Local user access control to TCP/IP resources using SAF

You can use System Authorization Facility (SAF) to control which z/OS® users can access specific TCP/IP resources, which protects against unauthorized user access to these resources.

You define SAF resource profiles in the SERVAUTH class to control access to the TCP/IP resources. After you define a SAF resource profile, a local user can access the associated TCP/IP resource if their user ID has at least READ access to the resource.

z/OS Communications Server programs call SAF to determine which users have access to protected resources. The user's credentials, a resource name, and a requested level of access (READ, UPDATE, and so on) are provided to SAF. SAF has three defined return codes:

  • 0: Permit
  • 4: No decision
  • 8: Deny

The following situations can result in a no-decision return code from SAF:

When SAF returns a no-decision return code, the resource manager decides whether to allow access. The No SAF decision column in Table 1 indicates the action that the resource manager takes for each resource.

Table 1 summarizes the SERVAUTH resource names that are used by TCP/IP.

Table 1. SERVAUTH resource names used by TCP/IP

Each entry gives the Function, Description, No SAF decision, SERVAUTH resource name, and LOGSTR in any SAF logging (SMF type 80 records for RACF®).

Function: Broadcast access control
  Description: Provides ability to control whether an application is permitted to set the SO_BROADCAST socket option needed to send broadcast datagrams
  No SAF decision: Permit
  SERVAUTH resource name: EZB.SOCKOPT.sysname.tcpname.SO_BROADCAST
  LOGSTR: TCPIP SOCKOPT ACCESS CHECK

Function: CIM provider access control
  Description: Provides ability to restrict access to CIM data
  No SAF decision: Deny
  SERVAUTH resource name: EZB.CIMPROV.sysname.tcpname
  LOGSTR: TCPIP CIM PROVIDER CHECK

Function: DCAS server access control
  Description: Controls ability to access DCAS server based on SAF user ID associated with TLS-authenticated X.509 client certificate
  No SAF decision: Permit
  SERVAUTH resource name: EZA.DCAS.cvtsysname
  LOGSTR: DCAS SAFCERT CHECK FOR USER certuser
    or
    TCPIP EZACDRAU AUTH CHECK FOR EZA.DCAS.cvtsysname

Function: Fast Response Cache Accelerator (FRCA) Access Control
  Description: Provides ability of user to create FRCA cache (FRCA used by web servers for caching static web pages in the stack)
  No SAF decision: Deny, see result 1
  SERVAUTH resource name: EZB.FRCAACCESS.sysname.tcpname
  LOGSTR: TCPIP FRCA ACCESS CHECK

Function: FTP server access control
  Description: Controls ability to access FTP server based on SAF user ID used to log in
  No SAF decision: Permit
  SERVAUTH resource name: EZB.FTP.sysname.ftpdaemonname.PORTxxxxx
  LOGSTR: (none)

Function: FTP SITE command control
  Description: Provides ability to restrict usage of SITE DUMP and DEBUG commands (commands generate large amount of output)
  No SAF decision: Permit
  SERVAUTH resource name:
    EZB.FTP.sysname.ftpdaemonname.SITE.DUMP
    EZB.FTP.sysname.ftpdaemonname.SITE.DEBUG
  LOGSTR: (none)

Function: FTP z/OS UNIX file system access control
  Description: Provides ability to generally restrict FTP user access to the z/OS UNIX file system
  No SAF decision: Permit
  SERVAUTH resource name: EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS
  LOGSTR: (none)

Function: ipsec command access control
  Description: Provides ability to control ipsec command usage
  No SAF decision: Deny
  SERVAUTH resource name:
    EZB.IPSECCMD.sysname.tcpname.command_type
    EZB.IPSECCMD.sysname.DMD_GLOBAL.command_type
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.IPSECCMD.sysname.tcpname.command_type
    or
    TCPIP EZACDRAU AUTH CHECK FOR EZB.IPSECCMD.sysname.DMD_GLOBAL.command_type

Function: IPSec network management interface (NMI) access control for control requests (local)
  Description: Controls whether a user can issue NMI control requests to the local IKE daemon to manage IP filtering and IPSec function (for example, activate and deactivate requests) pertaining to a local TCP/IP stack
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NETMGMT.sysname.tcpname.IPSEC.CONTROL
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.tcpname.IPSEC.CONTROL

Function: IPSec NMI access control for display requests (local)
  Description: Controls whether a user can issue NMI monitoring requests to the local IKE daemon to retrieve IP filtering and IPSec monitoring data pertaining to a local TCP/IP stack
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NETMGMT.sysname.tcpname.IPSEC.DISPLAY
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.tcpname.IPSEC.DISPLAY

Function: IPSec NMI and ipsec command access control
  Description: Controls whether a user can issue:
    • NMI requests to display IKE daemon NSS client information
    • The ipsec command with the -w option to display IKE daemon NSS IPSec client information
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NETMGMT.sysname.sysname.IKED.DISPLAY
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.sysname.IKED.DISPLAY

Function: IPSec NMI and ipsec command access control for control requests (remote)
  Description: Controls whether a user can issue:
    • NMI management requests to the NSS server that pertain to an NSS client (for example, activate and deactivate requests)
    • The ipsec command with the -z option to perform a management action to an NSS IPSec client (for example, to activate and deactivate options)
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NETMGMT.sysname.clientname.IPSEC.CONTROL
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.clientname.IPSEC.CONTROL

Function: IPSec NMI and ipsec command access control for display requests (remote)
  Description: Controls whether a user can issue:
    • NMI monitoring requests to the NSS server that pertain to an NSS client (that is, get requests)
    • The ipsec command with the -z option to display options for an NSS IPSec client
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NETMGMT.sysname.clientname.IPSEC.DISPLAY
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.clientname.IPSEC.DISPLAY

Function: IPv6 Advanced Socket API access control
  Description: Provides ability to control whether an application is permitted to set IPv6 advanced socket API options: IPV6_NEXTHOP, IPV6_TCLASS, IPV6_RTHDR, IPV6_HOPOPTS, IPV6_DSTOPTS, IPV6_RTHDRDSTOPTS, IPV6_PKTINFO, IPV6_HOPLIMIT
  No SAF decision: Deny, see result 2
  SERVAUTH resource name:
    EZB.SOCKOPT.sysname.tcpname.IPV6_NEXTHOP
    EZB.SOCKOPT.sysname.tcpname.IPV6_TCLASS
    EZB.SOCKOPT.sysname.tcpname.IPV6_RTHDR
    EZB.SOCKOPT.sysname.tcpname.IPV6_HOPOPTS
    EZB.SOCKOPT.sysname.tcpname.IPV6_DSTOPTS
    EZB.SOCKOPT.sysname.tcpname.IPV6_RTHDRDSTOPTS
    EZB.SOCKOPT.sysname.tcpname.IPV6_PKTINFO
    EZB.SOCKOPT.sysname.tcpname.IPV6_HOPLIMIT
  LOGSTR: TCPIP SOCKOPT ACCESS CHECK

Function: Netstat command access control
  Description: Provides ability to restrict Netstat usage
  No SAF decision: Permit, see result 3
  SERVAUTH resource name: EZB.NETSTAT.sysname.tcpname.netstat_option
  LOGSTR: TCPIP EZACDNET AUTH CHECK FOR EZB.NETSTAT.sysname.tcpname.netstat_option

Function: Network security services (NSS) NMI and command access control
  Description: Controls whether a user can issue:
    • NMI requests to display connections to the NSS server
    • The ipsec command with the -x option to display NSS IPSec client connections to the NSS server
    • The nssctl command to display NSS client connections to the NSS server
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NETMGMT.sysname.sysname.NSS.DISPLAY
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.sysname.NSS.DISPLAY

Function: NSS server access control
  Description: Controls whether an NSS IPSec client can register with the NSS server for the NSS IPSec certificate service
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NSS.sysname.clientname.IPSEC.CERT
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.IPSEC.CERT

Function: NSS server access control
  Description: Controls whether an NSS IPSec client can register with the NSS server for the NSS IPSec remote management service
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NSS.sysname.clientname.IPSEC.NETMGMT
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.IPSEC.NETMGMT

Function: NSS server access control
  Description: Controls whether an NSS XMLAppliance client can register with the NSS server for the XMLAppliance SAFAccess service
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NSS.sysname.clientname.XMLAPPLIANCE.SAFACCESS
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.XMLAPPLIANCE.SAFACCESS

Function: NSS server access control
  Description: Controls whether an NSS XMLAppliance client can register with the NSS server for the XMLAppliance certificate service
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NSS.sysname.clientname.XMLAPPLIANCE.CERT
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.XMLAPPLIANCE.CERT

Function: NSS server access control
  Description: Controls whether an NSS XMLAppliance client can register with the NSS server for the XMLAppliance private key service
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NSS.sysname.clientname.XMLAPPLIANCE.PRIVKEY
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.XMLAPPLIANCE.PRIVKEY

Function: NSS server certificate access control
  Description: Controls whether an NSS client can access a CERTAUTH certificate on the key ring of the NSS server
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH

Function: NSS server certificate access control
  Description: Controls whether an NSS client can access a PERSONAL or SITE certificate on the key ring of the NSS server
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NSSCERT.sysname.mappedlabelname.HOST
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NSSCERT.sysname.mappedlabelname.HOST

Function: NSS server private key access control
  Description: Controls whether an NSS XMLAppliance client can access the private key for a certificate on the key ring of the NSS server
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY

Function: OSM access control
  Description: Controls ability to access the intranode management network using OSM interfaces
  No SAF decision: Deny
  SERVAUTH resource name: EZB.OSM.sysname.tcpname
  LOGSTR: TCPIP OSM ACCESS CHECK

Function: Partner information ioctl access control
  Description: Controls whether an application can use the SIOCGPARTNERINFO ioctl to obtain partner security credentials within a sysplex or subplex over a trusted TCP connection
  No SAF decision: Deny
  SERVAUTH resource name: EZB.IOCTL.sysname.tcpprocname.PARTNERINFO
  LOGSTR: SIOCGPARTNERINFO

Function: Policy Agent command control
  Description: Provides ability to restrict pasearch command, IKE daemon, policy clients, and nslapm2 usage by type
  No SAF decision: Deny
  SERVAUTH resource name: EZB.PAGENT.sysname.image.ptype
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.PAGENT.sysname.image.ptype

Function: Real-time application-controlled TCP/IP trace NMI access control - Open request
  Description: Controls whether an application can invoke the NMI to open a trace; intended for network management applications
  No SAF decision: Deny
  SERVAUTH resource name: EZB.TRCCTL.sysname.tcpname.OPEN
  LOGSTR: TCPIP NETWORK MANAGEMENT

Function: Real-time application-controlled TCP/IP trace NMI access control - Set filters
  Description: Controls whether an application can invoke the NMI to set filters for packet trace; intended for network management applications
  No SAF decision: Deny
  SERVAUTH resource name: EZB.TRCCTL.sysname.tcpname.PKTTRACE
  LOGSTR: TCPIP NETWORK MANAGEMENT

Function: Real-time application-controlled TCP/IP trace NMI access control - Set filters
  Description: Controls whether an application can request IPSec cleartext data on a packet trace filter
  No SAF decision: Deny
  SERVAUTH resource name: EZB.TRCSEC.sysname.tcpname.IPSEC
  LOGSTR: TCPIP NETWORK MANAGEMENT

Function: Real-time application-controlled TCP/IP trace NMI access control - Set filters
  Description: Controls whether an application can invoke the NMI to set filters for data trace; intended for network management applications
  No SAF decision: Deny
  SERVAUTH resource name: EZB.TRCCTL.sysname.tcpname.DATTRACE
  LOGSTR: TCPIP NETWORK MANAGEMENT

Function: Real-time application-controlled TCP/IP trace NMI access control - Set filters
  Description: Controls whether an application can request AT-TLS cleartext data on a data trace filter
  No SAF decision: Deny
  SERVAUTH resource name: EZB.TRCSEC.sysname.tcpname.ATTLS
  LOGSTR: TCPIP NETWORK MANAGEMENT

Function: Real-time OSAENTA information service access control
  Description: Provides ability to restrict access to select real-time OSAENTA packet trace records accessible using the OSAENTA information service; intended for network management applications
  No SAF decision: Deny, see result 4
  SERVAUTH resource name: EZB.NETMGMT.sysname.tcpname.SYSTCPOT
  LOGSTR: TCPIP NETWORK MANAGEMENT

Function: Real-time SMF information service access control
  Description: Provides ability to restrict access to select real-time SMF records accessible using the SMF information service; intended for network management applications
  No SAF decision: Deny, see result 4
  SERVAUTH resource name: EZB.NETMGMT.sysname.tcpname.SYSTCPSM
  LOGSTR: TCPIP NETWORK MANAGEMENT

Function: Real-time TCP connection information service access control
  Description: Provides ability to restrict access to the TCP connection information using TCP connection information service; intended for network management applications
  No SAF decision: Deny, see result 4
  SERVAUTH resource name: EZB.NETMGMT.sysname.tcpname.SYSTCPCN
  LOGSTR: TCPIP NETWORK MANAGEMENT

Function: Real-time TCP/IP packet trace service access control
  Description: Provides ability to restrict access to select real-time packet trace records accessible using the TCP/IP packet trace service; intended for network management applications
  No SAF decision: Deny, see result 4
  SERVAUTH resource name: EZB.NETMGMT.sysname.tcpname.SYSTCPDA
  LOGSTR: TCPIP NETWORK MANAGEMENT

Function: rpcbind access control
  Description: Provides ability to control whether an application is permitted to register and unregister its port with rpcbind
  No SAF decision: Deny
  SERVAUTH resource name: EZB.RPCBIND.sysname.rpcbindname.REGISTRY
  LOGSTR: (none)

Function: SNMP agent control
  Description: Provides control over usage of SNMP subagents that connect to the SNMP agent by using a TCP connection
  No SAF decision: Permit
  SERVAUTH resource name: EZB.SNMPAGENT.sysname.tcpname
  LOGSTR: TCPIP EZACDRAU AUTH CHECK FOR EZB.SNMPAGENT.sysname.tcpname

Function: TCP/IP local port access control
  Description: Controls user ability to bind to a non-ephemeral TCP or UDP port
  No SAF decision: Deny
  SERVAUTH resource name: EZB.PORTACCESS.sysname.tcpname.port_safname
  LOGSTR: TCPIP PORT ACCESS CHECK PORT portnum

Function: TCP/IP netaccess access control
  Description: Controls local user inbound and outbound access to network resources, and local user access to local IP address when explicitly binding to local interface (or using job-specific or destination-specific source IP addresses)
  No SAF decision: Deny
  SERVAUTH resource name: EZB.NETACCESS.sysname.tcpname.zonename
  LOGSTR: TCPIP NETWORK ACCESS CHECK ipaddress

Function: TCP/IP stack access control
  Description: Controls user ability to open a socket and get host name or host ID
  No SAF decision: Permit
  SERVAUTH resource name: EZB.STACKACCESS.sysname.tcpname
  LOGSTR: TCPIP STACK ACCESS CHECK

Function: TCP/IP stack initialization access control
  Description: Controls ability of applications to open a socket before AT-TLS policy is loaded into the TCP/IP stack
  No SAF decision: Deny
  SERVAUTH resource name: EZB.INITSTACK.sysname.tcpname
  LOGSTR: TCPIP INIT STACK ACCESS CHECK

Function: TN3270E Telnet server access control
  Description: Controls ability to access TN3270E Telnet server based on SAF user ID associated with TLS-authenticated X.509 client certificate
  No SAF decision: Deny
  SERVAUTH resource name: EZB.TN3270.sysname.tn3270name.PORTxxxxx
  LOGSTR: TN3270 SAFCERT CHECK FOR USER userid PORT portnum ON tn3270name

Function: VIPARANGE access control for any VIPA range (bind)
  Description: Controls whether an application can create a DVIPA by binding to a DVIPA that is specified by any VIPARANGE statement
  No SAF decision: Permit
  SERVAUTH resource name: EZB.BINDDVIPARANGE.sysname.tcpname
  LOGSTR: TCPIP BINDDVIPA ACCESS CHECK

Function: VIPARANGE access control for any VIPA range (MODDVIPA and ioctl)
  Description: Provides access control for all VIPARANGE statements, and controls whether a user or application can perform the following tasks:
    • Create a dynamic VIPA (DVIPA) that is specified by any VIPARANGE statement, using the SIOCSVIPA ioctl call, the SIOCSVIPA6 ioctl call, or the MODDVIPA utility
    • Delete a DVIPA that was created using this profile and the SIOCSVIPA ioctl call, the SIOCSVIPA6 ioctl call, or the MODDVIPA utility
  No SAF decision: Deny, see result 5
  SERVAUTH resource name: EZB.MODDVIPA.sysname.tcpname
  LOGSTR: TCPIP MODDVIPA or SIOCSVIPA(6) ACCESS CHECK

Function: VIPARANGE access control for a specific VIPA range (bind)
  Description: Controls whether an application can create an application-specific DVIPA, by binding to a DVIPA that is specified by a VIPARANGE statement that includes the SAF parameter with the same value for resname
  No SAF decision: Deny
  SERVAUTH resource name: EZB.BINDDVIPARANGE.sysname.tcpname.resname
  LOGSTR: TCPIP BINDDVIPA SAF ACCESS CHECK

Function: VIPARANGE access control for a specific VIPA range (MODDVIPA and ioctl)
  Description: Provides access control for a specific VIPARANGE statement that includes the SAF parameter with the same value for resname, and controls whether a user or application can perform the following tasks:
    • Create an application-specific DVIPA that is specified by a specific VIPARANGE statement, using the SIOCSVIPA ioctl call, the SIOCSVIPA6 ioctl call, or the MODDVIPA utility
    • Delete a DVIPA that was created using this profile and the SIOCSVIPA ioctl call, the SIOCSVIPA6 ioctl call, or the MODDVIPA utility
  No SAF decision: Deny
  SERVAUTH resource name: EZB.MODDVIPA.sysname.tcpname.resname
  LOGSTR: TCPIP MODDVIPA or SIOCSVIPA(6) SAF ACCESS CHECK
Results:
  1. Deny, unless the user ID is a WLM user or is a UNIX System Services superuser.
  2. Deny, unless the user ID is APF authorized or is a UNIX System Services superuser.
  3. Permit, except for the DROP option, when access is denied.
  4. Deny, unless the user ID is a UNIX System Services superuser or has READ access to BPX.SUPERUSER.
  5. Deny, unless the user ID is APF authorized and is a UNIX System Services superuser.
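As an added example that is not from this IBM page, the following REXX exec, run under TSO by a RACF administrator, defines SERVAUTH profiles for three rows of Table 1 (stack access, Netstat, and local port access) and grants the READ access that the profile-definition paragraph above describes. The system name SYS1, stack name TCPIP, port SAF name FTPD1, and the IDs FTPD, NETADMIN and MONITOR are assumed placeholders.

```rexx
/* Added example, not part of the IBM page: define SERVAUTH profiles  */
/* for three Table 1 resources. SYS1, TCPIP, FTPD1, FTPD, NETADMIN    */
/* and MONITOR are placeholders; substitute the real sysname, tcpname, */
/* PORT statement SAF name, daemon user ID, and administrator groups.  */
address tso

/* 1. Activate the class, allow generic profiles, and RACLIST it so   */
/*    the in-storage copy is used for the stack's SAF calls.          */
"SETROPTS CLASSACT(SERVAUTH) GENERIC(SERVAUTH) RACLIST(SERVAUTH)"

/* 2. Stack access: the No SAF decision value is Permit, so the stack */
/*    is open to every user until a profile exists. UACC(NONE) closes */
/*    it; only IDs permitted READ can open sockets on this stack.     */
"RDEFINE SERVAUTH EZB.STACKACCESS.SYS1.TCPIP UACC(NONE)"
"PERMIT EZB.STACKACCESS.SYS1.TCPIP CLASS(SERVAUTH)",
       "ID(NETADMIN) ACCESS(READ)"

/* 3. Netstat: result 3 permits every option except DROP when SAF     */
/*    makes no decision. A generic profile opens the display options  */
/*    to MONITOR; the more specific DROP profile is restricted to     */
/*    NETADMIN and fully audited (SMF type 80, LOGSTR as in Table 1). */
"RDEFINE SERVAUTH EZB.NETSTAT.SYS1.TCPIP.* UACC(NONE)"
"PERMIT EZB.NETSTAT.SYS1.TCPIP.* CLASS(SERVAUTH)",
       "ID(MONITOR NETADMIN) ACCESS(READ)"
"RDEFINE SERVAUTH EZB.NETSTAT.SYS1.TCPIP.DROP UACC(NONE) AUDIT(ALL(READ))"
"PERMIT EZB.NETSTAT.SYS1.TCPIP.DROP CLASS(SERVAUTH)",
       "ID(NETADMIN) ACCESS(READ)"

/* 4. Local port access: the No SAF decision value is Deny, so no job */
/*    can bind the port until its user ID is permitted. FTPD1 is the  */
/*    SAF name coded on the PORT statement in the TCP/IP profile.     */
"RDEFINE SERVAUTH EZB.PORTACCESS.SYS1.TCPIP.FTPD1 UACC(NONE)"
"PERMIT EZB.PORTACCESS.SYS1.TCPIP.FTPD1 CLASS(SERVAUTH)",
       "ID(FTPD) ACCESS(READ)"

/* 5. Profile changes are not seen by the stack until the RACLISTed   */
/*    class is refreshed.                                             */
"SETROPTS RACLIST(SERVAUTH) REFRESH"
if rc <> 0 then
  say "SETROPTS RACLIST(SERVAUTH) REFRESH failed, rc =" rc
else
  say "SERVAUTH profiles defined and refreshed"
exit rc
```

RACF selects the most specific matching profile, so the discrete DROP profile overrides the generic EZB.NETSTAT.SYS1.TCPIP.* profile for that one option.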