated guest. That is, the user can log in to z/OSMF and display the Welcome page, but cannot access the z/OSMF functions and tasks.

Resource authorizations for the z/OSMF core functions

Table 5 describes the access requirements for the z/OSMF core functions. The IZUSEC job includes sample RACF commands for creating these authorizations on your system. These values can change, based on the values you provide during the configuration process. Table 5 shows the IBM default values.
Table 5. Security setup requirements for z/OSMF core functions
Resource class Resource name Who needs access? Type of access required Why
ACCTNUM IZUACCT IZUADMIN IZUUSER READ Allows callers to access the account number that is used for the procedure for the z/OSMF REST interfaces.
APPL <SAF-prefix> IZUADMIN IZUGUEST IZUUSER IZUSECAD READ Allow access to the z/OSMF application domain. If there is no matching profile in the APPL class, RACF allows the user to access the application.

CERT DefaultzOSMFCert.<SAF-prefix> Owned by the IZUSVR user ID N/A Needed for secure communications between the browser and the z/OSMF server.
CERT zOSMFCA N/A N/A Certificate authority that is needed for secure communications between the browser and the z/OSMF server.
CSFSERV CSF* profiles IZUSVR READ z/OS Integrated Cryptographic Service Facility (ICSF) callable services. If your installation uses hardware cryptography with ICSF, you must permit the z/OSMF server user ID to these services, as described in Resource authorizations for hardware cryptography.
DATASET your_stack_include_dataset IZUSVR ALTER Allows the z/OSMF server to write to the configured include data sets when a network resource is provisioned or de-provisioned. There is one include data set per stack defined for IBM Cloud Provisioning. This definition is applicable only when your installation uses discrete or generic profiles to protect data set access.
DATASET your_stack_dynamic_update_dataset IZUSVR ALTER Allows the z/OSMF server to write to the configured dynamic updates data sets when a network resource is provisioned or de-provisioned. One dynamic update data set per stack can be defined for IBM Cloud Provisioning. This definition is applicable only when your installation uses discrete or generic profiles to protect data set access.
EJBROLE <SAF-prefix>.IzuManagementFacility.izuUsers IZUADMIN IZUUSER READ Allow the user to log on to z/OSMF and view the Welcome page.
EJBROLE <SAF-prefix>.IzuManagementFacilityHelpApp.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the z/OSMF online help system.
EJBROLE <SAF-prefix>.IzuManagementFacilityImportUtility.izuUsers IZUADMIN IZUUSER READ Allow the user to use the Import Manager task to import services, event types, event handlers, and links into z/OSMF.
EJBROLE <SAF-prefix>.IzuManagementFacilityRestConsoles.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the z/OS console REST interface.
EJBROLE <SAF-prefix>.IzuManagementFacilityRestFiles.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the z/OS data set and file REST interface.
EJBROLE <SAF-prefix>.IzuManagementFacilityRestJobs.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the z/OS jobs REST interface.
EJBROLE <SAF-prefix>.IzuManagementFacilityTsoServices.izuUsers IZUADMIN READ Allow the user of the Operator Consoles task to start or reconnect to address spaces on other systems in the sysplex.
EJBROLE <SAF-prefix>.IzuManagementFacilityWorkflow.izuUsers IZUADMIN IZUUSER IZUSECAD READ Allow the user to connect to the Workflows task.
EJBROLE <SAF-prefix>.com.ibm.ws.management.security.resource.allAuthenticatedUsers IZUADMIN IZUUSER READ Allow the user to display information about the IBM Cloud Provisioning and Management for z/OS REST APIs. For more information about the REST services, see IBM z/OS Management Facility Programming Guide.

FACILITY BBG.SYNC.<SAF-prefix> IZUSVR CONTROL Allow the z/OSMF server to synchronize any RunAs identity with the OS identity.
FACILITY BPX.CONSOLE IZUSVR READ Allow the user to filter z/OS UNIX messages. Specifically, this setting suppresses the BPXM023I message prefix from any write-to-operator (WTO) messages that z/OSMF writes to the console.
FACILITY BPX.WLMSERVER IZUSVR READ Allows the z/OSMF server to use WLM functions to create and manage work requests.
FACILITY HWI.APPLNAME.HWISERV IZUADMIN READ Grant the administrator groups access to BCPii services.
FACILITY HWI.TARGET.<netid.nau> IZUADMIN READ Allow the administrator to access the BCPii request type of CPC.
FACILITY HWI.TARGET.<netid.nau>.<imagename> IZUADMIN READ Allow the administrator to access the BCPii request type of LPAR.
FACILITY IRR.DIGTCERT.LISTRING IZUSVR READ Allow the started task user ID to list and get the certificate keyring.
FACILITY IRR.RUSERMAP IZUSVR READ Allow the started task user ID to use the R_usermap service. This authorization is required for the z/OSMF notification function. The z/OSMF server uses the R_usermap service to determine the application user identity associated with a RACF user ID, or to determine the RACF user ID associated with an application user identity or digital certificate.
KEYRING IZUKeyring.<SAF-prefix> IZUSVR N/A Needed for secure communications.
OPERCMDS MVS.MCSOPER.IZU@* IZUADMIN IZUUSER READ Allow the user to operate an extended MCS console.
OPERCMDS MVS.VARY.TCPIP.OBEYFILE IZUSVR CONTROL Allows the z/OSMF server to issue the VARY TCPIP OBEYFILE command for IBM Cloud Provisioning. This definition is applicable only when your installation utilizes the OPERCMDS class to restrict access to the VARY TCPIP OBEYFILE command.
OPERCMDS MVS.MCSOPER.ZCDPLM* IZUSVR READ Allows the z/OSMF server to issue various operator commands for IBM Cloud Provisioning. The console name for this extended MCS console is the text string ZCDPLM, which is appended with the MVS sysclone value of the system of the z/OSMF instance.
OPERCMDS MVS.DISPLAY.XCF IZUSVR READ Allows the z/OSMF server to issue the DISPLAY XCF operator command for IBM Cloud Provisioning. This definition is applicable only when your installation utilizes the OPERCMDS class to restrict access to the DISPLAY XCF operator command.
OPERCMDS MVS.ROUTE.CMD<sysname> IZUSVR READ Allows the z/OSMF server to issue the ROUTE operator command for IBM Cloud Provisioning and Management for z/OS. This definition is applicable only if the installation uses this profile to restrict the use of the ROUTE command.
SERVAUTH CEA.CEATSO.TSOREQUEST IZUADMIN IZUUSER READ Allow the HTTP client applications on your z/OS system to start and manage TSO/E address spaces.
SERVAUTH CEA.CEATSO.TSOREQUEST IZUSVR READ Allow the z/OSMF server to start and manage TSO/E address space services.
SERVAUTH CEA.SIGNAL.ENF86 IZUSVR (z/OSMF started task ID) READ Allow callers to access the CEA service responsible for signal event 86 across sysplex.
SERVAUTH CEA.SIGNAL.ENF83 IZUSVR READ Allow the z/OSMF server to use ENF83 to indicate its status to other systems in the sysplex.
SERVAUTH EZB.INITSTACK.sysname.tcpname IZUSVR READ Allows the z/OSMF server to access the TCP/IP stack during TCP/IP initialization. This authorization is needed if the TCP/IP profile activates Application Transparent Transport Layer Security (AT-TLS).

SERVAUTH EZB.NETWORKUTILS.CLOUD.mvsname IZUSVR READ Allows the z/OSMF started task user ID to issue operator commands for IBM Cloud Provisioning. mvsname is the name of the system on which the z/OSMF server is running.
SERVAUTH EZB.NETSTAT.<mvsname>.<tcpname> IZUSVR READ Allows the z/OSMF started task user ID to issue the NETSTAT command. Otherwise, the z/OSMF server fails on initialization. This definition is applicable only when your installation has configured an AT-TLS policy.

SERVAUTH EZB.NETSTAT.<mvsname>.<tcpprocname>.CONFIG IZUSVR   Allows the Network Configuration Assistant task to issue the command NETSTAT CONFIG. This definition is applicable only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When this definition is applicable, IZUSVR must be authorized for each stack defined for IBM Cloud Provisioning and Management for z/OS.
SERVAUTH EZB.NETSTAT.<mvsname>.<tcpprocname>.VIPADCFG IZUSVR READ Allows the z/OSMF started task user ID to issue the NETSTAT VIPADCFG command. This definition is applicable only when your installation uses the SERVAUTH class to restrict usage of the NETSTAT command. When this definition is applicable, the z/OSMF started task user ID must be authorized for each stack that is defined for IBM Cloud Provisioning.
SERVER BBG.ANGEL IZUSVR READ Allow the z/OSMF server to access the angel process.
SERVER BBG.ANGEL.IZUANG1 IZUSVR READ Allow the z/OSMF server to access the z/OSMF named angel process.
SERVER BBG.ANGEL.proc-name IZUSVR READ Allows the z/OSMF server to use z/OS authorized services.
SERVER BBG.AUTHMOD.BBGZSAFM IZUSVR READ Allow the z/OSMF server to access the SAF authorized registry.
SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED IZUSVR READ Allow the z/OSMF server to access the SAF authorization services.
SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS IZUSVR READ Allow the z/OSMF server to access the transaction services.
SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP IZUSVR READ Allow the z/OSMF server to access the SVC dump services.
SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM IZUSVR READ Allow the z/OSMF server to access the WLM services.
SERVER BBG.SECCLASS.ZMFAPLA IZUSVR READ Allow the z/OSMF server to authorize checks for the ZMFAPLA class.
SERVER BBG.SECPFX.<SAF-prefix> IZUSVR READ Allow the z/OSMF server to make authentication calls against the APPL-ID.
STARTED IZUINSTP.IZUINSTP IZUADMIN N/A Defines the started task for the z/OSMF dependent address space, which is used to determine whether z/OS UNIX and TCP/IP are available. The job name must be IZUINSTP. Otherwise, the z/OSMF dependent address space is not initialized during z/OSMF autostart processing.

STARTED IZUSVR1.jobname IZUADMIN N/A Define the started task for the z/OSMF server process.
STARTED IZUANG1.jobname IZUADMIN N/A Define the started task for the z/OSMF angel process.
TSOAUTH CONSOLE IZUADMIN IZUUSER READ Allow the user to issue the TSO/E CONSOLE command to activate the extended MCS console.
TSOPROC IZUFPROC IZUADMIN IZUUSER READ Allows callers to access the procedure for the z/OSMF REST interfaces.
ZMFAPLA <SAF-prefix>.ZOSMF IZUADMIN IZUGUEST IZUUSER IZUSECAD READ Designates the user as a z/OSMF user, rather than an unauthenticated guest user. This authorization is the minimum requirement for allowing a user to do more than log in to z/OSMF and view the Welcome page. Without this authorization, the logged-in user is treated as an authenticated guest. Use the other ZMFAPLA resource names that follow in this table to create specific controls for each core function and task. See Table Notes 1 and 2.

ZMFAPLA <SAF-prefix>.ZOSMF.GENERAL.SETTINGS IZUADMIN READ Allow the user to access the Task Settings task.
ZMFAPLA <SAF-prefix>.ZOSMF.ADMINTASKS.APPLINKING IZUADMIN READ Allow the user to access the Application Linking Manager task.
ZMFAPLA <SAF-prefix>.ZOSMF.ADMINTASKS.DIAGNOSTIC_ASSISTANT IZUADMIN READ Allow the user to access the z/OSMF Diagnostic Assistant task.
ZMFAPLA <SAF-prefix>.ZOSMF.ADMINTASKS.IMPORTMANAGER IZUADMIN READ Allow the user to access the Import Manager task.
ZMFAPLA <SAF-prefix>.ZOSMF.ADMINTASKS.LINKSTASK IZUADMIN READ Allow the user to access the Links task.
ZMFAPLA <SAF-prefix>.ZOSMF.ADMINTASKS.LOGGER IZUADMIN READ Allow the user to manage the settings that control the behavior and content of the z/OSMF logs. This capability is used only in service situations.
ZMFAPLA <SAF-prefix>.ZOSMF.ADMINTASKS.UI_LOG_MANAGEMENT IZUADMIN READ Allow the user to manage the settings that control the behavior of the user interface (UI) portion of z/OSMF logging. This capability is used only in service situations.
ZMFAPLA <SAF-prefix>.ZOSMF.ADMINTASKS.USAGESTATISTICS IZUADMIN READ Allow the user to collect usage statistics about z/OSMF.
ZMFAPLA <SAF-prefix>.ZOSMF.LINK.linkName IZUADMIN IZUUSER READ Allow the user to view an installation-specified link. See Table Notes 3 and 4.

ZMFAPLA <SAF-prefix>.ZOSMF.LINK.SHOPZSERIES IZUADMIN IZUUSER READ Allow the user to view the ShopzSeries web site link.
ZMFAPLA <SAF-prefix>.ZOSMF.LINK.SUPPORT_FOR_Z_OS IZUADMIN IZUUSER READ Allow the user to view the Support for z/OS web site link.
ZMFAPLA <SAF-prefix>.ZOSMF.LINK.SYSTEM_Z_REDBOOKS IZUADMIN IZUUSER READ Allow the user to view the IBM Redbooks® web site link.
ZMFAPLA <SAF-prefix>.ZOSMF.LINK.WSC_FLASHES_TECHDOCS IZUADMIN IZUUSER READ Allow the user to view the WSC Flashes and Techdocs web site link.
ZMFAPLA <SAF-prefix>.ZOSMF.LINK.Z_OS_BASICS_INFORMATION_CENTER IZUADMIN IZUUSER READ Allow the user to view the z/OS Basic Skills Information Center web site link.
ZMFAPLA <SAF-prefix>.ZOSMF.LINK.Z_OS_HOME_PAGE IZUADMIN IZUUSER READ Allow the user to view the z/OS Home Page web site link.
ZMFAPLA <SAF-prefix>.ZOSMF.LINK.Z_OS_INTERNET_LIBRARY IZUADMIN IZUUSER READ Allow the user to view the z/OS Library web site link.
ZMFAPLA <SAF-prefix>.ZOSMF.NOTIFICATION.MODIFY IZUADMIN IZUUSER READ Allow the user to compose a notification.
ZMFAPLA <SAF-prefix>.ZOSMF.NOTIFICATION.SETTINGS IZUADMIN IZUUSER READ Allow the user to define an email account for receiving notifications from z/OSMF. This action is performed through the Notification Settings task of z/OSMF.
ZMFAPLA <SAF-prefix>.ZOSMF.NOTIFICATION.SETTINGS.ADMIN IZUADMIN READ Allow the user to access the Notification Settings task of z/OSMF.
ZMFAPLA <SAF-prefix>.ZOSMF.SEND.IBM.FEEDBACK IZUADMIN IZUUSER READ Allow the user to send feedback data to IBM by using the Provide IBM Feedback option in the z/OSMF desktop.
ZMFAPLA <SAF-prefix>.ZOSMF.SETTINGS.FTP_SERVERS IZUADMIN IZUUSER READ Allow the user to access the FTP Servers task.
ZMFAPLA <SAF-prefix>.ZOSMF.SETTINGS.FTP_SERVERS.VIEW IZUADMIN IZUUSER READ Allow the user to access the FTP Servers task View function.
ZMFAPLA <SAF-prefix>.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY IZUADMIN READ Allow the user to access the z/OSMF Task Settings task Modify function.
ZMFAPLA <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS IZUADMIN IZUUSER READ Allow the user to access the Systems task.
ZMFAPLA <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS.AES.MODIFY IZUADMIN READ Allow the user to enable or disable AES encryption for the LTPA password.
ZMFAPLA <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS.VIEW IZUADMIN IZUUSER READ Allow the user to access the Systems task View function.
ZMFAPLA <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS.MODIFY IZUADMIN READ Allow the user to access the z/OSMF Task Settings task Modify function.
ZMFAPLA <SAF-prefix>.ZOSMF.VARIABLES.SYSTEM.ADMIN IZUADMIN READ Allows the user to access the system variables in the Systems task.
ZMFAPLA <SAF-prefix>.ZOSMF.WORKFLOW.ADMIN IZUADMIN READ Allow the user to change the assigned owner of a workflow.
ZMFAPLA <SAF-prefix>.ZOSMF.WORKFLOW.EDITOR IZUADMIN IZUUSER READ Allow the user to access the Workflow Editor task.
ZMFAPLA <SAF-prefix>.ZOSMF.WORKFLOW.RUNASUSER IZUUSER READ Allow the user to be defined as the runAsUser ID in a workflow instance that does not originate from z/OS Management Services Catalog or IBM Cloud Provisioning and Management for z/OS.
ZMFAPLA <SAF-prefix>.ZOSMF.WORKFLOW.SIGNER IZUADMIN READ Allow the user to be granted the runAsUser step signer role.
ZMFAPLA <SAF-prefix>.ZOSMF.WORKFLOW.WORKFLOWS IZUADMIN IZUSECAD IZUUSER READ Allow the user to access the z/OSMF Workflows task. See Table Note 5.

  1. User authorizations to functions, tasks, and links are controlled through the system authorization facility (SAF) profile prefix. By default, the SAF prefix is IZUDFLT.
  2. Users require READ access to at least the profile <SAF-prefix>.ZOSMF to do work in z/OSMF. Without this authorization, the user is treated as an authenticated guest. That is, the user can log in to z/OSMF and display the Welcome page, but cannot access the z/OSMF functions and tasks.
  3. In a default z/OSMF configuration, all users are granted authority to all links through a wildcarded profile: <SAF-prefix>.ZOSMF.LINK.**
  4. You must provide a SAF resource name prefix for any links that you add to z/OSMF. You can control access to specific links by specifying a unique resource name for the link, for example, by including the link name as part of the resource name. For example: IZUDFLT.ZOSMF.LINK.mylink

    For more information about defining links to z/OSMF, see Adding links to z/OSMF.

  5. A user with access to the Workflows task can access any of the workflows that are displayed in the Workflows task. By default, the z/OSMF defined security groups IZUADMIN, IZUSECAD, and IZUUSER have access to the Workflows task.
  6. If your installation uses hardware cryptography with z/OS Integrated Cryptographic Service Facility (ICSF), be aware that services such as CSFRNGL, CSFDSV, CSFOWH, CSFIQF, and others, might be protected through profiles that are established in your external security manager, such as RACF. In some cases, z/OSMF uses these services; therefore, you must permit the z/OSMF started task user ID to these profiles. For more information, see Resource authorizations for hardware cryptography.
  7. All z/OSMF users must have a TSO segment that is defined in your installation’s security database. Failure to have a TSO segment causes some z/OSMF functions not to work.
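As an added example that is not part of the z/OSMF documentation, the following model shows how the ZMFAPLA profiles above determine whether a logged-in user is a z/OSMF user or only an authenticated guest (Table Notes 1 and 2), and which tasks and links that user can reach. Profile names are compared case-sensitively, as the ZMFAPLA class requires, and a profile ending in `.**` stands for the wildcarded link profile of Table Note 3. The permits are the documented defaults; the group ENDUSERS is constructed, and real RACF generic-profile matching has more rules than this simplified matcher.

```python
"""Added example (not from the z/OSMF documentation): a simplified model of
ZMFAPLA authorization checks for the core functions and tasks."""

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
PREFIX = "IZUDFLT"  # the documented default SAF prefix

# profile -> (UACC, {group: access}); constructed from the Table 5 defaults
ZMFAPLA_PROFILES = {
    f"{PREFIX}.ZOSMF": ("NONE", {"IZUADMIN": "READ", "IZUGUEST": "READ",
                                  "IZUUSER": "READ", "IZUSECAD": "READ"}),
    f"{PREFIX}.ZOSMF.ADMINTASKS.IMPORTMANAGER": ("NONE", {"IZUADMIN": "READ"}),
    f"{PREFIX}.ZOSMF.WORKFLOW.WORKFLOWS": ("NONE", {"IZUADMIN": "READ",
                                                     "IZUSECAD": "READ",
                                                     "IZUUSER": "READ"}),
    # Table Note 3: the wildcarded link profile of a default configuration
    f"{PREFIX}.ZOSMF.LINK.**": ("NONE", {"IZUADMIN": "READ",
                                          "IZUUSER": "READ"}),
}


def profile_matches(profile: str, resource: str) -> bool:
    """Case-sensitive match. A trailing '.**' covers any remaining
    qualifiers (simplified generic matching, not the full RACF rules)."""
    if profile.endswith(".**"):
        return resource.startswith(profile[:-2])  # keep the trailing dot
    return profile == resource


def best_profile(resource: str, profiles=ZMFAPLA_PROFILES):
    """Most specific matching profile: a discrete profile wins over a
    generic one, and among generics the longest wins."""
    matches = [p for p in profiles if profile_matches(p, resource)]
    if not matches:
        return None
    return max(matches, key=lambda p: (not p.endswith(".**"), len(p)))


def access_for(groups, resource: str, profiles=ZMFAPLA_PROFILES) -> str:
    """Highest access any of the user's groups holds on the governing
    profile, never lower than the profile's UACC."""
    profile = best_profile(resource, profiles)
    if profile is None:
        return "NONE"  # in this model an unprotected task is not usable
    uacc, acl = profiles[profile]
    levels = [ACCESS_LEVELS.index(uacc)]
    levels += [ACCESS_LEVELS.index(acl[g]) for g in groups if g in acl]
    return ACCESS_LEVELS[max(levels)]


def has_read(groups, resource: str, profiles=ZMFAPLA_PROFILES) -> bool:
    level = ACCESS_LEVELS.index(access_for(groups, resource, profiles))
    return level >= ACCESS_LEVELS.index("READ")


def zosmf_role(groups, prefix: str = PREFIX) -> str:
    """Table Note 2: READ on <SAF-prefix>.ZOSMF makes the login a z/OSMF
    user; without it the login is only an authenticated guest."""
    return "user" if has_read(groups, f"{prefix}.ZOSMF") else "authenticated guest"


def reachable(groups, resources, profiles=ZMFAPLA_PROFILES) -> list:
    """Subset of the given task resource names the user can access."""
    return [r for r in resources if has_read(groups, r, profiles)]


if __name__ == "__main__":
    for groups in (["IZUUSER"], ["IZUADMIN"], ["ENDUSERS"]):
        print(groups, zosmf_role(groups),
              reachable(groups, [f"{PREFIX}.ZOSMF.ADMINTASKS.IMPORTMANAGER",
                                 f"{PREFIX}.ZOSMF.LINK.mylink"]))
```

The case-sensitivity check is the one that bites in practice: a profile defined as `IZUDFLT.zosmf` never matches the resource `IZUDFLT.ZOSMF`, so every member of IZUUSER is silently demoted to an authenticated guest.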

Resource authorizations for hardware compression

If your installation uses IBM zEnterprise® Data Compression (zEDC), the z/OSMF server requires READ access to the FPZ.ACCELERATOR.COMPRESSION resource in the FACILITY class. If this authorization is not in place, the z/OSMF server runs without the use of zEDC, and the system issues an error message, such as the following:
XAT1 IZUSVRU  IZUSVR1 RACF ACCESS violation for IZUSVRU: 
(READ,NONE) on FACILITY FPZ.ACCELERATOR.COMPRESSION 

You can ignore the message.
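Because this particular violation is expected while every other RACF ACCESS violation for the server user ID points at a missing z/OSMF authorization, a log filter that tells the two apart is useful. The following is an added example, not part of the z/OSMF documentation: it parses messages of the form shown above (the documented message is treated as one log line; the other sample lines are constructed) and marks only the zEDC case as ignorable. The message layout is taken from the one example on this page, so adapt the pattern if your console messages differ.

```python
"""Added example (not from the z/OSMF documentation): triage RACF ACCESS
violation messages, separating the documented, ignorable zEDC case from
violations that indicate a missing z/OSMF authorization."""

import re

VIOLATION_RE = re.compile(
    r"RACF ACCESS violation for (?P<user>\S+):\s*"
    r"\((?P<requested>[A-Z]+),(?P<allowed>[A-Z]+)\) on "
    r"(?P<resource_class>\S+) (?P<resource>\S+)"
)

# Violations the documentation says can be ignored, keyed by
# (class, resource): the server simply runs without the accelerator.
IGNORABLE = {
    ("FACILITY", "FPZ.ACCELERATOR.COMPRESSION"): "z/OSMF runs without zEDC",
}

SAMPLE_LOG = [
    # the message shown in the documentation, unwrapped onto one line
    "XAT1 IZUSVRU  IZUSVR1 RACF ACCESS violation for IZUSVRU: "
    "(READ,NONE) on FACILITY FPZ.ACCELERATOR.COMPRESSION",
    # constructed: the same server user ID lacking READ on a profile that
    # the core-function table says it needs
    "XAT1 IZUSVRU  IZUSVR1 RACF ACCESS violation for IZUSVRU: "
    "(READ,NONE) on FACILITY BPX.WLMSERVER",
    # constructed: an unrelated line that must not be parsed as a violation
    "IZUSVR1 started",
]


def parse_violation(line: str):
    """Return the fields of a RACF ACCESS violation message, or None if the
    line is not one."""
    m = VIOLATION_RE.search(line)
    return m.groupdict() if m else None


def triage(lines, server_user: str = "IZUSVRU") -> list:
    """Parse every violation and flag it ignorable only when it is the
    documented zEDC case raised by the z/OSMF server user ID."""
    results = []
    for line in lines:
        v = parse_violation(line)
        if v is None:
            continue
        key = (v["resource_class"], v["resource"])
        v["ignorable"] = v["user"] == server_user and key in IGNORABLE
        v["note"] = (IGNORABLE[key] if v["ignorable"]
                     else "missing authorization: check the z/OSMF tables")
        results.append(v)
    return results


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(v["user"], v["resource_class"], v["resource"],
              "IGNORE" if v["ignorable"] else "REVIEW", "-", v["note"])
```

The server user ID is a parameter because Table 2 allows the installation to replace the default; pass the value your IZUSEC job uses.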

Table 6 shows which permissions must be granted to the z/OSMF server user ID. Commands for creating the permissions are included in commented sections in the IZUSEC job. To issue the commands when the job runs, uncomment the sections.
Table 6. Security setup requirements for IBM zEnterprise Data Compression (zEDC)
Resource class Resource name Who needs access? Type of access required Why
FACILITY FPZ.ACCELERATOR.COMPRESSION IZUSVR READ Enable the z/OSMF server to run with IBM zEnterprise Data Compression (zEDC).

Resource authorizations for hardware cryptography

If your installation uses hardware cryptography with z/OS Integrated Cryptographic Service Facility (ICSF), the z/OSMF server requires access to the ICSF callable services. Table 7 shows which permissions must be granted to the z/OSMF server user ID. Commands for creating the permissions are included in commented sections in the IZUSEC job. To issue the commands when the job runs, uncomment the sections.
Table 7. Security setup requirements for hardware cryptography with ICSF
Resource class Resource name Who needs access? Type of access required Why
CSFSERV CSFIQF IZUSVR READ ICSF query facility callable service.
CSFSERV CSFENC IZUSVR READ Encipher callable service.
CSFSERV CSFCVE IZUSVR READ Cryptographic variable encipher callable service.
CSFSERV CSFDEC IZUSVR READ Decipher callable service.
CSFSERV CSFSAE IZUSVR READ Symmetric algorithm encipher callable service.
CSFSERV CSFSAD IZUSVR READ Symmetric algorithm decipher callable service.
CSFSERV CSFOWH IZUSVR READ One-way hash generate callable service.
CSFSERV CSFRNG IZUSVR READ Random number generate callable service.
CSFSERV CSFRNGL IZUSVR READ Random number generate long callable service.
CSFSERV CSFPKG IZUSVR READ PKA key generate callable service.
CSFSERV CSFDSG IZUSVR READ Digital signature generate service.
CSFSERV CSFDSV IZUSVR READ Digital signature verify callable service.
CSFSERV CSFPKT IZUSVR READ PKA key generate callable service.
CSFSERV CSFRKL IZUSVR READ Retained key list callable service.
CSFSERV CSFPKX IZUSVR READ PKA Public Key Extract callable service.
CSFSERV CSFPKE IZUSVR READ PKA encrypt callable service.
CSFSERV CSFPKD IZUSVR READ PKA decrypt callable service.
CSFSERV CSFPKI IZUSVR READ PKA key import callable service.
CSFSERV CSFCKM IZUSVR READ Multiple clear key import callable service.
CSFSERV CSFKGN IZUSVR READ Multiple clear key import callable service.
CSFSERV CSFEDH IZUSVR READ ECC Diffie-Hellman callable service.
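The following batch job is an added example of the RACF commands that Table 6 and Table 7 call for; it is not the IZUSEC member shipped in SYS1.SAMPLIB. It assumes the z/OSMF server user ID is IZUSVR (the page's default) and that the FACILITY and CSFSERV classes are already active, generic and RACLISTed as described earlier in this appendix. Only a subset of the Table 7 services is shown; the remaining CSFSERV names follow the same RDEFINE/PERMIT pair.

```jcl
//IZUHWSEC JOB (ACCT),'ZOSMF HW PERMITS',CLASS=A,MSGCLASS=H,
//             NOTIFY=&SYSUID
//* Added example, not the IZUSEC member shipped in SYS1.SAMPLIB.
//* Assumes the z/OSMF server user ID is IZUSVR (the default) and
//* that FACILITY and CSFSERV are already active, generic and
//* RACLISTed (see the class activation section of this appendix).
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
/* Table 6: zEDC. UACC(NONE) means only IDs on the access list may */
/* use the accelerator; the server is then given READ explicitly.  */
/* RDEFINE only warns (RC 4) if the profile already exists.        */
RDEFINE FACILITY FPZ.ACCELERATOR.COMPRESSION UACC(NONE)
PERMIT FPZ.ACCELERATOR.COMPRESSION CLASS(FACILITY) ID(IZUSVR) +
       ACCESS(READ)
/* Table 7: ICSF callable services, shown for a subset. The other  */
/* CSFSERV names in Table 7 (CSFCVE, CSFSAE, ... CSFEDH) use the    */
/* same pair. As with the other classes in this appendix, a         */
/* resource with no covering profile is not protected, so define    */
/* each service with UACC(NONE) before permitting the server.       */
RDEFINE CSFSERV CSFIQF UACC(NONE)
RDEFINE CSFSERV CSFENC UACC(NONE)
RDEFINE CSFSERV CSFDEC UACC(NONE)
RDEFINE CSFSERV CSFOWH UACC(NONE)
RDEFINE CSFSERV CSFRNG UACC(NONE)
RDEFINE CSFSERV CSFDSG UACC(NONE)
RDEFINE CSFSERV CSFDSV UACC(NONE)
PERMIT CSFIQF CLASS(CSFSERV) ID(IZUSVR) ACCESS(READ)
PERMIT CSFENC CLASS(CSFSERV) ID(IZUSVR) ACCESS(READ)
PERMIT CSFDEC CLASS(CSFSERV) ID(IZUSVR) ACCESS(READ)
PERMIT CSFOWH CLASS(CSFSERV) ID(IZUSVR) ACCESS(READ)
PERMIT CSFRNG CLASS(CSFSERV) ID(IZUSVR) ACCESS(READ)
PERMIT CSFDSG CLASS(CSFSERV) ID(IZUSVR) ACCESS(READ)
PERMIT CSFDSV CLASS(CSFSERV) ID(IZUSVR) ACCESS(READ)
/* New or changed profiles take effect only after the RACLISTed    */
/* class is refreshed.                                             */
SETROPTS RACLIST(FACILITY CSFSERV) REFRESH
/* Verify: the access list (AUTHUSER) should show IZUSVR with READ */
RLIST FACILITY FPZ.ACCELERATOR.COMPRESSION AUTHUSER
RLIST CSFSERV CSFIQF AUTHUSER
/*
```

The RLIST output at the end of SYSTSPRT is the check to keep: if IZUSVR does not appear in the access list with READ after the refresh, the server will still fall back to software compression or fail the ICSF call, and the RACF ACCESS violation message shown above is what you will see in the log.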

Resource authorizations for Common Information Model

If your z/OSMF configuration includes tasks that use the Common Information Model (CIM) server on the host z/OS system, users of the services require the proper level of access to CIM server resources.

These authorizations are required for using any of the following optional services or core functions:

CIM includes the CFZSEC job to help you create these authorizations. See the topic on CIM server quick setup and verification in z/OS Common Information Model User's Guide. IBM supplies the CFZSEC job in SYS1.SAMPLIB. If your installation does not plan to run the CFZSEC job, ensure that z/OSMF users, and, if you are configuring the Workload Management service, the z/OSMF server user ID, have UPDATE access to the CIMSERV profile in the WBEM class. If necessary, refresh the WBEM class.

For more information about CIM authorization requirements, see Configuring the CIM server for your system.

Table 8 lists the CIM security groups that are required for the optional services.
Table 8. CIM groups that might be required for the optional services
Group Purpose Default group ID (GID) Created by
CFZADMGP Security group for the CIM administrator role. 9502 Member CFZSEC in SYS1.SAMPLIB.
CFZUSRGP Security group for the CIM user role. This group grants a user access to all resources that are managed through CIM. Depending on how granular you want to control user access to CIM, your installation might have created more groups to allow access to only a subset of resources that are managed through CIM. 9503 Member CFZSEC in SYS1.SAMPLIB.

With the IZUAUTH job, your security administrator can supply the names of the CIM groups, based on your selection of optional services. These values include the names of the CIM administrators group (by default, CFZADMGP) and the CIM users group (by default, CFZUSRGP). The IZUAUTH job contains commands for connecting users to the groups and therefore depends on the groups already existing.

Resource authorizations for Capacity Provisioning Manager

If your z/OSMF configuration includes the Capacity Provisioning service, users of the service must be defined and authorized for all resources that are accessed by the Provisioning Manager. IBM provides the CPOSEC1 and CPOSEC2 jobs in SYS1.SAMPLIB to help you create these authorizations when you set up a Capacity Provisioning domain. For more information, see the topic on setting up a Capacity Provisioning domain in z/OS MVS Capacity Provisioning User's Guide.

Table 9 lists the default values for the Provisioning Manager. Your installation might have selected different values for these settings.
Table 9. Name information for a Capacity Provisioning domain
Provisioning Manager setting Default value
Domain name DOMAIN1
Started task procedure name CPOSERV
High-level qualifier for runtime data set CPO
Provisioning Manager user CPOSRV

With the IZUCPSEC job, your security administrator can supply the names of the security groups that your installation created for authorizing users to the Provisioning Manager on your system. The IZUAUTH job contains commands for connecting users to the groups and therefore depends on the groups already existing.

Table 10 lists the security groups that are required for the Capacity Provisioning service.
Table 10. Security groups required for the Capacity Provisioning service
Group Purpose Default group ID (GID) Created by
CPOCTRL Security group for users of the Capacity Provisioning task Edit function. None; your installation must specify a GID for this group. Member CPOSEC1 in SYS1.SAMPLIB.
CPOQUERY Security group for users of the Capacity Provisioning task View function. None; your installation must specify a GID for this group. Member CPOSEC1 in SYS1.SAMPLIB.

Resource authorizations for common event adapter (CEA)

If your z/OSMF configuration includes tasks that use the common event adapter (CEA) component on the z/OS host system, users of the services require the proper level of access to CEA resources. IBM provides the CEASEC job in SYS1.SAMPLIB to help you create these authorizations.

These authorizations are needed if you plan to use one or more of the following z/OSMF tasks:
  • Incident Log
  • ISPF
  • Sysplex Management

CEA has security profiles in the SERVAUTH class for protecting different portions of its processing. When you run the IZUILSEC job, you permit the z/OSMF groups to the CEA resources.

For more information, see the topic on customizing for CEA in z/OS Planning for Installation.

Resource authorizations for the z/OS compliance REST interface

In z/OS V2R4 and later, the process of collecting compliance data is assisted with the introduction of SMF type 1154. This record type is used to collect system settings and other forms of compliance data. On receiving an event notification facility (ENF) code 86 signal from the z/OS compliance REST interface, selected z/OS components and products collect and write compliance data to their associated SMF 1154 subtype records.

For more information about SMF record type 1154 and its associated mapping macros and subtypes, see z/OS MVS System Management Facilities (SMF).

Table 11. Security setup requirements for the z/OS compliance REST interface
Resource class Resource name Who needs access? Type of access required Why
EJBROLE <SAF-prefix>.IzuManagementFacilityRestCompliance.izuUsers IZUADMIN IZUUSER READ Allows callers to connect to the z/OS compliance REST interface.
SERVAUTH CEA.SIGNAL.ENF86 IZUSVR started task ID READ Allow callers to access the CEA service responsible for the signal event 86 across the sysplex.

Resource authorizations for the z/OS console REST interface

In z/OSMF, users require access to z/OS console services when they use the following functions:
  • z/OS console REST interface
  • z/OS Operator Consoles
  • IBM Cloud Provisioning and Management for z/OS, when using templates that issue operator commands or check for unsolicited command responses.
  • Storage management services, when activating an SCDS or getting an SCDS activation result.
Users of the z/OS console REST interface require access to an extended MCS (EMCS) console for issuing commands and receiving console messages. Specifically, users require the following authorizations:
  • READ access to the MVS.MCSOPER.consolename resource in the OPERCMDS class, where consolename is the name of the EMCS console that is used to issue the command.
  • READ access to the CONSOLE resource in the TSOAUTH class.
  • READ access to the <SAF_PREFIX>.IzuManagementFacilityRestConsoles.izuUsers resource in the EJBROLE class. Or, READ access to the <SAF_PREFIX>.*.izuUsers profile in the EJBROLE class.
z/OSMF uses TSO/E address space services to create a TSO address space as the host for the EMCS console. Therefore, users of the z/OS console REST interface require the following authorizations:
  • READ access to the resource account in the ACCTNUM class, where account is the value that is specified in the COMMON_TSO ACCT option in parmlib member IZUPRMxx.
  • READ access to the resource CEA.CEATSO.TSOREQUEST in the SERVAUTH class.
  • READ access to the resource proc in the TSOPROC class, where proc is the value that is specified with the COMMON_TSO PROC option in parmlib member IZUPRMxx.

Also, the z/OSMF started task user ID, which is IZUSVR by default, requires READ access to the resource CEA.CEATSO.TSOREQUEST in the SERVAUTH class.

You can control which parameters are used for creating the TSO address space by setting the appropriate parameters in parmlib member IZUPRMxx. For example:
COMMON_TSO ACCT(IZUACCT) REGION(50000) PROC(IZUFPROC)

Ensure that your settings are configured before the z/OS console REST interface is used. Otherwise, the default values (shown here) are used.

The attributes of the EMCS console that is started by z/OSMF are controlled by the OPERPARM settings of the user profile <consolename>. Thus, for example, if a user wants the z/OS Operator Consoles task to create a console named console1, a user profile named console1 must exist and contain an OPERPARM segment with the appropriate settings.

Most IBM Cloud Provisioning and Management for z/OS templates use the defcn Console REST API endpoint, which expects a predefined console name. The convention is to use userid plus "CN", where the value for userid is truncated to the first six characters. For example, if the user ID is IBMUSER, the defcn value is expected to be IBMUSECN.

Typically, z/OSMF uses the following console attributes from the user's OPERPARM segment:
AUTH
Specifies the command authority for the console.
ROUTCODE
Specifies the routing codes for the console, which affects which messages can be received by the console. The default value is NONE, which prevents the console from receiving any messages.
MSCOPE
Specifies the system message scope in the sysplex.

For more information about setting these attributes, see the commented sections in SAMPLIB jobs IZUGCSEC and IZUPRSEC. For information about creating OPERPARM segments for users, see z/OS MVS Planning: Operations.
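The job below is an added example that pulls together the console REST interface prerequisites described above for one user; it is not the IZUGCSEC sample job and is not taken from this page. It assumes a z/OSMF user IBMUSER whose console is named IBMUSECN (the defcn convention of the first six characters plus "CN"), the group IZUUSER, the parmlib COMMON_TSO defaults ACCT(IZUACCT) and PROC(IZUFPROC), the server user ID IZUSVR, and uses SAFPFX as a stand-in for your <SAF-prefix>. It also assumes the classes involved are already active and RACLISTed.

```jcl
//IZUCONSX JOB (ACCT),'ZOSMF CONSOLE AUTH',CLASS=A,MSGCLASS=H,
//             NOTIFY=&SYSUID
//* Added example, not the IZUGCSEC member from SYS1.SAMPLIB.
//* Assumptions: user IBMUSER, console name IBMUSECN (defcn rule),
//* group IZUUSER, server ID IZUSVR, SAFPFX = your <SAF-prefix>,
//* COMMON_TSO defaults ACCT(IZUACCT) and PROC(IZUFPROC).
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
/* 1. The console is a user profile carrying an OPERPARM segment.  */
/*    NOPASSWORD makes it a protected ID, so nobody can log on as   */
/*    the console. AUTH(INFO) and MSCOPE(*) limit it to             */
/*    informational commands on the local system; widen only as    */
/*    the operator role requires. ROUTCODE(ALL) is needed because  */
/*    the default, NONE, lets the console receive no messages.     */
ADDUSER IBMUSECN NAME('ZOSMF EMCS CONSOLE') NOPASSWORD +
        OPERPARM(AUTH(INFO) ROUTCODE(ALL) MSCOPE(*))
/* 2. Let IBMUSER operate that console and activate it from TSO/E. */
RDEFINE OPERCMDS MVS.MCSOPER.IBMUSECN UACC(NONE)
PERMIT MVS.MCSOPER.IBMUSECN CLASS(OPERCMDS) ID(IBMUSER) ACCESS(READ)
RDEFINE TSOAUTH CONSOLE UACC(NONE)
PERMIT CONSOLE CLASS(TSOAUTH) ID(IZUUSER) ACCESS(READ)
/* 3. The TSO/E address space that hosts the console is created    */
/*    with the COMMON_TSO values from IZUPRMxx; both the user and   */
/*    the server need the CEA TSO/E address space service.         */
RDEFINE ACCTNUM IZUACCT UACC(NONE)
PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUUSER) ACCESS(READ)
RDEFINE TSOPROC IZUFPROC UACC(NONE)
PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUUSER) ACCESS(READ)
RDEFINE SERVAUTH CEA.CEATSO.TSOREQUEST UACC(NONE)
PERMIT CEA.CEATSO.TSOREQUEST CLASS(SERVAUTH) ID(IZUUSER IZUSVR) +
       ACCESS(READ)
/* 4. EJBROLE that admits callers to the console REST interface.   */
RDEFINE EJBROLE SAFPFX.IzuManagementFacilityRestConsoles.izuUsers +
        UACC(NONE)
PERMIT SAFPFX.IzuManagementFacilityRestConsoles.izuUsers +
       CLASS(EJBROLE) ID(IZUUSER) ACCESS(READ)
/* Profiles are consulted only after the RACLISTed classes refresh */
SETROPTS RACLIST(OPERCMDS TSOAUTH ACCTNUM TSOPROC SERVAUTH EJBROLE) +
         REFRESH
/* Verify the console's OPERPARM segment and the MCSOPER access    */
/* list before the first REST call.                                */
LISTUSER IBMUSECN OPERPARM NORACF
RLIST OPERCMDS MVS.MCSOPER.IBMUSECN AUTHUSER
/*
```

Two things to check in SYSTSPRT: the LISTUSER output must show the OPERPARM segment with the AUTH and MSCOPE you intended (the console cannot issue anything beyond that authority, whatever the caller's own TSO privileges are), and the RLIST access list must show IBMUSER with READ. Granting MVS.MCSOPER.* generically would let any permitted user attach to any console, so keep the profile per console name as the convention above allows.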

In addition to the local system (the system on which z/OSMF is installed), users can enter system commands on other systems in the sysplex. To do so, users require READ access to the resource MVS.ROUTE.CMD.<sysname> in the OPERCMDS class.

Users can retrieve messages from OPERLOG or SYSLOG. To do so, users require the following authorizations:
  • To retrieve messages from OPERLOG, users require READ access to the resource SYSPLEX.OPERLOG in the LOGSTRM class.
  • To retrieve messages from SYSLOG, users require READ access to the resource node-id.+MASTER+.SYSLOG.*.* in the JESSPOOL class, where node-id is the NJE node ID of the JES2 or JES3 subsystem.
Table 12 summarizes the security requirements for users of the z/OS console REST interface. IBM provides job IZUGCSEC in SYS1.SAMPLIB to assist you with performing these updates. The job contains RACF commands for creating the required security authorizations.
Table 12. Security setup requirements for the z/OS console REST interface
Resource class Resource name Who needs access? Type of access required Why
N/A User profile <consolename> with the appropriate OPERPARM segment. N/A N/A The attributes of the EMCS console that is started by the z/OS Operator Consoles task are controlled by the OPERPARM setting of user profile <consolename>. The setting of OPERPARM can restrict which messages are received by the EMCS console and limit the commands that the EMCS console can issue.
ACCTNUM IZUACCT Users of the z/OS console services REST interface. READ Allow the user to access the account number for the procedure for the z/OS console services.
EJBROLE <SAF-prefix>.IzuManagementFacilityRestConsoles.izuUsers Users of the z/OS console services and of the z/OS Operator Consoles task. READ Allow the user to use the z/OS console services to issue operator commands.
EJBROLE <SAF-prefix>.IzuManagementFacilityTsoServices.izuUsers IZUADMIN READ Allow the user of the Operator Consoles task to start or reconnect to address spaces on other systems in the sysplex.
JESSPOOL node-id.+MASTER+.SYSLOG.*.* Users of the z/OS Operator Consoles task. READ Allows the user to retrieve messages from SYSLOG by using the z/OS Operator Consoles task.

node-id is the NJE node ID of the JES2 or JES3 subsystem.

LOGSTRM SYSPLEX.OPERLOG Users of the z/OS Operator Consoles task. READ Allows the user to retrieve messages from OPERLOG by using the z/OS Operator Consoles task.
OPERCMDS MVS.MCSOPER.consolename Users of the z/OS console services REST interface. READ Allow the user to operate the specified extended MCS console.
OPERCMDS MVS.ROUTE.CMD.<sysname> Users of the z/OS Operator Consoles task. READ Allows the user to use the ROUTE command to route commands to another system in sysplex, which is indicated by sysname. Otherwise, the user is limited to entering commands on the local system (the system on which z/OSMF is installed).
SERVAUTH CEA.CEATSO.TSOREQUEST Users of the z/OS console services REST interface. READ Allow the user to access the CEA TSO/E address space services. This setting allows HTTP client applications on your z/OS system to start and manage TSO/E address spaces.
SERVAUTH CEA.CEATSO.TSOREQUEST IZUSVR READ Allows the z/OSMF server to access the CEA TSO/E address space services. This setting allows the z/OSMF server to start and manage TSO/E address space services.
TSOAUTH CONSOLE Users of the z/OS console services REST interface. READ Allow the user to issue the TSO/E CONSOLE command to activate the extended MCS console.
TSOPROC IZUFPROC IZUADMIN IZUUSER READ Allow the user to access the procedure for the z/OS console services.
ZMFAPLA <SAF-prefix>.ZOSMF.CONSOLES.ZOSOPER Users of the z/OS Operator Consoles task. READ Allows the user to view and access the z/OS Operator Consoles task in the z/OSMF desktop interface.

Resource authorizations for the z/OS data set and file REST interface

The z/OS data set and file REST interface requires access to local resources on your z/OS system. Table 13 describes the security requirements for the z/OS data set and file REST interface.

For more information about the z/OS data set and file REST interface services, see IBM z/OS Management Facility Programming Guide.

Table 13. Security setup requirements for the z/OS data set and file REST interface
Resource class Resource name Who needs access? Type of access required Why
ACCTNUM IZUACCT IZUADMIN IZUUSER READ Allows callers to access the account number that is used for the procedure for the z/OS data set and file REST interface services.
EJBROLE <SAF-prefix>.IzuManagementFacilityRestFiles.izuUsers IZUADMIN IZUUSER READ Allows callers to connect to the z/OS data set and file REST interface.
SERVAUTH CEA.CEATSO.TSOREQUEST IZUADMIN IZUUSER READ Allows callers to access the CEA TSO/E address space services. This setting allows HTTP client applications on your z/OS system to start and manage TSO/E address spaces.
SERVAUTH CEA.CEATSO.TSOREQUEST IZUSVR READ Allows the z/OSMF server to access the CEA TSO/E address space services. This setting allows the z/OSMF server to start and manage TSO/E address space services.
TSOPROC IZUFPROC IZUADMIN IZUUSER READ Allows callers to access the procedure for the z/OS data set and file REST interface services.

Resource authorizations for the z/OS jobs REST interface

The z/OS jobs REST interface requires access to local resources on your z/OS system. Table 14 describes the security requirements for the z/OS jobs REST interface. These authorizations allow the CIM server to interact with the common event adapter (CEA) component. CIM includes the CFZSEC job to help you create these authorizations.
Table 14. Security setup requirements for the z/OS jobs REST interface
Resource class Resource name Who needs access? Type of access required Why
SERVAUTH CEA.CONNECT CFZSRV READ If your installation uses the z/OS jobs REST interface, this setting is needed for interactions with the common event adapter (CEA) component.
SERVAUTH CEA.SUBSCRIBE.* CFZSRV READ If your installation uses the z/OS jobs REST interface, this setting allows HTTP client applications on your z/OS system to receive asynchronous job notifications.
SERVAUTH CEA.SUBSCRIBE.ENF_0078* CFZSRV READ If your installation uses the z/OS jobs REST interface, this setting allows HTTP client applications on your z/OS system to receive asynchronous job notifications.
For programs that use the z/OS jobs REST interface services to perform job modify operations, the caller’s user ID must be authorized to the appropriate resources in the JESJOBS class, as shown in Table 15.
Table 15. JESJOBS class authorizations needed for performing job modify operations
Operation JESJOBS resource Access required
Hold a job HOLD.nodename.userid.jobname UPDATE
Release a job RELEASE.nodename.userid.jobname UPDATE
Change the job class MODIFY.nodename.userid.jobname UPDATE
Cancel a job CANCEL.nodename.userid.jobname ALTER
Delete a job (cancel a job and purge its output) CANCEL.nodename.userid.jobname ALTER

For more information about the z/OS jobs REST interface services, see IBM z/OS Management Facility Programming Guide.

If run asynchronously, the z/OS jobs REST interface services also require that the caller’s user ID is authorized to the CIM server and permitted to the JES2-JES3Jobs CIM provider. CIM includes jobs (CFZSEC and CFZRCUST) to help you configure the CIM server, including security authorizations and file system customization. For more information, see the topic on CIM server quick setup and verification in z/OS Common Information Model User's Guide. IBM supplies the CFZSEC job in SYS1.SAMPLIB.

Resource authorizations for the Capacity Provisioning service

The Capacity Provisioning service requires access to local resources on your z/OS system. Table 16 describes the security requirements for the Capacity Provisioning service. The IZUCPSEC job includes sample RACF commands for creating these authorizations.
Table 16. Security setup requirements for the Capacity Provisioning service
Resource class Resource name Who needs access? Type of access required Why
EJBROLE <SAF-prefix>.IzuManagementFacilityCapacityProvisioning.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the Capacity Provisioning task.
ZMFAPLA <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.EDIT IZUADMIN READ Allow the user to display and access the Capacity Provisioning task Edit function.
ZMFAPLA <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.EDIT.DOMAIN IZUADMIN READ Allow the user to use the Capacity Provisioning task Edit function to edit a Capacity Provisioning domain.
ZMFAPLA <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.EDIT.POLICY IZUADMIN READ Allow the user to use the Capacity Provisioning task Edit function to edit a Capacity Provisioning policy.
ZMFAPLA <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.VIEW IZUADMIN IZUUSER READ Allow the user to access the Capacity Provisioning task View function.
More authorizations are required as follows:
  • The Capacity Provisioning service requires the CIM server; thus, you must also create the authorizations that are described in Resource authorizations for Common Information Model.
  • Users of the Capacity Provisioning service must be authorized for resources that are accessed by the Provisioning Manager. IBM provides the CPOSEC1 and CPOSEC2 jobs in SYS1.SAMPLIB to help you create these authorizations. For more information, see the topic on setting up a Capacity Provisioning domain in z/OS MVS Capacity Provisioning User's Guide.

Resource authorizations for the Network Configuration Assistant service

The Network Configuration Assistant service requires access to local resources on your z/OS system. Table 17 describes the security requirements for the Network Configuration Assistant service. The IZUCASEC job includes sample RACF commands for creating these authorizations.
Table 17. Security setup requirements for the Network Configuration Assistant service
Resource class Resource name Who needs access? Type of access required Why
EJBROLE <SAF-prefix>.IzuConfigurationAssistant.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the Network Configuration Assistant task.
ZMFAPLA <SAF-prefix>.ZOSMF.CONFIGURATION_ASSISTANT.CONFIGURATION_ASSISTANT IZUADMIN IZUUSER READ Allow the user to access the Network Configuration Assistant task.

Resource authorizations for the Incident Log service

The Incident Log service requires access to local resources on your z/OS system. Table 18 describes the security requirements for the Incident Log service. The IZUILSEC job includes sample RACF commands for creating these authorizations.
Table 18. Security setup requirements for the Incident Log service
Resource class Resource name Who needs access? Type of access required Why
ALIAS CEA N/A N/A If your installation uses a user catalog instead of the master catalog, you might need to define the CEA alias in the user catalog.
DATASET CEA.* IZUADMIN IZUUSER ALTER Allow the user to create data sets with the CEA high-level qualifier (HLQ).
DATASET your_master_catalog IZUADMIN IZUUSER UPDATE If your installation uses the master catalog, you might need to permit the user to the master catalog data set in the DATASET class.
EJBROLE <SAF-prefix>.IzuManagementFacilityIncidentLog.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the Incident Log task.
JESSPOOL node-id.+MASTER+.SYSLOG.*.* CEA READ If your installation uses the system log (SYSLOG) as the source for diagnostic log snapshots, the CEA user ID requires READ access to this JESSPOOL resource. This authorization allows the JES subsystem to access SYSLOG on behalf of the common event adapter (CEA) component.

node-id is the NJE node ID of the JES2 or JES3 subsystem.

SERVAUTH CEA.CEADOCONSOLECMD IZUADMIN IZUUSER READ Allow the calling program to issue operator commands to accomplish its function.
SERVAUTH CEA.CEADOCMD IZUADMIN IZUUSER READ Allow the user to cancel the FTP job.
SERVAUTH CEA.CEAGETPS IZUADMIN IZUUSER READ Allow the user to obtain information about the FTP job.
SERVAUTH CEA.CEAPDWB.CEACHECKSTATUS IZUADMIN IZUUSER READ Allow the user to check status and return incident information.
SERVAUTH CEA.CEAPDWB.CEADELETEINCIDENT IZUADMIN IZUUSER READ Allow the user to delete selected incidents, including the dumps, all diagnostic snapshot files, and the corresponding sysplex dump directory entry.
SERVAUTH CEA.CEAPDWB.CEAGETINCIDENT IZUADMIN IZUUSER READ Allow the user to obtain data that is associated with a specific incident.
SERVAUTH CEA.CEAPDWB.CEAGETINCIDENTCOLLECTION IZUADMIN IZUUSER READ Allow the user to obtain a collection of incident data for all incidents that match a filter.
SERVAUTH CEA.CEAPDWB.CEAPREPAREINCIDENT IZUADMIN IZUUSER READ Allow the user to prepare data for FTP (locate and compress/terse).
SERVAUTH CEA.CEAPDWB.CEASETINCIDENTINFO IZUADMIN IZUUSER READ Allow the user to set information that is associated with the incident, such as the Notes field.
SERVAUTH CEA.CEAPDWB.CEASETPROBLEMTRACKINGNUMBER IZUADMIN IZUUSER READ Allow the user to set a problem ID, such as a PMR number or problem management tracking ID.
SERVAUTH CEA.CEAPDWB.CEAUNSUPPRESSDUMP IZUADMIN IZUUSER READ Allow the user to permit a dump that is marked for suppression through DAE to be taken.
ZMFAPLA <SAF-prefix>.ZOSMF.INCIDENT_LOG.INCIDENT_LOG IZUADMIN IZUUSER READ Allow the user to access the Incident Log task.
Additional authorizations are required as follows:

Resource authorizations for the ISPF service

The ISPF service requires access to local resources on your z/OS system. Table 19 describes the security requirements for the ISPF service. The IZUISSEC job includes sample RACF commands for creating these authorizations.
Note that users of this service must also be authorized for resources that are accessed by the common event adapter (CEA) component of z/OS. IBM provides the CEASEC job in SYS1.SAMPLIB to help you create these authorizations. See Resource authorizations for common event adapter (CEA).
Table 19. Security setup requirements for the ISPF service
Resource class Resource name Who needs access? Type of access required Why
EJBROLE <SAF-prefix>.IzuManagementFacilityISPF.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the ISPF task.
SERVAUTH CEA.CEATSO.TSOREQUEST IZUADMIN IZUUSER READ Allow the user to access the CEATSOREQUEST API so that the user's session can be managed through the ISPF task.
SERVAUTH CEA.CEATSO.TSOREQUEST IZUSVR READ Allow the z/OSMF server to access the CEATSOREQUEST API.
ZMFAPLA <SAF-prefix>.ZOSMF.ISPF.ISPF IZUADMIN IZUUSER READ Allow the user to access the ISPF task.

Resource authorizations for the Resource Monitoring service

The Resource Monitoring service requires access to local resources on your z/OS system. Table 20 describes the security requirements for the Resource Monitoring service. The IZURMSEC job includes sample RACF commands for creating these authorizations.
Table 20. Security setup requirements for the Resource Monitoring service
Resource class Resource name Who needs access? Type of access required Why
EJBROLE <SAF-prefix>.IzuManagementFacilityResourceMonitoring.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the Resource Monitoring and System Status tasks.
ZMFAPLA <SAF-prefix>.ZOSMF.RESOURCE_MONITORING.PERFDESKS IZUADMIN IZUUSER READ Allow the user to access the Resource Monitoring task.
ZMFAPLA <SAF-prefix>.ZOSMF.RESOURCE_MONITORING.OVERVIEW IZUADMIN IZUUSER READ Allow the user to access the System Status task.

Resource authorizations for the Software Deployment service

The Software Deployment service requires access to local resources on your z/OS system. Table 21 describes the security requirements for the service. The IZUDMSEC job includes sample RACF commands for creating these authorizations.
Table 21. Security setup requirements for the Software Deployment service
Resource class Resource name Who needs access? Type of access required Why
EJBROLE <SAF-prefix>.IzuManagementFacilitySoftwareDeployment.izuUsers IZUADMIN IZUUSER READ Allow the user to connect to the Software Management task.
ZMFAPLA <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT IZUADMIN IZUUSER READ Allow the user to access the Software Management task.
ZMFAPLA <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.DATA.objectType.objectSuffix IZUADMIN IZUUSER CONTROL Allow the user to access the Software Management task objects.

For more information about the possible values for objectType and objectSuffix, see Creating access controls for the Software Management task.

ZMFAPLA <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.PRODUCT_INFO_FILE.RETRIEVE IZUADMIN READ Allow the user to access the Software Management task Product Information File Retrieve function.
ZMFAPLA <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.CATEGORIES.MODIFY IZUADMIN READ Allow the user to add, copy, modify, or remove Software Management categories.
ZMFAPLA <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_MANAGEMENT.SWUPDATE IZUADMIN IZUUSER READ Allow the user to access the Software Update task.
UNIXPRIV SUPERUSER.FILESYS.MOUNT IZUADMIN IZUUSER UPDATE Allow the user to create workflow instances from workflow definition files that reside in UNIX file systems that are not currently mounted.
UNIXPRIV SUPERUSER.FILESYS.USERMOUNT IZUADMIN IZUUSER READ Allow the user to mount a temporary work space UNIX file system data set that is created and used by the Deployment Unzip job and the Export job.

Note: You can read about the SUPERUSER.FILESYS.USERMOUNT (and SUPERUSER.FILESYS.MOUNT) resource here: https://www.ibm.com/docs/en/zos/2.4.0?topic=security-using-unixpriv-class-profiles

FACILITY STGADMIN.ADR.COPY.INCAT and STGADMIN.ADR.DUMP.INCAT IZUADMIN IZUUSER READ Allow the user access to the COPY and DUMP commands for program ADRDSSU. The COPY and DUMP commands are used by Deployment and Export JCL that is generated by Software Management. See Table Note 1.

Note: INCAT is used only when source data sets are not cataloged in the current active catalog environment. This is an unlikely scenario.

  1. If a resource profile is defined, then READ access is required. If a resource profile is not defined, then all users have access to that resource. More specifically:
    • If a profile for a resource is not defined, then the user can use the resource.
    • If a profile for a resource is defined and the user has at least READ access, then the user can use the resource.
    • If a profile for a resource is defined and the user does not have at least READ access, then the user cannot use the resource.

Resource authorizations for the Sysplex Management service

The Sysplex Management service requires access to local resources on your z/OS system.

Table 22 describes the security requirements for the Sysplex Management service. The IZUSPSEC job includes sample RACF commands for creating these authorizations.
Table 22. Security setup requirements for the Sysplex Management service
Resource class Resource name Who needs access? Type of access required Why
EJBROLE <SAF-prefix>.IzuManagementFacilitySysplexManagement.izuUsers

IZUADMIN
IZUUSER

READ Allow the user to connect to the Sysplex Management task.
FACILITY MVSADMIN.XCF.CFRM IZUADMIN READ or UPDATE Allow the user to use the CFRM Policy Editor to edit CFRM policies. Assign UPDATE access authority to users who must alter or maintain the policy. Assign READ access authority to users who can view the policy but not change it.
SERVAUTH CEA.XCF.CDS IZUADMIN IZUUSER READ Allow the user to access the couple data set for the Sysplex Management task.
SERVAUTH CEA.XCF.CF IZUADMIN IZUUSER READ Allow the user to access the coupling facility for the Sysplex Management task.
SERVAUTH CEA.XCF.FLOW.<sysname> IZUADMIN IZUUSER READ Allow the user to access the sysplex resources on remote systems for the Sysplex Management task.

Replace <sysname> with the 8-character name of the system in the sysplex.

SERVAUTH CEA.XCF.STRUCTURE IZUADMIN IZUUSER READ Allow the user to access the coupling facility structures for the Sysplex Management task.
SERVAUTH CEA.XCF.SYSPLEX IZUADMIN IZUUSER READ Allow the user to access the sysplex general information and systems for the Sysplex Management task.
ZMFAPLA <SAF-prefix>.ZOSMF.SYSPLEX IZUADMIN IZUUSER READ Allow the user to access the Sysplex Management task.
ZMFAPLA <SAF-prefix>.ZOSMF.SYSPLEX.LOG IZUADMIN or a particular z/OS user ID. READ Allow the user to use the Sysplex Management task to clean up the command log table and specify clean-up settings.
ZMFAPLA <SAF-prefix>.ZOSMF.SYSPLEX.MODIFY IZUADMIN READ Allow the user to use the Sysplex Management task to modify sysplex resources. This authorization also allows the user to use the CFRM Policy Editor to update Sysplex CFRM administrative policy information.

Resource authorizations for the Workload Management service

The Workload Management service requires access to local resources on your z/OS system. Table 23 describes the security requirements for the service. The IZUWMSEC job includes sample RACF commands for creating these authorizations.
This service requires the CIM server; thus, you must also create the authorizations that are described in Resource authorizations for Common Information Model.
Table 23. Security setup requirements for the Workload Management service

| Resource class | Resource name | Who needs access? | Type of access required | Why |
| --- | --- | --- | --- | --- |
| EJBROLE | <SAF-prefix>.IzuManagementFacilityWorkloadManagement.izuUsers | IZUADMIN, IZUUSER | READ | Allow the user to connect to the Workload Management task. |
| FACILITY | MVSADMIN.WLM.POLICY | IZUSVR | READ | Allow the z/OSMF server to access the WLM policies. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.ENWRP | IZUADMIN, WLM resource pool administration group | READ | For z/OS Cloud Provisioning, allow the user to access the WLM Resource Pooling (WRP) functions of z/OSMF. Using a WRP definition, the user can associate cloud information (tenant name, domain ID, template type, service levels supported) with WLM elements (report classes and classification rules). |
| ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW | IZUADMIN, IZUUSER | READ | Allow the user to access the Workload Management View function. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY | IZUADMIN | READ | Allow the user to access the Workload Management Modify function. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL | IZUADMIN | READ | Allow the user to access the Workload Management Install function. |

Resource authorizations for the IBM zERT Network Analyzer service

The IBM zERT Network Analyzer service provides access to sensitive network security information. Only users authorized to manage this data should be allowed to access the IBM zERT Network Analyzer service. The IZUNASEC job includes sample RACF commands to create the group IZUZNA. The IZUZNA group should be used to control access to the IBM zERT Network Analyzer service.

Your security team might determine that existing group names would be preferred. If so, you can use your existing group names in place of the supplied z/OSMF default group names. For example, you might already have a group that is aligned with network security administrators; if so, you could use that group instead of the default group enabling access to the IBM zERT Network Analyzer service, IZUZNA.

The IBM zERT Network Analyzer service requires access to local resources on your z/OS system. Table 24 describes the security requirements for the IBM zERT Network Analyzer service. The IZUNASEC job includes sample RACF commands for creating these authorizations.
Table 24. Security setup requirements for the IBM zERT Network Analyzer service

| Resource class | Resource name | Who needs access? | Type of access required | Why |
| --- | --- | --- | --- | --- |
| EJBROLE | <SAF-prefix>.IzuZertNetworkAnalyzer.izuUsers | IZUZNA | READ | Allow the user to connect to the IBM zERT Network Analyzer task. |
| EJBROLE | <SAF-prefix>.com.ibm.ws.management.security.resource.Administrator | IZUSVR | READ | Allow the IBM zERT Network Analyzer to run the required WebSphere Liberty administrative actions. |
| ZMFAPLA | <SAF-prefix>.ZOSMF | IZUZNA | READ | Designates the user as a z/OSMF user. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.ZERT_NETWORK_ANALYZER | IZUZNA | READ | Allow a user to access the IBM zERT Network Analyzer task. |
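The Table 24 authorizations as one batch job, added here as an example; it is not the IZUNASEC sample job from SYS1.SAMPLIB. It assumes the default SAF prefix IZUDFLT, the server user ID IZUSVR, SYS1 as owner and superior group of the new IZUZNA group, that the ZMFAPLA profile <SAF-prefix>.ZOSMF already exists from the nucleus setup, and that the EJBROLE and ZMFAPLA classes are already active and RACLISTed. The job marks where an existing network-security group would replace IZUZNA, and it ends with RLIST commands so the administrator can confirm that each access list contains nothing broader than the table calls for.

```jcl
//IZUNAEX  JOB (ACCT),'ZERT NA RACF SETUP',CLASS=A,MSGCLASS=H,
//             NOTIFY=&SYSUID
//*-------------------------------------------------------------*
//* Added example; not the IZUNASEC sample job in SYS1.SAMPLIB.  *
//* Assumptions: SAF prefix IZUDFLT (the z/OSMF default),        *
//* server user ID IZUSVR, SYS1 as owner and superior group of   *
//* IZUZNA, and EJBROLE/ZMFAPLA already active and RACLISTed.    *
//*-------------------------------------------------------------*
//RACFDEF  EXEC PGM=IKJEFT01,DYNAMNBR=20,REGION=0M
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  DATA,DLM=@@
 /* 1. Group that gates the zERT Network Analyzer. To use an     */
 /*    existing network-security group instead, drop this        */
 /*    ADDGROUP and put that group's name in every ID() below.   */
 ADDGROUP IZUZNA SUPGROUP(SYS1) OWNER(SYS1) -
   DATA('Z/OSMF ZERT NETWORK ANALYZER USERS')
 /* 2. Profiles from Table 24 with UACC(NONE): nobody gets in    */
 /*    without an explicit PERMIT. EJBROLE names are mixed case  */
 /*    and must match exactly. IZUDFLT.ZOSMF is assumed to exist */
 /*    from the nucleus setup, so it is only PERMITted below.    */
 RDEFINE EJBROLE IZUDFLT.IzuZertNetworkAnalyzer.izuUsers -
   UACC(NONE)
 RDEFINE EJBROLE -
   IZUDFLT.com.ibm.ws.management.security.resource.Administrator -
   UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.ZERT_NETWORK_ANALYZER UACC(NONE)
 /* 3. READ access exactly as Table 24 lists it.                 */
 PERMIT IZUDFLT.IzuZertNetworkAnalyzer.izuUsers -
   CLASS(EJBROLE) ID(IZUZNA) ACCESS(READ)
 PERMIT -
   IZUDFLT.com.ibm.ws.management.security.resource.Administrator -
   CLASS(EJBROLE) ID(IZUSVR) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF CLASS(ZMFAPLA) ID(IZUZNA) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.ZERT_NETWORK_ANALYZER -
   CLASS(ZMFAPLA) ID(IZUZNA) ACCESS(READ)
 /* 4. Push the changes into the in-storage profiles.            */
 SETROPTS RACLIST(EJBROLE) REFRESH
 SETROPTS RACLIST(ZMFAPLA) REFRESH
 /* 5. Check: each access list should show only the IDs above    */
 /*    at READ, UACC NONE, and no ID(*) entry.                    */
 RLIST EJBROLE IZUDFLT.IzuZertNetworkAnalyzer.izuUsers AUTHUSER
 RLIST ZMFAPLA IZUDFLT.ZOSMF.ZERT_NETWORK_ANALYZER AUTHUSER
@@
```

The SYSTSIN data is delimited with DLM=@@ so that the `/* ... */` comment lines are not mistaken for the end of the in-stream data. Review the SYSTSPRT output of the two RLIST commands before handing the service to users: an access list with an ID(*) entry or a UACC above NONE would let user IDs outside IZUZNA reach the network security data the service exposes.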

Resource authorizations for the z/OS Management Services Catalog service

The security configuration requirements for z/OS Management Services Catalog are described in the sections that follow. These sections describe the resources that must be defined, and the groups that must be permitted to the resources. Typically, these permissions are created by your security administrator.

z/OS Management Services Catalog uses a software-defined, role-based authorization model. A user ID's role determines what the user ID can do in the product.
Table 25. z/OS Management Services Catalog User Roles
Role Recommended group Capabilities
User IZUUSER

Users have access to the Catalog, Activity, and History pages. Users can submit services from the Catalog, manage queued and active service submissions in Activity, and access completed and terminated service submissions in History. Users can see service submissions from other users and administrators.

A service submission that has been started but is not yet submitted is saved in My drafts and cannot be seen by other users or administrators.

Users can control their notification preferences using Settings.

Administrator IZUADMIN

Administrators have additional authority that grants them access to the Administration page and the plug-in Global settings page.

Administrators can manage existing services, create new services, and request approval to publish new services to the Catalog. Administrators can manage the plug-in's Global settings and take actions on service submissions that are created by other users.

Publishing approver IZUMSPAP

The publishing approver role authorizes a user ID to be assigned as an approver of services that are requested to be published in the Catalog. User IDs given this role must be those of real users who can review and approve requests to publish services so that they are available on the Catalog page.

Approvers are assigned by an administrator in the Publishing approvals table of Global Settings.

Approvers have access to the Administration page and all services for which they are an approver.

RunAsUser step approver IZUMSRAP

A user ID must have this role if a service's underlying workflow definition file requires the user ID to approve the use of a runAsUser step. User IDs given this role must be those of real users who can review and approve the use of the runAsUser step. Do not use functional or application IDs as approvers.

A runAsUser step is a step in the workflow that is performed by a specific user ID that might not be the user that runs the workflow. The user ID that the step is performed as is not necessarily the same as the user ID that approves the step.

Every runAsUser step has an assigned user ID to approve it. This user ID's approval is required to publish the service in the Catalog.

RunAsUser step approvers have access to the Administration page and all services for which they are an approver.

RunAsUser user ID IZUMSRAU

This role is required for any user ID assigned as the runAsUser for a runAsUser step in a workflow definition. Authorization to this role is checked when you create a new service from a workflow definition that contains runAsUser steps. It is also checked when the Workflows task runs a runAsUser step for workflow instances that are created by service submissions.

This role does not grant any access to z/OS Management Services Catalog.

Note: At least one publish approver is required when publish approval is enabled in Global settings.
Table 26. Resource Authorization requirements for the z/OS Management Services Catalog service

| Resource class | Resource name | Who needs access? | Type of access required | Why |
| --- | --- | --- | --- | --- |
| EJBROLE | <SAF-prefix>.IzuManagementFacilityManagementServicesCatalog.izuUsers | z/OSMF users (IZUUSER), z/OSMF administrators (IZUADMIN) | READ | Allow the user to open the Management Services Catalog desktop app. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.MGMT_SERVICES | z/OSMF users (IZUUSER), z/OSMF administrators (IZUADMIN) | READ | Allow the user to open the Management Services Catalog desktop app. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.ADMIN | z/OSMF administrators (IZUADMIN) | READ | Grants the administrator role to the user. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.USER | z/OSMF users (IZUUSER) | READ | Grants the user role to the user. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.PUBLISH.APPROVER | IZUMSPAP | READ | Grants the publishing approver role to the user. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER | IZUMSRAP | READ | Grants the runAsUser step approver role to the user. |
| ZMFAPLA | <SAF-prefix>.IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER | IZUMSRAU | READ | Grants authority to the user ID to be used as the runAsUser user ID in any workflow instance created by a service. |
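The role model of Table 25 and Table 26 carried through in RACF, as an added example rather than a z/OSMF sample job: each role is a RACF group, each group is permitted to exactly one role profile, and real user IDs receive a role by being connected to the group. It assumes the default SAF prefix IZUDFLT, that IZUUSER and IZUADMIN already exist from the nucleus setup, SYS1 as owner of the new role groups, and constructed user IDs APPR01, APPR02 and SVCRUN1. The runAsUser resource in Table 26 is read here as having IZUDFLT as the prefix itself, so the prefix is not repeated; confirm the name against the sample job supplied with your level of z/OSMF.

```jcl
//IZUMSEX  JOB (ACCT),'MSC ROLE SETUP',CLASS=A,MSGCLASS=H,
//             NOTIFY=&SYSUID
//*-------------------------------------------------------------*
//* Added example, not a z/OSMF sample job. Assumptions: SAF     *
//* prefix IZUDFLT; IZUUSER and IZUADMIN already exist from the  *
//* nucleus setup; SYS1 owns the new role groups; APPR01,        *
//* APPR02 and SVCRUN1 are constructed user IDs. The runAsUser   *
//* resource of Table 26 is taken with IZUDFLT as the prefix     *
//* itself, so the prefix is not repeated here.                  *
//*-------------------------------------------------------------*
//RACFDEF  EXEC PGM=IKJEFT01,DYNAMNBR=20,REGION=0M
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  DATA,DLM=@@
 /* 1. One RACF group per Table 25 role that the nucleus does    */
 /*    not already provide. Group membership is the role.        */
 ADDGROUP IZUMSPAP SUPGROUP(SYS1) OWNER(SYS1) -
   DATA('MSC PUBLISHING APPROVERS')
 ADDGROUP IZUMSRAP SUPGROUP(SYS1) OWNER(SYS1) -
   DATA('MSC RUNASUSER STEP APPROVERS')
 ADDGROUP IZUMSRAU SUPGROUP(SYS1) OWNER(SYS1) -
   DATA('MSC RUNASUSER USER IDS')
 /* 2. Table 26 profiles, all UACC(NONE).                        */
 RDEFINE EJBROLE -
   IZUDFLT.IzuManagementFacilityManagementServicesCatalog.izuUsers -
   UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.MGMT_SERVICES -
   UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.ADMIN UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.USER UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.PUBLISH.APPROVER -
   UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER -
   UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER UACC(NONE)
 /* 3. Map each role group to its profile. READ is all that is   */
 /*    needed: the profile names the role, the access level does */
 /*    not carry extra authority.                                 */
 PERMIT -
   IZUDFLT.IzuManagementFacilityManagementServicesCatalog.izuUsers -
   CLASS(EJBROLE) ID(IZUUSER IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.MGMT_SERVICES -
   CLASS(ZMFAPLA) ID(IZUUSER IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.ADMIN -
   CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.USER -
   CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.PUBLISH.APPROVER -
   CLASS(ZMFAPLA) ID(IZUMSPAP) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER.APPROVER -
   CLASS(ZMFAPLA) ID(IZUMSRAP) ACCESS(READ)
 PERMIT IZUDFLT.ZOSMF.MGMT_SERVICES.RUNASUSER -
   CLASS(ZMFAPLA) ID(IZUMSRAU) ACCESS(READ)
 /* 4. Approver roles go to real people, never to functional     */
 /*    IDs; the runAsUser role is the one place a functional ID  */
 /*    belongs. All three IDs are constructed for the example.   */
 CONNECT APPR01 GROUP(IZUMSPAP)
 CONNECT APPR02 GROUP(IZUMSRAP)
 CONNECT SVCRUN1 GROUP(IZUMSRAU)
 SETROPTS RACLIST(EJBROLE) REFRESH
 SETROPTS RACLIST(ZMFAPLA) REFRESH
 /* 5. Check: LISTUSER shows the group connections (roles) of an */
 /*    ID; RLIST shows who currently holds a role.                */
 LISTUSER APPR01
 RLIST ZMFAPLA IZUDFLT.ZOSMF.MGMT_SERVICES.PUBLISH.APPROVER AUTHUSER
@@
```

Because the role is the group, auditing "who can approve publishing" reduces to listing the members of IZUMSPAP, and removing a person from the approver role is a single REMOVE of that user ID from the group; no profile has to be touched.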

Resource authorizations for the Storage Management service

The Storage Management services require update access to the Source Control Data Set (SCDS) on your z/OS system to perform SCDS modification, validation and activation.
Table 27. Resource Authorization requirements for the Storage Management Services service

| Resource class | Resource name | Who needs access? | Type of access required | Why |
| --- | --- | --- | --- | --- |
| ZMFAPLA | <SAF-prefix>.ZOSMF.STORAGE.SG.VOLUME | z/OSMF administrators (IZUADMIN) | UPDATE | Allow the user to add volumes to a storage group. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.STORAGE.SCDS | z/OSMF administrators (IZUADMIN) | UPDATE | Allow the user to validate or activate the SCDS specified. |
| OPERCMDS | MVS.SETSMS.SMS | z/OSMF administrators (IZUADMIN) | UPDATE | Allow the user to activate the SCDS by using the SETSMS SCDS("scds-name") command. |
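The Table 27 authorizations as a batch job, added here as an example and not a z/OSMF sample job. Unlike the tables above, these accesses are UPDATE rather than READ, and one of them is an OPERCMDS profile for an operator command, so the job keeps them confined to IZUADMIN. It assumes the default SAF prefix IZUDFLT, that the OPERCMDS class is active and RACLISTed, that a discrete DATASET profile protects the SCDS, and a constructed SCDS name SYS1.SMS.SCDS standing in for your own.

```jcl
//IZUSTEX  JOB (ACCT),'STORAGE MGMT RACF',CLASS=A,MSGCLASS=H,
//             NOTIFY=&SYSUID
//*-------------------------------------------------------------*
//* Added example, not a z/OSMF sample job. Assumptions: SAF     *
//* prefix IZUDFLT, OPERCMDS active and RACLISTed, a discrete    *
//* DATASET profile on the SCDS, and a constructed SCDS name     *
//* SYS1.SMS.SCDS standing in for yours.                         *
//*-------------------------------------------------------------*
//RACFDEF  EXEC PGM=IKJEFT01,DYNAMNBR=20,REGION=0M
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  DATA,DLM=@@
 /* 1. Table 27 ZMFAPLA profiles. These are UPDATE, not READ:    */
 /*    the task changes the SMS configuration, so keep them to   */
 /*    IZUADMIN and do not extend them to IZUUSER.               */
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.STORAGE.SG.VOLUME UACC(NONE)
 RDEFINE ZMFAPLA IZUDFLT.ZOSMF.STORAGE.SCDS UACC(NONE)
 PERMIT IZUDFLT.ZOSMF.STORAGE.SG.VOLUME -
   CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(UPDATE)
 PERMIT IZUDFLT.ZOSMF.STORAGE.SCDS -
   CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(UPDATE)
 /* 2. The SETSMS SCDS(...) operator command. If a generic       */
 /*    MVS.SETSMS.** profile already exists at your site, PERMIT  */
 /*    to that profile instead of defining a new discrete one.   */
 RDEFINE OPERCMDS MVS.SETSMS.SMS UACC(NONE)
 PERMIT MVS.SETSMS.SMS CLASS(OPERCMDS) ID(IZUADMIN) ACCESS(UPDATE)
 /* 3. UPDATE on the SCDS data set itself, which the text above  */
 /*    requires for modify, validate and activate. The name is   */
 /*    constructed; use the profile that protects your SCDS.     */
 PERMIT 'SYS1.SMS.SCDS' CLASS(DATASET) ID(IZUADMIN) ACCESS(UPDATE)
 SETROPTS RACLIST(ZMFAPLA) REFRESH
 SETROPTS RACLIST(OPERCMDS) REFRESH
 /* 4. Check: RLIST returns the profile that actually covers the */
 /*    name, so a broader pre-existing generic profile (and its   */
 /*    access list) shows up here rather than in production.     */
 RLIST OPERCMDS MVS.SETSMS.SMS AUTHUSER
 RLIST ZMFAPLA IZUDFLT.ZOSMF.STORAGE.SCDS AUTHUSER
@@
```

The final RLIST pair is the useful part: an OPERCMDS generic that already grants UPDATE to a wide group would let those user IDs activate an SCDS through z/OSMF regardless of the discrete profile defined here, and the output names the covering profile so that can be seen before the service goes live.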